Adam Cassar

Co-Founder

The Exploit Prediction Scoring System (EPSS) estimates the likelihood that a published CVE will be exploited in the wild. Its value is that it brings several signals into one risk score, instead of treating every vulnerability with the same CVSS severity as equally urgent. The main inputs are:

Data Sources of EPSS

  1. MITRE’s CVE List: EPSS scores only vulnerabilities that are “published” on this list.
  2. Text-based “Tags”: Extracted from CVE descriptions and related discussions.
  3. Publication Duration: The time period since the CVE was published.
  4. Reference Count: The number of references in the CVE entry.
  5. Published Exploit Code: Code from platforms such as Metasploit, ExploitDB, or GitHub.
  6. Security Scanners: Data from security tools such as Jaeles and Nuclei.
  7. CVSS v3 Vectors: Based on the base score in the National Vulnerability Database (NVD).
  8. CPE (vendor) Information: Details about the vendors of the products involved, also from NVD.
  9. Ground Truth Data: Real-world exploitation data from sources such as AlienVault.

EPSS Model and Tools

The current EPSS model, version 2022.01.01, uses 1,164 variables and is based on Gradient Boosting, a machine learning technique. For a visual and interactive view of EPSS scores, the EPSScall tool is useful. It provides historical data and graphs that make score movement easier to inspect.

The Drivers of EPSS Scores

To understand EPSS, it helps to look at which inputs carry the most weight. The variable importance graph shows the strongest contributors to the EPSS score.

EPSS Variable Importance Graph

Vendor data plays an outsized role in the scoring process. The graph shows how much weight each component has when estimating whether a vulnerability is likely to be exploited.

Why Does This Matter?

EPSS uses these data sources to predict exploit likelihood more directly than severity-only methods. By considering factors from the age of the CVE to real-world exploit instances, EPSS gives defenders a clearer view of which vulnerabilities are more likely to matter operationally. That makes patching and mitigation decisions easier to prioritise when resources are limited.

Understanding the components of EPSS also makes the score easier to interpret. It is not a single severity metric; it is a blend of several data points, each with different weight. Tools like EPSScall make those inputs easier to inspect when tuning a vulnerability management process.
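To make the prioritisation argument concrete, here is an added Python example (not code from the original post or from FIRST): it parses a constructed payload in the shape returned by the FIRST EPSS API (https://api.first.org/data/v1/epss, where `epss` and `percentile` arrive as strings), ranks the same placeholder CVEs by CVSS and by EPSS so the two orderings can be compared, and assigns triage tiers. The CVE identifiers, scores and both thresholds are assumptions chosen for illustration.

```python
"""Rank a constructed set of CVEs by EPSS versus CVSS base score."""
import json

# Constructed sample in the shape the FIRST EPSS API returns; the CVE
# identifiers are placeholders, not real advisories, and the scores are made up.
EPSS_JSON = """
{"status": "OK", "data": [
  {"cve": "CVE-0000-0001", "epss": "0.92000", "percentile": "0.99000", "date": "2024-01-01"},
  {"cve": "CVE-0000-0002", "epss": "0.00300", "percentile": "0.65000", "date": "2024-01-01"},
  {"cve": "CVE-0000-0003", "epss": "0.15000", "percentile": "0.95000", "date": "2024-01-01"},
  {"cve": "CVE-0000-0004", "epss": "0.00050", "percentile": "0.20000", "date": "2024-01-01"}
]}
"""

# Constructed CVSS v3 base scores for the same placeholder CVEs.
CVSS = {"CVE-0000-0001": 7.5, "CVE-0000-0002": 9.8,
        "CVE-0000-0003": 6.1, "CVE-0000-0004": 5.3}


def parse_epss(raw):
    """Return {cve: (probability, percentile)} from an EPSS API payload."""
    doc = json.loads(raw)
    if doc.get("status") != "OK":
        raise ValueError("unexpected EPSS payload status")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in doc["data"]}


def rank_by_cvss(cvss):
    """Severity-only ordering: highest CVSS base score first."""
    return sorted(cvss, key=lambda c: cvss[c], reverse=True)


def rank_by_epss(epss):
    """Exploit-likelihood ordering: highest EPSS probability first."""
    return sorted(epss, key=lambda c: epss[c][0], reverse=True)


def triage(epss, cvss, epss_threshold=0.1, cvss_threshold=7.0):
    """Assign a tier per CVE. Thresholds are assumptions for this example:
    'urgent' when EPSS says exploitation is likely, 'scheduled' when the
    CVE is high severity but unlikely to be exploited, else 'backlog'."""
    tiers = {}
    for cve, (prob, _pct) in epss.items():
        if prob >= epss_threshold:
            tiers[cve] = "urgent"
        elif cvss.get(cve, 0.0) >= cvss_threshold:
            tiers[cve] = "scheduled"
        else:
            tiers[cve] = "backlog"
    return tiers


if __name__ == "__main__":
    scores = parse_epss(EPSS_JSON)
    print("CVSS order:", rank_by_cvss(CVSS))
    print("EPSS order:", rank_by_epss(scores))
    print("Tiers:", triage(scores, CVSS))
```

Note that the CVE with the highest CVSS score lands last-but-one under EPSS, which is exactly the difference the post describes between severity-only and likelihood-based triage.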

Final Thoughts

EPSS is useful because it shifts vulnerability triage away from severity alone and towards exploit likelihood. Its use of multiple data sources and machine learning makes it a practical tool for defenders who need to decide what to fix first. Prioritising vulnerabilities this way does not replace judgement, but it gives teams a stronger starting point than CVSS alone.