What Is EPSS? Exploit Prediction Scoring, Explained

EPSS (Exploit Prediction Scoring System) is a data-driven model, maintained by FIRST, that estimates the probability a software vulnerability will be exploited in the wild within the next 30 days. Every CVE gets a score between 0 and 1, updated daily. EPSS answers a question severity scores do not: how likely is this vulnerability to actually be attacked? This guide covers how EPSS works, how it compares to CVSS and CISA KEV, how to prioritize with it, and where it needs runtime context to be reliable.

July 6, 2026
July 6, 2026

0 min read

No items found.
What Is EPSS?

What EPSS measures

EPSS, the Exploit Prediction Scoring System, is a probability score. It estimates the likelihood that a given vulnerability will be exploited in the wild within the next 30 days. Scores run from 0 to 1, or 0 to 100 percent, and are refreshed daily by FIRST, the same organization that maintains CVSS. A CVE scoring 0.90 is far more likely to be attacked in the near term than one scoring 0.02.

EPSS is built from real-world signals: exploit code availability, references across threat feeds, vulnerability characteristics, and observed exploitation activity. It is a forecast, not a guarantee. It tells you where attacker attention is most likely to land.

How EPSS differs from CVSS

CVSS measures severity: how bad the impact would be if a vulnerability were exploited. EPSS measures likelihood: how probable exploitation actually is. They answer different questions, and prioritizing on severity alone is why teams drown in findings marked critical. Most vulnerabilities are never exploited in the wild, so a queue sorted by CVSS puts theoretical impact ahead of real attacker behavior. EPSS helps separate the severe from the probable.

EPSS vs CVSS vs CISA KEV

Modern prioritization uses three signals together. Each answers a different question.

SignalCVSSEPSSCISA KEV
Question it answersHow severe is the impact?How likely is exploitation?Is it already being exploited?
What it measuresImpact severity, 0 to 10Probability of exploitation in 30 days, 0 to 1Confirmed in-the-wild exploitation, yes or no
Maintained byFIRSTFIRSTCISA
Update frequencyOn publication or revisionDailyAs new exploited CVEs are confirmed
Best used forUnderstanding worst-case impactForecasting attacker attentionMandating urgent patching of proven threats

How to use EPSS to prioritize vulnerabilities

Use EPSS as a probability filter on top of severity, not as a replacement for it. A practical approach:

  • Start with confirmed threats. Patch anything on the CISA KEV list first, regardless of scores.
  • Layer EPSS onto severity. Among the remaining findings, raise the priority of high-CVSS vulnerabilities that also carry a high EPSS score.
  • Set a threshold and revisit it. Many teams begin around an EPSS of 0.1 for elevated attention, then tune to their risk tolerance.
  • Re-evaluate daily. EPSS moves as exploit code spreads. When a real chain emerges, like the Copy Fail Linux kernel LPE, its score can climb quickly.

Where EPSS falls short, and why runtime context completes it

EPSS is a global signal. It scores a CVE the same way for every organization, because it knows nothing about your specific application. A vulnerability can carry a high EPSS score and still pose little risk to you if the vulnerable code never loads or executes in your environment. That gap is what runtime reachability closes.

Kodem combines EPSS with runtime evidence. The Kodem Score ranks each issue from 1 to 1000 by blending static factors, including CVSS, EPSS, and exploit maturity, with environmental factors: whether the vulnerable function actually executes in production, whether the service is internet-exposed, and whether it sits on an ingress path. EPSS tells you what attackers are likely to target across the internet. Runtime reachability tells you what is actually exploitable in your application. Together they cut the backlog to what genuinely matters.

See how runtime-powered SCA and vulnerability management apply this, and how Kodem's runtime intelligence determines whether a vulnerability is reachable in the first place.

Frequently Asked Questions

  1. What is a good EPSS score? EPSS is a probability from 0 to 1, so there is no universal cutoff. Many teams treat 0.1, a 10 percent chance of exploitation within 30 days, as a starting threshold for elevated attention, then tune it based on risk tolerance and how it combines with severity and known exploitation.
  1. How often is EPSS updated? Daily. FIRST recalculates EPSS scores every day using the latest exploitation signals, so a CVE's score can rise quickly once exploit code or active exploitation appears.
  1. Is EPSS better than CVSS? Neither replaces the other. CVSS measures severity, EPSS measures likelihood of exploitation. Used together they prioritize far better than either signal alone.
  1. What is the difference between EPSS and CISA KEV? EPSS is a prediction of future exploitation. CISA KEV is a confirmed catalog of vulnerabilities already known to be exploited. KEV is certainty about what is happening now, EPSS is probability about the near future.
  1. Does a high EPSS score mean I am at risk? Not necessarily. EPSS scores a vulnerability the same for everyone. If the vulnerable code never loads or runs in your environment, the real risk is low regardless of the score. Runtime reachability is what confirms whether a high-EPSS vulnerability is actually exploitable in your application.
Table of contents

Related blogs

No items found.

Stop the waste.
Protect your environment with Kodem.

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

3D book mockup of Kodem's State of the Application Security Workflow 2025 report

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

Kodem issues list with a magnified view of insight icons: runtime, ingress, and exploitability
Combined author
Aviv Mussinger
Publish date

0 min read

No items found.