What Is EPSS? Exploit Prediction Scoring, Explained
EPSS (Exploit Prediction Scoring System) is a data-driven model, maintained by FIRST, that estimates the probability a software vulnerability will be exploited in the wild within the next 30 days. Every CVE gets a score between 0 and 1, updated daily. EPSS answers a question severity scores do not: how likely is this vulnerability to actually be attacked? This guide covers how EPSS works, how it compares to CVSS and CISA KEV, how to prioritize with it, and where it needs runtime context to be reliable.

What EPSS measures
EPSS, the Exploit Prediction Scoring System, is a probability score. It estimates the likelihood that a given vulnerability will be exploited in the wild within the next 30 days. Scores run from 0 to 1, or 0 to 100 percent, and are refreshed daily by FIRST, the same organization that maintains CVSS. A CVE scoring 0.90 is far more likely to be attacked in the near term than one scoring 0.02.
EPSS is built from real-world signals: exploit code availability, references across threat feeds, vulnerability characteristics, and observed exploitation activity. It is a forecast, not a guarantee. It tells you where attacker attention is most likely to land.
How EPSS differs from CVSS
CVSS measures severity: how bad the impact would be if a vulnerability were exploited. EPSS measures likelihood: how probable exploitation actually is. They answer different questions, and prioritizing on severity alone is why teams drown in findings marked critical. Most vulnerabilities are never exploited in the wild, so a queue sorted by CVSS puts theoretical impact ahead of real attacker behavior. EPSS helps separate the severe from the probable.
EPSS vs CVSS vs CISA KEV
Modern prioritization uses three signals together. Each answers a different question.
| Signal | CVSS | EPSS | CISA KEV |
|---|---|---|---|
| Question it answers | How severe is the impact? | How likely is exploitation? | Is it already being exploited? |
| What it measures | Impact severity, 0 to 10 | Probability of exploitation in 30 days, 0 to 1 | Confirmed in-the-wild exploitation, yes or no |
| Maintained by | FIRST | FIRST | CISA |
| Update frequency | On publication or revision | Daily | As new exploited CVEs are confirmed |
| Best used for | Understanding worst-case impact | Forecasting attacker attention | Mandating urgent patching of proven threats |
How to use EPSS to prioritize vulnerabilities
Use EPSS as a probability filter on top of severity, not as a replacement for it. A practical approach:
- Start with confirmed threats. Patch anything on the CISA KEV list first, regardless of scores.
- Layer EPSS onto severity. Among the remaining findings, raise the priority of high-CVSS vulnerabilities that also carry a high EPSS score.
- Set a threshold and revisit it. Many teams begin around an EPSS of 0.1 for elevated attention, then tune to their risk tolerance.
- Re-evaluate daily. EPSS moves as exploit code spreads. When a real chain emerges, like the Copy Fail Linux kernel LPE, its score can climb quickly.
Where EPSS falls short, and why runtime context completes it
EPSS is a global signal. It scores a CVE the same way for every organization, because it knows nothing about your specific application. A vulnerability can carry a high EPSS score and still pose little risk to you if the vulnerable code never loads or executes in your environment. That gap is what runtime reachability closes.
Kodem combines EPSS with runtime evidence. The Kodem Score ranks each issue from 1 to 1000 by blending static factors, including CVSS, EPSS, and exploit maturity, with environmental factors: whether the vulnerable function actually executes in production, whether the service is internet-exposed, and whether it sits on an ingress path. EPSS tells you what attackers are likely to target across the internet. Runtime reachability tells you what is actually exploitable in your application. Together they cut the backlog to what genuinely matters.
See how runtime-powered SCA and vulnerability management apply this, and how Kodem's runtime intelligence determines whether a vulnerability is reachable in the first place.
Frequently Asked Questions
- What is a good EPSS score? EPSS is a probability from 0 to 1, so there is no universal cutoff. Many teams treat 0.1, a 10 percent chance of exploitation within 30 days, as a starting threshold for elevated attention, then tune it based on risk tolerance and how it combines with severity and known exploitation.
- How often is EPSS updated? Daily. FIRST recalculates EPSS scores every day using the latest exploitation signals, so a CVE's score can rise quickly once exploit code or active exploitation appears.
- Is EPSS better than CVSS? Neither replaces the other. CVSS measures severity, EPSS measures likelihood of exploitation. Used together they prioritize far better than either signal alone.
- What is the difference between EPSS and CISA KEV? EPSS is a prediction of future exploitation. CISA KEV is a confirmed catalog of vulnerabilities already known to be exploited. KEV is certainty about what is happening now, EPSS is probability about the near future.
- Does a high EPSS score mean I am at risk? Not necessarily. EPSS scores a vulnerability the same for everyone. If the vulnerable code never loads or runs in your environment, the real risk is low regardless of the score. Runtime reachability is what confirms whether a high-EPSS vulnerability is actually exploitable in your application.
Related blogs
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

