This chapter covers the Exploit Prediction Scoring System (EPSS), a data-driven, probabilistic model for prioritizing vulnerabilities based on the likelihood of exploitation in the wild. EPSS is a critical tool for vulnerability management, and the CS0-003 exam tests your understanding of how it works, how to interpret its scores, and how it differs from CVSS. Expect 5–10% of exam questions to touch on EPSS, often in the context of prioritization frameworks or as a comparison with CVSS. Mastering EPSS will help you answer scenario-based questions about efficient patching strategies.
Imagine a busy emergency room with hundreds of incoming patients. The triage nurse cannot treat everyone at once, so she must decide who gets seen first. She assigns each patient a score from 0 to 1 based on vital signs, symptoms, and medical history. A patient with chest pain and high blood pressure gets a 0.95, while someone with a mild headache gets a 0.15. The score is not a diagnosis—it's a probability that the patient will deteriorate without immediate care. The nurse updates scores as new information arrives (e.g., lab results). Doctors then prioritize patients with scores above 0.7, but they can also override the score if they spot something the algorithm missed. This is exactly how EPSS works: it assigns a probability (0–1) that a specific vulnerability will be exploited in the wild within the next 30 days, based on threat intelligence, exploit maturity, and other signals. Security teams use EPSS scores to prioritize patching, focusing on vulnerabilities with scores above a chosen threshold (e.g., 0.1). Just as the triage nurse cannot treat every patient instantly, teams cannot patch every vulnerability—they must use probabilistic scoring to focus on the most likely to be exploited.
What is EPSS and Why Does It Exist?
The Exploit Prediction Scoring System (EPSS) is a probabilistic model developed by the Forum of Incident Response and Security Teams (FIRST) to predict the likelihood that a software vulnerability will be exploited in the wild within the next 30 days. It was created to address a fundamental problem in vulnerability management: the sheer volume of published vulnerabilities (over 20,000 per year) far exceeds the capacity of most organizations to patch them all immediately. Traditional severity scoring systems like CVSS (Common Vulnerability Scoring System) measure the inherent severity of a vulnerability—how bad it would be if exploited—but they do not measure the likelihood of exploitation. EPSS fills this gap by providing a data-driven, continuously updated probability score between 0 and 1 (0% to 100%).
How EPSS Works Internally
EPSS uses a machine learning model trained on a wide range of threat intelligence data. The model is updated daily. Here is the step-by-step mechanism:
Data Collection: EPSS aggregates data from multiple sources, including:
- CVE details (e.g., CVSS score, affected products, attack vector)
- Exploit code availability (e.g., Metasploit modules, Exploit-DB entries)
- Proof-of-concept (PoC) publications
- Active exploitation reports (e.g., from CISA, vendor advisories)
- Dark web discussions and chatter
- Twitter and other social media mentions
- Malware analysis reports
Feature Engineering: The raw data is transformed into features (predictors) that the model can use. Examples of features include:
- Days since CVE publication
- CVSS base score (especially exploitability metrics)
- Presence of a public exploit
- Number of references to the CVE
- Whether the vulnerability affects widely deployed software (e.g., Apache, Microsoft)
Model Inference: The trained model (a gradient-boosted decision tree or similar ensemble method) takes the feature vector for a given CVE and outputs a probability score between 0 and 1. This score represents the probability that the CVE will be exploited in the wild in the next 30 days. The model is recalibrated periodically to maintain accuracy.
Score Distribution: EPSS scores are heavily skewed toward low values. In practice, over 90% of CVEs have a score below 0.1 (10% probability). Only a tiny fraction (less than 1%) have scores above 0.9. This reflects reality: most vulnerabilities are never exploited.
Key Components, Values, Defaults, and Timers
Score Range: 0 (least likely) to 1 (most likely). A score of 0.05 means a 5% probability of exploitation within 30 days.
Update Frequency: The model is retrained and scores are refreshed daily.
Thresholds: There are no mandatory thresholds. Organizations choose their own risk appetite. Common thresholds:
- High priority: EPSS > 0.1 (top ~10% of CVEs)
- Critical priority: EPSS > 0.5 (top ~1% of CVEs)
Data Sources: EPSS v2 (current as of 2024) uses over 150 features. The full feature list is published by FIRST.
API Access: EPSS scores are available via a public API (https://api.first.org/data/v1/epss). No authentication required.
Configuration and Verification
EPSS is not a tool you install; it is a data feed you consume. To use EPSS, you typically:
Retrieve scores: Use the EPSS API or download the daily CSV file. Example API call:
curl https://api.first.org/data/v1/epss?cve=CVE-2023-44487
Sample response:
{
  "data": [
    {
      "cve": "CVE-2023-44487",
      "epss": 0.9763,
      "percentile": 0.9999,
      "date": "2024-01-15"
    }
  ]
}
Integrate with vulnerability management tools: Many tools (e.g., Tenable, Qualys, Rapid7) now include EPSS scores. You can also write scripts to import scores into your CMDB or ticketing system.
Set policies: Define thresholds in your patch management policy. For example: "All vulnerabilities with EPSS > 0.1 must be patched within 7 days."
How EPSS Interacts with Related Technologies
CVSS: EPSS complements CVSS. CVSS measures severity (impact), EPSS measures likelihood. Many organizations use a combined approach: prioritize CVEs with both high CVSS (e.g., >=7.0) and high EPSS (e.g., >0.1). The exam may ask you to choose between CVSS and EPSS for prioritization.
CISA KEV (Known Exploited Vulnerabilities): CISA maintains a list of vulnerabilities known to be actively exploited. Any CVE on KEV should be treated as critical regardless of EPSS score. EPSS may predict exploitation before a CVE is added to KEV.
Threat Intelligence Platforms (TIPs): EPSS can be ingested into TIPs alongside other threat indicators to enrich vulnerability data.
Patch Management Tools: EPSS scores can drive automated patching workflows. For example, a tool might automatically create a high-priority patch ticket for any CVE with EPSS > 0.5.
EPSS Percentile
In addition to the raw EPSS score, the API returns a percentile. The percentile indicates what fraction of all CVEs have a lower EPSS score. For example, a percentile of 0.9999 means this CVE is in the top 0.01% of all CVEs by exploitation likelihood. Percentiles are useful for relative prioritization when your team cannot handle all CVEs above a certain threshold.
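The percentile definition above, worked through on a constructed and deliberately skewed set of scores. This is an added example, not code from this chapter or from FIRST; the sample scores are made up and the helper names percentile_of and score_at_percentile are hypothetical.

```python
# Constructed, deliberately skewed stand-in for the full daily EPSS feed
# (200 made-up scores; the real feed holds far more CVEs but shows the same skew).
SAMPLE_SCORES = [0.001] * 170 + [0.01] * 20 + [0.03] * 8 + [0.05, 0.97]


def percentile_of(score, scores):
    """Fraction of all scores strictly below `score` (how the EPSS percentile is defined)."""
    return sum(1 for s in scores if s < score) / len(scores)


def score_at_percentile(p, scores):
    """Raw score at which fraction p of all scores lies at or below it."""
    ordered = sorted(scores)
    idx = min(round(p * len(ordered)), len(ordered) - 1)
    return ordered[idx]


if __name__ == "__main__":
    # A raw score of 0.05 looks low, yet in this skewed sample it sits at the
    # 99th percentile: only 1% of the CVEs score higher.
    print(percentile_of(0.05, SAMPLE_SCORES))        # 0.99
    # The raw score that marks the top 10% depends on the distribution: here it
    # is 0.01, whereas the chapter notes roughly 0.1 for the real feed.
    print(score_at_percentile(0.90, SAMPLE_SCORES))  # 0.01
```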
Limitations
EPSS is a prediction, not a guarantee. Some vulnerabilities with low EPSS scores may still be exploited (e.g., targeted attacks).
EPSS does not consider your specific environment (e.g., exposure, compensating controls). It is a global model.
The model is only as good as its training data. New or obscure vulnerabilities may have inaccurate scores.
Exam Relevance
The CS0-003 exam objective 2.2 (Vulnerability Management) specifically includes "Exploit prediction scoring systems (e.g., EPSS)". Expect questions that ask you to:
Interpret EPSS scores in a scenario.
Compare EPSS with CVSS.
Choose the best prioritization method given time constraints.
Understand that EPSS is updated daily and uses threat intelligence.
Retrieve EPSS Scores via API
The first step in using EPSS is to obtain the scores. You can query the EPSS API for a specific CVE or download the entire dataset. For example, to get the score for CVE-2023-44487, you run: curl https://api.first.org/data/v1/epss?cve=CVE-2023-44487. The API returns JSON with the CVE, EPSS score (0-1), percentile, and date. The score is the model's predicted probability of exploitation within the next 30 days. The percentile tells you how this CVE ranks relative to all others. For bulk operations, you can download a CSV from https://epss.cyentia.com/epss_scores-current.csv.gz. This file is updated daily and contains scores for all known CVEs.
Integrate Scores into VM Platform
Once you have the EPSS scores, you need to integrate them into your vulnerability management (VM) platform. Many commercial VM tools (e.g., Tenable, Qualys, Rapid7) now support EPSS natively. If your tool does not, you can write a script to import the CSV and match CVEs to your asset inventory. For example, a Python script could iterate over your vulnerability findings, look up the EPSS score, and add a custom field. This integration allows you to sort or filter vulnerabilities by EPSS score, creating a prioritized list for remediation.
Define Risk Thresholds and Policies
With EPSS scores available, you must define thresholds that align with your organization's risk appetite. For example, you might set a policy: 'All vulnerabilities with EPSS > 0.1 must be patched within 14 days; those with EPSS > 0.5 within 48 hours.' The choice of threshold depends on your patching capacity and tolerance for risk. A common starting point is to use the 0.1 threshold, which covers roughly the top 10% of CVEs. You may also combine EPSS with CVSS: for instance, only patch CVEs with CVSS >= 7.0 AND EPSS > 0.1. Document these policies in your vulnerability management procedure.
Prioritize Remediation Tasks
With policies in place, your VM platform will generate prioritized remediation tasks. For example, a dashboard might show a list of vulnerabilities sorted by EPSS descending. The team then works through the list, starting with the highest EPSS scores. For each vulnerability, they assess whether it applies to their environment (e.g., is the affected software installed?), whether there are compensating controls, and then schedule patching. The goal is to patch the most likely exploited vulnerabilities first, maximizing risk reduction per patch effort.
Monitor and Adjust Thresholds
EPSS is not a set-it-and-forget-it system. You should periodically review your thresholds and the effectiveness of your prioritization. For example, if you find that your team is still overwhelmed, you might raise the threshold from 0.1 to 0.2. Conversely, if you have capacity, you might lower it. Also, monitor the EPSS model itself: FIRST occasionally releases new model versions (e.g., v2, v3) that may change scores. Stay updated by checking the FIRST website. Additionally, cross-reference EPSS with actual exploitation reports (e.g., CISA KEV) to validate that high-scoring CVEs are indeed being exploited.
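The Configuration and Verification steps earlier (retrieve, integrate, set policies) and the retrieve/integrate/threshold/prioritize/monitor procedure just described, carried out end to end in one script. This is an added example, not code from the chapter or from FIRST: the CSV excerpt, scanner findings, KEV subset and the 48-hour/14-day SLAs are constructed, the '#' metadata line is assumed to mirror the layout of the real daily CSV, and load_epss, classify and prioritize are hypothetical names.

```python
import csv
from datetime import date

# Constructed excerpt in the layout of the daily EPSS CSV (a '#' metadata line,
# then cve,epss,percentile). Only the CVE-2023-44487 row matches the chapter.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-01-15T00:00:00+0000
cve,epss,percentile
CVE-2023-44487,0.97630,0.99990
CVE-2024-0001,0.00450,0.71000
CVE-2024-0002,0.15000,0.95000
CVE-2024-0003,0.04000,0.89000
"""

# Constructed scanner findings: asset, CVE and CVSS base score.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-2023-44487", "cvss": 7.5},
    {"asset": "db-01", "cve": "CVE-2024-0001", "cvss": 9.8},
    {"asset": "app-02", "cve": "CVE-2024-0002", "cvss": 8.1},
    {"asset": "hr-03", "cve": "CVE-2024-0003", "cvss": 6.5},
    {"asset": "lab-09", "cve": "CVE-2024-9999", "cvss": 5.0},  # not in the feed
]

# Constructed CISA KEV subset; KEV membership overrides the EPSS score.
KEV = {"CVE-2024-0003"}


def load_epss(text):
    """Parse the feed into {cve: (epss, percentile)} and pull out its score date."""
    score_date, rows = None, []
    for line in text.splitlines():
        if line.startswith("#"):  # metadata line carries the model and score date
            for field in line[1:].split(","):
                key, _, value = field.partition(":")
                if key == "score_date":
                    score_date = date.fromisoformat(value[:10])
            continue
        rows.append(line)
    scores = {r["cve"]: (float(r["epss"]), float(r["percentile"]))
              for r in csv.DictReader(rows)}
    return scores, score_date


def classify(finding, scores, kev, cvss_min=7.0, epss_high=0.5, epss_watch=0.1):
    """Map one finding to (tier, SLA); a lower tier number means patch sooner."""
    cve = finding["cve"]
    if cve in kev:
        return 0, "immediate (on CISA KEV)"
    if cve not in scores:
        return 1, "no EPSS score yet: review manually"
    epss = scores[cve][0]
    if epss > epss_high:
        return 1, "48 hours"
    if epss > epss_watch and finding["cvss"] >= cvss_min:
        return 2, "14 days"
    return 3, "routine backlog"


def prioritize(findings, feed_text, kev, today, max_age_days=2):
    """Enrich findings with EPSS data and order them by tier, then by EPSS score."""
    scores, score_date = load_epss(feed_text)
    # Scores change daily, so refuse to prioritize from a stale feed.
    if score_date is None or (date.fromisoformat(today) - score_date).days > max_age_days:
        raise ValueError(f"EPSS feed dated {score_date} is stale; refresh it first")
    ranked = []
    for f in findings:
        epss, pct = scores.get(f["cve"], (0.0, 0.0))
        tier, sla = classify(f, scores, kev)
        ranked.append({**f, "epss": epss, "percentile": pct, "tier": tier, "sla": sla})
    ranked.sort(key=lambda r: (r["tier"], -r["epss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, EPSS_CSV, KEV, today="2024-01-16"):
        print(f'{r["tier"]} {r["asset"]:7} {r["cve"]:15} epss={r["epss"]:.4f} '
              f'cvss={r["cvss"]} -> {r["sla"]}')
```

Note how the CVSS 9.8 finding lands in the routine backlog while the KEV-listed CVSS 6.5 finding goes first, which is the CVSS-versus-EPSS distinction the exam tests.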
Enterprise Scenario 1: Large Financial Institution
A global bank manages over 10,000 servers and 50,000 endpoints. Their vulnerability management team discovers an average of 200 new vulnerabilities per week. Using only CVSS, they would be swamped because many critical CVSS 9.0+ vulnerabilities are never exploited. They adopt EPSS with a threshold of 0.1, which reduces their weekly active remediation list to about 20 vulnerabilities. They integrate EPSS into their ServiceNow CMDB via a custom API connector. A Python script runs daily, fetches the latest EPSS scores, and updates a custom field called 'epss_score' on each vulnerability record. Their patch policy now states: "All vulnerabilities with EPSS > 0.5 must be patched within 24 hours; EPSS > 0.1 within 7 days." This approach reduces their patching workload by 90% while still covering the vast majority of exploited vulnerabilities. One challenge they faced was that some critical business systems cannot be patched quickly. For those, they implement virtual patching via Web Application Firewall (WAF) rules or network segmentation. They also use EPSS percentiles to communicate risk to executives: "We are patching the top 1% of likely exploited vulnerabilities."
Enterprise Scenario 2: Managed Security Service Provider (MSSP)
An MSSP monitors hundreds of client environments. They need to prioritize across all clients with limited resources. They use EPSS as a cross-client prioritization metric. Their SIEM (Security Information and Event Management) platform ingests vulnerability scan data from multiple tools. They enrich each finding with the EPSS score via a threat intelligence feed. The SOC (Security Operations Center) analysts focus on vulnerabilities with EPSS > 0.2 across all clients. This helps them identify which client needs immediate attention. However, they also consider client-specific factors like asset criticality and exposure. For example, if a client has an internet-facing server with a CVE that has EPSS 0.15, that might be prioritized over an internal server with EPSS 0.3. The MSSP also uses EPSS to generate automated reports for clients, showing which vulnerabilities are most likely to be exploited. One common pitfall is that clients sometimes question why a vulnerability with CVSS 10.0 is not being patched immediately. The MSSP must educate clients that EPSS provides a more accurate picture of real-world risk.
What Goes Wrong When Misconfigured?
If an organization sets the EPSS threshold too high (e.g., 0.5), they may miss vulnerabilities that are exploited but have moderate EPSS scores. For example, CVE-2023-44487 (HTTP/2 rapid reset) had an EPSS score of 0.97, so a 0.5 threshold would still catch it; the risk lies with exploited vulnerabilities whose scores fall below the threshold. However, if they set the threshold too low (e.g., 0.01), they would still have too many vulnerabilities to patch, defeating the purpose. Another misconfiguration is not updating the EPSS feed regularly. Since EPSS scores change daily, using stale data (e.g., from a week ago) could cause a newly emerging threat to be missed. Finally, ignoring the EPSS percentile can lead to misunderstanding: a score of 0.05 might seem low, but if it is in the 99th percentile, it is actually among the most likely exploited vulnerabilities. Organizations should use both score and percentile for context.
Exactly What CS0-003 Tests on EPSS (Objective 2.2)
The exam objective 2.2 states: "Given a scenario, prioritize vulnerabilities based on risk using threat intelligence, exploitation trends, and vulnerability scoring systems." EPSS is explicitly listed as an example of an exploit prediction scoring system. Expect questions that present a scenario with multiple vulnerabilities and ask which should be patched first. You must understand that EPSS predicts likelihood of exploitation, not severity. The exam will test your ability to differentiate EPSS from CVSS. Key specific points:
EPSS scores range from 0 to 1 (or 0% to 100%).
EPSS is updated daily.
EPSS uses threat intelligence and machine learning.
EPSS does not consider your environment; it is a global model.
CVSS measures severity (impact), EPSS measures likelihood.
Common Wrong Answers and Why Candidates Choose Them
Choosing CVSS over EPSS for prioritization when the scenario emphasizes limited resources and real-world exploitation data. Many candidates assume CVSS is always the best metric because it is more widely known. But the exam scenario will explicitly state that the team is overwhelmed and needs to focus on vulnerabilities most likely to be exploited. In that case, EPSS is the right tool.
Thinking EPSS replaces CVSS. EPSS and CVSS are complementary. The exam may ask which to use for a specific purpose. For example, to determine the worst-case impact, use CVSS. To determine which vulnerability is most likely to be exploited, use EPSS.
Misinterpreting EPSS score as a severity rating. A candidate might see EPSS 0.9 and think it means the vulnerability is extremely severe. Actually, it means there is a 90% probability of exploitation. The severity (e.g., whether it leads to RCE or DoS) is separate.
Assuming EPSS is static. The exam may present a scenario where a vulnerability had a low EPSS score last week but now has a high score. Candidates might ignore the update because they think scores don't change. In reality, EPSS is dynamic.
Specific Numbers, Values, and Terms That Appear Verbatim on the Exam
"EPSS" (Exploit Prediction Scoring System)
Score range: 0 to 1 (or 0% to 100%)
Update frequency: daily
Developed by: FIRST (Forum of Incident Response and Security Teams)
Threshold example: 0.1 (top 10% of vulnerabilities)
Percentile: used to compare relative likelihood
Data sources: threat intelligence, exploit code availability, social media
Edge Cases and Exceptions the Exam Loves to Test
CISA KEV vs. EPSS: If a vulnerability is on CISA's Known Exploited Vulnerabilities list, it should be treated as critical even if EPSS is low. The exam may include a scenario where a CVE has low EPSS but is on KEV; the correct answer is to patch it immediately.
Zero-day vulnerabilities: EPSS may not have a score for very new CVEs. In that case, rely on other intelligence (e.g., vendor advisory, exploit availability).
Combined use: The exam may ask which two metrics to use together. The correct answer is often CVSS and EPSS.
False positives: EPSS is a prediction; some high-scoring CVEs may never be exploited. The exam may test that you understand EPSS is probabilistic, not deterministic.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When you see a prioritization question, first identify the key constraint: time, resources, or risk appetite. If the scenario says "limited patching resources" or "need to focus on most likely exploited," eliminate any answer that relies solely on CVSS. If the scenario mentions "most severe impact," eliminate EPSS-only answers. If a question asks what EPSS measures, eliminate answers that say "severity" or "impact." Remember: EPSS is about probability, not impact. Also, if a question offers an EPSS score without a percentile, consider whether the score alone is sufficient. Usually, percentile provides context. The exam may test that a score of 0.05 might still be high if it is in the 99th percentile.
EPSS predicts the probability (0-1) that a vulnerability will be exploited in the wild within 30 days.
EPSS scores are updated daily and available via public API or CSV download.
EPSS is developed and maintained by FIRST (Forum of Incident Response and Security Teams).
EPSS is complementary to CVSS; use both for effective prioritization.
A common EPSS threshold is 0.1, which covers the top ~10% of vulnerabilities.
EPSS does not consider your specific environment; always add context like asset criticality.
CISA's KEV list overrides EPSS; any CVE on KEV should be patched immediately regardless of EPSS score.
These come up on the exam all the time. Here's how to tell them apart.
EPSS
Measures likelihood of exploitation (probability score 0-1).
Updated daily based on threat intelligence.
Developed by FIRST.
Does not consider environmental factors.
Used for prioritization based on real-world exploitation trends.
CVSS
Measures severity of vulnerability (score 0-10).
Static once assigned (unless recalculated).
Developed by FIRST (originally NIST).
Can be modified with environmental and temporal metrics.
Used for baseline severity assessment, not exploitation likelihood.
Mistake
EPSS replaces CVSS for vulnerability prioritization.
Correct
EPSS and CVSS are complementary. CVSS measures inherent severity (impact), while EPSS measures likelihood of exploitation. Most organizations use both to prioritize vulnerabilities that are both severe and likely to be exploited.
Mistake
An EPSS score of 0.9 means the vulnerability is extremely severe.
Correct
EPSS score is a probability of exploitation, not a severity rating. A 0.9 score means a 90% chance of being exploited within 30 days, regardless of impact. The vulnerability could be a low-severity information disclosure that is easily exploited.
Mistake
EPSS scores are static and do not change over time.
Correct
EPSS scores are updated daily based on new threat intelligence. A vulnerability that was low risk yesterday might become high risk today if a proof-of-concept exploit is published. Always use the latest scores.
Mistake
EPSS considers the specific environment of the organization.
Correct
EPSS is a global model that does not account for your specific network, compensating controls, or asset criticality. It provides a baseline likelihood that a vulnerability will be exploited anywhere in the wild. You must overlay your own context.
Mistake
A low EPSS score means the vulnerability will never be exploited.
Correct
EPSS is probabilistic. A low score means low probability, but exploitation is still possible, especially in targeted attacks. Always consider other intelligence like CISA KEV and your own threat model.
CVSS (Common Vulnerability Scoring System) measures the inherent severity of a vulnerability, including its potential impact on confidentiality, integrity, and availability. EPSS (Exploit Prediction Scoring System) measures the likelihood that a vulnerability will be exploited in the wild within the next 30 days. CVSS scores range from 0 to 10; EPSS scores range from 0 to 1. They are complementary: use CVSS to understand how bad an exploit would be, and EPSS to understand how likely it is to happen. For example, a vulnerability with CVSS 9.0 but EPSS 0.01 is severe but unlikely to be exploited, so you might patch it later than a CVSS 7.0 with EPSS 0.9.
EPSS scores are updated daily. The model is retrained periodically, but the scores are refreshed every day with new threat intelligence data. This means a vulnerability's EPSS score can change significantly overnight if a new exploit is published or if there is a surge in dark web chatter. Always use the most current scores when making prioritization decisions.
There is no single correct threshold; it depends on your organization's risk appetite and patching capacity. A common starting point is 0.1, which typically covers the top 10% of vulnerabilities. Some organizations use 0.5 for critical priority. You can also use percentiles: e.g., patch all vulnerabilities in the 99th percentile or above. The key is to choose a threshold that reduces your workload to a manageable level while still covering the vast majority of exploited vulnerabilities. Monitor and adjust as needed.
No. EPSS is a global model that predicts exploitation likelihood across the entire internet. It does not know if a specific vulnerability affects software you use, if it is exposed to the internet, or if you have compensating controls. You must overlay your own context: for example, a vulnerability with high EPSS but only affecting software you don't use should be deprioritized. Conversely, a vulnerability with moderate EPSS on an internet-facing server might be more urgent than a high EPSS on an isolated internal system.
EPSS scores are publicly available. You can query the API for a specific CVE: curl https://api.first.org/data/v1/epss?cve=CVE-2023-44487. For bulk access, download the daily CSV from https://epss.cyentia.com/epss_scores-current.csv.gz. The data is free and does not require authentication. Many vulnerability management tools also integrate EPSS natively.
The EPSS percentile indicates what fraction of all CVEs have a lower EPSS score. For example, a percentile of 0.9999 means this CVE is in the top 0.01% of all CVEs by exploitation likelihood. Percentiles are useful for relative prioritization when you cannot patch all CVEs above a certain raw score. For example, you might choose to patch all CVEs in the 95th percentile or above, regardless of their raw score.
EPSS may not have a score for very new CVEs (zero-days) because the model requires data. In such cases, you should rely on other sources like vendor advisories, CISA KEV, or threat intelligence feeds. Once the CVE is published and data accumulates, EPSS will assign a score. For zero-days, the absence of an EPSS score does not mean low risk; treat them with caution.