Exploit Prediction Scoring System (EPSS)
EPSS is a daily-updated probability estimate from FIRST, scoring each CVE from 0 to 1 on how likely it is to be exploited in the wild within the next 30 days.
The Exploit Prediction Scoring System (EPSS) is maintained by FIRST, the Forum of Incident Response and Security Teams. It assigns every published CVE a probability between 0 and 1 that the vulnerability will be exploited in the wild within the next 30 days, updated daily.
How It Works
EPSS is a machine-learning model trained on real exploitation telemetry — intrusion-detection and honeypot observations — combined with vulnerability characteristics. Instead of describing how severe exploitation would be (CVSS's job), it predicts how likely exploitation is. FIRST publishes the scores as a free daily feed.
Why It Matters
Most vulnerabilities are never exploited. Triage that sorts by severity alone spends most of its effort on flaws no attacker touches. FIRST's published comparisons show probability-based triage achieving far more remediation coverage per unit of effort than a CVSS-threshold approach. EPSS is forward-looking and probabilistic — it informs prioritization for the large majority of CVEs that carry no confirmed exploitation evidence, but it does not replace that evidence.
Related Terms
EPSS complements the KEV catalog (confirmed exploitation) and the LEV metric (estimated historical exploitation), and pairs with CVSS severity in evidence-weighted scores like RiskScore.