PatchDay Alert

Intel · Tool review

EPSS: the score that lets you push back on 'patch CVSS 9.8 in 24 hours'

A daily-updated probability that a given CVE will actually be exploited in the next 30 days. The tiebreaker for any CVSS-only patch policy.

Reviewed by The Field Notes Desk · May 24, 2026 · 4 min read

Vendor
FIRST.org
Pricing
Free, no key required
License



It’s Wednesday morning. Your queue has a CVSS 9.8 sitting next to a CVSS 7.5. The 9.8 has an EPSS probability of 0.001. The 7.5 has an EPSS probability of 0.78. Your auditor wants the 9.8 patched inside 24 hours because the policy says criticals get patched inside 24 hours. Statistically, the 7.5 is the one about to ruin your week. EPSS is the artifact you put in front of the auditor when you want to patch the 7.5 first without lying about what you’re doing.

That’s the whole pitch. CVSS tells you how bad a vulnerability could be in theory. EPSS tells you how likely it is that someone will actually point an exploit at it in the next 30 days. Both numbers are useful. Only one of them is trained on what attackers have actually done.

What EPSS is, briefly

EPSS is a model maintained by a working group under FIRST.org. It ingests features about a CVE (vendor, product, known exploit code, mentions in public sources, CVSS metrics, and others) and produces two numbers per CVE, refreshed daily:

  1. A probability: the model's estimate, on a 0 to 1 scale, that the CVE will be exploited in the wild within the next 30 days.
  2. A percentile: where that probability ranks against every other CVE the model scores.

If you only remember one thing: probability is the answer, percentile is the rank. Most of the misuse I’ve seen on Twitter and in vendor decks comes from someone reporting a percentile and calling it a probability.

How to actually use it

The most defensible free prioritization stack today is two layers:

  1. KEV as an override. If CISA KEV or VulnCheck KEV says it’s exploited, you patch, full stop. EPSS doesn’t get a vote.
  2. EPSS as the tiebreaker on everything else. When you have more highs and criticals than you can patch this week, EPSS is what reorders the list against attacker reality instead of theoretical worst-case.

A useful threshold to start with is EPSS probability ≥ 0.1 (roughly the top few percent of all CVEs) as “treat this as elevated even without KEV.” Tune from there based on how often it would have flagged things that actually mattered in your environment.
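As an added example (not code from PatchDay Alert or FIRST.org), here is the two-layer stack above as a small reordering function: KEV membership overrides everything, EPSS at or above the 0.1 starting threshold marks a finding elevated, and within a tier higher EPSS goes first with CVSS only breaking ties. The CVE IDs, scores and KEV flags in the sample queue are constructed placeholders, and `justification()` is an assumed helper that produces the one-line rationale you would attach to a ticket.

```python
from dataclasses import dataclass

ELEVATED_EPSS = 0.1  # starting threshold from the review; tune per environment


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float            # probability of exploitation in the next 30 days (0..1)
    in_kev: bool = False   # listed in CISA KEV or VulnCheck KEV


def tier(f: Finding) -> int:
    """0 = KEV override (patch, full stop); 1 = EPSS elevated; 2 = everything else."""
    if f.in_kev:
        return 0
    if f.epss >= ELEVATED_EPSS:
        return 1
    return 2


def prioritize(findings):
    """Order a patch queue: KEV first, then EPSS-elevated, then the rest.
    Inside a tier, higher EPSS comes first; CVSS only breaks EPSS ties."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def justification(f: Finding) -> str:
    """One-line rationale for the ticket or audit record."""
    if f.in_kev:
        return f"{f.cve}: in KEV, known exploited; patch regardless of EPSS {f.epss:.3f}"
    if f.epss >= ELEVATED_EPSS:
        return f"{f.cve}: EPSS {f.epss:.3f} >= {ELEVATED_EPSS}; elevated despite CVSS {f.cvss}"
    return f"{f.cve}: EPSS {f.epss:.3f} < {ELEVATED_EPSS}; CVSS {f.cvss} alone does not force a 24h SLA"


# Constructed sample queue: placeholder IDs and made-up scores, not real data.
SAMPLE_QUEUE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.001),          # the "critical" that can wait
    Finding("CVE-0000-0002", cvss=7.5, epss=0.78),           # the one about to ruin your week
    Finding("CVE-0000-0003", cvss=6.5, epss=0.02, in_kev=True),  # KEV wins even with low EPSS
    Finding("CVE-0000-0004", cvss=8.1, epss=0.12),
    Finding("CVE-0000-0005", cvss=9.1, epss=0.12),           # same EPSS as above; CVSS breaks the tie
]


def patch_order(findings=SAMPLE_QUEUE):
    """Return CVE IDs in the order they should be worked."""
    return [f.cve for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_QUEUE):
        print(f"tier {tier(f)}  {justification(f)}")
```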

What it doesn’t do

EPSS is a probabilistic model trained on historical signal. That means two real limits:

  1. It does not know your environment. Whether the affected component is present, reachable or exposed on your network is outside the model.
  2. It will occasionally miss something a careful human would not. A model trained on historical signal can only rate what that signal covers.

Treat EPSS as one input to a decision, not the decision itself. The reason it pairs cleanly with KEV is that KEV says “known exploited” (high confidence, narrow coverage) and EPSS says “predicted likely to be exploited” (probabilistic, broad coverage). Different failure modes, complementary use.

We use it in the pipeline

PatchDay Alert’s own digest pipeline already uses EPSS internally. The “low-audience device cap” (the per-digest limit on router, firmware, IoT and DVR CVEs) has a hard bypass for any CVE with EPSS ≥ 0.1, regardless of vendor or audience size. That’s the cleanest endorsement I can offer: when we wrote the rule that says “don’t let three router bugs from the same week dominate the digest,” EPSS is what we trusted to say “wait, this router bug is the exception, let it through.” We eat our own cooking.

Get it

Daily CSV download and a public API, no key required, no registration, no rate-limit grief: https://www.first.org/epss/. The API returns JSON keyed by CVE ID and is fast enough to call inline during a triage session.

If your patch policy still treats CVSS as a single-input scoring system in 2026, EPSS is the cheapest credible upgrade available. It does not replace KEV, it does not know your environment, and it will occasionally miss something a careful human would not. It also costs nothing, updates daily, and gives you a defensible number to put next to “this CVSS 9.8 can wait until next sprint.” That’s the kind of artifact a one-person ops team needs more of, not less.

#vulnerability-intel #prioritization #exploit-prediction #epss

Sources

This is an editorial review. PatchDay Alert was not paid by FIRST.org to write it. Sponsored content, when we run it, is labeled Sponsored and kept visually distinct from editorial reviews.
