EPSS vs KEV
Last reviewed June 2, 2026
EPSS and the CISA KEV both describe exploitation, but from opposite ends. EPSS predicts the probability that a CVE will be exploited in the next 30 days, using a machine-learning model whose scores are recomputed daily. The CISA KEV is a curated catalog of CVEs with confirmed, observed exploitation in the wild. EPSS is forward-looking and probabilistic; KEV is evidence-based and binary. Use KEV as a hard override and EPSS to rank everything else.
The core difference
EPSS is a prediction. It assigns every scored CVE a probability that exploitation will occur within 30 days, and that number is recalculated daily as new evidence appears. The CISA KEV is a confirmation. A CVE is on the KEV list because CISA has reliable evidence that it is already being exploited in the wild.
In other words, EPSS tells you what is likely to happen, and KEV tells you what is already happening. A CVE often climbs in EPSS before it lands on the KEV catalog, and many KEV entries carry high EPSS scores precisely because the model picked up the same signals.
EPSS vs KEV at a glance
| Dimension | EPSS | CISA KEV |
|---|---|---|
| Nature | Predictive probability | Confirmed evidence |
| Output | Probability 0 to 1 plus percentile | On the list or not (binary) |
| Maintained by | FIRST.org (EPSS SIG) | CISA |
| Updated | Daily, for all scored CVEs | Added as exploitation is confirmed |
| Coverage | Nearly all published CVEs (hundreds of thousands) | A small curated subset (on the order of a thousand or so CVEs) |
| Carries a deadline | No | Yes, under BOD 22-01 for US federal agencies |
| Best used for | Ranking the full backlog by likelihood | A hard, top-priority override |
How they work together
- Treat KEV membership as a non-negotiable top priority: confirmed exploitation outranks any prediction.
- For the vast majority of CVEs that are not on the KEV list, use EPSS to rank by likelihood of near-term exploitation.
- Watch for high or rising EPSS scores as an early warning that a CVE may soon be added to the KEV catalog.
- Layer CVSS on top of both to weigh impact once likelihood has ordered the list. CVSS measures technical severity, not exploitation likelihood, so it should break ties within a tier rather than drive the ranking.
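The four steps above, as one ranking routine (an added example, not code from the page, FIRST.org or CISA). It parses constructed samples shaped like the KEV JSON feed (a `vulnerabilities` array with `cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and the daily EPSS CSV (one `#` metadata line, then `cve,epss,percentile`); the CVE identifiers, scores, due dates and CVSS values are all made up. The 0.10 EPSS cut-off and the 0.10 day-over-day jump used for the early-warning check are assumed thresholds for illustration, not recommendations from either program.

```python
import csv
import io
import json

# Constructed sample in the shape of the CISA KEV JSON feed. Field names match the
# real catalog; the entries are invented for this example.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-1001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-1003", "vendorProject": "ExampleVendor", "product": "LegacyApp",
     "dateAdded": "2026-05-28", "dueDate": "2026-06-18", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed samples in the shape of the daily EPSS CSV (one '#' metadata line,
# then cve,epss,percentile). Two days are included so a rising score can be detected.
EPSS_TODAY = """#model_version:v2025.03.14,score_date:2026-06-02T00:00:00+0000
cve,epss,percentile
CVE-2026-1001,0.91234,0.99912
CVE-2026-1002,0.48117,0.97650
CVE-2021-1003,0.01120,0.76400
CVE-2026-1004,0.00052,0.18200
CVE-2026-1005,0.00890,0.72100
"""
EPSS_YESTERDAY = """#model_version:v2025.03.14,score_date:2026-06-01T00:00:00+0000
cve,epss,percentile
CVE-2026-1001,0.90100,0.99900
CVE-2026-1002,0.03250,0.86700
CVE-2021-1003,0.01100,0.76300
CVE-2026-1004,0.00050,0.18100
CVE-2026-1005,0.00870,0.72000
"""

# Assumed CVSS v3.1 base scores for the same CVEs (made up, not looked up).
CVSS = {"CVE-2026-1001": 9.8, "CVE-2026-1002": 7.5, "CVE-2021-1003": 8.8,
        "CVE-2026-1004": 9.1, "CVE-2026-1005": 5.3}


def load_kev(text):
    """Map cveID -> catalog entry from the KEV JSON."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """Map cve -> (epss, percentile), skipping the leading '#' metadata line."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in rows}


def prioritize(cves, kev, epss, cvss, epss_threshold=0.10):
    """Tier 0: on KEV, earliest BOD 22-01 due date first. Tier 1: EPSS at or above the
    threshold, highest first. Tier 2: everything else by EPSS. CVSS only breaks ties."""
    def key(cve):
        score, _percentile = epss.get(cve, (0.0, 0.0))
        if cve in kev:
            return (0, kev[cve]["dueDate"], -cvss.get(cve, 0.0))
        tier = 1 if score >= epss_threshold else 2
        return (tier, -score, -cvss.get(cve, 0.0))
    return sorted(cves, key=key)


def rising(today, yesterday, min_jump=0.10):
    """CVEs whose EPSS rose by at least min_jump since the previous day: the early
    warning that exploitation signals are accumulating ahead of any KEV listing."""
    return sorted(cve for cve, (score, _p) in today.items()
                  if score - yesterday.get(cve, (0.0, 0.0))[0] >= min_jump)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    today, yesterday = load_epss(EPSS_TODAY), load_epss(EPSS_YESTERDAY)
    for cve in prioritize(list(today), kev, today, CVSS):
        tag = "KEV due %s" % kev[cve]["dueDate"] if cve in kev else "EPSS %.3f" % today[cve][0]
        print(cve, tag, "CVSS", CVSS[cve])
    print("rising:", rising(today, yesterday))
```

Two rows in the sample are there on purpose: CVE-2021-1003 is on KEV with an EPSS of about 0.01 and still lands in the top tier, and CVE-2026-1004 has the second-highest CVSS but sits last because nothing suggests it is being exploited. Swapping the real feeds in means replacing the two string constants with the downloaded files; the parsers already skip the EPSS metadata line.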
Coverage and limitations
The KEV catalog is intentionally narrow: it lists only what CISA can confirm, so it omits exploitation that has not been observed or reported. That precision is its strength, but it means absence from the KEV list is not proof a vulnerability is safe.
EPSS covers nearly every published CVE, so it gives you a signal even where no exploitation has been confirmed. The trade-off is that EPSS is a statistical estimate: a low score means a low estimated probability, not zero, and it says nothing about whether a targeted attacker will pick that vulnerability against you specifically. Using both closes the gap between broad prediction and confirmed fact.
Frequently asked questions
- Is KEV or EPSS more important?
- They serve different roles. KEV is the stronger signal because it reflects confirmed exploitation, so KEV entries usually take top priority. EPSS then ranks the much larger set of CVEs that are not on the KEV list.
- Can a CVE be on the KEV list but have a low EPSS score?
- It can, because the two draw on overlapping but not identical evidence: EPSS is a model over many signals, while KEV records specific confirmed reports, and an older or niche product with confirmed exploitation can still score low. When they disagree, the confirmed KEV evidence should win.
- Does EPSS replace the KEV catalog?
- No. EPSS predicts likelihood across all CVEs, while KEV confirms real exploitation for a curated subset. They are complementary, and mature programs use both.
- Why might a CVE have high EPSS before joining the KEV?
- EPSS reacts daily to signals like public exploit code and observed scanning, so it can flag a likely target before CISA has confirmed and published exploitation evidence.