What is EPSS?

Last reviewed June 2, 2026

EPSS, the Exploit Prediction Scoring System, is a data-driven model maintained by FIRST.org that estimates the probability a given CVE will be exploited in the wild within the next 30 days. It outputs a probability from 0 to 1 plus a percentile rank against all scored CVEs, and it is recalculated daily. EPSS measures likelihood of exploitation, not severity or confirmed attacks.

EPSS in one sentence

EPSS (the Exploit Prediction Scoring System) is a community-driven effort, governed by FIRST.org, that produces a daily estimate of how likely a vulnerability is to be exploited in the wild. Each scored CVE receives a probability between 0 and 1 and a percentile that ranks it against every other scored CVE.

Unlike a severity score, EPSS answers a forward-looking question: of all the known vulnerabilities, which ones are attackers most likely to actually use in the near term? That makes it a prioritization signal rather than a measure of technical impact.

Probability vs percentile

Every EPSS entry has two numbers, and confusing them is a common mistake. The probability is the model's estimate of the chance the CVE is exploited within the next 30 days. The percentile expresses where that probability ranks relative to all other CVEs.

  • Probability (0 to 1): a CVE with an EPSS probability of 0.90 has an estimated 90 percent chance of being exploited in the next 30 days.
  • Percentile (0 to 100): a CVE at the 97th percentile scores higher than 97 percent of all CVEs, which is useful for setting a relative threshold.
  • A high percentile does not always mean a high probability, because exploitation is rare overall and the distribution is heavily skewed toward zero.
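The following is an added example, not code from the page or from FIRST.org, showing why a high percentile can sit on a modest probability. It builds a constructed population of 1000 probabilities skewed toward zero (the real distribution comes from the FIRST EPSS feed), computes the percentile as the share of scored CVEs at or below a given probability (assumed here to match FIRST's definition), and flags the "high rank, low chance" case the bullets describe.

```python
# Added example (not from the original page). The population is constructed
# for illustration; real EPSS scores come from the daily FIRST.org feed.

def constructed_population():
    """1000 constructed probabilities, skewed toward zero like real EPSS data."""
    pop = []
    for i in range(950):             # bulk of CVEs: under 2 percent
        pop.append(0.0005 + i * 0.00002)
    for i in range(40):              # a small moderate band: 2 to ~20 percent
        pop.append(0.02 + i * 0.0045)
    for i in range(10):              # a handful of high scores: 25 to ~88 percent
        pop.append(0.25 + i * 0.07)
    return pop

def epss_percentile(probability, population):
    """Share of scored CVEs whose probability is at or below the given one
    (assumed to match FIRST's definition of the EPSS percentile)."""
    at_or_below = sum(1 for p in population if p <= probability)
    return at_or_below / len(population)

def median_probability(population):
    """Median of the population; shows how low a 'typical' EPSS score is."""
    s = sorted(population)
    n = len(s)
    return (s[n // 2 - 1] + s[n // 2]) / 2 if n % 2 == 0 else s[n // 2]

def describe(probability, population):
    """Pair a probability with its percentile and flag the case where a CVE
    ranks above the common 95th-percentile cutoff yet has under a 10 percent
    chance of exploitation in the next 30 days."""
    pct = epss_percentile(probability, population)
    return {
        "probability": probability,
        "percentile": pct,
        "high_rank_low_chance": pct >= 0.95 and probability < 0.10,
    }

if __name__ == "__main__":
    pop = constructed_population()
    print(f"median probability: {median_probability(pop):.4f}")
    for p in (0.05, 0.90):
        print(describe(p, pop))
```

With this population a CVE at probability 0.05 lands at the 95.7th percentile: it clears a percentile threshold of 95 while carrying only a 5 percent chance of exploitation, which is exactly why a triage rule should state which of the two numbers it keys on.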

How EPSS is calculated

EPSS is a machine-learning model trained on real-world exploitation data. It ingests dozens of signals, including the presence of public exploit code, references in exploitation feeds, mentions on social media and security lists, CVSS vector characteristics, the affected vendor and product, and the age of the vulnerability.

The model is retrained and rescored daily, so a CVE's EPSS value moves as new evidence appears. A proof-of-concept landing on a public repository or a spike in observed scanning can push a score up within a day.

What EPSS does not tell you

EPSS is one input, not a complete decision. It does not measure the technical severity or business impact of a vulnerability, which is the job of CVSS. It also does not confirm that exploitation has actually happened, which is what the CISA KEV catalog records.

A low EPSS score is a probability estimate, not a guarantee of safety. Targeted attacks against a specific organization may never appear in the public data EPSS learns from, so EPSS should always be combined with severity and confirmed-exploitation signals.
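The following is an added example, not code from the page or from FIRST.org or CISA, of combining the three signals the text separates: EPSS likelihood, CVSS severity and KEV confirmed exploitation. It assumes the EPSS bulk CSV layout is one comment line followed by `cve,epss,percentile` columns, uses the thresholds from the FAQ below (probability at or above 0.1, or percentile at or above 95), and constructs its CVE identifiers, CVSS scores and KEV membership as placeholders.

```python
# Added example (not from the original page). All identifiers and scores below
# are constructed placeholders; the CSV layout and thresholds are assumptions
# stated in the lead-in.
import csv

LIKELY_PROBABILITY = 0.10   # FAQ: roughly 10 percent probability
LIKELY_PERCENTILE = 0.95    # FAQ: percentile above 90 to 95; this policy uses 95
HIGH_SEVERITY = 7.0         # CVSS "high" lower bound
CRITICAL_SEVERITY = 9.0     # CVSS "critical" lower bound

TIERS = [
    "P1 confirmed exploitation (KEV)",
    "P2 likely exploitation, high severity",
    "P3 likely exploitation",
    "P4 critical severity, low likelihood",
    "P5 routine",
]

# Constructed sample in the assumed shape of the FIRST EPSS bulk CSV.
SAMPLE_EPSS_CSV = """#model_version:example,score_date:2026-06-02
cve,epss,percentile
CVE-EXAMPLE-0001,0.00042,0.11
CVE-EXAMPLE-0002,0.93,0.999
CVE-EXAMPLE-0003,0.05,0.957
CVE-EXAMPLE-0004,0.002,0.60
"""
# Constructed severity and KEV data for the same placeholder CVEs.
SAMPLE_CVSS = {
    "CVE-EXAMPLE-0001": 9.8,   # critical severity, but EPSS says unlikely
    "CVE-EXAMPLE-0002": 7.5,
    "CVE-EXAMPLE-0003": 5.3,   # modest probability, high percentile
    "CVE-EXAMPLE-0004": 6.1,   # low EPSS, yet confirmed exploited (KEV)
}
SAMPLE_KEV = {"CVE-EXAMPLE-0004"}

def parse_epss_csv(text):
    """Map cve -> (probability, percentile), skipping the leading comment line."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(lines)}

def likely_exploited(epss, percentile):
    return epss >= LIKELY_PROBABILITY or percentile >= LIKELY_PERCENTILE

def tier(epss, percentile, cvss, in_kev):
    """Confirmed exploitation outranks any prediction; then likelihood,
    then severity alone."""
    if in_kev:
        return TIERS[0]
    likely = likely_exploited(epss, percentile)
    if likely and cvss >= HIGH_SEVERITY:
        return TIERS[1]
    if likely:
        return TIERS[2]
    if cvss >= CRITICAL_SEVERITY:
        return TIERS[3]
    return TIERS[4]

def prioritize(epss_text, severity, kev):
    """Return [(cve, tier)] ordered by tier, then by EPSS probability."""
    ranked = []
    for cve, (epss, pct) in parse_epss_csv(epss_text).items():
        ranked.append((cve, tier(epss, pct, severity.get(cve, 0.0), cve in kev), epss))
    ranked.sort(key=lambda r: (TIERS.index(r[1]), -r[2]))
    return [(cve, t) for cve, t, _ in ranked]

if __name__ == "__main__":
    for cve, t in prioritize(SAMPLE_EPSS_CSV, SAMPLE_CVSS, SAMPLE_KEV):
        print(f"{cve}: {t}")
```

The ordering that falls out of the sample is the point of the section: the KEV entry with a low EPSS score ranks first because exploitation is confirmed, the CVSS 9.8 entry ranks last among the actionable tiers because nothing suggests it is being used, and the two likelihood tiers sit between them.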

Frequently asked questions

What does EPSS stand for?
EPSS stands for the Exploit Prediction Scoring System, a model maintained by FIRST.org that estimates the probability a CVE will be exploited in the wild.

What is a good EPSS score?
There is no universal cutoff, but many teams treat a probability above roughly 0.1 (10 percent) or a percentile above 90 to 95 as a signal to prioritize, then tune the threshold to their risk tolerance and capacity.

How often is EPSS updated?
EPSS scores are recalculated and published daily, so a CVE can move sharply when new exploit code or exploitation evidence emerges.

Is EPSS the same as CVSS?
No. CVSS measures the severity and potential impact of a vulnerability, while EPSS estimates the likelihood it will be exploited soon. They answer different questions and work best together.