How to prioritise patches: KEV, EPSS, CVSS & SSVC
Patch prioritisation · 8-min read · updated June 2026
You can't patch everything at once, and a queue sorted by CVSS alone wastes effort on bugs nobody is exploiting. The fix is to order by what attackers are actually doing — then layer in severity and your own context.
The four signals
| Signal | Question it answers | Source |
|---|---|---|
| KEV | Is it being exploited right now? | CISA |
| EPSS | How likely is exploitation in 30 days? | FIRST.org |
| CVSS | How bad if it is exploited? | NVD / vendor |
| SSVC | What should I do, given my context? | Your decision tree |
The ordering, step by step
1. Anything on the CISA Known Exploited Vulnerabilities list is being used by attackers now. These go to the top of the queue, regardless of CVSS.
2. For the rest, EPSS estimates the chance of exploitation in the next 30 days. A high EPSS (say ≥ 10%) pulls a vulnerability up even before it reaches KEV.
3. Among similar exploitation signals, fix higher-severity issues first. CVSS answers "how bad if exploited", not "how likely".
4. Factor in exposure, mission impact and whether automatable exploitation is possible. SSVC turns the signals into a Track / Attend / Act decision for your environment.
5. Patch, mitigate, or accept-and-document each item. Recording the decision is what makes the order defensible to an auditor or an incident reviewer.
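The five steps above, carried through as an added Python script that is not part of this page and is not IsItPatched's own code. It assumes a small record type for each finding, uses the 10% EPSS threshold from step 2, and applies a deliberately simplified Track / Attend / Act rule that approximates the SSVC idea rather than the official SSVC decision tree; the identifiers (`CVE-EXAMPLE-*`) and all scores are constructed sample values.

```python
from dataclasses import dataclass

# Threshold from step 2 above ("say >= 10%"); an assumption to tune per environment.
EPSS_HIGH = 0.10


@dataclass(frozen=True)
class Vuln:
    """One finding: the three public signals plus the local context SSVC needs."""
    cve: str             # placeholder identifier; not a real CVE
    cvss: float          # CVSS base score (severity: how bad if exploited)
    epss: float          # EPSS probability of exploitation within 30 days, 0.0-1.0
    kev: bool            # listed in CISA KEV (confirmed exploitation)
    exposed: bool        # reachable from an untrusted network in *your* deployment
    automatable: bool    # exploitation can be scripted end to end
    mission_impact: str  # "low" | "medium" | "high" for the system it sits on


def exploitation_tier(v: Vuln) -> int:
    """0 = on KEV (exploited now), 1 = high EPSS, 2 = everything else."""
    if v.kev:
        return 0
    if v.epss >= EPSS_HIGH:
        return 1
    return 2


def queue_key(v: Vuln) -> tuple:
    """Sort key: exploitation tier first, then CVSS, then EPSS as a tie-breaker."""
    return (exploitation_tier(v), -v.cvss, -v.epss)


def ssvc_decision(v: Vuln) -> str:
    """Simplified Track / Attend / Act rule (an assumption, not the official SSVC tree)."""
    tier = exploitation_tier(v)
    if tier == 0 and (v.automatable or v.mission_impact == "high"):
        return "Act"
    if tier == 0 or (tier == 1 and (v.exposed or v.mission_impact == "high")):
        return "Attend"
    return "Track"


def rationale(v: Vuln) -> str:
    """Human-readable reason, stored with the decision so the order is auditable (step 5)."""
    tier_text = {
        0: "on CISA KEV",
        1: f"EPSS {v.epss:.0%} >= {EPSS_HIGH:.0%}",
        2: f"EPSS {v.epss:.1%}, not in KEV",
    }[exploitation_tier(v)]
    return (f"{tier_text}; CVSS {v.cvss}; exposed={v.exposed}; "
            f"automatable={v.automatable}; mission_impact={v.mission_impact}")


def build_queue(vulns: list[Vuln]) -> list[dict]:
    """Return the fix-first queue, each item carrying its recorded decision and reason."""
    return [
        {"cve": v.cve, "tier": exploitation_tier(v),
         "decision": ssvc_decision(v), "why": rationale(v)}
        for v in sorted(vulns, key=queue_key)
    ]


# Constructed sample findings (placeholder identifiers, invented scores).
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", cvss=9.8, epss=0.004, kev=False, exposed=False, automatable=True,  mission_impact="medium"),
    Vuln("CVE-EXAMPLE-B", cvss=7.2, epss=0.55,  kev=True,  exposed=True,  automatable=True,  mission_impact="high"),
    Vuln("CVE-EXAMPLE-C", cvss=8.1, epss=0.23,  kev=False, exposed=True,  automatable=False, mission_impact="medium"),
    Vuln("CVE-EXAMPLE-D", cvss=5.3, epss=0.01,  kev=False, exposed=False, automatable=False, mission_impact="low"),
    Vuln("CVE-EXAMPLE-E", cvss=6.5, epss=0.31,  kev=True,  exposed=False, automatable=False, mission_impact="low"),
]

if __name__ == "__main__":
    for i, item in enumerate(build_queue(SAMPLE), 1):
        print(f"{i}. {item['cve']:14} tier={item['tier']} {item['decision']:6} {item['why']}")
```

Running it puts the two KEV entries first (the CVSS 7.2 one ahead of the 6.5 one), then the high-EPSS 8.1, and only then the CVSS 9.8 with near-zero EPSS, which lands in Track; that is the ordering the FAQ below describes. In practice the `kev` and `epss` fields would be filled from the CISA KEV and FIRST EPSS feeds, while `exposed`, `automatable` and `mission_impact` are the local context only your team can supply.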
Related guide: Which CVE do you fix first? It covers how to combine severity, exploit probability and active exploitation into a defensible, exploited-first order.
Frequently asked questions
Which should I trust most: CVSS, EPSS or KEV?
They answer different questions. CVSS = severity, EPSS = likelihood, KEV = confirmed exploitation. Lead with KEV, then EPSS, then CVSS.
What is SSVC?
Stakeholder-Specific Vulnerability Categorization — a decision framework that turns exploitation status plus your context into Track / Attend / Act. See what is SSVC.
Is a Critical CVSS always urgent?
No. A CVSS 9.8 with no known exploitation and a near-zero EPSS is usually less urgent than a CVSS 7 that is actively exploited. Exploitation-first ordering reflects real-world risk.
How does IsItPatched help?
It combines NVD severity, EPSS probability and CISA KEV into one verdict and a fix-first queue, so you do not have to merge three feeds by hand — see the methodology.
This guide is vendor-neutral and informational, grounded in publicly-available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.