What is EPSS? The Exploit Prediction Scoring System, explained
A plain-English guide · part of how IsItPatched ranks risk · updated June 2026
EPSS (Exploit Prediction Scoring System) is a probability — from 0 to 100% — that a vulnerability will be exploited in the next 30 days. Where CVSS tells you how severe a flaw is, EPSS tells you how likely it is to actually be attacked. It's published by FIRST.org and recalculated every day from real-world signals.
What does EPSS stand for?
EPSS stands for Exploit Prediction Scoring System, maintained by the Forum of Incident Response and Security Teams (FIRST). It uses a machine-learning model trained on exploitation data to output a daily probability for almost every published CVE.
EPSS, CVSS and KEV — the three signals
- CVSS — how severe (0–10).
- EPSS — how likely to be exploited soon (0–100%).
- CISA KEV — confirmed being exploited now.
The smart play: fix what's on KEV first, then use EPSS to get ahead of what's likely to be exploited next — often before it lands on KEV. IsItPatched folds EPSS into a single verdict; see the methodology.
What counts as a high EPSS score?
Most CVEs score very low — the vast majority are never exploited. So even a few percent is meaningful, anything above ~10% is comparatively high, and scores above 50% signal a strong near-term likelihood. Reading EPSS as a relative ranking ("which of my open CVEs is most likely to be hit?") is more useful than chasing an absolute threshold.
Use EPSS on your own software
EPSS is only actionable once you know which vulnerabilities you actually have. IsItPatched surfaces EPSS alongside severity and KEV status for the products and components you run.
- Live exploited CVEs — KEV flaws with EPSS and severity, ranked.
- Check your version — instant verdict for any product + version.
- Scan an SBOM — EPSS-aware prioritisation across your stack.
Frequently asked questions
What is EPSS?
EPSS — the Exploit Prediction Scoring System — is a data-driven model that estimates the probability that a given CVE will be exploited in the wild within the next 30 days. It is published by FIRST.org and expressed as a percentage from 0 to 100%, recalculated daily from real-world exploitation signals.
What does EPSS stand for?
EPSS stands for Exploit Prediction Scoring System. It is maintained by the Forum of Incident Response and Security Teams (FIRST).
How is EPSS different from CVSS?
CVSS measures how severe a vulnerability is if exploited; EPSS estimates how likely it is to be exploited at all. A flaw can be CVSS 9.8 (critical) but have a tiny EPSS score because nobody is attacking it — and vice versa. Used together, they answer "how bad" and "how likely".
How is EPSS different from KEV?
EPSS is a forward-looking probability; KEV is confirmed fact. EPSS says "this is likely to be exploited soon"; CISA KEV says "this is being exploited now". Many teams patch KEV first, then use a high EPSS score to prioritise what to fix next before it lands on KEV.
What is a high EPSS score?
EPSS is a probability, and most CVEs score very low. Anything above roughly 10% is comparatively high, and scores above 50% indicate a vulnerability with a strong, near-term exploitation likelihood that warrants urgent attention.
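The prioritisation rule described in "EPSS, CVSS and KEV" and repeated in the FAQ (KEV first, then EPSS, with CVSS answering "how bad" rather than "how likely") is short enough to write down as code. The following is an added example, not IsItPatched's own ranking logic or anything from FIRST; the CVE ids, scores, KEV flags and date are constructed for the example and are not real published values. It assumes the JSON shape of FIRST's public EPSS API (`data` rows with string `epss` and `percentile` fields), where the probability is a fraction from 0 to 1 rather than the 0 to 100% the page quotes; the bands follow the page's rule of thumb (above 10% comparatively high, above 50% strong).

```python
"""Rank open CVEs: CISA KEV first, then EPSS probability, then CVSS as a tiebreak."""
import json
from dataclasses import dataclass

# Constructed sample shaped like a FIRST EPSS API response
# (https://api.first.org/data/v1/epss). Ids, scores and date are made up.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2099-0001", "epss": "0.000410", "percentile": "0.081000", "date": "2026-06-01"},
        {"cve": "CVE-2099-0002", "epss": "0.972000", "percentile": "0.998000", "date": "2026-06-01"},
        {"cve": "CVE-2099-0003", "epss": "0.184000", "percentile": "0.953000", "date": "2026-06-01"},
        {"cve": "CVE-2099-0004", "epss": "0.003200", "percentile": "0.700000", "date": "2026-06-01"},
    ],
})

# Constructed inventory of what is open in an imaginary environment.
# cvss: CVSS base score; kev: whether the CVE is listed on CISA KEV.
# CVE-2099-0005 deliberately has no EPSS row, to show the not-yet-scored case.
OPEN_CVES = {
    "CVE-2099-0001": {"cvss": 9.8, "kev": False},   # critical severity, almost never attacked
    "CVE-2099-0002": {"cvss": 7.5, "kev": False},   # high severity, very likely to be attacked
    "CVE-2099-0003": {"cvss": 5.3, "kev": True},    # medium severity, but confirmed exploited
    "CVE-2099-0004": {"cvss": 9.1, "kev": False},
    "CVE-2099-0005": {"cvss": 6.5, "kev": False},
}


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: float   # probability as a fraction 0.0-1.0, as FIRST publishes it
    kev: bool


def parse_epss(response_json: str) -> dict[str, float]:
    """Map CVE id -> EPSS probability from an EPSS-API-shaped JSON document."""
    doc = json.loads(response_json)
    # The feed carries the numbers as strings, so convert explicitly.
    return {row["cve"]: float(row["epss"]) for row in doc["data"]}


def epss_band(epss: float) -> str:
    """Bands using the page's rule of thumb: >50% strong, >10% comparatively high."""
    if epss > 0.50:
        return "strong near-term likelihood"
    if epss > 0.10:
        return "comparatively high"
    return "low"


def rank(open_cves: dict, epss_by_cve: dict[str, float]) -> list[Finding]:
    """KEV first (confirmed exploitation), then EPSS descending, then CVSS descending."""
    findings = [
        # A CVE with no EPSS row yet is treated as probability 0.0, not skipped,
        # so it still appears in the list and can be revisited when scored.
        Finding(cve, meta["cvss"], epss_by_cve.get(cve, 0.0), meta["kev"])
        for cve, meta in open_cves.items()
    ]
    return sorted(findings, key=lambda f: (not f.kev, -f.epss, -f.cvss))


def patch_order(open_cves: dict, epss_by_cve: dict[str, float]) -> list[str]:
    """Just the CVE ids, in the order they should be fixed."""
    return [f.cve for f in rank(open_cves, epss_by_cve)]


if __name__ == "__main__":
    scores = parse_epss(SAMPLE_EPSS_RESPONSE)
    for f in rank(OPEN_CVES, scores):
        flag = "KEV " if f.kev else "    "
        print(f"{flag}{f.cve}  CVSS {f.cvss:<4}  EPSS {f.epss * 100:6.2f}%  {epss_band(f.epss)}")
```

Running it puts the KEV entry first despite its medium CVSS, then the 97% EPSS flaw, and leaves the CVSS 9.8 entry near the bottom because almost nobody is attacking it, which is exactly the "how bad" versus "how likely" split the FAQ describes. Sorting the same inventory by CVSS alone would have started with that 9.8.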
IsItPatched is independent and not affiliated with FIRST, CISA or NIST. EPSS data is sourced from FIRST.org. Always verify against your vendor's advisories — see our disclaimer.