Papers
Topics
Authors
Recent
Search
2000 character limit reached

Exploit Prediction Scoring System (EPSS)

Updated 4 July 2026
  • EPSS is an open, data-driven model that estimates the probability of a vulnerability being exploited in the wild within a short-term (30-day) window.
  • It evolved from a logistic regression model with 16 features to a community-governed XGBoost framework using 1,477 variables, reflecting a significant performance improvement.
  • EPSS is integrated into broader risk prioritization systems to complement CVSS, providing actionable threat detection and aiding operational decision-making.

Searching arXiv for recent EPSS-related papers to ground the article. arXiv search query: "Exploit Prediction Scoring System EPSS vulnerability prioritization" The Exploit Prediction Scoring System (EPSS) is an open, data-driven scoring system that estimates, for each Common Vulnerabilities and Exposures (CVE) entry, the probability that the vulnerability will be exploited “in the wild.” In the original formulation, EPSS was defined as the probability of exploitation within the first twelve months after public disclosure; later work and the current operational framing describe it as a probability of exploitation within the next 30 days, expressed as a number in the interval [0,1][0,1]. EPSS is therefore a threat-likelihood model rather than a severity metric: it is designed to predict exploitation, not to measure technical impact, business criticality, or environmental exposure (Jacobs et al., 2019, Jacobs et al., 2023, Sherif et al., 12 Mar 2026, Parla, 2024).

1. Historical development and governance

EPSS emerged from the observation that vulnerability management programs were dominated by CVSS Base scores, ad hoc expert judgment, and incomplete data, even though CVSS does not measure threat and severity is not equivalent to risk. The 2019 EPSS paper presented what it described as the first open, data-driven framework for assessing vulnerability threat, with a published logistic-regression scoring function that used 16 features and was simple enough to implement in a spreadsheet (Jacobs et al., 2019).

Later work recast EPSS as a centralized, community-governed system. The 2023 EPSS Special Interest Group paper describes EPSS as a community effort involving more than 170 experts across industry, government, and academia, and identifies the third major version of the model as an XGBoost-based system trained on daily, multi-source telemetry and feature updates. That paper reports a precision-recall AUC increase from 0.4288 for EPSS v2 to 0.7795 for EPSS v3, which it summarizes as an 82\% performance improvement over past models in distinguishing vulnerabilities that are exploited in the wild (Jacobs et al., 2023).

This evolution also changed the operational horizon. The original EPSS work used exploitation within 12 months after disclosure as the prediction target, whereas later papers describe EPSS as a near-term predictor for the next 30 days. A plausible implication is that EPSS shifted from a disclosure-time threat estimate toward a continuously refreshed operational score aligned with monthly patching cycles (Jacobs et al., 2019, Jacobs et al., 2023).

2. Statistical meaning and score semantics

Several papers formalize EPSS as a conditional probability model. One empirical comparison defines it as

EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),

with output on [0,1][0,1] and a CVE-centric scope that is independent of any particular organization’s assets, business impact, or exposure (Koscinski et al., 19 Aug 2025).

The original EPSS implementation used Elastic Net regularized logistic regression. Its score was the logistic transform of a linear predictor built from vendor indicators, exploit-code indicators, vulnerability-characteristic tags, and a reference-count term: Pr[exploitationi]EPSSi=11+eLogOddsi.\Pr[\text{exploitation}_i] \equiv \text{EPSS}_i = \frac{1}{1 + e^{-\text{LogOdds}_i}}. The published model included 16 features, including exp:weaponized, exp:poc_code, tag:code_execution, tag:remote, and log(ref_count+1)\log(\text{ref\_count}+1) (Jacobs et al., 2019).

Later literature treats EPSS as a predictive exploitability model whose internal form may still include logistic-regression-style components,

EPSS(v)=σ(β0+β1xv1++βkxvk),\text{EPSS}(v) = \sigma(\beta_0 + \beta_1 x_{v1} + \dots + \beta_k x_{vk}),

but also notes that the current production model is more complex. In particular, the 2024 KEV-focused study characterizes EPSS v3 as an XGBoost model with 1477 features, while also observing that the exact feature list and transformations are not publicly available (Koscinski et al., 19 Aug 2025, Parla, 2024).

Operationally, EPSS is distributed as a point-in-time score and is often accompanied by a percentile and timestamp. In the LLM-assisted threat-intelligence pipeline, each CVE record carries epss, percentile, and date, for example epss = 0.61340, percentile = 0.97823, and a dated model update. This supports both absolute-probability and rank-based interpretations (Paul et al., 1 Apr 2025).

3. Data sources, features, and model inputs

The original EPSS work assembled vulnerability metadata from MITRE CVE and NIST NVD, derived semantic tags from CVE references using Rapid Automatic Keyword Extraction, collected proof-of-concept exploits from Exploit-DB, collected weaponized exploit evidence from Rapid7 Metasploit, D2 Elliot Framework, and Canvas Exploitation Framework, and used exploitation telemetry from Proofpoint, Fortinet, AlienVault, and GreyNoise as the outcome variable. The study covered 25,159 CVEs published from June 1, 2016 through June 1, 2018, of which 921 were observed exploited in the wild within 12 months, for an exploitation rate of approximately 3.7\% (Jacobs et al., 2019).

The later EPSS v3 paper substantially expanded the feature universe. It reports 192,035 CVEs, 6.4 million exploitation observations over about 6.5 years, and 12,243 unique CVEs observed exploited. Its 1,477 variables are grouped into published exploit code, public vulnerability lists, social media, offensive security tools, reference counts and NVD reference tags, keyword descriptions, CVSS metrics, CWE indicators, vendor labels, and vulnerability age. The same paper states that exploitation labels were derived from Fortinet, AlienVault OTX, Shadowserver Foundation, and GreyNoise, aggregated as daily boolean observations of exploit attempts (Jacobs et al., 2023).

The transition from the 2019 model to later EPSS versions therefore involved both methodological and evidentiary broadening. In the original paper, EPSS could be implemented locally from public features; in the later architecture, scores are centrally recomputed and updated daily, reflecting newly observed exploit code, KEV additions, social-media mentions, and offensive-tool coverage (Jacobs et al., 2019, Jacobs et al., 2023).

4. Empirical behavior and comparative evaluation

Across studies, EPSS is consistently distinguished from CVSS severity. The 2019 EPSS paper reports time-based validation results of ROC AUC $0.838$ and PR AUC $0.266$, versus substantial effort reductions relative to CVSS-threshold policies. For example, to match the coverage of a CVSS 7\ge 7 strategy, EPSS required 1,091 vulnerabilities of effort instead of 2,773, corresponding to an effort reduction of approximately 60.7\% (Jacobs et al., 2019).

The 2025 Microsoft Patch Tuesday comparison finds that EPSS is only weakly correlated with CVSS, has moderate-at-best correlation with SSVC and Microsoft’s Exploitability Index, and aligns better with real-world exploitation than severity alone. In that study, EPSS is evaluated on 600 vulnerabilities and is described as adding new information rather than merely re-ranking high-CVSS items (Koscinski et al., 19 Aug 2025).

A 2026 framework centered on Key Risk Indicators (KRI) provides a larger-scale quantitative assessment against the CISA Known Exploited Vulnerabilities catalog. It reports that EPSS alone achieves ROC-AUC $0.9299$ and AUPRC EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),0 on 280,694 CVEs, whereas the full KRI score achieves ROC-AUC EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),1 and AUPRC EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),2. The same paper interprets this as evidence that EPSS is the strongest pure exploit detector, while KRI serves a different objective by reordering vulnerabilities according to impact and exposure. At EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),3, EPSS and KRI have identical KEV Recall@500 of EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),4, but KRI achieves ERV@500 of EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),5 compared with EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),6 for EPSS and Critical Recall@500 of EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),7 compared with EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),8 for EPSS (Sherif et al., 12 Mar 2026).

Not all evaluations are favorable. The 2024 study of high-severity KEV CVEs argues that EPSS v3 often behaves more as a trailing risk indicator than as a proactive predictor for newly disclosed, high-value perimeter and supply-chain vulnerabilities. It reports that, for all 250 KEV CVEs in its study period, more than two thirds had EPSS scores below EPSS(v)=P(“v will be exploited in the wild in a given time window”features of vulnerability v),\text{EPSS}(v) = P(\text{“v will be exploited in the wild in a given time window”} \mid \text{features of vulnerability } v),9 immediately prior to KEV inclusion, and that among 57 KEV CVEs from 2023 or later, 42 had consistently low EPSS scores before KEV listing (Parla, 2024).

A further methodological critique comes from prospective evaluation. The 2026 evidence-graph paper shows that naive random splitting with unfiltered evidence inflates apparent prospective recall by [0,1][0,1]0 and EPSS-high recall by [0,1][0,1]1, arguing that exploitability prediction should be evaluated only with evidence available at a fixed decision time (Alpay et al., 17 Jun 2026).

5. Operational use in prioritization systems

EPSS is often used as the threat-likelihood component of larger triage systems rather than as a standalone risk score. In the SBOM-driven IoT firmware triage pipeline, EPSS is the primary signal for “likelihood of exploitation” and is incorporated into a composite Risk Priority Score: [0,1][0,1]2 with [0,1][0,1]3 the CVSS Base Score, [0,1][0,1]4 the exploitability factor, [0,1][0,1]5 a context factor, and weights [0,1][0,1]6, [0,1][0,1]7, and [0,1][0,1]8. When a CVE is not in KEV, the paper defines [0,1][0,1]9; when the CVE is in KEV, exploitability is overridden to Pr[exploitationi]EPSSi=11+eLogOddsi.\Pr[\text{exploitation}_i] \equiv \text{EPSS}_i = \frac{1}{1 + e^{-\text{LogOdds}_i}}.0. This makes EPSS the largest weighted component of the score unless KEV provides a hard override (Tolay, 4 Jan 2026).

EPSS is also used as structured metadata in retrieval-augmented threat-intelligence systems. In the LLM-assisted proactive threat-intelligence architecture, EPSS is ingested through the Patrowl framework alongside CVE, CWE, and KEV feeds; stored in Milvus as metadata attached to CVE records; and exposed to GPT-4o through retrieved context. In that system EPSS is not a retrieval metric, but a probability-and-percentile field used for reasoning, filtering, and analyst-facing explanations (Paul et al., 1 Apr 2025).

In model-based IoT security quantification, EPSS is treated even more literally as an empirical exploit probability. The IoT attack-tree paper defines the probability of each Basic Attack Step as

Pr[exploitationi]EPSSi=11+eLogOddsi.\Pr[\text{exploitation}_i] \equiv \text{EPSS}_i = \frac{1}{1 + e^{-\text{LogOdds}_i}}.1

then propagates those probabilities through OR and AND gates,

Pr[exploitationi]EPSSi=11+eLogOddsi.\Pr[\text{exploitation}_i] \equiv \text{EPSS}_i = \frac{1}{1 + e^{-\text{LogOdds}_i}}.2

and maps the resulting attack tree to a Bayesian Network. In its smart irrigation case study, this yields a Top Event probability of Pr[exploitationi]EPSSi=11+eLogOddsi.\Pr[\text{exploitation}_i] \equiv \text{EPSS}_i = \frac{1}{1 + e^{-\text{LogOdds}_i}}.3 (Abdulhamid et al., 15 Jun 2026).

These applications share a common pattern: EPSS is used as a numeric likelihood term that is easy to join on CVE identifiers, but it is rarely treated as sufficient on its own. Contextualization is supplied either by local deployment signals, KEV membership, or architecture-aware propagation logic (Tolay, 4 Jan 2026, Abdulhamid et al., 15 Jun 2026).

A recurring limitation in the literature is that EPSS is not a risk score in the full organizational sense. It does not encode business impact, asset value, network exposure, or compensating controls; it is global and generic rather than environment-specific; and it may be less informative for newly disclosed vulnerabilities with limited telemetry. The Microsoft-only comparative study emphasizes that EPSS should complement CVSS and internal context rather than replace them (Koscinski et al., 19 Aug 2025).

Another criticism concerns opacity and exploit actionability. The AEAS paper describes EPSS as producing “opaque probability estimates” and argues that it does not assess whether usable exploit code exists, whether that code is functional, or how difficult it is to deploy. AEAS is therefore positioned as complementary to EPSS, focusing on exploit availability, functionality, setup complexity, and ranked exploit recommendations rather than on exploitation-in-the-wild probability (Shen et al., 22 Sep 2025).

Several adjacent proposals attempt to incorporate what EPSS omits. SecScore replaces the static CVSS Exploit Code Maturity factor with a time-dependent empirical function based on exploit-code emergence, while explicitly proposing use alongside EPSS (Santana et al., 2024). Expected Exploitability (EE) predicts the development of functional exploits rather than exploitation in the wild, treats exploitability as time-varying, and reports increasing precision from 49\% to 86\% over existing metrics, including two state-of-the-art exploit classifiers (Suciu et al., 2021).

Later work also raises methodological caution. The compute-budgeted evidence-graph framework argues that exploitability claims should be leakage-safe, prospective, and paired with evidence certificates listing supporting signals, timestamps, source layers, and leakage flags. This suggests that future EPSS-like systems may be evaluated not only by discrimination metrics but also by temporal admissibility and auditability (Alpay et al., 17 Jun 2026).

Taken together, these critiques do not reject EPSS’s central role. Rather, they establish a narrower and more precise interpretation: EPSS is a strong, publicly available baseline for short-horizon exploit detection, but it is most effective when combined with impact metrics, exposure or context factors, exploitation evidence such as KEV, or architecture-aware and evidence-aware reasoning layers (Sherif et al., 12 Mar 2026, Koscinski et al., 19 Aug 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Exploit Prediction Scoring System (EPSS).