CrowdStrike named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Download report

The Exploit Prediction Scoring System (EPSS) is a data-driven model that estimates the likelihood that a software vulnerability will be exploited in the wild. Developed and maintained by the Forum of Incident Response and Security Teams (FIRST), EPSS provides defenders with a probability-based measure to understand which vulnerabilities are most likely to matter in real-world scenarios.

Unlike other severity scores that focus on theoretical impact, EPSS provides predictive insights rooted in actual exploit activity. The goal is simple yet transformative: to help cybersecurity teams patch smarter by focusing on the vulnerabilities that adversaries are most likely to exploit.

Why is the EPSS needed?

Organizations face a constant flood of new vulnerabilities, yet only a fraction of them are ever used in active attacks. Traditional scoring systems like the Common Vulnerability Scoring System (CVSS) are valuable, but they rate vulnerabilities based on potential impact, not probability of exploitation.

This disconnect shows up in daily operations. A vulnerability management team may see thousands of new Common Vulnerabilities and Exposures (CVEs) in a quarter, many rated "critical" by CVSS. Yet history shows that a majority of these flaws never get weaponized.

For example, flaws that require highly specific configurations or deep local access may receive a maximum CVSS rating but are unlikely to appear in the wild. Conversely, some moderate CVSS flaws that enable remote code execution with minimal prerequisites often become favored tools for attackers. Without a predictive signal, defenders can consume their time patching vulnerabilities that represent little practical risk while missing others that adversaries rush to exploit.

Many programs try to close this gap by leaning on CISA’s Known Exploited Vulnerabilities (KEV) catalog. KEV is a valuable resource, but it only lists vulnerabilities that are already being used in active attacks. By the time a CVE is added, attackers are already ahead. EPSS attempts to fill that gap by predicting which vulnerabilities are most likely to be exploited before they appear in KEV. This gives teams a chance to act proactively rather than scrambling to respond after an exploitation is underway.

CrowdStrike 2026 Global Threat Report

AI threats have reached a critical turning point. Access the definitive look at the cyber threat landscape.

How does the EPSS work?

The EPSS model draws on a wide array of data sources and applies machine learning to predict exploitation probability. Here’s a closer look at how it works:

Data sources

To generate its predictions, EPSS aggregates vulnerability metadata, including CVE identifiers, CVSS scores, common weakness enumeration (CWE) categories, and textual descriptions from databases like NVD and MITRE. Beyond that, it incorporates:

  • Exploit availability: If a vulnerability already has a working exploit in databases like Exploit-DB or Metasploit, it means attackers don’t have to do the hard work themselves. Ready-made tools are a strong signal that exploitation is more likely.
  • Proof-of-concept code: When researchers (or attackers) publish sample code on GitHub or Pastebin, it often sparks wider interest. Even simple proofs of concept can lower the barrier for others to weaponize a vulnerability.
  • Threat intelligence: Signals from honeypots, internet-wide scanners, or security sensors show when attackers are testing or probing for specific vulnerabilities. These early attempts provide context that exploitation is already underway or imminent.
  • External references: EPSS treats sources like Google Project Zero and CISA KEV as historical indicators of vulnerability disclosure rather than active exploitation signals, since they reflect past events. By analyzing what happens after vulnerabilities are listed, EPSS aims to predict future exploitation risk, noting that inclusion on lists like KEV may actually reduce future attacker use as defenders prioritize remediation.
EPSS Machine Learning Model

Modeling approach

EPSS relies on a prediction engine that works like a decision-making tree. The model it uses, called a boosted decision tree, handles mixed types of data and can uncover relationships that aren’t obvious at first glance.

For example, a CVSS score that shows “low complexity, remote attack vector” already suggests elevated risk. But if exploit code has also been posted on GitHub, the likelihood of real-world exploitation increases significantly. EPSS accounts for these combined signals and produces a probability score that reflects this risk.

The model is retrained regularly using telemetry of actual exploit attempts observed across contributing organizations. This feedback loop improves accuracy and adapts predictions as attacker trends change. For instance, if a new exploit kit begins weaponizing a particular class of vulnerabilities, retraining captures that shift.

Output format and updates

Each CVE scored by EPSS comes with two key outputs:

  • Probability score: A number between 0 and 1 that estimates the chance of that vulnerability being exploited in the next 30 days. You can think of it like a forecast — the closer the number is to 1, the higher the likelihood attackers will use it soon.
  • Percentile rank: A relative score showing how the CVE stacks up against all others. For example, a vulnerability in the 95th percentile is among the riskiest compared to the rest of the dataset.
  • Probability vs. percentile: The probability score represents the model’s estimate of exploitation likelihood within the next 30 days. A score of 0.82 means an 82% chance of real-world exploitation. Percentile rankings show how a CVE compares relative to all others. For instance:
    • 90-100th percentile = extremely likely to be exploited
    • 70-89th percentile = elevated risk
    • < 50th percentile = low risk

Consider two examples:

  1. High CVSS, low EPSS: Consider a CVE vulnerability with a CVSS score of 9.8 but an EPSS score of only 0.02. In practice, it may never be exploited because it requires an unusual setup or deep system access that attackers aren’t likely to have.
  2. Moderate CVSS, high EPSS: Now take a flaw with a CVSS score of 6.5 but an EPSS score of 0.76. Proof-of-concept code is already public, which lowers the barrier for attackers to weaponize it. Even though the severity rating is moderate, the high likelihood of exploitation makes it a pressing concern.

These scores are refreshed every day and published openly through FIRST.org, available via API or CSV download. That makes it easy to feed EPSS into existing tools like vulnerability scanners, security information and event management (SIEM) platforms, and patch management workflows. Because the model updates daily, defenders get a live signal that reflects the latest attacker behavior.

How to use EPSS for vulnerability prioritization

EPSS shows its real value when paired with other contextual insights, especially CVSS severity and asset importance. Together, these signals help security teams build a clear triage map instead of drowning in endless “critical” alerts. 

One way to think about it is as a simple 2×2 matrix:

 Low EPSS
(unlikely to be exploited)
High EPSS
(likely to be exploited)
Low CVSS
(limited impact)
Lowest priority. These flaws pose little real risk.Worth monitoring, especially if they touch important assets.
High CVSS
(serious impact)
Can often be deferred or scheduled, depending on asset exposure.Top priority. These are both severe and likely to be exploited soon.

Let’s take an example using the matrix above. A SOC analyst might start with internet-facing systems. If a vulnerability in one of these systems lands in the “high EPSS + high CVSS” quadrant, it becomes a patching priority. On the other hand, a “high CVSS + low EPSS” flaw buried deep in a non-critical system can safely be queued for later remediation.

This approach gives teams a structured way to prioritize, focus patching where it matters most, and improve efficiency without sacrificing security.

Evolution of the EPSS model

Since its launch in 2021, EPSS has advanced through several major updates focused on sharpening prediction accuracy and expanding transparency.

  • Version 2 introduced stronger data handling and incorporated a wider range of exploit and telemetry inputs. This made the model more resilient and better at separating noise from meaningful signals.
  • Version 3 delivered a major leap forward and raised predictive performance by 82% over the previous version. It added more sophisticated modeling techniques and began publishing clear metrics on false positives and false negatives.
  • Version 4, released in March 2025, refined the underlying algorithms and reinforced transparency so organizations can understand and trust how scores are produced.

Each iteration has attempted to make the model more accurate, transparent, and useful for defenders deciding which vulnerabilities to patch first.

How EPSS is governed

EPSS is a community-driven initiative overseen by FIRST’s Special Interest Group (SIG). Members span academic researchers, private sector organizations, and government agencies, all working together to refine the model and validate its outputs.

The way EPSS is governed aligns with many open-source security standards. Unlike closed, proprietary scoring systems, its development is open and peer-reviewed. Every update to the model, methodology, and performance metrics is published where anyone can see it. That transparency gives the security community a chance to question, refine, and appreciate the results.

EPSS limitations and considerations

EPSS is a potentially powerful tool, but it’s not the whole answer. Like any model, it has blind spots that security teams should keep in mind.

  • Scope: EPSS measures likelihood, not severity. A vulnerability with a high probability score may not have a catastrophic impact if exploited, and vice versa. Teams still need to consider CVSS, business impact, asset value, and regulatory requirements.
  • Data quality: Machine learning models are only as good as the data they learn from. Incomplete telemetry, uneven reporting, or poor input data can lead to false positives. That means some CVEs may be flagged as highly exploitable but may never see real-world use by attackers.
  • AccuracyStudies have shown that EPSS underperforms as a predictor of real-world exploitation. Research by members of the Rochester Institute of Technology and the University of Hawai‘i at Mānoa found that only 19.9% of CVEs later added to the CISA KEV catalog held an EPSS score above 0.5 before exploitation. Just 8.3% ever reached a score above 0.9, and more than 22% of exploited CVEs had no EPSS score at all prior to being exploited.
  • Context matters: EPSS scores are global by design. A CVE marked as highly exploitable worldwide may not be relevant in every environment. Factors like asset criticality, internet reachability, and local configurations can change the real risk picture. A low-scoring vulnerability on an internet-facing system that handles sensitive data may still deserve immediate attention.

The takeaway: EPSS can be used as a critical factor in your risk assessment toolkit, but it shouldn't be the whole toolkit. Despite the aforementioned flaws, EPSS can still prove valuable as the model continues to improve. It is considered to work best when paired with CVSS for severity, asset context for relevance, and human oversight for judgment. This combination helps organizations build a risk picture that's both predictive and practical.

How ExPRT.AI compares with EPSS

Both EPSS and ExPRT.AI predict which vulnerabilities are most likely to be exploited, but they take distinctly different approaches to get there.

FeatureEPSSExPRT.AI (CrowdStrike)
Data foundationRelies on public vulnerability metadata, exploit databases (e.g., Exploit‑DB, Metasploit), proof-of-concept signals, and open‑source threat data.Uses real-world data from the CrowdStrike Falcon® sensor plus live threat hunting intel from CrowdStrike Falcon® Adversary OverWatch™.
Timeliness of insightStatic model updated daily based on historical trends.Dynamic model tuned to near real-time attack observations across live customer environments.
Accuracy in contextOffers a standards-based, multi-vendor perspective.Tailors predictions to actual attacker behavior across the Falcon platform ecosystem, which results in more direct relevance for those using CrowdStrike solutions.
Ideal forOrganizations leveraging diverse tools and seeking a neutral, open scoring reference.Customers consolidating on the CrowdStrike Falcon platform who want richer, real-time, operationally grounded scoring.

Why this matters

ExPRT.AI’s edge lies in real-time insight: It taps actual exploitation activity and endpoint visibility that EPSS can't see. This advantage translates into faster, more relevant prioritization for organizations using the Falcon platform across their environments. EPSS remains valuable for broader, cross-platform contexts where Falcon platform-level visibility may not exist.

Managing cyber risk exposure with CrowdStrike

EPSS represents a major step forward in predictive cybersecurity by applying data science to vulnerability management to guide smarter decisions. When paired with CVSS scores and asset context, it helps security teams patch smarter and faster. Its transparency, community governance, and ease of access make it a useful tool for modern security operations.

CrowdStrike customers already have a powerful tool, the ExPRT.AI scoring system, to prioritize the riskiest exposures in their environment. Although CrowdStrike does not provide native EPSS integration, customers can still combine EPSS with CrowdStrike's vulnerability data by analyzing it in CrowdStrike Falcon® Next-Gen SIEM. This allows teams to apply the prioritization metric that best fits their needs.

CrowdStrike Falcon® Exposure Management builds on predictive risk analytics by correlating vulnerabilities with adversary tradecraft, threat intelligence, and business context. This gives organizations a path to reduce risk faster and stay ahead of adversaries.

Ready to reduce risk and outpace threats? Learn more about Falcon Exposure Management