Part 1 - Taming the Vulnerability Flood: How EPSS (Exploit Prediction Scoring System) Helps Cybersecurity Leaders Focus on Real Threats
- Davy J
- Apr 29
- 7 min read
The Rising Tide of Vulnerabilities
Every week seems to bring news of another software vulnerability. Security teams scramble to patch critical systems, and executives are left wondering which vulnerability could become the next breach headline. The truth is that no organization can fix every flaw immediately – not when the number of known vulnerabilities has already surpassed a quarter million (271,000-plus as of March 2025) and grew by about 41% from 2023 to 2024 (Study Finds EPSS Shows Strong Performance in Predicting Exploits). It’s a flood, and trying to plug every leak isn’t realistic.
Yet, only a small fraction of these vulnerabilities will ever be exploited by attackers. Roughly 6% of published vulnerabilities have been observed being exploited in the wild (Study Finds EPSS Shows Strong Performance in Predicting Exploits). In other words, out of thousands of new security issues, only a handful turn into actual cyber incidents. The challenge for leadership is identifying those dangerous few in advance. Historically, companies relied on severity scores like CVSS to gauge risk. But severity is not the same as risk – a “critical” vulnerability might never be touched by attackers, while a “medium” one might become the entry point for a major breach. This is where the Exploit Prediction Scoring System comes in.
What is EPSS (Exploit Prediction Scoring System)?
EPSS is essentially a data-driven crystal ball for cybersecurity teams. Developed by an industry consortium led by FIRST (the same organization behind CVSS), it estimates the likelihood (probability) that a given vulnerability will be exploited in the near term (Exploit Prediction Scoring System (EPSS)). In non-technical terms, EPSS tells you, “What’s the chance attackers will actually use this flaw against someone?” The system draws on real-world cyber threat data – exploit code sightings, attacks observed by sensors, discussions in hacker forums – and uses machine learning to output a probability from 0 to 1 (or 0% to 100%). A higher EPSS score means a higher chance that bad actors will leverage that vulnerability in an attack (Exploit Prediction Scoring System (EPSS)).
Importantly, EPSS scores are updated daily to reflect the latest intelligence (Using EPSS to Modernize Vulnerability Prioritization). Unlike static risk ratings, EPSS keeps up with shifting attacker focus. If hackers suddenly start exploiting a vulnerability that was quiet before, the EPSS score will rise. If a flaw fades out of hacker attention, its score can drop.
And EPSS isn’t a niche academic experiment – it’s rapidly becoming essential cybersecurity infrastructure. Dozens of vendors (over 60 on FIRST’s public adopter list) have integrated EPSS into their products (scanners, threat platforms, etc.) (Supporting EPSS: a More Data-Driven Future | Empirical Security), and a growing community of enterprises relies on its insights. The model has been refined through multiple versions since 2018 and has consistently improved its predictive power. By 2023, studies showed EPSS could correctly distinguish exploited from non-exploited issues about 80% of the time (Exploit Prediction Scoring System | Empirical Security), and later versions have only gotten better. For executives, this means EPSS is a mature, vetted approach, not theoretical pixie dust.
Why Executives Should Care
From a leadership perspective, EPSS offers a way out of “patch everything” paralysis. It shifts the conversation from “How do we fix thousands of vulnerabilities?” to “Let’s focus on the few that matter most right now.” This focused approach has concrete benefits for the business:
- Efficient Risk Reduction: By tackling the vulnerabilities most likely to be used in an attack, you dramatically reduce the organization’s true risk exposure with far less effort. Security teams aren’t chasing ghosts; they’re fixing the issues that attackers are actually eyeing.
- Optimized Use of Resources: Patching and testing updates consume time and money, and can even cause downtime. EPSS helps ensure those resources are spent where they yield the highest security ROI. One study found that using EPSS to prioritize fixes can cut the workload by more than 80% while achieving the same risk coverage (Introducing Exploit Prediction Scoring System v4 | Empirical Security). Imagine going from patching 500 vulnerabilities to just 100 – and still preventing the same number of attacks.
- Proactive Decision-Making: Executives can move from a reactive stance (“We think this high-severity bug might be dangerous…”) to a proactive strategy driven by data (“EPSS shows this vulnerability has a 20% chance of exploitation in the next month – let’s act on it now”). It’s similar to weather forecasting: you don’t cancel an event for a 5% chance of rain, but you certainly would for a 70% chance. EPSS provides that forecast for cyber attacks (Study Finds EPSS Shows Strong Performance in Predicting Exploits).
- Cross-Industry Relevance: Whether you run IT for a mental health clinic, a tribal casino, a private primary school, or a multinational bank, EPSS adapts to your context. The system is built on global threat intelligence, so it captures trends that affect all sectors. For example, if ransomware gangs are exploiting a certain software bug to hit hospital databases, EPSS will flag that – valuable information if you’re in healthcare. If cybercriminals start targeting a vulnerability in casino management software, EPSS will reflect that too. In short, it gives every industry a heads-up on what’s likely to come.
Figure: The vast majority of vulnerabilities (grey area) are never exploited, while a small slice (red area, about 6%) sees real-world attacks (Study Finds EPSS Shows Strong Performance in Predicting Exploits). EPSS helps identify which vulnerabilities fall into that red slice. This allows leaders to prioritize those few high-risk issues and avoid diverting resources to the many that pose little immediate threat.
Consider a quick example. A mental health services provider with limited IT staff faces thousands of new vulnerability alerts each year. Many relate to systems handling sensitive patient data. It’s overwhelming to decide what to tackle first. By applying EPSS, the IT director discovers that out of 50 “high” severity findings this month, only 5 have an EPSS score above 5% (meaning a notable likelihood of exploitation). Those 5 become the top priority for immediate patching. The others – still important – can be scheduled into routine maintenance. The result? The most dangerous vulnerabilities are neutralized before they can be used to compromise patient records, and the organization isn’t burning out its team chasing every theoretical hole in the fence.
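The triage the IT director performs above, written out as an added example (this is illustrative code, not code from the original post or from FIRST): each scanner finding carries both its CVSS severity and its EPSS probability, and the 5% EPSS threshold from the article splits the list into an immediate-patch lane and a routine-maintenance lane. The CVE identifiers and scores are constructed placeholders; in practice the `epss` values would be looked up from FIRST’s daily published scores.

```python
# Added example: EPSS-based triage of scanner findings.
# All CVE ids below use year "0000" and are constructed placeholders, not real vulnerabilities.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float   # severity (0-10) as reported by the scanner
    epss: float   # EPSS probability of exploitation in the near term (0-1)


# Constructed sample: note the "critical" CVSS 9.8 item with a near-zero EPSS score,
# and the "medium" CVSS 5.3 item with a substantial one.
FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.004),
    Finding("CVE-0000-0002", cvss=9.1, epss=0.62),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.31),
    Finding("CVE-0000-0004", cvss=7.5, epss=0.02),
    Finding("CVE-0000-0005", cvss=8.8, epss=0.009),
    Finding("CVE-0000-0006", cvss=6.1, epss=0.07),
]


def triage(findings, epss_threshold=0.05):
    """Split findings into (immediate, routine) lanes using an EPSS threshold.

    Within each lane, higher EPSS comes first; CVSS only breaks ties, so a
    medium-severity flaw that attackers are using outranks an untouched critical.
    """
    ordered = sorted(findings, key=lambda f: (f.epss, f.cvss), reverse=True)
    immediate = [f for f in ordered if f.epss >= epss_threshold]
    routine = [f for f in ordered if f.epss < epss_threshold]
    return immediate, routine


def severity_only(findings):
    """The traditional ordering, for comparison: highest CVSS first, EPSS ignored."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


if __name__ == "__main__":
    immediate, routine = triage(FINDINGS, epss_threshold=0.05)
    print("Patch now (EPSS >= 5%):")
    for f in immediate:
        print(f"  {f.cve}  CVSS {f.cvss:<4} EPSS {f.epss:.1%}")
    print("Routine maintenance:")
    for f in routine:
        print(f"  {f.cve}  CVSS {f.cvss:<4} EPSS {f.epss:.1%}")
    print("Severity-only order would start with:", severity_only(FINDINGS)[0].cve)
```

On this constructed data the severity-only list would put the CVSS 9.8 item first even though its EPSS score is 0.4%, while EPSS triage sends three findings to the immediate lane and defers the rest to the regular patch cycle, which is the distinction between severity and risk the article draws.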
Addressing the “What If We’re Wrong?” Scenario
No prediction system is perfect. As an executive, you might worry: What if EPSS tells us a vulnerability is low-risk, and then that vulnerability gets exploited and hurts us? It’s a fair question. There will always be edge cases – a vulnerability that EPSS scored low could, in rare cases, become a target. But these cases are the exception, not the rule, and EPSS is designed to adapt quickly when the unexpected happens.
Think of it this way: if a low-probability event occurs (say a “1-in-100” chance vulnerability does get exploited), that doesn’t invalidate the approach. It’s like a 5% probability storm hitting unexpectedly – it can happen, but you still needed to base your plan on the most likely forecast. EPSS significantly tilts the odds in your favor. And when something changes, it won’t go unnoticed. The moment there’s evidence that attackers are gravitating toward a vulnerability (new exploit code published, a spike in attacks on that CVE, etc.), the EPSS score will update accordingly. Your team can then react, shifting that issue into the priority lane.
Moreover, organizations should never rely on EPSS alone. Defense in depth is still key. In practice, that means even those “low EPSS” vulnerabilities aren’t ignored forever – they’re monitored and eventually patched as part of your regular cycle, and in the meantime your other security controls (firewalls, intrusion detection, network segmentation, backups) provide safety nets. If a surprise attack hits a lower-ranked vulnerability, those layers limit the damage and give your team time to respond.
Some critics point out that EPSS could produce false positives (vulnerabilities deemed likely to be exploited that don’t end up being used). This is also expected – and acceptable. Cybersecurity is about reducing risk, not achieving perfection. If EPSS guided you to patch ten vulnerabilities and only six of them later faced attacks, that’s a win. You eliminated six serious threats, and the effort spent on the other four was a reasonable trade-off. In fact, that 60% “efficiency” is vastly better than what most companies get by patching based solely on severity (Introducing Exploit Prediction Scoring System v4 | Empirical Security) (where efficiency can be as low as single digits).
Finally, remember that EPSS is continuously validated by the community. Researchers are actively measuring its performance and refining the model. In one analysis, remediating vulnerabilities with an EPSS score above 0.6 achieved about 80% efficiency – meaning 8 out of 10 of those fixes were indeed targeting vulnerabilities that saw real attacks (Study Finds EPSS Shows Strong Performance in Predicting Exploits). Those are odds any security leader would take in an uncertain threat landscape. The fact that EPSS is on its fourth version, with each iteration showing stronger results, shows that it’s not static. It learns from misses and incorporates new data (for example, the latest model added ransomware and malware telemetry to improve predictions (EPSS: Effort vs Coverage | Empirical Security)).
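The “efficiency” figures quoted in the two paragraphs above (the 6-out-of-10 false-positive scenario and the roughly 80% efficiency at a 0.6 threshold) are easy to compute for your own environment once you have a history of findings and whether each was later exploited. The following added example (illustrative code, not from the original post or from the cited studies) measures a patching policy by efficiency (share of patched vulnerabilities that were actually exploited) and coverage (share of exploited vulnerabilities the policy caught), and compares an EPSS threshold against a severity-only rule. The history is constructed, with placeholder CVE ids, and includes one deliberately low-scored vulnerability that was exploited anyway, the “what if we’re wrong” case.

```python
# Added example: efficiency and coverage of EPSS-threshold vs CVSS-threshold patching.
# The history below is constructed; CVE ids with year "0000" are placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    cve: str
    cvss: float       # severity at decision time
    epss: float       # EPSS probability at decision time
    exploited: bool   # was exploitation observed afterwards?


HISTORY = [
    Record("CVE-0000-0101", 9.8, 0.92, True),
    Record("CVE-0000-0102", 7.2, 0.75, True),
    Record("CVE-0000-0103", 9.1, 0.68, False),
    Record("CVE-0000-0104", 6.5, 0.61, True),
    Record("CVE-0000-0105", 8.8, 0.40, True),
    Record("CVE-0000-0106", 9.8, 0.33, False),
    Record("CVE-0000-0107", 9.0, 0.12, False),
    Record("CVE-0000-0108", 9.3, 0.05, False),
    Record("CVE-0000-0109", 5.4, 0.02, True),   # the surprise: low score, exploited anyway
    Record("CVE-0000-0110", 9.6, 0.01, False),
]


def evaluate(history, select):
    """Score the policy 'patch r if select(r)'.

    Returns (efficiency, coverage, effort):
      efficiency = exploited-and-patched / patched   (how much work was well spent)
      coverage   = exploited-and-patched / exploited (how many real attacks were pre-empted)
      effort     = number of vulnerabilities patched
    """
    patched = [r for r in history if select(r)]
    exploited = [r for r in history if r.exploited]
    hits = [r for r in patched if r.exploited]
    efficiency = len(hits) / len(patched) if patched else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    return efficiency, coverage, len(patched)


def epss_policy(threshold):
    """Patch everything with an EPSS score at or above the threshold."""
    return lambda r: r.epss >= threshold


def cvss_policy(min_score):
    """Patch everything with a CVSS score at or above min_score (severity only)."""
    return lambda r: r.cvss >= min_score


def missed(history, select):
    """Exploited vulnerabilities the policy would NOT have patched: the defense-in-depth cases."""
    return [r.cve for r in history if r.exploited and not select(r)]


if __name__ == "__main__":
    for label, policy in [("EPSS >= 0.6", epss_policy(0.6)),
                          ("EPSS >= 0.3", epss_policy(0.3)),
                          ("CVSS >= 9.0", cvss_policy(9.0))]:
        eff, cov, n = evaluate(HISTORY, policy)
        print(f"{label}: patched {n:2d}, efficiency {eff:.0%}, coverage {cov:.0%}, "
              f"missed {missed(HISTORY, policy)}")
```

On this constructed history the EPSS >= 0.3 rule and the CVSS >= 9.0 rule cost the same effort (six patches), but the EPSS rule pre-empts four of the five exploited vulnerabilities while the severity rule pre-empts one. Raising the EPSS threshold to 0.6 cuts effort to four patches at 75% efficiency, and `missed` lists the two exploited items that would have been left to the regular cycle and to compensating controls, which is exactly the trade-off the article asks leaders to make consciously rather than pretend away.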
Turning Insight into Action
In the end, EPSS empowers executives and managers to make smarter, faster security decisions. It’s about doing the right things sooner, rather than doing everything haphazardly. By focusing your limited time and budget on the vulnerabilities that are actually likely to bite, you reduce the chance of a breach in a measurable, defensible way.
The vulnerability flood isn’t slowing down, but with EPSS, you gain a way to channel those floodwaters toward what truly matters. It’s a strategic advantage that translates technical noise into clear priorities. For any leader tasked with safeguarding their organization in today’s threat environment, that clarity is worth its weight in gold.
Tame the flood. Prioritize what matters. Sleep better tonight.
Stop drowning in CVEs. Let our EPSS-driven experts show you exactly which vulnerabilities put your business on the line—before attackers do.
We’ll map your top-priority fixes and send you a quick-win action plan you can start using right away.