What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven machine-learning model that estimates the probability that a published CVE will be exploited in the wild in the next 30 days.

It replaces subjective severity judgments with empirical signals from observed exploitation and ongoing activity, helping you focus limited remediation effort where attacks are most likely. EPSS publishes a 0–1 probability (with ranking percentiles) every day for every CVE and makes the data freely and openly accessible via CSV and API, so it slots easily into workflows and dashboards.

What is the EPSS SIG?

The EPSS User Special Interest Group (SIG) is a practitioner community focused on putting EPSS to work. We meet every other Friday at 16:00 UTC during Standard Time (15:00 UTC during Daylight Time). Meetings are often interactive sessions featuring presentations on EPSS and related vulnerability and exposure management topics, as well as Q&A and candid discussion with practitioners and EPSS creators. Members get access to past meeting recordings and notes, plus a low-volume mailing list for announcements and questions. If you’re interested in contributing, we’re always looking for informative talks, case studies, and “how we implemented EPSS” walk-throughs. Presenting is a great way to get to know the group, whose members often offer constructive feedback to help you refine your ideas.

To get a better idea of what EPSS is and what the SIG is about, please read the FAQ or dig into the details on the modeling page.

Goals

  1. Clarify how EPSS works, its strengths and limitations, and provide accessible guidance to promote informed and transparent use across the community and industry.
  2. Help defenders incorporate EPSS into their vulnerability management and quantitative risk models through practical examples, shared workflows, and open discussions.
  3. Create an open forum for experimentation, feedback, and constructive criticism to improve understanding of EPSS, inspire enhancements, and strengthen trust in data-driven vulnerability prioritization.

Chairs

Acknowledgements

The EPSS User SIG is grateful for the invaluable contributions of our members. Key contributors are listed below.

FIRST Support

All of us are very grateful to the staff and volunteers at FIRST for their efforts in supporting the administration and hosting of the SIG.