Tags: EPSS, CVSS, Prioritization

What is EPSS and why CVSS alone is not enough

Mar 6, 2026 · 8 min read

The problem with CVSS

Every security professional knows CVSS, the Common Vulnerability Scoring System. It rates vulnerabilities on a scale from 0 to 10 and assigns severity levels: Critical, High, Medium, Low. Sounds reasonable. Until you look at the numbers.

In 2025, over 35,000 CVEs were published. Roughly 15% had a CVSS score of 9.0 or higher (Critical). That is over 5,000 "critical" vulnerabilities. No security team in the world can prioritize 5,000 patches per year.

The problem: CVSS measures severity, not likelihood. A CVE with CVSS 9.8 can theoretically be devastating. But if it is never actively exploited, it is practically less urgent than a CVE with CVSS 7.5 that has had a PoC on GitHub since yesterday.

What is EPSS?

EPSS stands for Exploit Prediction Scoring System. It is operated by FIRST.org (the same organization behind CVSS) and answers a fundamentally different question:

"How likely is it that this CVE will be actively exploited in the next 30 days?"

EPSS uses machine learning and analyzes hundreds of signals, including:

  • Whether a PoC (Proof of Concept) is publicly available
  • Social media activity around the CVE
  • Characteristics of the affected software
  • Historical exploit patterns

The result is a probability between 0 and 1 (0% to 100%). A CVE with EPSS 0.92 is estimated to have a 92% chance of exploitation activity being observed in the wild in the next 30 days. Alongside the probability, FIRST publishes a percentile (where the CVE ranks among all scored CVEs); because the large majority of CVEs sit at very low EPSS values, the percentile is often the easier number to reason about when two scores look similar.

CVSS vs. EPSS: A real-world example

                  CVE-2024-21762         CVE-2024-21887
CVSS              9.8 (Critical)         8.2 (High)
EPSS              0.02 (2%)              0.97 (97%)
PoC available     No                     Yes (actively exploited)
Priority          Can wait               Patch immediately

CVE-2024-21762 (Fortinet FortiOS) had a near-perfect CVSS score but initially low exploitation activity. CVE-2024-21887 (Ivanti Connect Secure) scored lower on CVSS, yet was massively exploited in the wild within days. Based on CVSS alone, you would patch FortiOS first. With EPSS, Ivanti is the clear priority. Note that these values are a snapshot: EPSS is recomputed daily, and CVE-2024-21762 was itself added to the CISA KEV catalog once in-the-wild exploitation was confirmed. "Can wait" is therefore a decision to revisit every day, not a permanent label, which is why EPSS should be read alongside KEV rather than instead of it.

How Nautilus uses EPSS

Nautilus automatically enriches every CVE with the current EPSS score and displays it directly on the VulnCard:

  • Red (above 50%): High exploitation probability. Act immediately.
  • Amber (10% to 50%): Elevated risk. Review promptly.
  • Gray (below 10%): Low probability. Monitor.

Combined with the Technology Watchlist, Nautilus filters thousands of CVEs down to the few that affect your stack AND are likely to be exploited. This reduces daily effort from 30+ minutes to seconds.

Frequently Asked Questions

How often is EPSS updated? EPSS scores are updated daily by FIRST.org. Each update incorporates new exploit intelligence, social media signals, and PoC availability data.

What EPSS score is considered high? An EPSS score above 10% warrants prompt review. Above 50% is urgent and typically indicates active or imminent exploitation. Below 10% means the CVE can be monitored but is less likely to be exploited soon.

Is EPSS free to use? Yes. EPSS is a free, open data source provided by FIRST.org. The scores are available via a public API and can be integrated into any vulnerability management workflow.

Can EPSS replace CVSS? No. EPSS and CVSS answer different questions. CVSS measures the potential severity of a vulnerability. EPSS measures the probability of exploitation. The most effective approach is to use both together for risk-based prioritization.
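The following is an added example, not Nautilus code, showing the workflow the FAQ describes: fetch scores from the public EPSS API, band each CVE with the thresholds used above (red above 50%, amber above 10%, gray otherwise), and rank findings by KEV listing, EPSS and CVSS together instead of by CVSS alone. The JSON shape (a "data" list with cve, epss, percentile and date as strings) is that of the endpoint https://api.first.org/data/v1/epss, which accepts a comma-separated list of CVE IDs. The sample response, percentiles, dates and product names are constructed from the article's comparison table so the script runs offline; they are not live scores.

```python
"""Added example (not Nautilus code): parse an EPSS API response, band each
CVE by exploitation probability, and rank findings by KEV, EPSS and CVSS.
Sample payload below is constructed from the article's table, not live data.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

EPSS_ENDPOINT = "https://api.first.org/data/v1/epss"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Bands from the article: > 50% red, > 10% amber, otherwise gray.
RED_THRESHOLD = 0.50
AMBER_THRESHOLD = 0.10


@dataclass(frozen=True)
class EpssScore:
    probability: float  # P(exploitation activity observed in the next 30 days)
    percentile: float   # rank among all scored CVEs, 0..1
    date: str           # date the score was published for


def epss_query_url(cves: Iterable[str]) -> str:
    """Build the lookup URL. IDs are validated first so untrusted scanner
    output cannot smuggle extra query parameters into the request."""
    ids = list(cves)
    bad = [c for c in ids if not CVE_RE.match(c)]
    if bad:
        raise ValueError(f"not CVE identifiers: {bad}")
    return f"{EPSS_ENDPOINT}?cve={','.join(ids)}"


def parse_epss_response(body: str) -> Dict[str, EpssScore]:
    """Map CVE id -> EpssScore. Numeric fields arrive as strings."""
    doc = json.loads(body)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API error: {doc.get('status')} {doc.get('status-code')}")
    return {row["cve"]: EpssScore(float(row["epss"]), float(row["percentile"]), row["date"])
            for row in doc.get("data", [])}


def epss_band(probability: Optional[float]) -> str:
    """None means FIRST has not scored the CVE yet (common for very new IDs);
    that is 'unknown', and must not be mistaken for 'low'."""
    if probability is None:
        return "unknown"
    if probability > RED_THRESHOLD:
        return "red"
    if probability > AMBER_THRESHOLD:
        return "amber"
    return "gray"


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritize(findings, epss, watchlist, kev=frozenset()):
    """findings: (cve, cvss_base, product). Keep only products on the
    watchlist, then order by KEV listing, EPSS probability, CVSS base score.
    Unscored CVEs sort last within their KEV group but are never dropped."""
    rows = []
    for cve, cvss, product in findings:
        if product not in watchlist:
            continue
        score = epss.get(cve)
        prob = score.probability if score else None
        rows.append({"cve": cve, "product": product, "cvss": cvss,
                     "severity": cvss_severity(cvss), "epss": prob,
                     "band": epss_band(prob), "kev": cve in kev})
    rows.sort(key=lambda r: (r["kev"], -1.0 if r["epss"] is None else r["epss"], r["cvss"]),
              reverse=True)
    return rows


# Constructed to mirror the article's comparison table; percentiles/dates illustrative.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 2, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-21762", "epss": "0.020000000", "percentile": "0.880000000", "date": "2024-02-10"},
        {"cve": "CVE-2024-21887", "epss": "0.970000000", "percentile": "0.998000000", "date": "2024-02-10"},
    ],
})
SAMPLE_FINDINGS = [("CVE-2024-21762", 9.8, "Fortinet FortiOS"),
                   ("CVE-2024-21887", 8.2, "Ivanti Connect Secure")]
WATCHLIST = {"Fortinet FortiOS", "Ivanti Connect Secure"}


def ranked_sample():
    """Run the pipeline on the constructed data (Ivanti ranks first)."""
    return prioritize(SAMPLE_FINDINGS, parse_epss_response(SAMPLE_RESPONSE), WATCHLIST)


if __name__ == "__main__":
    for r in ranked_sample():
        shown = "n/a" if r["epss"] is None else f"{r['epss']:.2f}"
        print(f"{r['cve']}  CVSS {r['cvss']} ({r['severity']})  EPSS {shown} -> {r['band']}")
```

Passing a KEV set to prioritize() puts confirmed-exploited CVEs ahead of everything else regardless of their EPSS value, which is the behaviour the FortiOS example above calls for once a CVE lands in KEV. A finding whose CVE is absent from the API response is banded "unknown" rather than "gray", so a newly published CVE is not silently demoted before FIRST has scored it.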

Conclusion

CVSS and EPSS are not competitors. They answer different questions. CVSS tells you how bad it can be. EPSS tells you how likely it is to happen. Together, they provide the foundation for data-driven patch prioritization.

Relying on CVSS alone means patching the wrong things first. Adding EPSS means patching the right ones.

Related: Learn how the CISA KEV catalog helps you identify CVEs under active attack, read about NIS2 vulnerability management requirements for SMEs, or start with the complete guide to vulnerability management.


Nautilus shows you EPSS scores, PoC status, and KEV flags on every CVE. Start for free.