EPSS Model

EPSS and its Evolution

Dinesh Choudhary
November 18, 2023

Organization are facing challenges in patching vulnerabilities, leading to a higher risk of cyber-attacks. Current vulnerability scoring methods are limited and may not reflect the true probability of exploitation due to vendor-specific, private, or outdated information. This highlights the need for a more accurate and accessible vulnerability ranking system.

The prioritization process for vulnerabilities often involves using the Common Vulnerability Scoring System (CVSS), which calculates severity based on the characteristics and impact on the system. However, NIST only provides the Base metric group of CVSS, which doesn't consider post-disclosure information that can impact the likelihood of attacks. This makes it difficult for vulnerability management professionals to prioritize remediation efforts based on the severity score alone. A more comprehensive approach is needed to accurately assess the likelihood of exploitation.

To determine the likelihood that a software vulnerability will be used in the wild, EPSS takes pleasure in being an open and data-driven initiative, which is a crucial consideration in risk-based vulnerability management. It offers a numerical score from 0 to 1, representing the estimated likelihood of exploitation in the next 30 days. EPSS is governed by FIRST, just like CVSS.

Evolution of EPSS

Model Interpretation

The results from the EPSS model study show how the individual feature contributes to predicting the likelihood of exploitation of any vulnerability. Below are the top 10 variables on which the EPSS model results are dependent in different versions of the EPSS model.





Model Performance

EPSS comparison by Coverage:

Strategy comparisons holding the Coverage constant

With a remediation strategy based exclusively on CVSS v3.1 and a threshold set for scores of 7 or higher, 581 vulnerabilities out of every 1,000 vulnerabilities would be flagged for remediation. Out of those flagged, only 3.9% had observed exploitation activity, and of those exploited, this strategy covered about 82.1% of those.

With a strategy of EPSS v1 (developed in early 2019) and a threshold set for scores at 0.015 or higher, 443 out of every 1,000 vulnerabilities would be flagged for remediation. Out of those flagged, 7.6% had observed exploitation activity which maintains roughly the same amount of coverage at 82.2%.

With a strategy of EPSS v2 and a threshold set for scores of 0.012 or higher, 390 out of every 1,000 vulnerabilities would be flagged for remediation. Out of those flagged, we have a large jump in efficiency up to 8.9% and a comparable 84.7% of coverage was observed.

With a strategy of the newly released EPSS scores(EPSS v3) and a threshold set for scores 0.088 or higher, 73 out of every 1,000 vulnerabilities would be flagged for remediation. Out of those flagged, we have a large jump in efficiency up to 45.5% which maintains roughly the same amount of coverage at 82%.

EPSS comparison by Effort:

In the previous example, we made an effort to keep the same level of coverage while allowing the amount of effort (or our capacity for remediation) to change in line with the efficiency attained. What if, however, we contrasted the various approaches while maintaining the same level of effort (capacity) and merely swapped out the approach we were using to determine which vulnerabilities we ought to flag for remediation?

Strategy comparisons holding the Effort constant

Note how the blue circles are approximately the same size across each of the four strategies (the set of scored CVEs was not the same across each strategy, so the red and blue circles vary slightly). However, the level of efficiency and coverage are not the same. Moving from CVSS v3, EPSS v1, and EPSS v2 to EPSS v3) we are improving both the efficiency of remediation and the coverage of the exploited vulnerabilities.

The performance of EPSS v3 can be summed up in the following plot:

Performance of EPSS v3 as compared to previous versions and CVSS score

Here, by considering the threshold of probabilities 0.36 and above, EPSS v3 would achieve an efficiency of 78.5% and coverage of 67.8%. EPSS v2 can achieve an efficiency rating of 45.5% and coverage of 44.8% while prioritizing vulnerabilities with a threshold probability of 0.16 whereas EPSS v1 achieves an efficiency rating of 43% and coverage of 31.1% while considering vulnerabilities with a probability of 0.2 and above. At the threshold CVSS score of 9.7 and above, CVSS v3.x achieves an efficiency rating of 6.5% and coverage of 32.3% and prioritizes 13.7% of the vulnerabilities.


As the EPSS effort continues to grow, acquire and ingest new data, and improve modeling techniques with each new version, we can see that its performance is improving with every new coming version. When it comes to fixing known security flaws, incorporating the EPSS into a comprehensive, quantitative, and risk-driven vulnerability management program can significantly lighten the load on companies. With EPSS v3, we can only target vulnerabilities with a probability of 0.36 and higher which gives an efficiency of 78.5% and coverage of 67.8%. Hence, with fewer efforts organizations can target more vulnerabilities that have a high likelihood of exploitation.

At SecOps Solution, we have incorporated this EPSS scoring system which will give security teams and business leaders the information they desperately need to make smart risk-based decisions. We developed an EPSS calculator which is a tool that allows users to search for any vulnerability where users can quickly assess the exploit probability of any vulnerability along with their severity, impact, exploit activities, and potential remediation steps on a single platform. This can be a valuable tool for IT and cybersecurity professionals who need to stay informed about any latest vulnerabilities.

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.

To schedule a demo, just pick a slot that is most convenient for you.

Related Blogs