Exploit Prediction Scoring System
The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability that a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days. EPSS is complementary to the Common Vulnerability Scoring System (CVSS), which rates the severity of a vulnerability rather than the likelihood that it will be exploited. Combining EPSS with CVSS aligns remediation priorities with actual threat activity.
Characteristics
Each vulnerability is assigned a probability between 0 and 1 that expresses the estimated chance of it being exploited in the real world within the next 30 days.
History
The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019. In April 2020 FIRST started a special interest group to develop the standard.
Versions
- 7 January 2021 – Public publication of daily EPSS scores began (model v1).
- 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.
- 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.
- 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.
Adoption
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage. Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching. Academic research uses EPSS to model exploit trends and evaluate defenses.
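The triage idea running through this article, an EPSS probability combined with a CVSS severity score and KEV catalog membership, is worked through below as an added example; it is not code from FIRST, CISA or any of the named vendors. The CSV layout (a `#` comment line followed by `cve,epss,percentile` columns), the placeholder CVE identifiers, the inventory and the tier thresholds are all constructed assumptions for illustration and are not published values.

```python
"""Added example: join EPSS scores, CVSS base scores and a KEV-style flag
into remediation tiers. Assumed formats and thresholds, not FIRST's or CISA's."""
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed EPSS-style feed. The column layout and comment line are an
# assumption about the feed format; the CVE ids are placeholders, not real entries.
EPSS_CSV = """#model_version:vEXAMPLE,score_date:2025-01-01
cve,epss,percentile
CVE-EXAMPLE-0001,0.93412,0.99871
CVE-EXAMPLE-0002,0.00132,0.34120
CVE-EXAMPLE-0003,0.12055,0.95030
CVE-EXAMPLE-0004,0.00041,0.08770
"""

# Constructed asset inventory: CVSS base score plus whether the CVE appears
# in a KEV-style known-exploited catalog. CVE-EXAMPLE-0005 has no EPSS row yet.
INVENTORY = {
    "CVE-EXAMPLE-0001": {"cvss": 9.8, "in_kev": True},
    "CVE-EXAMPLE-0002": {"cvss": 9.1, "in_kev": False},
    "CVE-EXAMPLE-0003": {"cvss": 6.5, "in_kev": False},
    "CVE-EXAMPLE-0004": {"cvss": 4.3, "in_kev": False},
    "CVE-EXAMPLE-0005": {"cvss": 7.5, "in_kev": False},
}

# Assumed policy thresholds; an organisation would tune these to its own risk appetite.
EPSS_HIGH = 0.10   # 10 % chance of exploitation in the next 30 days
CVSS_HIGH = 7.0    # CVSS "High" band starts at 7.0

# Lower rank sorts first. KEV membership is confirmed exploitation, so it outranks any prediction.
TIER_RANK = {
    "P1-known-exploited": 0,
    "P1-likely-exploited": 1,
    "P2-likely-low-impact": 2,
    "P3-severe-unlikely": 3,
    "P3-unscored-review": 4,
    "P4-monitor": 5,
}


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: Optional[float]
    percentile: Optional[float]
    in_kev: bool
    tier: str


def parse_epss_csv(text: str) -> Dict[str, Tuple[float, float]]:
    """Parse the feed into {cve: (probability, percentile)}, rejecting malformed probabilities."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    scores: Dict[str, Tuple[float, float]] = {}
    for row in csv.DictReader(rows):
        prob = float(row["epss"])
        if not 0.0 <= prob <= 1.0:
            raise ValueError(f"{row['cve']}: EPSS probability {prob} outside [0, 1]")
        scores[row["cve"]] = (prob, float(row["percentile"]))
    return scores


def assign_tier(cvss: float, epss: Optional[float], in_kev: bool) -> str:
    """Combine confirmed exploitation, predicted exploitation and severity into one tier."""
    if in_kev:
        return "P1-known-exploited"
    if epss is None:
        # No prediction available: route to a human rather than silently deprioritising.
        return "P3-unscored-review"
    if epss >= EPSS_HIGH and cvss >= CVSS_HIGH:
        return "P1-likely-exploited"
    if epss >= EPSS_HIGH:
        return "P2-likely-low-impact"
    if cvss >= CVSS_HIGH:
        return "P3-severe-unlikely"
    return "P4-monitor"


def triage(inventory: Dict[str, dict], scores: Dict[str, Tuple[float, float]]) -> List[Finding]:
    """Return the inventory ordered by tier, then by EPSS probability (highest first)."""
    findings = []
    for cve, meta in inventory.items():
        epss, pct = scores.get(cve, (None, None))
        tier = assign_tier(meta["cvss"], epss, meta["in_kev"])
        findings.append(Finding(cve, meta["cvss"], epss, pct, meta["in_kev"], tier))
    return sorted(findings, key=lambda f: (TIER_RANK[f.tier], -(f.epss or 0.0)))


if __name__ == "__main__":
    for f in triage(INVENTORY, parse_epss_csv(EPSS_CSV)):
        epss_str = f"{f.epss:.3f}" if f.epss is not None else "  n/a"
        print(f"{f.tier:<22} {f.cve:<18} CVSS={f.cvss:<4} EPSS={epss_str} KEV={f.in_kev}")
```

The ordering is the point: the CVSS 9.1 finding with a 0.1 % exploitation probability lands below the CVSS 6.5 finding with a 12 % probability, which is the reordering that CVSS alone cannot produce. The unscored entry is deliberately sent to manual review rather than dropped to the bottom, since a missing EPSS row usually means the CVE is too new for the model, not that it is safe.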