EPSS (Exploit Prediction Scoring System)
A probability model estimating the likelihood of a CVE being exploited within 30 days. ORDR incorporates EPSS alongside CVSS and KEV to help teams focus on the vulnerabilities most likely to be weaponized.
What is EPSS (Exploit Prediction Scoring System)?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven framework that estimates the probability that a given CVE will be exploited in the wild within the next 30 days. It was developed by FIRST (Forum of Incident Response and Security Teams) as a complementary signal to CVSS — which measures theoretical severity but says nothing about actual exploitation likelihood.
EPSS scores range from 0 to 1 (0% to 100% probability). Most CVEs have EPSS scores below 0.1 (less than 10% probability). A small number have scores above 0.5, indicating high exploitation probability. Critically, EPSS and CVSS are poorly correlated: many high-CVSS vulnerabilities are almost never exploited, while some medium-CVSS vulnerabilities are heavily targeted. Organizations that prioritize by CVSS alone are systematically over-investing remediation effort on low-exploitation-risk vulnerabilities.
Research published with the EPSS model found that combining EPSS with CVSS scores enables organizations to remediate the vast majority of actually exploited vulnerabilities while working through only 3–5% of the total CVE backlog. This is a dramatic efficiency improvement over CVSS-only prioritization, which requires remediating 60–70% of the backlog to achieve the same coverage.
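The following is an added worked example, not ORDR's code or FIRST's, of the prioritization idea described above: ranking a backlog by KEV status, then EPSS, then CVSS, and measuring how much of the backlog a policy remediates against how many of the actually exploited CVEs it catches. The backlog, the scores and the "exploited" ground-truth labels are constructed for illustration; the CSV layout that parse_epss_csv expects (a '#'-prefixed metadata line, then cve,epss,percentile rows) is an assumption about FIRST's daily export, and the 0.1 EPSS and 7.0 CVSS thresholds are illustrative policy choices, not values from the page.

```python
"""Combine EPSS, CVSS and CISA KEV status to prioritise a CVE backlog.

Added example; not ORDR's code or FIRST's. The backlog, scores and the
'exploited' ground-truth labels are constructed for illustration, and the
CSV layout assumed by parse_epss_csv (a '#'-prefixed metadata line followed
by cve,epss,percentile rows) is an assumption about FIRST's daily export.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed excerpt in the assumed EPSS daily-CSV layout (not real scores).
SAMPLE_EPSS_CSV = """#model_version:vEXAMPLE,score_date:2000-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0003,0.72000,0.97500
CVE-0000-0004,0.95000,0.99800
CVE-0000-0001,0.02000,0.85000
"""


def parse_epss_csv(text: str) -> Dict[str, Tuple[float, float]]:
    """Map CVE id -> (EPSS probability, percentile), skipping metadata and header lines."""
    scores: Dict[str, Tuple[float, float]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or line.startswith("cve,"):
            continue
        cve, epss, percentile = line.split(",")
        scores[cve] = (float(epss), float(percentile))
    return scores


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float       # CVSS base score, 0.0-10.0
    epss: float       # EPSS probability of exploitation within 30 days, 0.0-1.0
    kev: bool         # listed in CISA KEV
    exploited: bool   # constructed ground truth, used only to measure coverage


# Constructed backlog: high CVSS does not imply high EPSS, and vice versa.
BACKLOG: List[Finding] = [
    Finding("CVE-0000-0001", 9.8, 0.020, False, False),  # critical CVSS, rarely exploited
    Finding("CVE-0000-0002", 9.1, 0.010, False, False),
    Finding("CVE-0000-0003", 6.5, 0.720, False, True),   # medium CVSS, heavily exploited
    Finding("CVE-0000-0004", 7.5, 0.950, True, True),    # on KEV
    Finding("CVE-0000-0005", 5.3, 0.040, False, False),
    Finding("CVE-0000-0006", 8.8, 0.350, False, True),
    Finding("CVE-0000-0007", 4.3, 0.003, False, False),
    Finding("CVE-0000-0008", 7.2, 0.080, False, False),
    Finding("CVE-0000-0009", 9.0, 0.005, False, False),
    Finding("CVE-0000-0010", 6.1, 0.510, False, True),
]


def priority_tier(f: Finding, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> int:
    """0 = on KEV, 1 = EPSS at/above threshold, 2 = high CVSS with no exploitation signal, 3 = defer."""
    if f.kev:
        return 0
    if f.epss >= epss_threshold:
        return 1
    if f.cvss >= cvss_threshold:
        return 2
    return 3


def prioritise(backlog: List[Finding], epss_threshold: float = 0.1,
               cvss_threshold: float = 7.0) -> List[str]:
    """Remediation order: by tier, then EPSS descending, then CVSS descending."""
    ranked = sorted(
        backlog,
        key=lambda f: (priority_tier(f, epss_threshold, cvss_threshold), -f.epss, -f.cvss),
    )
    return [f.cve for f in ranked]


def workload_and_coverage(backlog: List[Finding],
                          selector: Callable[[Finding], bool]) -> Tuple[float, float]:
    """Fraction of the backlog a policy remediates, and fraction of exploited CVEs it catches."""
    selected = [f for f in backlog if selector(f)]
    exploited = [f for f in backlog if f.exploited]
    caught = [f for f in selected if f.exploited]
    return len(selected) / len(backlog), len(caught) / len(exploited)


def cvss_only(f: Finding, cvss_threshold: float = 7.0) -> bool:
    """CVSS-only policy: remediate everything at or above the CVSS threshold."""
    return f.cvss >= cvss_threshold


def epss_or_kev(f: Finding, epss_threshold: float = 0.1) -> bool:
    """Exploitation-signal policy: remediate KEV entries and anything with EPSS at/above threshold."""
    return f.kev or f.epss >= epss_threshold


if __name__ == "__main__":
    print("EPSS lookup:", parse_epss_csv(SAMPLE_EPSS_CSV)["CVE-0000-0003"])
    print("Remediation order:", prioritise(BACKLOG))
    for name, policy in (("CVSS >= 7.0", cvss_only), ("KEV or EPSS >= 0.1", epss_or_kev)):
        work, cov = workload_and_coverage(BACKLOG, policy)
        print(f"{name}: workload {work:.0%}, exploited coverage {cov:.0%}")
```

On this constructed backlog the CVSS-only policy touches 60% of the findings but catches only half of the exploited ones, while the KEV-or-EPSS policy touches 40% and catches all of them; the real-world percentages quoted on this page come from the EPSS research, not from this sample. Percentile, not just the raw probability, is worth keeping in the record: a raw EPSS of 0.05 is low in absolute terms but can still sit well above the median CVE.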
Key Facts
- EPSS is maintained by FIRST and updated daily based on threat intelligence from multiple sources
- Only 0.4% of all CVEs are actually exploited in the wild — EPSS identifies which ones
- EPSS + CVSS filtering reduces remediation workload by 87% versus CVSS-only approaches while maintaining 87% exploit coverage
- CISA recommends EPSS as a supplementary prioritization signal alongside KEV status
How ORDR Addresses EPSS (Exploit Prediction Scoring System)
ORDR incorporates EPSS scores into every asset risk score, weighting vulnerabilities by their real-world exploitation probability alongside CVSS severity, CISA KEV status, device criticality, and network exposure. This multi-signal approach ensures that security teams focus remediation effort on the vulnerabilities most likely to be exploited, not just the most theoretically severe.