Infosecurity Europe
3-5 June 2025
ExCeL London

How Organisations Can Benefit from Integrating EPSS v4

Cyber threat actors increasingly exploit vulnerabilities as part of their intrusion tactics. This requires organisations to continuously assess and reinforce their security posture through proactive vulnerability management, rapid patching and enhanced threat detection measures.

This is where the Exploit Prediction Scoring System (EPSS) comes into play.

EPSS offers a data-driven approach to predict which vulnerabilities are most likely to be exploited.

The Forum of Incident Response and Security Teams (FIRST), which oversees the EPSS taskforce, launched EPSS version 4, the system’s latest update, on March 17, 2025.

EPSS: An Exploit Risk Likelihood Scoring System

The initial versions of EPSS emerged in 2018 as security practitioners sought ways to prioritise vulnerabilities based not just on technical severity, as the Common Vulnerability Scoring System (CVSS) does, but also on their likelihood of being exploited in real-world attacks.

The goal was to help organisations make more informed decisions about where to invest remediation efforts, given their limited resources.

To estimate the probability that a vulnerability will be exploited actively in the wild, the EPSS framework takes into account a wide range of factors, including:

  1. Vulnerability characteristics, such as those captured by the US government-led Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) programmes (e.g. age of vulnerability, weaknesses leading to the vulnerability, CVSS metrics) or those from Google Project Zero and the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog
  2. Historical trends and patterns in exploit development and use
  3. Threat intelligence feeds, including emerging data from dark web monitoring and other sources


These data points are standardised and fed into predictive algorithms that have been trained to recognise complex patterns and correlations.

The machine learning component plays a central role in EPSS as it processes diverse inputs to estimate the likelihood that a given vulnerability will be actively exploited.

The output is a risk score that quantifies the probability of exploitation in the next 30 days, complementing conventional severity scores like CVSS.

According to researchers at data-driven cybersecurity firm Empirical, a vulnerability remediation strategy based on EPSS v4 is more efficient than one relying solely on CVSS scores, reducing remediation effort by over eight times while covering a similar number of exploited vulnerabilities.

Changes Introduced by EPSS v4

EPSS v4 has introduced several advancements to the framework, according to many experts, including Chris Hughes, Co-Founder of Aquia and author of the Resilient Cyber newsletter, as well as specialists at Empirical.

These improvements include:

  • Improved data ingestion, processing and monitoring
  • Exploitation activity now includes malware activity and endpoint detections
  • EPSS is collecting exploitation activity for 12,000 vulnerabilities a month
  • Added ability to add data from RSS/web mentions
  • Using cve.org CNA/ADP information as backup to NVD enrichment (CPE/CVSS)
  • Added vulnerabilities scanned by cybersecurity search engine Shodan and HackerOne Hacktivity Reports
  • Common weaknesses (CWEs) now converted to top 22 categories with CWE category 1400
  • Removed a handful of sources that stopped updating
  • CVEs marked as ‘Rejected’ will no longer be scored

Advantages of Integrating EPSS Into Vulnerability Programmes

Organisations can leverage EPSS v4 in several practical ways to enhance their cyber risk management and vulnerability remediation strategies:

  • Vulnerability prioritisation and patch management: Integrating EPSS scores into internal dashboards or vulnerability management platforms enables teams to make more informed, evidence-based decisions when assessing the severity, exploitability and business impact of vulnerabilities. The scores can then be used further down the line to prioritise patching and mitigation efforts
  • API integration: Organisations can directly integrate EPSS v4 scores via APIs with their existing vulnerability scanners, SIEMs, or orchestration tools
  • Cyber threat intelligence: By routinely consulting EPSS v4 scores, organisations can monitor shifts in the threat landscape and adjust their defences accordingly
  • Compliance: EPSS scores provide a quantifiable measure of risk that can be used to supplement traditional compliance reports. Reporting on exploitation probabilities can help in demonstrating to regulators and stakeholders that vulnerabilities are being managed in a risk-based, proactive manner
  • Getting the board’s buy-in: Executives and risk managers can use aggregated EPSS data to better understand overall security posture and to justify investments in additional defences or remediation efforts
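
The prioritisation and API integration points above can be combined in a small triage routine. The following is an added example, not code from FIRST or from the article: the response layout follows the public FIRST EPSS API, while the CVE IDs, scores, findings and both thresholds are constructed assumptions.

```python
import json

# Constructed sample shaped like a FIRST EPSS API response; the CVE IDs
# and scores are placeholders, not real data.
EPSS_RESPONSE = json.loads("""
{"status": "OK", "total": 3, "data": [
  {"cve": "CVE-0000-0001", "epss": "0.912340000", "percentile": "0.995000000", "date": "2025-03-17"},
  {"cve": "CVE-0000-0002", "epss": "0.000430000", "percentile": "0.120000000", "date": "2025-03-17"},
  {"cve": "CVE-0000-0003", "epss": "0.153000000", "percentile": "0.945000000", "date": "2025-03-17"}
]}
""")

# Constructed scanner findings: (asset, CVE ID or None, CVSS base score, on KEV list).
FINDINGS = [
    ("web-01", "CVE-0000-0001", 7.5, True),
    ("web-01", "CVE-0000-0002", 9.8, False),
    ("db-02", "CVE-0000-0003", 6.5, False),
    ("db-02", "CVE-0000-0004", 8.1, False),   # no EPSS row, e.g. a Rejected CVE
    ("app-03", None, 9.0, False),             # finding with no CVE ID assigned yet
]

def epss_index(response):
    """Map CVE ID -> probability; the API returns scores as strings."""
    return {row["cve"]: float(row["epss"]) for row in response["data"]}

def prioritise(findings, scores, epss_threshold=0.1, cvss_fallback=7.0):
    """Split findings into queues; both thresholds are illustrative assumptions."""
    urgent, scheduled, review = [], [], []
    for asset, cve, cvss, in_kev in findings:
        epss = scores.get(cve)
        item = (asset, cve, cvss, epss)
        if in_kev or (epss is not None and epss >= epss_threshold):
            urgent.append(item)
        elif epss is None:
            # EPSS has no score: fall back to severity, never treat as 0.
            (review if cvss >= cvss_fallback else scheduled).append(item)
        else:
            scheduled.append(item)
    urgent.sort(key=lambda i: (i[3] or 0.0, i[2]), reverse=True)
    return urgent, scheduled, review

def cvss_only(findings, threshold=7.0):
    """Baseline for comparison: everything High/Critical by CVSS alone."""
    return [f for f in findings if f[2] >= threshold]

if __name__ == "__main__":
    urgent, scheduled, review = prioritise(FINDINGS, epss_index(EPSS_RESPONSE))
    print("patch now:", urgent, "\nmanual review:", review)
    print("CVSS>=7 baseline size:", len(cvss_only(FINDINGS)))
```

Findings that EPSS cannot score are routed to manual review rather than silently ranked last, which keeps unscored and CVE-less items visible in the queue.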

Conclusion

EPSS represents a significant advancement in vulnerability prioritisation by leveraging machine learning and diverse threat intelligence to predict real-world exploitation risks. With the enhanced capabilities of EPSS v4, organisations can make smarter, data-driven decisions to focus their remediation efforts, monitor emerging threats, and ultimately strengthen their cybersecurity posture. 

However, EPSS should not be seen as a panacea or a silver bullet. Several experts, including some from Carnegie Mellon University’s Software Engineering Institute, have highlighted that the EPSS model also has some shortcomings, including its lack of transparency, which makes it difficult to understand how decisions are made or how the model is updated.

Additionally, the model relies on pre-existing CVE IDs and associated data, which limits its usefulness for incident response teams, software suppliers and handling zero-day vulnerabilities, as these scenarios often involve vulnerabilities that lack CVE IDs or established metrics.

Therefore, EPSS should be used alongside other metrics and measurement tools to ensure a comprehensive, layered security strategy.

