EPSS Explained
EPSS (Exploit Prediction Scoring System) is a daily probability score estimating the likelihood a CVE will be exploited in the next 30 days. Maintained by FIRST.org.
Score vs Percentile
Both values appear in BreachSpider responses:
- `epss_score`: Raw probability, 0.0 to 1.0
- `epss_percentile`: Rank relative to all CVEs in the EPSS dataset, 0.0 to 1.0
A score of 0.60 with percentile 0.98 means:
- 60% predicted probability of exploitation in 30 days
- In the top 2% of all CVEs by exploitation likelihood
The percentile is often more actionable than the raw score because EPSS scores are heavily skewed toward zero. Most CVEs have scores below 0.01, so a score of 0.10 that sits at the 90th percentile is high risk even though the raw probability looks small.
Interpretation Guide
| Percentile | Interpretation | Action |
|---|---|---|
| >= 0.95 | Top 5% | Treat as actively exploited |
| 0.90 - 0.95 | Top 10% | Prioritize for immediate patching |
| 0.75 - 0.90 | Top 25% | Patch within current sprint |
| 0.50 - 0.75 | Above median | Track and patch at maintenance |
| < 0.50 | Below median | Routine patch cycle |
EPSS in Triage
BreachSpider's fix_first dashboard list ranks unpatched CVEs by EPSS score (primary sort), then KEV status, then CVSS. This surfaces the CVEs most likely to be actively exploited against your assets.
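The following is an added example, not BreachSpider's own code: it encodes the percentile bands from the Interpretation Guide table above and reproduces the fix_first ordering (EPSS score, then KEV status, then CVSS) over a constructed set of records. The `epss_score` and `epss_percentile` field names are the ones BreachSpider responses use; the `cve`, `kev` and `cvss` field names and every record value are assumptions made for this example.

```python
# Interpretation bands from the table above as (lower bound on percentile, label, action).
# Ordered from highest to lowest so the first matching band wins.
PERCENTILE_BANDS = [
    (0.95, "Top 5%", "Treat as actively exploited"),
    (0.90, "Top 10%", "Prioritize for immediate patching"),
    (0.75, "Top 25%", "Patch within current sprint"),
    (0.50, "Above median", "Track and patch at maintenance"),
    (0.0, "Below median", "Routine patch cycle"),
]


def interpret_percentile(epss_percentile: float) -> tuple[str, str]:
    """Map an epss_percentile (0.0 to 1.0) to the (interpretation, action) pair from the table."""
    if not 0.0 <= epss_percentile <= 1.0:
        raise ValueError(f"epss_percentile out of range: {epss_percentile}")
    for lower, label, action in PERCENTILE_BANDS:
        if epss_percentile >= lower:
            return label, action
    raise AssertionError("unreachable: the 0.0 band matches every valid percentile")


def fix_first_order(cves: list[dict]) -> list[dict]:
    """Rank unpatched CVEs as the page describes the fix_first list:
    EPSS score descending, then KEV-listed entries before unlisted ones, then CVSS descending.
    The 'kev' (bool) and 'cvss' (float) field names are assumptions for this example.
    """
    return sorted(cves, key=lambda c: (-c["epss_score"], not c["kev"], -c["cvss"]))


def triage_report(cves: list[dict]) -> list[tuple[str, str, str]]:
    """Combine the ordering with the percentile interpretation: (cve, interpretation, action)."""
    return [(c["cve"], *interpret_percentile(c["epss_percentile"])) for c in fix_first_order(cves)]


# Constructed sample records for demonstration; the identifiers are placeholders, not real CVEs,
# and the scores are invented. CVE-EXAMPLE-3 and -4 share an EPSS score so the KEV tie-break shows.
SAMPLE_CVES = [
    {"cve": "CVE-EXAMPLE-1", "epss_score": 0.60, "epss_percentile": 0.98, "kev": False, "cvss": 7.5},
    {"cve": "CVE-EXAMPLE-2", "epss_score": 0.004, "epss_percentile": 0.62, "kev": True, "cvss": 9.8},
    {"cve": "CVE-EXAMPLE-3", "epss_score": 0.10, "epss_percentile": 0.90, "kev": False, "cvss": 5.3},
    {"cve": "CVE-EXAMPLE-4", "epss_score": 0.10, "epss_percentile": 0.90, "kev": True, "cvss": 6.1},
    {"cve": "CVE-EXAMPLE-5", "epss_score": 0.0005, "epss_percentile": 0.12, "kev": False, "cvss": 9.1},
]

if __name__ == "__main__":
    for cve, label, action in triage_report(SAMPLE_CVES):
        print(f"{cve:14} {label:13} {action}")
```

Two things worth noticing in the output: CVE-EXAMPLE-5 has the second-highest CVSS in the set yet lands last, because EPSS, not CVSS, drives the primary sort; and CVE-EXAMPLE-3, with a raw score of only 0.10, is reported as "Top 10%", which is the skew toward zero described above in practice.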
Data Freshness
EPSS scores are updated daily by FIRST.org. BreachSpider refreshes EPSS data every 24 hours. The temporal.enriched_at field reflects the last enrichment timestamp for each CVE.
EPSS vs KEV
EPSS predicts future exploitation probability. KEV confirms past exploitation. A high EPSS score that has not yet reached KEV is an early warning signal. A KEV entry with low EPSS means exploitation was observed but may not continue.
Both signals together give the most complete picture. BCS combines them.