Understanding EPSS
EPSS (Exploit Prediction Scoring System) is a daily probability score maintained by FIRST.org. It answers one question: "What is the probability that this CVE will be exploited in the wild in the next 30 days?"
Unlike CVSS, which measures how severe a vulnerability is, EPSS measures how likely it is that someone will actually exploit it. This distinction is critical for ICS operators who cannot patch everything and must prioritize.
The Score
EPSS produces two values for each CVE:
Score (0.0 to 1.0): The raw probability of exploitation in the next 30 days. A score of 0.15 means a 15% probability. A score of 0.95 means a 95% probability.
Percentile (0.0 to 1.0): Where this CVE ranks compared to all CVEs in the corpus. A percentile of 0.95 means this CVE is in the top 5% of exploitation likelihood across all known CVEs.
Interpreting EPSS
| Percentile | Meaning | Action Guidance |
|---|---|---|
| 0.95+ | Top 5% -- extremely high exploitation probability | Treat as urgent. This CVE is very likely being targeted. |
| 0.90+ | Top 10% -- very high | Prioritize in your current patch cycle. |
| 0.75+ | Top 25% -- elevated | Address proactively. Do not wait for a KEV flag. |
| 0.50+ | Above median | Include in routine patching plans. |
| Below 0.50 | Below median -- lower probability | Monitor. Address opportunistically. |
EPSS is a relative ranking, not an absolute guarantee. A CVE with 0.02 EPSS can still be exploited -- the model predicts it is less likely, not that it is impossible.
Why EPSS Matters for ICS
Most ICS environments operate under constraints that IT environments do not:
- Patching requires maintenance windows and sometimes process shutdowns.
- Some devices cannot be patched at all (legacy PLCs, end-of-life firmware).
- The cost of applying a patch (downtime, testing, vendor coordination) is high.
- You cannot patch everything immediately, so you must prioritize.
EPSS provides the intelligence to make that prioritization decision. It tells you which CVEs are most likely to be exploited in the next 30 days, so you can focus your limited maintenance windows on the vulnerabilities most likely to be used against you.
Example: Your environment has two unpatched CVEs:
- CVE-A: CVSS 9.8, EPSS 0.02 (2nd percentile). Extremely severe but no one is exploiting it.
- CVE-B: CVSS 6.5, EPSS 0.95 (95th percentile). Moderate severity but actively being targeted.
For an ICS operator with one maintenance window this month, CVE-B is the higher real-world priority. Attackers are targeting it now. CVE-A is severe but theoretical.
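The interpretation table and the CVE-A / CVE-B comparison above, worked through in code. This is an added example, not part of the original page or of BreachSpider; it assumes the JSON shape returned by the FIRST EPSS API (https://api.first.org/data/v1/epss), which reports `epss` and `percentile` as strings, and embeds a constructed response using the page's placeholder IDs rather than real CVE numbers.

```python
import json

# Constructed sample in the shape of a FIRST EPSS API response. The two records mirror the
# CVE-A / CVE-B example; the IDs are the page's placeholders, not real CVE numbers. CVSS is
# supplied separately because the EPSS feed does not carry severity.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-A", "epss": "0.020000000", "percentile": "0.020000000", "date": "2024-01-01"},
        {"cve": "CVE-B", "epss": "0.950000000", "percentile": "0.950000000", "date": "2024-01-01"},
    ],
})
CVSS = {"CVE-A": 9.8, "CVE-B": 6.5}  # constructed, matches the example above

# Percentile thresholds from the interpretation table, highest first.
INTERPRETATION = [
    (0.95, "urgent"),
    (0.90, "very high"),
    (0.75, "elevated"),
    (0.50, "above median"),
]


def interpret(percentile: float) -> str:
    """Map an EPSS percentile to the label used in the interpretation table."""
    for threshold, label in INTERPRETATION:
        if percentile >= threshold:
            return label
    return "below median"


def parse_epss(response_text: str) -> dict:
    """Parse an EPSS API-style JSON document into {cve: (score, percentile)}.

    The API serialises the numbers as strings, so convert them explicitly;
    comparing the raw strings against a float threshold would silently fail."""
    payload = json.loads(response_text)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in payload["data"]}


def prioritize(epss: dict, cvss: dict) -> list:
    """Order findings by EPSS percentile (descending); CVSS only breaks ties.

    Returns a list of (cve, epss_score, percentile, cvss, label)."""
    rows = [(cve, score, pct, cvss.get(cve, 0.0), interpret(pct)) for cve, (score, pct) in epss.items()]
    rows.sort(key=lambda r: (r[2], r[3]), reverse=True)
    return rows


if __name__ == "__main__":
    for cve, score, pct, sev, label in prioritize(parse_epss(SAMPLE_EPSS_RESPONSE), CVSS):
        print(f"{cve}: EPSS {score:.2f} (p{pct * 100:.0f}), CVSS {sev} -> {label}")
```

Run as written it lists CVE-B (urgent) ahead of CVE-A (below median), which is the ordering the example argues for despite CVE-A's higher CVSS.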
EPSS Updates
EPSS scores are recalculated daily by FIRST.org. A score can change significantly overnight when:
- A new proof-of-concept exploit is published.
- Exploit code appears in attack frameworks.
- Exploitation is observed in honeypot networks.
- The vulnerability is referenced in threat intelligence reports.
BreachSpider reflects EPSS updates within 24 hours of publication. When an EPSS score spikes for a CVE that matches your assets, the BCS score also updates, and the finding may move up your Strike List.
EPSS vs KEV
EPSS and KEV are complementary signals, not the same thing:
| | EPSS | KEV |
|---|---|---|
| What it tells you | Predicted probability of future exploitation | Confirmed past exploitation |
| Source | FIRST.org machine learning model | KEV manual curation |
| Update frequency | Daily | As confirmed |
| Coverage | All CVEs | Only confirmed exploited CVEs (~1,613) |
| Use case | Predicting what will be targeted next | Knowing what is already being targeted |
A CVE can have high EPSS and not be in KEV (the model predicts exploitation but it is not yet confirmed in KEV). A CVE can be in KEV with moderate EPSS (exploitation was confirmed but the model does not predict high ongoing activity).
Both signals feed into BCS. When either EPSS spikes or KEV is flagged, the BCS score adjusts accordingly.
Using EPSS in BreachSpider
In CVE search: Filter by EPSS minimum to show only CVEs above a certain exploitation probability threshold. Set EPSS minimum to 0.75 to focus on the top quartile.
On the CVE detail page: The EPSS score and percentile are displayed in the scoring block with an interpretation label.
On the Strike List: EPSS contributes to BCS, which determines Strike List ordering. High-EPSS findings appear near the top.
In alerts: Configure alert rules to fire when a CVE in your environment exceeds an EPSS threshold (e.g., alert when any matching CVE crosses the 90th percentile).