Answers to your questions

Quickly find answers to your questions about cybersecurity, CVE Find, standards, vulnerabilities and Bexxo services in our comprehensive FAQ.

FAQ: Information/EPSS

Can the EPSS score be used as a priority for patch management?

Yes, more and more organizations are using EPSS as a primary criterion for deciding which vulnerabilities to patch first, especially when faced with a large volume of vulnerabilities to address. Patching all CVEs with a high CVSS score can be costly and inefficient, especially if some are never exploited. EPSS therefore makes it possible to focus resources on the vulnerabilities that are actually likely to be exploited.

Some security policies now incorporate action thresholds based on EPSS, for example: “patch any vulnerability with an EPSS score > 0.7 within 48 hours”. This pragmatic approach accelerates remediation where it is most useful, while limiting unjustified interruptions.

Does EPSS replace CVSS?

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measure of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measure, focused on the probability of actual exploitation.

Together, these two scores allow for a more refined risk assessment, both theoretically and operationally. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities with both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with these two indicators.
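As an added illustration (not Bexxo or CVE Find code) of the two policies quoted above, the following Python snippet triages a constructed set of findings using the FAQ's own thresholds: EPSS > 0.7 gets the 48-hour SLA, and CVSS ≥ 7 combined with EPSS ≥ 0.5 is scheduled for planned remediation. The tier names, the 30-day window for the planned tier and the CVE-EXAMPLE identifiers are assumptions.

```python
"""Apply EPSS/CVSS remediation rules to a constructed vulnerability list."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str      # placeholder identifiers below; not real CVE numbers
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability of exploitation, 0.0-1.0


# Thresholds taken from the FAQ text.
EPSS_URGENT = 0.7   # "patch any vulnerability with an EPSS score > 0.7 within 48 hours"
CVSS_HYBRID = 7.0   # hybrid rule: CVSS >= 7 and EPSS >= 0.5
EPSS_HYBRID = 0.5


def triage(f: Finding) -> Tuple[str, Optional[int]]:
    """Return (tier, SLA in hours). The 48h SLA comes from the FAQ;
    the tier names and the 30-day planned window are assumptions."""
    if f.epss > EPSS_URGENT:
        return ("urgent", 48)
    if f.cvss >= CVSS_HYBRID and f.epss >= EPSS_HYBRID:
        return ("planned", 30 * 24)
    return ("backlog", None)   # tracked, but no SLA under these two rules


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order by likelihood of exploitation first, then by severity."""
    return sorted(findings, key=lambda f: (-f.epss, -f.cvss))


def report(findings: List[Finding]) -> List[Tuple[str, str, Optional[int]]]:
    """Prioritized list of (cve, tier, sla_hours) rows."""
    return [(f.cve, *triage(f)) for f in prioritize(findings)]


# Constructed sample data: values chosen to show each rule firing.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", cvss=9.8, epss=0.02),  # critical CVSS, rarely exploited
    Finding("CVE-EXAMPLE-0002", cvss=6.5, epss=0.91),  # medium CVSS, actively exploited
    Finding("CVE-EXAMPLE-0003", cvss=7.5, epss=0.55),  # meets both hybrid thresholds
    Finding("CVE-EXAMPLE-0004", cvss=4.3, epss=0.10),  # low on both scales
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Note that the CVSS 9.8 finding lands in the backlog while the CVSS 6.5 one is urgent, which is exactly the reordering the FAQ describes.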

What does EPSS stand for?

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE identifier) a probability of being exploited within 30 days of its observation.

The goal of EPSS is to complement other scoring systems (like CVSS) by adding a dynamic and contextual layer based on real-world exploitation data observed in the wild. This allows organizations to better prioritize their remediation efforts based on the actual risk of exploitation.