No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measure of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measure, focused on the probability of actual exploitation.
Together, these two scores allow for a more refined risk assessment, both theoretically and operationally. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities with both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with these two indicators.
EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE identifier) a probability of being exploited within 30 days of its observation.
The goal of EPSS is to complement other scoring systems (like CVSS) by adding a dynamic and contextual layer based on real-world exploitation data observed in the wild. This allows organizations to better prioritize their remediation efforts based on the actual risk of exploitation.