EPSS (Exploit Prediction Scoring System) is a probabilistic model that estimates how likely a published vulnerability (a CVE) is to be exploited in the wild within the next 30 days. It is maintained by the EPSS Special Interest Group at FIRST. The output is a probability between 0 and 1 describing likelihood of exploitation; it is not a severity rating.
The model and its inputs
EPSS is trained on observed exploitation activity (telemetry from honeypots, intrusion detection sensors and similar sources) together with per-CVE attributes such as the affected vendor and product, the weakness category and the time since publication, plus contextual signals such as public proof-of-concept or exploit-framework availability and evidence of active exploitation. For each CVE the model publishes two numbers, recomputed daily: the EPSS score (the probability) and a percentile that ranks the CVE against every other scored CVE. EPSS v4 (released March 17, 2025) includes updated feature sets and training data documented on the FIRST project page.
Operational use
Security teams use EPSS alongside technical severity measures to prioritize remediation. The two answer different questions: EPSS estimates the likelihood that a vulnerability will be exploited in the next 30 days; the CVSS base score measures technical severity (impact and exploitability) independent of whether anyone is attacking it. A high CVSS score indicates serious potential damage; a high EPSS score indicates that attackers are likely to exploit the issue in practice. Because the two are independent, a critical-CVSS finding with a near-zero EPSS score can reasonably be scheduled behind a medium-CVSS finding whose EPSS score is high, and because EPSS is recomputed daily, the ranking should be refreshed rather than computed once.
Example
An item from a recent high-severity feed, CVE-2025-13201, illustrates how teams combine the two signals: the CVE's CVSS vector supplies the impact context, and its EPSS probability supplies the operational ranking that decides how soon it is patched or mitigated. (See saved feed snapshot and FIRST EPSS documentation.)
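The prioritization described under Operational use and in the example above, as an added Python example that is not code from this page or from FIRST: it parses a constructed payload in the shape of the FIRST EPSS API response (GET https://api.first.org/data/v1/epss?cve=..., which returns the score and percentile as strings), joins it with constructed CVSS base scores from a scanner export, and sorts findings into tiers under an assumed policy. The CVE identifiers and scores are placeholders, and the 10% "likely" threshold and the P1/P2/P3 tiers are assumptions to illustrate the joint ranking, not values published by FIRST.

```python
import json

# Constructed sample in the shape of the FIRST EPSS API response.
# CVE IDs and scores are placeholders, not real EPSS data.
EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "access": "public",
    "total": 3,
    "offset": 0,
    "limit": 100,
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.924100000", "percentile": "0.999000000", "date": "2025-03-17"},
        {"cve": "CVE-2024-0002", "epss": "0.000430000", "percentile": "0.120000000", "date": "2025-03-17"},
        {"cve": "CVE-2024-0003", "epss": "0.118000000", "percentile": "0.950000000", "date": "2025-03-17"},
    ],
})

# Constructed CVSS v3.1 base scores for the same findings, as a scanner
# export would carry them.
CVSS_BASE = {"CVE-2024-0001": 7.5, "CVE-2024-0002": 9.8, "CVE-2024-0003": 5.3}


def parse_epss(payload):
    """Map CVE -> (epss probability, percentile).

    The API serialises both numbers as strings, so convert them and
    reject anything outside [0, 1] rather than silently ranking on it.
    """
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError("EPSS API returned status %r" % doc.get("status"))
    scores = {}
    for row in doc["data"]:
        prob, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= prob <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError("out-of-range score for %s" % row["cve"])
        scores[row["cve"]] = (prob, pct)
    return scores


def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def tier(cvss, epss, epss_threshold=0.10):
    """Assumed policy: an EPSS score at or above the threshold (10% chance
    of exploitation in 30 days) counts as 'likely'; CVSS >= 7.0 counts as
    'severe'. Likely and severe is P1, either alone is P2, neither is P3.
    """
    likely = epss >= epss_threshold
    severe = cvss >= 7.0
    if likely and severe:
        return "P1"
    if likely or severe:
        return "P2"
    return "P3"


def prioritize(epss_payload, cvss_scores, epss_threshold=0.10):
    """Join scanner CVSS scores with EPSS and return findings in work order:
    by tier, then by exploitation probability, then by CVSS."""
    scores = parse_epss(epss_payload)
    rows = []
    for cve, cvss in cvss_scores.items():
        known = cve in scores
        # A CVE with no EPSS row (e.g. too new to be scored) is tiered on
        # CVSS alone and flagged so it can be re-checked on the next run.
        prob, pct = scores.get(cve, (0.0, 0.0))
        rows.append({
            "cve": cve, "cvss": cvss, "severity": severity(cvss),
            "epss": prob, "percentile": pct, "epss_known": known,
            "tier": tier(cvss, prob, epss_threshold),
        })
    rows.sort(key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(EPSS_RESPONSE, CVSS_BASE):
        print(r["tier"], r["cve"], r["severity"], "epss=%.4f" % r["epss"])
```

Run against the constructed data, the CVSS 9.8 finding with an EPSS score of 0.04% lands in P2 behind a medium-CVSS finding with an 11.8% exploitation probability; a pure CVSS ranking would have ordered them the other way.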
Sources
“EPSS is a data-driven model that estimates the likelihood that a vulnerability will be exploited in the wild.” — FIRST EPSS project page

