What EPSS estimates
EPSS estimates exploitation probability over its defined time horizon where available. The score and percentile can change as the model and available signals change. It is probabilistic context, not a forecast for one organization, an asset-compromise indicator, or a business-impact score.
Use EPSS with other evidence
CVSS describes technical severity. KEV indicates known exploitation according to its source. EPSS offers likelihood context. None replaces confirmation of affected product, version, exposure, asset importance, vendor guidance, or compensating controls. Missing EPSS is missing enrichment, not a low-risk classification.
Queue-ordering example
- High CVSS and low EPSS: validate scope and business impact; low probability context is not a safety conclusion.
- Moderate CVSS and high EPSS: investigate exposure and ownership promptly; the technical impact still needs context.
- KEV-listed item: treat as a strong prioritization signal, then validate local applicability and the vendor remediation path.
- Internet-exposed affected service: exposure may justify earlier investigation even when score context is incomplete.
- Internal low-value test asset: record the facts and remediate in a proportionate lane; do not discard the finding without ownership and review.
Practical workflow
- Record score date, percentile where available, and source context.
- Use EPSS to sort a queue or identify items that deserve a second look.
- Validate the affected asset, version, reachable path, and controls.
- Explain the final action using multiple facts, including what is still unknown.
- Revisit items when vendor guidance, KEV status, exposure, or ownership changes.
How not to use EPSS
Do not treat a low score as safe, a high score as confirmed compromise, or a percentile as a mandatory deadline. Do not compare scores from different dates without noting the change. Do not use EPSS alone to close scanner findings or accept risk.