Training Drill

Use KEV and EPSS without turning signals into proof.

Practice deciding what to do when known exploitation and exploit-likelihood context pull in different directions. The goal is not to memorize a score rule; it is to ask for the right validation evidence.

KEV: Known exploited somewhere

Treat it as a strong validation trigger, not automatic proof that your asset is affected or exposed.

EPSS: Exploit-likelihood context

Use it to pace triage, but do not treat it as business impact, compromise, or local exposure evidence.

Decision: Evidence wins

Combine source confidence, affected status, reachability, patch state, telemetry, asset importance, and owner readiness.

Pick the safest next action from the signal mix

Each case shows how KEV and EPSS should shape urgency while keeping local validation explicit.

Known exploited, low likelihood score, internet-facing product unknown

Best next action: Validate installed product, version, feature state, and exposure immediately before deciding patch or mitigation lane.

Why: KEV means exploitation has been observed somewhere. Low EPSS does not cancel the need to confirm whether your environment is affected.

High exploit likelihood, no known exploited listing, business-critical internal app

Best next action: Triage quickly, confirm affected status, review reachability, and prepare patch or mitigation options without calling it known exploited.

Why: High EPSS can raise priority, but it does not prove exploitation or local exposure.

Known exploited item with clear vendor fix and exposed service

Best next action: Move toward urgent patch planning, rollback readiness, owner confirmation, and SOC validation for suspicious activity.

Why: KEV, exposure, and fix availability align. The message can say urgent validation and remediation, not confirmed compromise.

Medium likelihood, scanner match, affected version uncertain

Best next action: Validate scanner evidence and affected range before assigning a patch deadline.

Why: A scanner match plus EPSS context can justify review, but version evidence decides whether work is real.

Known exploited item with no fixed version and reachable service

Best next action: Choose mitigation-first work, SOC monitoring, vendor follow-up, owner review dates, and leadership caveats.

Why: No patch does not mean no action. It means compensating controls and evidence tracking become the response lane.

High likelihood but owner proves product or feature is not present

Best next action: Document not-affected evidence, keep source caveats, and review only if vendor scope changes.

Why: Local applicability evidence can override a broad signal for this environment.

Turn signal pairs into validation questions

KEV changes urgency

Ask whether the asset is affected, exposed, patched, mitigated, or monitored. Do not say local exploitation is proven.

EPSS changes attention

Use it to sort review order and escalation pressure. Do not use it as a stand-in for impact or exploit evidence.

Local evidence changes the lane

Affected status, reachability, fixed version, safety, telemetry, and owner constraints decide patch, mitigate, monitor, escalate, or close.
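The six cases above and the three "signal pairs" can be written down as one small triage routine, so the ordering of the rules (local evidence first, then missing evidence, then the KEV / exposure / fix mix) is explicit rather than remembered. The code below is an added illustration, not part of this drill or of any KEV/EPSS tooling; the field names, the lane labels and the EPSS pacing threshold are assumptions chosen for the example, and the page itself gives no numeric cut-off.

```python
"""Added example: turn KEV/EPSS signals plus local evidence into a triage lane."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed threshold for pacing review order by EPSS; the drill sets no number.
EPSS_FAST_TRACK = 0.5


class Affected(Enum):
    CONFIRMED = "confirmed"        # owner or inventory confirms product/version in range
    UNKNOWN = "unknown"            # scanner match or vendor scope only, not yet validated
    NOT_AFFECTED = "not_affected"  # owner proves product or feature is not present


@dataclass(frozen=True)
class Finding:
    kev: bool                  # listed as known exploited somewhere
    epss: float                # exploit-likelihood context, 0.0 to 1.0
    affected: Affected         # local applicability evidence
    reachable: Optional[bool]  # None means exposure has not been established yet
    fix_available: bool        # a vendor fixed version exists


@dataclass(frozen=True)
class Decision:
    lane: str        # validate | patch | mitigate | monitor | close
    urgency: str     # immediate | urgent | fast | normal | none
    questions: tuple # validation questions still open
    caveat: str      # wording limit for the message that goes out


def _pace(f: Finding) -> str:
    """KEV sets urgency; EPSS only paces attention when KEV is absent."""
    if f.kev:
        return "immediate"
    return "fast" if f.epss >= EPSS_FAST_TRACK else "normal"


def triage(f: Finding) -> Decision:
    # Local applicability evidence overrides any broad signal for this environment.
    if f.affected is Affected.NOT_AFFECTED:
        return Decision("close", "none", (),
                        "Document not-affected evidence; re-review only if vendor scope changes.")

    # Affected status or exposure not established: validate first, paced by the signal mix.
    if f.affected is Affected.UNKNOWN or f.reachable is None:
        questions = []
        if f.affected is Affected.UNKNOWN:
            questions.append("Is the installed product, version and feature state in the affected range?")
        if f.reachable is None:
            questions.append("Is the service exposed on the path the exploitation would need?")
        questions.append("Is it already patched, mitigated or monitored?")
        caveat = ("Known exploited somewhere; local exploitation is not proven."
                  if f.kev else "EPSS raises attention; it is not impact or exploit evidence.")
        return Decision("validate", _pace(f), tuple(questions), caveat)

    # From here on, affected status and exposure are known.
    if f.kev and f.reachable:
        if f.fix_available:
            return Decision("patch", "urgent",
                            ("Owner confirmed?", "Rollback ready?", "SOC reviewed telemetry?"),
                            "Urgent validation and remediation, not confirmed compromise.")
        return Decision("mitigate", "urgent",
                        ("Compensating control in place?", "Vendor follow-up date set?"),
                        "No patch does not mean no action; track evidence and caveat leadership.")

    if not f.reachable:
        return Decision("monitor", "normal", ("Would an exposure change re-open this?",),
                        "Not reachable now; revisit if reachability changes.")

    # Reachable and affected but not KEV: EPSS paces the patch or mitigation planning.
    return Decision("patch" if f.fix_available else "mitigate", _pace(f),
                    ("Owner readiness and change window?",),
                    "Not known exploited; prioritise without overclaiming.")
```

Read the rule order as the point of the example: a not-affected proof closes the item before any score is consulted, unknown affected status or exposure always lands in the validate lane (KEV only makes that validation immediate), and only once both are known does the KEV / reachability / fix mix pick patch versus mitigate.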

Move from signal interpretation to action

Responsible KEV Prioritization

Review how to use known exploitation status without overclaiming local exposure.


Responsible EPSS Interpretation

Review how to use exploit-likelihood context without turning it into certainty.


Decision Matrix

Turn the signal mix into patch, mitigate, monitor, validate, detect, or escalate lanes.
