EPSS rule: EPSS estimates exploitation likelihood from public signals. It does not prove exploitation, affected status, reachability, severity, business impact, patch safety, or local priority.
Responsible EPSS Interpretation
Exploit likelihood helps sort the queue, but it does not decide the work alone.
Use this guide when a high or low EPSS score is influencing priority, escalation, reporting, or a decision to wait.
Interpretation Lens
Use EPSS to order questions, not to skip them.
High EPSS
Move the item earlier in triage, especially when exposure, PoC, KEV, or patch availability also point toward action.
Low EPSS
Do not dismiss it automatically. A low-likelihood issue can still matter if the asset is critical, exposed, or easy to chain.
Percentile
A high percentile means the issue ranks high compared with other scored vulnerabilities. It is still not a local exposure claim.
Source mode
If EPSS is estimated because live data is unavailable, call that out in notes and treat the value as weaker context.
Workflow
Turn EPSS into a balanced triage decision.
1. Read the signal
Capture the EPSS score, percentile, freshness, and whether the site is showing live or estimated EPSS context.
2. Pair with exploit evidence
Check KEV, public PoC, exploit maturity, campaign mentions, source confidence, and whether exploitation is only theoretical.
3. Validate local exposure
Confirm product, version, reachability, authentication, asset role, segmentation, and vulnerable feature state.
4. Separate likelihood from impact
Use CVSS, business role, data sensitivity, privilege level, and operational dependencies to understand impact.
5. Pick the action lane
Patch, mitigate, detect, monitor, or validate based on the combined evidence, not the EPSS value by itself.
6. Revisit changes
Review when EPSS jumps, KEV status changes, PoC appears, vendor guidance shifts, or exposure changes locally.
Decision Patterns
How common EPSS cases should be handled and described.
High EPSS and exposed
Validate affected status quickly, prepare patch or mitigation, and consider SOC visibility if exploit evidence is credible.
High EPSS but not exposed
Document the exposure proof, monitor for changes, and avoid emergency patch language unless another factor raises urgency.
Low EPSS but critical asset
Keep it visible. Business impact, compensating controls, and maintenance windows may still justify planned remediation.
EPSS unavailable
Do not treat missing EPSS as safety. Use KEV, PoC, CVSS vector, exploit maturity, source quality, and exposure validation.
Copy Template
EPSS interpretation note
EPSS context: [CVE/advisory] has EPSS [score/percentile/source mode]. We are treating this as [high/moderate/low/unavailable] exploit-likelihood context, not proof of local exploitation or business impact. Priority is [lane/timeline] because [exposure], [affected status], [asset role], [patch/mitigation state], and [other exploit evidence]. Review if EPSS changes materially, KEV/PoC appears, or local exposure changes.
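Worked example, added here and not part of the original guidance: a small Python triage helper that walks the six workflow steps and the decision patterns above and then fills the copy template from the evidence it collected. The field names, the numeric EPSS thresholds and the sample findings (placeholder CVE ids) are constructed for illustration; the page itself sets no numeric cut-offs.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds are constructed for this example; the page sets no numeric cut-offs.
HIGH_EPSS = 0.10
LOW_EPSS = 0.01


@dataclass
class Finding:
    """One vulnerability observation. Field names are assumptions for this example."""
    cve: str
    epss: Optional[float]        # exploitation probability 0..1, None if unavailable
    percentile: Optional[float]  # rank among scored CVEs 0..1, None if unavailable
    source_mode: str             # "live", "estimated" or "unavailable" (see Source mode)
    kev: bool                    # listed as known exploited
    public_poc: bool             # public proof-of-concept exists
    affected: bool               # product/version confirmed vulnerable locally
    exposed: bool                # vulnerable feature reachable by the relevant population
    asset_critical: bool         # business-critical asset role
    patch_available: bool        # vendor fix exists and is considered safe to apply


def likelihood_band(f: Finding) -> str:
    """Step 1: read the signal and bucket it. Missing EPSS is its own band,
    never silently treated as low."""
    if f.epss is None:
        return "unavailable"
    if f.epss >= HIGH_EPSS:
        return "high"
    if f.epss < LOW_EPSS:
        return "low"
    return "moderate"


def action_lane(f: Finding) -> dict:
    """Steps 2-5: combine exploit evidence, local exposure and asset role into
    an action lane. EPSS orders the questions; it never decides alone."""
    band = likelihood_band(f)
    evidence = f.kev or f.public_poc
    reasons = [f"EPSS {band}", f"source {f.source_mode}"]
    if f.source_mode == "estimated":
        reasons.append("estimated EPSS treated as weaker context")
    if f.kev:
        reasons.append("KEV listed")
    if f.public_poc:
        reasons.append("public PoC")

    # Step 3: affected status gates everything else; no lane before it is confirmed.
    if not f.affected:
        reasons.append("affected status unconfirmed")
        return {"lane": "validate", "timeline": "before any priority call", "reasons": reasons}

    fix = "patch" if f.patch_available else "mitigate"
    if f.exposed and (band == "high" or evidence):
        # High EPSS and exposed, or EPSS unavailable but KEV/PoC present: act now.
        lane, timeline = fix, "expedited"
        if evidence:
            reasons.append("add SOC detection")
    elif not f.exposed and (band == "high" or evidence):
        # High EPSS but not exposed: record the proof, watch for change.
        lane, timeline = "monitor", "document exposure proof; revisit on change"
    elif f.asset_critical:
        # Low or moderate EPSS on a critical asset: stays visible, planned remediation.
        lane, timeline = fix, "planned maintenance window"
        reasons.append("critical asset role")
    else:
        lane, timeline = "monitor", "routine cycle"
    return {"lane": lane, "timeline": timeline, "reasons": reasons}


def interpretation_note(f: Finding) -> str:
    """Fill the Copy Template from the decision so the note carries the evidence."""
    d = action_lane(f)
    if f.epss is None:
        ctx = "unavailable"
    else:
        pct = f"p{f.percentile:.2f}" if f.percentile is not None else "percentile n/a"
        ctx = f"{f.epss:.3f} / {pct} / {f.source_mode}"
    return (
        f"EPSS context: {f.cve} has EPSS {ctx}. We are treating this as "
        f"{likelihood_band(f)} exploit-likelihood context, not proof of local "
        f"exploitation or business impact. Priority is {d['lane']} / {d['timeline']} "
        f"because {', '.join(d['reasons'])}. Review if EPSS changes materially, "
        f"KEV/PoC appears, or local exposure changes."
    )


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLES = {
    "high_exposed": Finding("CVE-XXXX-EXAMPLE1", 0.42, 0.97, "live", True, True, True, True, False, True),
    "high_not_exposed": Finding("CVE-XXXX-EXAMPLE2", 0.35, 0.95, "live", False, True, True, False, False, True),
    "low_critical": Finding("CVE-XXXX-EXAMPLE3", 0.004, 0.30, "live", False, False, True, True, True, True),
    "unavailable_kev": Finding("CVE-XXXX-EXAMPLE4", None, None, "unavailable", True, False, True, True, False, False),
    "unconfirmed": Finding("CVE-XXXX-EXAMPLE5", 0.60, 0.99, "live", False, False, False, True, True, True),
}

if __name__ == "__main__":
    for name, finding in SAMPLES.items():
        print(f"[{name}] {interpretation_note(finding)}\n")
```

Each sample maps to one decision pattern from the section above: the exposed high-EPSS item lands in the expedited patch lane with a detection reminder, the unexposed one is monitored with its exposure proof recorded, the low-EPSS critical asset stays visible on a planned window, the unavailable-EPSS item is still mitigated because KEV evidence carries it, and the unconfirmed item gets no lane until affected status is proven.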
Recommended next move: use a high EPSS score to focus attention, then validate exposure and choose an action lane from the full evidence set.