EPSS: advancing in vulnerability prediction and management

Posted date 14/12/2023
EPSS: advancing in vulnerability prediction and management

The digital ecosystem is experiencing exponential growth on all fronts: from the number of connected devices to the need for interconnection between them. This growth leads to an inevitable increase in the number of potential vulnerabilities that may be present in software, so the task of detecting and managing these vulnerabilities should become one of the cornerstones of any organization.

A sample of this exponential growth can be seen by comparing the vulnerabilities recorded annually. For example, according to the  ‘ENISA Annual Threat Report 2023’, in the period between July 1, 2022 and June 30, 2023, a total of 13,650 vulnerabilities were identified, of which 19.57% were categorized as critical, compared to  the 894 vulnerabilities detected in the whole of 2019.

- The sum of high and critical vulnerabilities accounted for more than half of the vulnerabilities identified by CNAs in the 2022-2023 period. Source. -

In addition, nearly 100 of these vulnerabilities were included in CISA's list of Known Exploited Vulnerabilities (KEVs), lo que indica que no solo son teóricamente problemáticas, sino que han sido explotadas de forma activa, dando lugar a incidentes de seguridad, pérdida de datos u otros daños a las organizaciones o individuos afectados.

The Common Vulnerability Scoring System, or CVSS, has been the community-adopted indicator for assessing and communicating the severity of vulnerabilities in computer systems since its introduction in 2005, providing a standardized structure and methodology to help organizations understand the nature and potential impact of a specific vulnerability. More recently, in 2019, a  new complementary scoring system was proposed, placing more emphasis on the likelihood that a specific vulnerability will be exploited in the next 30 days. This system, known as the Exploitation Prediction Scoring System (EPSS) thus provides valuable information for decision-making in the task of prioritization, within vulnerability management.

EPSS: Operation and methodology

The EPSS system is an initiative led by the Forum of Incident Response and Security Teams (FIRST) and is proposed as a community effort to model and manage vulnerability risk from a probabilistic perspective. Using artificial intelligence and machine learning, it analyzes data, detects patterns, and makes exploitation predictions by assigning a probability between 0 and 1 that a vulnerability will be exploited in the next 30 days, where 1 indicates a 100% probability of exploitation, in a fully automated way. 

The current EPSS model (EPSS v3) is trained on more than a thousand variables, most of which are Boolean values that represented the presence of a specific attribute, such as the software vendor. To understand the contributions of these variables in the model, SHAP, values are used, a tool developed to interpret machine learning models. These values help you understand how certain characteristics affect the probability of exploitation score of a vulnerability. This prediction is based on a wide range of data, including:

  • CVE Descriptions and Textual Tags: Use the detailed descriptions of Common Listed Vulnerabilities (CVEs) to understand the nature and scope of vulnerabilities. Textual tags provide additional information about the specific characteristics of the vulnerability, which can influence its likelihood of exploitation.
  • Duration since CVE release: The time elapsed since a vulnerability is made public, can have an impact on its likelihood of being exploited, as malicious actors are often quick to exploit them before patches are widely distributed.
  • Number of references listed in the CVE: A large number of references may indicate a heightened interest in a particular vulnerability, suggesting that it is more likely to be exploited.
  • Public exploit code: The availability of exploit code in popular repositories such as Metasploit, ExploitDB or GitHub, makes it easier to be exploited.
  • CVSS vectors: In turn, EPSS feeds on CVSS, especially the group of base metrics, which offer detailed information on how a vulnerability can be exploited, what its impact is, and what type of access is required.
  • CPE Vendor Information: Common Platform Environment (CPE) refers to the combination of hardware and software in a computer system. CPE vendor information can be essential in determining whether certain vulnerabilities are more likely to be exploited, depending on the vendor's popularity and market reach.

To assess and compare the impact of vulnerabilities and their management, the EPSS framework introduces several indicators, designed to provide an objective, data-driven assessment of the performance of one vulnerability management strategy compared to another:

  • Coverage: This is a measure of the percentage of exploited vulnerabilities that an analytics framework is able to identify and prioritize. High coverage indicates that the system is capable of detecting most of the vulnerabilities that are being actively exploited. For example, if there are 100 vulnerabilities that are being actively exploited and 90 of them are identified for fixing, then the coverage is 90%. High coverage is crucial because it indicates that we are protecting our systems against most active threats.
  • Efficiency: This refers to the precision with which vulnerabilities that will actually be exploited can be prioritized. In other words, it measures how accurate the system's predictions are relative to the real world. In simple terms, if we prioritize 100 vulnerabilities based on one metric (such as CVSS or EPSS) and only 10 of them turn out to be actively exploited, then our efficiency is 10%. The higher the efficiency, the less resources we waste on false positives.

The latest version of EPSS provides excellent coverage and good efficiency. On the one hand, with the  same effort or amount of work and resources required to remediate the vulnerabilities identified by the system, the latest version of EPSS obtains greater coverage and efficiency in managing vulnerabilities. On the other hand, with the same coverage, the latest version of EPSS is much more efficient.

Comparativa de indicadores entre CVSS y EPSS fijando la variable “esfuerzo” (cantidad de trabajo y recursos necesarios para remediar las vulnerabilidades identificadas por el sistema) con el mismo valor constante.

- Comparison of indicators between CVSS and EPSS by setting the variable "effort" (amount of work and resources needed to remedy the vulnerabilities identified by the system) with the same constant value. Source. -


Comparativa de indicadores entre CVSS y EPSS fijando la variable “cobertura” con el mismo valor constante.

- Comparison of indicators between CVSS and EPSS, setting the variable "coverage" with the same constant value. Source. -

Much of the success of the EPSS model, regardless of its version, is due to the daily observations of vulnerability exploitation activity that it achieves through trusted sources. This allows you to adapt quickly and provide up-to-date, increasingly fine-tuned likelihood scores based on real-time threat activity.

Benefits and implementation 

The adoption of EPSS in companies offers a number of tangible and strategic advantages in the field of cybersecurity:

  • Effective prioritization and resource optimization: Helps organizations decide which vulnerabilities to address first, based on the actual likelihood of exploitation. This effective prioritization allows companies to minimize effort and resources spent, thus optimizing their resources.
  • Informed decision-making: Integrates with various security tools and SIEM systems, providing real-time alerts and recommendations. With real-time metrics and up-to-date data, EPSS facilitates more informed decisions, enabling businesses to quickly adapt to the changing threat landscape. All of this facilitates the risk assessment of the associated assets.
  • Improved security posture and compliance: By identifying vulnerabilities with a high probability of being exploitable, companies can prioritize their patching, significantly minimizing the risk of security breaches. By doing so, companies strengthen their security posture and demonstrate proactivity to stakeholders and customers. This adoption is essential for compliance with regulations and standards, highlighting the company's commitment to proper risk and vulnerability management.

EPSS has an API that can be consulted to expand the details of the vulnerabilities detected within the organizational context. By integrating it with threat notification systems, such as SIEMs, companies can leverage their predictions to structure and prioritize their patching actions. This approach makes it possible to focus on the ratings that the EPSS system awards, thus enriching the identified vulnerabilities with more accurate data through an adapter designed specifically for this task.

Captura de la configuración del adaptador de datos de Wazhu con el API de EPSS

- Capturing Wazhu Data Adapter Configuration with EPSS API. Source. -


Unlike CVSS, which provides a static assessment, EPSS predicts the likelihood that a vulnerability will be exploited within 30 days. This prediction is driven by a wide variety of data, from CVE descriptions to CPE vendor information.

The indicators introduced by EPSS, such as coverage and efficiency, offer a more accurate assessment of the performance of a vulnerability management strategy, allowing an objective comparison between different metrics. The adaptability and accuracy of the EPSS, supported by daily observations of exploitative activity, makes it a cutting-edge tool for cybersecurity.

However, EPSS is not intended to be the only instrument used to decide and establish priorities in actions to correct vulnerabilities, but rather a complementary tool, which in combination with others is of great help in improving the visibility of the organization's cyber risk.