Tags: EPSS, CVSS, vulnerability prioritization, KEV, exploit prediction, risk management

EPSS vs CVSS: How to Actually Prioritize Vulnerabilities in 2026

Stop chasing every Critical CVE. Learn how EPSS exploit prediction scores, CVSS severity ratings, and KEV catalog data work together to focus your remediation on vulnerabilities that actually matter.

Vulnios Team · March 19, 2026 · 5 min read

You have 347 "Critical" vulnerabilities in your scan results. Your team has bandwidth to fix 20 this sprint. Which ones do you pick?

If you're sorting by CVSS score alone, you're doing it wrong. Here's why — and what to do instead.

The Problem with CVSS-Only Prioritization

CVSS (Common Vulnerability Scoring System) rates vulnerabilities from 0 to 10 based on their theoretical worst-case impact. A CVSS 9.8 vulnerability sounds terrifying. But here's what CVSS doesn't tell you:

Is anyone actually exploiting this vulnerability?

CVSS measures what COULD happen. It doesn't measure what IS happening. A CVSS 9.8 vulnerability in a library that nobody has figured out how to exploit is less dangerous than a CVSS 7.0 vulnerability with a weaponized exploit circulating on dark web forums.

This is the fundamental insight that changed vulnerability management: severity ≠ risk.

What Is EPSS?

EPSS (Exploit Prediction Scoring System) is a probabilistic model developed by FIRST.org that estimates the likelihood a vulnerability will be exploited in the wild within the next 30 days.

Key characteristics:

  • Range: 0% to 100% (probability of exploitation)
  • Updated daily based on real-world exploit activity
  • Data sources: exploit databases, dark web intelligence, threat feeds, honeypot data, social media mentions
  • Machine learning model trained on historical exploitation patterns

How EPSS Scores Are Calculated

EPSS uses features including:

  • Whether a public exploit exists (Metasploit, ExploitDB, GitHub PoCs)
  • Social media and dark web mention velocity
  • Vulnerability age and disclosure timeline
  • Affected software prevalence
  • Historical exploitation patterns for similar vulnerabilities
  • Reference to CISA KEV if added

The model retrains regularly, so scores change as new intelligence emerges.

CVSS vs EPSS: Side-by-Side

| Metric | CVSS | EPSS |
|--------|------|------|
| Measures | Theoretical impact severity | Exploitation probability |
| Range | 0 – 10 | 0% – 100% |
| Updates | Rarely changes after publication | Daily |
| Data source | Vulnerability characteristics | Real-world exploitation intelligence |
| Question answered | "How bad could this be?" | "Will this actually be exploited?" |

The KEV Factor

CISA's Known Exploited Vulnerabilities (KEV) catalog is the third piece of the puzzle. KEV lists vulnerabilities with confirmed active exploitation — not predicted, confirmed.

When a CVE appears on the KEV list:

  • Federal agencies must patch within the CISA-mandated timeframe
  • It means attackers are actively using this vulnerability in real attacks
  • It's the strongest signal you can get that remediation is urgent

How to Combine All Three

The most effective prioritization uses all three signals together:

Priority 1 — Fix Immediately (24-48 hours)

On KEV list — Regardless of CVSS or EPSS, if it's on KEV, it's being exploited now. Fix it.

Priority 2 — Fix This Sprint (7 days)

EPSS > 10% AND CVSS ≥ 7.0 — High probability of exploitation AND significant impact. These are the vulnerabilities most likely to become the next KEV entries.

Priority 3 — Fix This Month (30 days)

EPSS > 1% OR CVSS ≥ 9.0 — Either meaningfully likely to be exploited or catastrophic if it is. Schedule remediation within the current patch cycle.

Priority 4 — Track and Monitor

EPSS < 1% AND CVSS < 7.0 — Low probability AND moderate impact. Monitor for EPSS score changes. Don't ignore, but don't drop everything either.

Priority 5 — Accept Risk (Document Rationale)

EPSS < 0.1% AND CVSS < 4.0 — Very unlikely to be exploited AND low impact. Document the risk acceptance and review quarterly.

Real-World Examples

Example 1: The Overhyped Critical

CVE-2024-XXXXX — Remote code execution in a rarely-used XML parser

  • CVSS: 9.8 (Critical)
  • EPSS: 0.04%
  • KEV: Not listed

Without EPSS, this would be your #1 priority. But only a 0.04% chance of exploitation in 30 days? There's no public exploit, no attacker tooling, and the affected library has minimal deployment. Deprioritize.

Example 2: The Sleeper Threat

CVE-2024-YYYYY — SQL injection in a popular CMS plugin

  • CVSS: 7.5 (High)
  • EPSS: 89%
  • KEV: Listed 3 days ago

CVSS says "High" — not even Critical. But EPSS says 89% exploitation probability and it just hit the KEV list. This is your emergency.

How Vulnios Implements This

Vulnios combines all three signals into a unified priority score:

  • Every CVE in the Vulnerability Radar shows CVSS score, EPSS probability, and KEV status side-by-side
  • Scan findings are sorted by combined priority, not just CVSS severity
  • Watchlist alerts can filter by EPSS threshold — set a minimum EPSS score to avoid alert fatigue
  • Compliance reports track remediation against priority levels, not just severity counts

This means your team stops chasing every CVSS 9.8 and starts fixing the vulnerabilities that attackers are actually targeting.

Implementing EPSS-Based Prioritization

Step 1: Establish SLAs by Priority Level

| Priority | Remediation SLA | Metric Source |
|----------|----------------|---------------|
| P1 (KEV) | 48 hours | CISA KEV catalog |
| P2 (High EPSS + High CVSS) | 7 days | EPSS > 10%, CVSS ≥ 7.0 |
| P3 (Moderate risk) | 30 days | EPSS > 1% or CVSS ≥ 9.0 |
| P4 (Low risk) | 90 days | Everything else |
| P5 (Accept) | N/A | Document rationale |

Step 2: Automate Scoring

Don't manually look up EPSS for every CVE. Use a platform that enriches findings automatically. Vulnios does this — every scan finding and radar CVE shows EPSS + CVSS + KEV in real time.
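The tiering rules from "How to Combine All Three", the SLA table in Step 1 and the enrichment in Step 2 fit in a few dozen lines. The script below is an added example written for this post; it is not Vulnios code and not the FIRST or CISA tooling. The two feed excerpts are constructed: their field names follow the public FIRST EPSS API response (a `data` list whose `epss` values are strings) and the CISA KEV catalog JSON (a `vulnerabilities` list keyed by `cveID`), but the rows, the asset names and the extra placeholder CVE IDs (`CVE-2024-ZZZZZ`, `CVE-2024-WWWWW`) are made up. In production you would fetch both feeds daily and cache them; here they are embedded so the example runs offline.

```python
"""Enrich scanner findings with EPSS and KEV, then assign the post's P1..P5 tiers."""
import json

# --- Constructed feed excerpts (not real data). ---------------------------------
# Shape modeled on https://api.first.org/data/v1/epss?cve=... : "data" rows with
# string-valued "epss" probabilities in [0, 1]. CVE IDs are placeholders.
EPSS_FEED = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2024-XXXXX", "epss": "0.00040", "percentile": "0.10"},  # Example 1
        {"cve": "CVE-2024-YYYYY", "epss": "0.89000", "percentile": "0.99"},  # Example 2
        {"cve": "CVE-2024-ZZZZZ", "epss": "0.02500", "percentile": "0.88"},  # constructed
    ],
})
# Shape modeled on the CISA KEV catalog JSON: "vulnerabilities" rows keyed by "cveID".
KEV_CATALOG = json.dumps({
    "catalogVersion": "constructed",
    "vulnerabilities": [{"cveID": "CVE-2024-YYYYY", "dueDate": "2024-01-01"}],
})

# Findings as a scanner reports them: CVE, asset and CVSS only (constructed).
FINDINGS = [
    {"cve": "CVE-2024-XXXXX", "asset": "build-01", "cvss": 9.8},
    {"cve": "CVE-2024-YYYYY", "asset": "www-cms", "cvss": 7.5},
    {"cve": "CVE-2024-ZZZZZ", "asset": "db-02", "cvss": 8.1},
    {"cve": "CVE-2024-WWWWW", "asset": "kiosk-07", "cvss": 3.1},  # not in either feed
]

# Remediation SLA per tier, from the post's Step 1 table.
SLA = {1: "48 hours", 2: "7 days", 3: "30 days", 4: "90 days", 5: "accept (document rationale)"}


def load_epss(feed_json):
    """Map CVE -> EPSS probability (float in [0, 1])."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(feed_json)["data"]}


def load_kev(catalog_json):
    """Set of CVE IDs currently listed in the KEV catalog."""
    return {row["cveID"] for row in json.loads(catalog_json)["vulnerabilities"]}


def priority(cvss, epss, in_kev):
    """Apply the post's tiers in order. P4 is the catch-all, as in the SLA table.

    epss is None when FIRST has not scored the CVE yet (typically a brand-new
    CVE). Such a finding must never sink to P5 "accept risk" just because the
    probability is unknown, so it lands in P3 or P4 on CVSS alone.
    """
    if in_kev:
        return 1
    if epss is None:
        return 3 if cvss >= 9.0 else 4
    if epss > 0.10 and cvss >= 7.0:
        return 2
    if epss > 0.01 or cvss >= 9.0:
        return 3
    if epss < 0.001 and cvss < 4.0:
        return 5
    return 4


def enrich_and_rank(findings, epss_feed, kev_catalog):
    """Attach EPSS, KEV status, tier and SLA to each finding; most urgent first."""
    epss = load_epss(epss_feed)
    kev = load_kev(kev_catalog)
    ranked = []
    for f in findings:
        e = epss.get(f["cve"])            # None if the CVE is not in the feed
        p = priority(f["cvss"], e, f["cve"] in kev)
        ranked.append({**f, "epss": e, "kev": f["cve"] in kev, "priority": p, "sla": SLA[p]})
    # Within a tier, higher EPSS first, then higher CVSS.
    ranked.sort(key=lambda r: (r["priority"], -(r["epss"] or 0.0), -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in enrich_and_rank(FINDINGS, EPSS_FEED, KEV_CATALOG):
        epss_txt = "n/a" if r["epss"] is None else f"{100 * r['epss']:.2f}%"
        print(f"P{r['priority']} {r['cve']} {r['asset']:9} CVSS {r['cvss']:<4} "
              f"EPSS {epss_txt:>7} KEV={r['kev']!s:5} SLA: {r['sla']}")
```

Two things worth noticing when you run it. First, with the thresholds exactly as written, the Example 1 CVE (CVSS 9.8, EPSS 0.04%, not in KEV) lands in P3 rather than P4, because the P3 rule is "EPSS > 1% OR CVSS ≥ 9.0"; if you want the "deprioritize" outcome the post describes, the CVSS-only clause of P3 is the one to tune. Second, a CVE with no EPSS score yet is treated as unknown rather than as 0%, so it cannot be silently accepted as P5; re-run the enrichment daily so it picks up a score once FIRST publishes one.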

Step 3: Track and Report

Measure remediation performance against your priority SLAs:

  • % of P1 findings remediated within 48 hours
  • Mean time to remediate by priority level
  • Number of findings that escalated from P3/P4 to P1/P2 (EPSS increased or added to KEV)

Getting Started

  • Sign up at vulnios.com — free tier includes Vulnerability Radar with EPSS + KEV
  • Create a watchlist for your technology stack
  • Sort by EPSS instead of CVSS and see the difference immediately
  • Set EPSS-based alerts to catch exploitable vulnerabilities, not just severe ones

---

Start prioritizing by real risk at vulnios.com. EPSS + CVSS + KEV — unified in one dashboard.
