CVSS vs EPSS: How to Prioritize Vulnerabilities

CVSS tells you how severe a vulnerability is; EPSS tells you how likely it is to be exploited. Learn the difference and how to combine them to patch what matters first.

Every year, tens of thousands of new vulnerabilities are published — far more than any team can patch immediately. The central question of vulnerability management is therefore prioritization: which flaws do you fix first? Two scoring systems dominate this conversation: CVSS and EPSS. They answer different questions, and understanding the difference is the key to patching smarter, not just harder.

In short: CVSS measures how severe a vulnerability is, while EPSS predicts how likely it is to be exploited. Used together, they're far more powerful than either alone.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) rates the severity of a vulnerability on a scale from 0.0 to 10.0, derived from intrinsic characteristics like how it's exploited (attack vector and complexity), whether privileges or user interaction are required, and the impact on confidentiality, integrity and availability. It produces familiar ratings: Low, Medium, High and Critical. CVSS answers the question: if this vulnerability were exploited, how bad would it be? For a full primer, see our guide to CVEs and CVSS.

CVSS is invaluable, but it has a well-known limitation: it measures potential severity, not the probability that anyone will actually exploit the flaw. Many "critical" CVSS vulnerabilities are never exploited in the wild, while some "medium" ones are weaponized within days.

What is EPSS?

The Exploit Prediction Scoring System (EPSS) takes a different angle. It is a data-driven model that estimates the probability that a given vulnerability will be exploited in the wild within the next 30 days, expressed as a percentage from 0% to 100%. EPSS is produced by analyzing real-world signals — exploit code availability, references, vulnerability characteristics and observed exploitation activity — and is updated regularly as the threat landscape shifts.

EPSS answers a different question: how likely is it that this vulnerability will actually be attacked soon? A flaw might have a modest CVSS score but a high EPSS probability, flagging it as an urgent real-world risk that severity alone would miss.

CVSS vs EPSS: the key difference

  • CVSS = severity (how bad the impact would be). Relatively static. Based on the flaw's intrinsic properties.
  • EPSS = likelihood (how probable exploitation is). Dynamic, updated as conditions change. Based on real-world threat data.

Think of it like a weather forecast: CVSS tells you how damaging a storm could be; EPSS tells you how likely it is to actually hit. You want both to decide whether to take cover.

Why you need both — plus exploitation data

Relying on CVSS alone leads teams to drown in "critical" vulnerabilities, many of which pose little real-world risk, while genuine threats hide among "high" or "medium" scores. Relying on EPSS alone ignores impact — a high-probability flaw on a trivial system matters less than a slightly-lower-probability flaw on your crown jewels.

The best prioritization blends three signals:

  1. Is it being actively exploited right now? This trumps everything. CISA's Known Exploited Vulnerabilities (KEV) catalog confirms in-the-wild exploitation — patch these first, period.
  2. How likely is exploitation? Use EPSS to triage the long tail of vulnerabilities not yet in KEV.
  3. How severe and how exposed? Use CVSS and asset context — a critical flaw on an internet-facing crown-jewel system outranks the same flaw on an isolated test box.

This is the foundation of modern risk-based vulnerability management: patch by real-world risk, not by raw severity.

A practical prioritization workflow

  1. Patch anything in the CISA KEV catalog immediately — known exploitation.
  2. Next, prioritize vulnerabilities with high EPSS probability, especially on exposed systems.
  3. Use CVSS plus asset criticality to order the rest.
  4. Re-evaluate regularly — EPSS scores and exploitation status change as new exploits and campaigns emerge.
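The three-signal ranking and the four-step workflow above, carried through as an added Python example (not code from the original page). Records, CVE ids (year 0000 placeholders), the asset-criticality scale and the EPSS threshold are all constructed assumptions; in practice the `in_kev` and `epss` fields would be filled from the KEV catalog and the EPSS feed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder id, not a real vulnerability
    cvss: float              # CVSS base score, 0.0-10.0 (severity)
    epss: float              # EPSS probability, 0.0-1.0 (30-day exploitation likelihood)
    in_kev: bool             # listed in CISA KEV (confirmed in-the-wild exploitation)
    internet_facing: bool    # exposure in your deployment
    asset_criticality: int   # assumed local scale: 1 (sandbox) .. 3 (crown jewel)

EPSS_HIGH = 0.10   # assumed triage threshold; tune to your own risk tolerance

def tier(f: Finding) -> int:
    """1: in KEV. 2: high EPSS on an exposed system. 3: high EPSS elsewhere. 4: the rest."""
    if f.in_kev:
        return 1
    if f.epss >= EPSS_HIGH:
        return 2 if f.internet_facing else 3
    return 4

def sort_key(f: Finding):
    t = tier(f)
    if t == 4:
        # The long tail: order by CVSS severity, then asset value, exposure and likelihood.
        return (t, -f.cvss, -f.asset_criticality, -int(f.internet_facing), -f.epss)
    # Exploitation-driven tiers: likelihood first, then severity, then asset value.
    return (t, -f.epss, -f.cvss, -f.asset_criticality)

def prioritize(findings) -> list[str]:
    """Return CVE ids in patch order: KEV, then high-EPSS exposed, then high-EPSS, then the rest."""
    return [f.cve for f in sorted(findings, key=sort_key)]

# Constructed sample: the "critical" CVSS finding on an isolated test box ranks last.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.01, False, False, 1),  # critical CVSS, unlikely, test box
    Finding("CVE-0000-0002", 6.5, 0.45, False, True, 3),   # medium CVSS, high EPSS, exposed crown jewel
    Finding("CVE-0000-0003", 7.2, 0.02, True, False, 2),   # in KEV: confirmed exploitation
    Finding("CVE-0000-0004", 6.5, 0.45, False, False, 3),  # same as 0002 but internal
    Finding("CVE-0000-0005", 9.8, 0.01, False, True, 3),   # critical CVSS, unlikely, exposed crown jewel
]

if __name__ == "__main__":
    for cve in prioritize(SAMPLE):
        print(cve)
```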

This is where threat intelligence earns its keep: knowing which vulnerabilities attackers are weaponizing today lets you stay ahead of the EPSS curve rather than reacting after the fact.

Beyond scores: context and decision frameworks

CVSS and EPSS are powerful inputs, but mature vulnerability management recognizes that no score can decide on its own what you should do — because the right action depends on your environment. The same vulnerability can be an emergency on one system and irrelevant on another. That's why the most important factor is often the one no public score captures: context.

Key contextual questions that shape real prioritization include:

  • Is the affected system internet-facing or internal? Exposure dramatically changes exploitability.
  • How critical is the asset? A flaw on a crown-jewel system holding sensitive data outranks the same flaw on a sandbox.
  • What compensating controls exist? Network segmentation, a web application firewall or strict access controls can substantially reduce real-world risk even before patching.
  • Is exploitation actually feasible in your configuration? Some vulnerabilities require conditions that don't apply to how you've deployed the software.

To formalize this kind of contextual decision-making, frameworks like SSVC (Stakeholder-Specific Vulnerability Categorization) have emerged. Rather than producing a single number, SSVC guides teams through a decision tree based on factors like exploitation status, exposure, automatable impact and mission criticality, yielding a clear action — for example, "act now," "schedule," or "defer." It's a recognition that prioritization is fundamentally a decision, not just a score.
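An added Python illustration of the decision-tree idea, built only from the four factors and three example outcomes the paragraph names; it is not the official SSVC tree (whose decision points and outcome labels differ), and every branch is an assumption to be tuned to your environment. It shows the point made above: the same vulnerability gets a different action depending on the situation it sits in.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Situation:
    exploited: bool          # confirmed in-the-wild exploitation (e.g. a KEV listing)
    exposed: bool            # internet-facing in your deployment
    automatable: bool        # exploitable at scale without human interaction
    mission_critical: bool   # asset matters to the business mission

def decide(s: Situation) -> tuple[str, list[str]]:
    """Walk the illustrative tree; return (action, the branch labels taken)."""
    path: list[str] = []
    if s.exploited:
        path.append("exploitation confirmed")
        if s.exposed or s.mission_critical:
            path.append("exposed or mission-critical")
            return "act now", path
        path.append("isolated and not mission-critical")
        return "schedule", path
    path.append("no confirmed exploitation")
    if s.exposed and s.automatable:
        path.append("exposed and automatable")
        if s.mission_critical:
            path.append("mission-critical")
            return "act now", path
        return "schedule", path
    if s.mission_critical:
        path.append("mission-critical but not both exposed and automatable")
        return "schedule", path
    path.append("internal or not automatable, and not mission-critical")
    return "defer", path

if __name__ == "__main__":
    # Constructed: one flaw, two deployments, two different answers.
    for s in (Situation(False, True, True, True), Situation(False, False, True, False)):
        action, path = decide(s)
        print(f"{action:8s} <- {' / '.join(path)}")
```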

The broader direction of the field is clear: away from patching by raw CVSS severity and toward risk-based, context-aware prioritization that blends severity (CVSS), likelihood (EPSS), confirmed exploitation (KEV), and your own asset and exposure context. Threat intelligence sits at the heart of this evolution, because knowing what attackers are actively exploiting today is the signal that ties all the scores back to real-world risk. The teams that prioritize best aren't the ones with the most data — they're the ones who combine these signals with judgment about their own environment to consistently fix the handful of things that genuinely matter most.

The bottom line

CVSS measures severity; EPSS predicts exploitation likelihood. Neither alone tells you what to patch first — but combined with active-exploitation data (like CISA KEV) and asset context, they enable true risk-based prioritization. Since exploitation status changes daily, staying informed is essential: our live threat intelligence feed surfaces reporting on new and actively exploited vulnerabilities from dozens of authoritative sources, ranked by priority and linked to the National Vulnerability Database.

Frequently asked questions

What is the difference between CVSS and EPSS?

CVSS measures the severity of a vulnerability — how damaging exploitation would be — on a 0–10 scale. EPSS estimates the probability that a vulnerability will be exploited in the wild within 30 days, as a percentage. CVSS is about impact; EPSS is about likelihood.

What is EPSS?

EPSS (Exploit Prediction Scoring System) is a data-driven model that estimates the probability a vulnerability will be exploited in the wild within the next 30 days. It uses real-world signals like exploit availability and observed activity, and updates regularly.

Should I use CVSS or EPSS to prioritize patching?

Use both, plus active-exploitation data. Patch anything in CISA's Known Exploited Vulnerabilities catalog first, then prioritize high-EPSS vulnerabilities (especially on exposed systems), then order the rest by CVSS severity and asset criticality.

Why isn't CVSS enough on its own?

CVSS measures potential severity, not the probability of exploitation. Many "critical" CVSS vulnerabilities are never exploited, while some lower-scored ones are weaponized quickly. Relying on CVSS alone causes teams to drown in criticals while real threats hide among lower scores.