EPSS over CVSS: stop scoring threats like it's 2003
CVSS tells you how bad a vulnerability could be. EPSS tells you how likely it is to be exploited. They are not the same number — and treating them like they are is why your prioritization is broken.
There is a critical-rated vulnerability in your environment right now. CVSS 9.8. It has been there for six months. No one has exploited it, and no one will. There is also a high-rated vulnerability — CVSS 7.4 — that ransomware crews are actively weaponizing in the wild this week.
Your prioritization queue, sorted by CVSS, ranks the first one above the second. Your prioritization queue is wrong.
What CVSS measures (and what it doesn’t)
CVSS is a severity score. It tries to answer: if this vulnerability were exploited, how bad would the consequences be? Authentication required, scope change, confidentiality impact, integrity impact — all the metrics CVSS uses are properties of the vulnerability itself, not properties of the threat landscape around it.
That made sense in 2003. CVSS was designed to be a stable, vendor-neutral scoring system. It does that job well. But severity ≠ priority. A 9.8 in an obscure XML parser nobody attacks is not a higher priority than a 7.4 in a Citrix appliance every ransomware crew has on their target list.
What EPSS does differently
EPSS — the Exploit Prediction Scoring System, maintained by FIRST.org — answers a different question: what’s the probability this CVE will be exploited in the next 30 days? It’s a daily-updated probability score (0.0 to 1.0) and a percentile rank, derived from real-world exploitation data, exploit code availability, and threat intelligence signals.
A CVE with EPSS 0.95 and percentile 99% is in the top 1% of vulnerabilities most likely to be attacked. A CVE with EPSS 0.001 and percentile 12% is statistical noise.
When you cross-reference CVSS against EPSS, the picture changes:
- CVSS 9.8, EPSS 0.001 — theoretically critical, practically irrelevant. Patch when you can.
- CVSS 7.4, EPSS 0.94 — moderate severity, near-certain to be exploited. Patch now.
- CVSS 5.5, EPSS 0.87, on CISA KEV — looks medium, ranked low by CVSS, but on the federal known-exploited list. This is what gets you breached.
CISA KEV closes the loop
The CISA Known Exploited Vulnerabilities catalog is the third leg of the prioritization stool. KEV is binary — a CVE is either on the list or it isn’t — and inclusion means CISA has confirmed real-world exploitation. KEV adds urgency that EPSS can miss for newer CVEs without enough exploitation telemetry yet.
The combination matters:
Severity (CVSS) × Probability (EPSS) × Confirmed exploitation (KEV) = Real priority.
Drop any one of those factors and you’re back to flying blind on one axis.
The ransomware overlay
For organizations facing ransomware risk specifically, there’s a fourth signal: ransomware group association. Curated threat intelligence maps specific CVEs to specific ransomware crews and their TTPs. A CVE that EPSS ranks at 0.6 might be the explicit initial-access vector for a group that’s been hitting your industry for six months. That context shifts the priority hard.
This is the basis for our Ransomware Exposure Index — a weighted score that blends CVSS (30%), CISA KEV (20%), ransomware-group association (20%), reachability (15%), asset density (10%), and misconfigurations (5%). The exact weights matter less than the principle: severity is one input, not the answer.
What to do with this
Three concrete moves:
- Stop sorting by CVSS alone. Add EPSS percentile as a secondary sort. If your tool doesn’t expose EPSS, that’s a tool problem.
- Pull the CISA KEV list daily. Tag every finding that matches. Treat KEV findings as an SLA-bound class — patch within 7 days, no exceptions, regardless of CVSS.
- Add reachability context. A KEV finding behind three layers of segmentation is different from a KEV finding on an internet-facing asset. Reachability cuts the priority queue by an order of magnitude.
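To make the three moves and the weighted index concrete, here is an added example (not the post's own tooling, and not the product's implementation) that sorts findings KEV-first, then by exposure and EPSS percentile, and computes a 0-100 index with the exact weights the post lists. The Finding fields, the binary reachability proxy, the asset-density cap and the sample findings are assumptions; the CVE identifiers are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    epss_pct: float        # EPSS percentile, 0.0-1.0
    kev: bool              # listed in the CISA KEV catalog
    ransomware: bool       # mapped to a ransomware group by curated intel
    internet_facing: bool  # reachability proxy (assumption: binary, not hop count)
    asset_count: int       # how many assets carry this finding
    misconfig: bool        # exploitable misconfiguration present on the asset


# Weights as the post gives them for its Ransomware Exposure Index.
WEIGHTS = {"cvss": 0.30, "kev": 0.20, "ransomware": 0.20,
           "reach": 0.15, "density": 0.10, "misconfig": 0.05}


def exposure_index(f: Finding, max_assets: int = 100) -> float:
    """Weighted 0-100 score; every input is normalised to 0.0-1.0 first."""
    parts = {
        "cvss": f.cvss / 10.0,
        "kev": 1.0 if f.kev else 0.0,
        "ransomware": 1.0 if f.ransomware else 0.0,
        "reach": 1.0 if f.internet_facing else 0.0,
        "density": min(f.asset_count / max_assets, 1.0),  # cap is an assumption
        "misconfig": 1.0 if f.misconfig else 0.0,
    }
    return round(100 * sum(WEIGHTS[k] * v for k, v in parts.items()), 1)


def triage_order(findings):
    """The post's three moves as one sort key: KEV first (the 7-day SLA
    class), exposed before segmented, then EPSS percentile, and CVSS only
    as the final tie-breaker."""
    return sorted(findings, reverse=True,
                  key=lambda f: (f.kev, f.internet_facing, f.epss_pct, f.cvss))


# Constructed sample mirroring the three cases in the post (placeholder CVE ids).
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", 9.8, 0.001, 0.12, False, False, False, 5, False),
    Finding("CVE-PLACEHOLDER-B", 7.4, 0.94, 0.98, False, True, True, 12, True),
    Finding("CVE-PLACEHOLDER-C", 5.5, 0.87, 0.97, True, True, True, 40, False),
]

if __name__ == "__main__":
    for f in triage_order(SAMPLE):
        print(f"{f.cve}: CVSS {f.cvss} EPSS {f.epss} KEV={f.kev} REI={exposure_index(f)}")
```

Sorted by CVSS alone the 9.8 would lead the queue; the KEV-first key puts the 5.5 on top, which is the post's point.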
The math has been better than CVSS-alone for years. Most prioritization queues just haven’t caught up to it.