If you're still triaging vulnerabilities based on CVSS scores alone, you’re flying blind.
CVSS tells you how bad a vulnerability could be. EPSS tells you how likely it is to be exploited. That distinction matters — especially when you’re buried under a mountain of CVEs, working against tight SLAs, or chasing down real threats in production.
Now, with the release of EPSS version 4, the model is sharper, faster, and more useful than ever for security teams who need to prioritize what matters.
Let’s break down what changed and why it’s a big deal.
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a machine learning model that predicts the probability that a given CVE will be exploited in the wild in the next 30 days.
It’s maintained by the EPSS SIG and draws from real-world exploitation data, threat intel, and vulnerability metadata.
You don’t need to understand how the model works under the hood to use it effectively. You just need to know this:
EPSS gives every CVE a probability score between 0.0 and 1.0 (the estimated chance of exploitation within the next 30 days) — the higher the score, the higher the likelihood of exploitation.
That simple number can change how you triage vulnerabilities.
What’s New in EPSS v4?
EPSS v4, released in March 2025, builds on the foundation laid in versions 2 and 3 — but this update is more than just a tune-up. It's a significant upgrade that gives you more data, better signal, and less noise.
Here are the big enhancements:
1. Broader Exploitation Activity Data
In EPSS v3, the model observed around 2,000 vulnerabilities/month with exploitation data. In v4, that number jumps to ~12,000/month.
Why it matters:
More data = better prediction. And when you’re measuring real-world exploitation (from malware, honeypots, endpoint detections), you’re no longer guessing what might happen — you’re reacting to what’s already happening.
2. Expanded Threat Intel Sources
EPSS v4 pulls from:
- RSS feeds
- Security blog mentions
- Shodan scan data
- HackerOne Hacktivity reports
- And hundreds of community-driven data points
You’re getting context that goes beyond the NVD — including vulnerabilities that are being discussed, tested, and exploited in the wild right now.
3. Improved Categorization & Clarity
EPSS now maps CWEs into the top 22 standardized categories (based on CWE Category 1400), making analysis easier and reporting cleaner.
Also, REJECTED CVEs are excluded from scoring. It’s a small change, but it reduces noise and keeps your dashboards clean.
4. Resilient Enrichment
EPSS now uses cve.org as a fallback when NVD enrichment is slow or missing.
Why this matters:
The NVD backlog has become a problem for many vulnerability management teams. EPSS v4 sidesteps that by not relying on a single source.
What This Means for Security Engineers
1. Triage Smarter
You already know this: Not all critical vulnerabilities get exploited, and not all exploited vulnerabilities are marked “critical.”
EPSS bridges that gap.
With v4, you’re not just patching based on severity — you’re prioritizing based on risk of exploitation. That’s a shift from compliance-driven to threat-driven vulnerability management.
2. Align with Real-World Threats
Let’s say two CVEs both have a CVSS score of 9.8.
- One has an EPSS score of 0.005 (roughly a 0.5% chance of exploitation in the next 30 days) — probably not being targeted.
- The other has an EPSS score of 0.73 (roughly a 73% chance) — likely to be actively exploited.
Which one gets patched first?
(If you said “both,” you might need to talk to your ops team.)
3. Power Automation
EPSS v4 makes automation smarter. You can:
- Set thresholds (e.g. EPSS > 0.5) for automatic escalations
- Combine EPSS with asset criticality for context-aware triage
- Use EPSS scores to enrich SIEM alerts or drive ticketing workflows
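Here is an added example (not code from the article or from any EPSS tooling) that ties the two points above together: a constructed asset inventory is joined to a constructed EPSS feed, the article's EPSS > 0.5 threshold drives escalation, and the remaining findings are ranked by EPSS combined with CVSS and asset criticality. The record shape {"cve", "epss", "percentile"} and the CVE ids are assumptions, not data from the page.

```python
"""Added example: EPSS-driven triage with threshold escalation and
asset-aware ranking. All inventory data and EPSS records are constructed."""
from dataclasses import dataclass

ESCALATE_EPSS = 0.5  # the article's example threshold for automatic escalation
# Assumed asset-criticality weights; tune to your own environment
ASSET_WEIGHT = {"internet-facing": 1.0, "internal": 0.6, "lab": 0.2}


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    criticality: str


# Constructed inventory: two CVEs share a CVSS of 9.8, as in the article
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "web-gw-01", "internet-facing"),
    Finding("CVE-0000-0002", 9.8, "build-box", "lab"),
    Finding("CVE-0000-0003", 6.5, "web-gw-01", "internet-facing"),
]

# Constructed EPSS records (assumed feed shape); scores mirror the 0.005 vs 0.73 contrast
EPSS_FEED = {"data": [
    {"cve": "CVE-0000-0001", "epss": "0.005", "percentile": "0.70"},
    {"cve": "CVE-0000-0002", "epss": "0.73", "percentile": "0.98"},
    {"cve": "CVE-0000-0003", "epss": "0.61", "percentile": "0.96"},
]}


def epss_lookup(feed):
    """Map CVE id -> EPSS probability as float (feeds often ship scores as strings)."""
    return {rec["cve"]: float(rec["epss"]) for rec in feed["data"]}


def triage(findings, feed):
    """Return (cve, asset, risk, escalate) tuples, escalations first, then by risk.

    risk = EPSS x (CVSS / 10) x asset weight. A CVE absent from the feed
    (for example a REJECTED CVE) is scored 0.0 rather than raising an error.
    """
    scores = epss_lookup(feed)
    rows = []
    for f in findings:
        epss = scores.get(f.cve, 0.0)
        risk = round(epss * (f.cvss / 10.0) * ASSET_WEIGHT[f.criticality], 4)
        rows.append((f.cve, f.asset, risk, epss > ESCALATE_EPSS))
    return sorted(rows, key=lambda r: (r[3], r[2]), reverse=True)
```

Note that the 9.8 on the lab box outranks the 9.8 on the internet-facing gateway purely because of EPSS, and the CVSS 6.5 finding lands at the top because it is both likely to be exploited and sitting on a critical asset.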
How to Use EPSS (and When Not To)
Here’s a quick cheat sheet:
EPSS is a powerful lens, but it’s not a crystal ball. Use it alongside CVSS, business context, and asset value — not as a standalone decision-maker.
Final Thoughts
EPSS v4 gives security teams the edge they need in a world of too many vulnerabilities and not enough time.
If you’re a security engineer trying to make smarter decisions faster, this tool belongs in your arsenal.
Vulnerability management isn’t about checking boxes. It’s about reducing the risk of real-world compromise. EPSS helps you do that, one prioritized CVE at a time.