
Introduction
Security teams today are inundated with vulnerability data. A single scan can return hundreds of Common Vulnerabilities and Exposures (CVEs), each with its own severity score, technical details, and patching requirements. The challenge isn’t finding vulnerabilities; it’s knowing which ones to fix first.
Traditionally, Common Vulnerability Scoring System (CVSS) scores have been used to sort vulnerabilities by severity. But while severity is useful in understanding potential impact, it doesn’t account for whether a vulnerability is actually being exploited - or likely to be in the near future.
To help with this, Hexiosec ASM includes data from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog to flag vulnerabilities for which CISA has evidence of real-world exploitation.
However, even with both of these metrics it is hard to judge which vulnerabilities are likely to be targeted in the real world relative to one another. A KEV entry records that exploitation has been observed at some point; it does not tell you whether a vulnerability is being actively exploited right now, nor how it compares with the many vulnerabilities that have public exploit code but no KEV entry.
This is where we introduce Exploit Prediction Scoring System (EPSS) data to provide an additional complementary signal indicating the current likelihood of a vulnerability experiencing exploitation activity.
When combined with the other metrics, EPSS can help security teams reduce the noise and focus remediation efforts on those vulnerabilities that currently pose the greatest real-world risk of compromise.
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by the Forum of Incident Response and Security Teams (FIRST) that estimates the probability that a software vulnerability will experience exploitation activity in the wild within the next 30 days. Unlike CVSS, which scores vulnerabilities on theoretical impact and ease of exploitation, EPSS provides a predictive likelihood based on observed attacker behaviour, public exploit availability and other real-world factors.
EPSS scores range from 0% to 100%, representing the probability that a vulnerability will experience exploitation activity in the next 30 days.
FIRST describe exploitation activity as: “evidence that exploitation of a vulnerability was attempted, not that it was successful against a vulnerable target. Which means we are collecting data from honeypots, IDS/IPS sensors and host-based detection methods and of course, we are always looking to expand data sources.”
For example:
- An EPSS score of 1% means the vulnerability is very unlikely to experience exploitation activity soon.
- An EPSS score of 90% suggests the vulnerability is highly likely to experience exploitation activity soon.

How can EPSS help me prioritise remediation?
While you should aim to remediate all known vulnerabilities, this takes time, and it can be tricky to know the best place to start and which remediations will have the greatest reduction in real-world risk of compromise.
An organisation with a moderate risk appetite might be faced with the following conundrum of what to fix first:
- A medium/high-severity CVE with a known exploit and a high EPSS score (85%)
- A critical-severity CVE without any known exploit and a low EPSS score (0.15%)
It is possible that the critical-severity CVE is being exploited quietly in limited circles, or that a zero-day emerges before the published data catches up, but it may equally be theoretical or only exploitable under very specific conditions. The pragmatic choice is usually to fix the medium/high-severity CVE first: it has a known exploit, and its high EPSS probability reflects observed exploitation activity, which in this case most likely means the vulnerability is being actively targeted in other organisations.
The remediation for software vulnerabilities is usually to update or patch the vulnerable software component to a newer version. It is often possible to resolve a number of vulnerabilities of varying severities in one go by updating to a newer version.
To help with this, Hexiosec ASM has a feature called Actions, which groups risks into clear, actionable tasks that resolve a set of related risks on a given asset, such as a domain or service. For example, a single action to update a vulnerable software component to a newer version can resolve several current and historical vulnerabilities at once. Actions can be assigned to team members, given a due date and tracked for progress.

Hexiosec ASM provides the EPSS scores of an action’s associated vulnerabilities. When viewing multiple actions, their maximum EPSS score is displayed alongside each action, allowing you to sort by which actions would fix vulnerabilities with a high likelihood of exploitation in the next 30 days. This allows you to effectively assign and prioritise which actions to resolve first.
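The triage described above (KEV membership, EPSS probability and CVSS severity, with findings collapsed into upgrade actions ranked by the highest EPSS score each would resolve) can be expressed in a few dozen lines. The following is an added example written for this article, not Hexiosec ASM's own code. The CVE identifiers, scores, hosts and package names are constructed placeholders; the CSV excerpt only mimics the column layout of the daily EPSS file FIRST publishes (a leading "#model_version..." comment line followed by cve,epss,percentile), and the grouping key (asset, component, fix version) is an assumption about how an "action" is defined.

```python
"""Added example: rank scan findings by KEV, EPSS and CVSS, then group them into
upgrade actions tagged with the maximum EPSS score they would resolve.
All data below is constructed for illustration and is not real vulnerability data."""
import csv
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in the shape of the daily EPSS CSV published by FIRST:
# an optional leading '#' comment line, then a cve,epss,percentile header.
# The CVE identifiers and values are placeholders, not real EPSS output.
EPSS_CSV = """\
#model_version:v0.0.0,score_date:2000-01-01T00:00:00+0000
cve,epss,percentile
CVE-2000-0001,0.85000,0.99200
CVE-2000-0002,0.00150,0.48000
CVE-2000-0003,0.30000,0.96500
CVE-2000-0004,0.00040,0.12000
"""

# Constructed stand-in for CISA KEV membership.
KEV = {"CVE-2000-0001"}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float        # CVSS base score reported by the scanner
    asset: str         # host or service the finding was observed on
    component: str     # software component whose upgrade resolves it
    fix_version: str   # version that carries the fix


# Constructed scan findings mirroring the conundrum in the text.
FINDINGS = [
    Finding("CVE-2000-0001", 6.5, "web-01", "libfoo", "2.4.1"),    # medium/high, KEV, EPSS 85%
    Finding("CVE-2000-0002", 9.8, "web-01", "libfoo", "2.4.1"),    # critical, no KEV, EPSS 0.15%
    Finding("CVE-2000-0003", 7.5, "api-02", "barserver", "5.0.3"),
    Finding("CVE-2000-0004", 5.3, "api-02", "barserver", "5.0.3"),
]


def load_epss(text):
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' comment lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in csv.DictReader(lines)}


def epss_score(cve, epss):
    """EPSS probability for a CVE; 0.0 when the model has not scored it."""
    return epss.get(cve, (0.0, 0.0))[0]


def triage_key(finding, epss, kev):
    """Remediation ordering: KEV membership first, then EPSS probability,
    then CVSS base score as the tiebreaker. Sort with reverse=True."""
    return (finding.cve in kev, epss_score(finding.cve, epss), finding.cvss)


def prioritise(findings, epss, kev):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: triage_key(f, epss, kev), reverse=True)


def group_into_actions(findings, epss, kev):
    """Collapse findings into one upgrade action per (asset, component, fix_version),
    tag each with the highest EPSS score among the CVEs it resolves and whether any
    of them is in KEV, and return the actions sorted by those two signals."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.asset, f.component, f.fix_version)].append(f)
    actions = []
    for (asset, component, version), group in groups.items():
        actions.append({
            "asset": asset,
            "action": f"upgrade {component} to {version}",
            "cves": sorted(f.cve for f in group),
            "max_epss": max(epss_score(f.cve, epss) for f in group),
            "in_kev": any(f.cve in kev for f in group),
        })
    return sorted(actions, key=lambda a: (a["in_kev"], a["max_epss"]), reverse=True)


if __name__ == "__main__":
    epss = load_epss(EPSS_CSV)
    for f in prioritise(FINDINGS, epss, KEV):
        flag = "KEV" if f.cve in KEV else "-"
        print(f"{f.cve} cvss={f.cvss} {flag} epss={epss_score(f.cve, epss):.2%}")
    for a in group_into_actions(FINDINGS, epss, KEV):
        print(f"{a['asset']}: {a['action']}  max EPSS {a['max_epss']:.2%}  "
              f"resolves {', '.join(a['cves'])}")
```

Note that a CVE absent from the EPSS file scores 0.0 here rather than raising, so a freshly published CVE that the model has not yet scored sinks to the bottom of the EPSS ordering; that is exactly the "published data catching up" gap described above, and it is why KEV and CVSS remain in the sort key rather than EPSS alone.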
Where does Hexiosec ASM show EPSS scores?
As well as alongside each vulnerability-based action, Hexiosec ASM also displays the EPSS score (and optional EPSS percentile) columns on the Risks page.

Hexiosec ASM now includes a new dedicated Vulnerabilities card on the Overview page.

Each row can be expanded to show the model information, a heatmap visualisation of the score and a statement of where the EPSS score ranks among published CVEs.
How does a given CVE rank based on its probability?
The EPSS model also produces a second metric, the EPSS percentile. It gives the proportion of all scored vulnerabilities whose EPSS score is less than or equal to this one, i.e. the vulnerability’s rank within the model, showing how it compares with every other scored vulnerability.
The percentile helps to interpret a CVE’s EPSS score: read together, the two give useful context about the distribution of EPSS scores across all published CVEs.
For instance:
- A vulnerability with an EPSS percentile of 99% (i.e. in the 99th percentile) is among the top 1% of vulnerabilities most likely to experience exploitation activity. At the time of writing these typically have EPSS scores of 80% or above.
- A vulnerability with an EPSS percentile of 10% (i.e. in the 10th percentile) is less likely to experience exploitation activity than 90% of others, i.e. it is in the bottom 10% of EPSS scores. These typically have very low EPSS scores of 0.05% or lower.
What the percentile reveals about the distribution of probability scores in the EPSS model is that the vast majority of published CVEs have very low EPSS scores, with a small tail carrying almost all of the probability. Charting EPSS percentile against EPSS score gives a curve like the graph below. Note that the exact mapping from score to percentile moves as FIRST retrains the model and republishes scores daily, so read thresholds from current data rather than treating the figures here as fixed.


In practice, at the time of writing, a vulnerability with an EPSS score above 25% sits in roughly the top 5% of all scored CVEs. These are the ones to consider acting on first, as they fall within the subset of known vulnerabilities that attackers are most likely to target.
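The percentile definition and the score-to-percentile relationship described above can be reproduced from any list of EPSS scores. The following added example (written for this article, not Hexiosec ASM's or FIRST's code) computes the percentile of a score as the proportion of scores less than or equal to it, finds the score threshold that marks the top N% of the distribution, and produces the kind of ranking statement shown beside a vulnerability. The 100 scores are constructed to be right-skewed like real EPSS data, but the values themselves are illustrative.

```python
"""Added example: EPSS percentile and top-N% threshold from a score distribution.
The score list is constructed for illustration and is not real EPSS data."""
from bisect import bisect_right

# Constructed, heavily right-skewed list of 100 EPSS scores: most CVEs sit
# near zero and a thin tail carries the high probabilities.
SCORES = ([0.0002] * 60 + [0.0005] * 20 + [0.002] * 10 + [0.02] * 5
          + [0.12, 0.30, 0.45, 0.70, 0.90])


def epss_percentile(score, scores):
    """Proportion of scored CVEs whose EPSS score is less than or equal to `score`
    (the definition FIRST uses for the EPSS percentile)."""
    ordered = sorted(scores)
    return bisect_right(ordered, score) / len(ordered)


def threshold_for_top(fraction, scores):
    """Smallest score such that no more than `fraction` of CVEs score above it;
    any CVE scoring strictly above this value is within the top `fraction`."""
    n = len(scores)
    for s in sorted(set(scores)):
        if sum(1 for x in scores if x > s) <= fraction * n:
            return s


def rank_statement(score, scores):
    """Human-readable ranking of the kind displayed beside a vulnerability."""
    pct = epss_percentile(score, scores)
    return f"EPSS {score:.2%} is at the {pct:.0%} percentile (top {1 - pct:.0%} of scored CVEs)"


if __name__ == "__main__":
    for frac in (0.05, 0.01):
        print(f"scores above {threshold_for_top(frac, SCORES):.2%} are in the top {frac:.0%}")
    for s in (0.0002, 0.02, 0.30, 0.90):
        print(rank_statement(s, SCORES))
```

Because the percentile is defined over the whole population, a score that looks negligible in absolute terms (2% here) can already be at the 95th percentile; this is the relationship the graph above illustrates, and it is why a modest-looking EPSS score can still be the most urgent item in a scan.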
Final thoughts
In a world where the volume of disclosed vulnerabilities continues to grow, so too does the challenge of knowing where to focus limited resources; prioritisation is essential. While CVSS severity and known exploit data remain valuable indicators, they don’t always reflect the likelihood of real-world exploitation.
By introducing EPSS into the prioritisation process, teams can make more informed decisions by combining severity, known exploitation, and probability to better assess the risks to focus on right now. This triage approach doesn’t replace existing methods but enhances them with real-world probability, allowing your team to work more efficiently and effectively.
Hexiosec ASM brings these signals together in a way that’s designed to support practical remediation workflows. This helps reduce the noise and bring clarity to what matters most.
To learn more about how EPSS scoring is used within Hexiosec ASM, visit our knowledge base.