What is EPSS Score?
The Exploit Prediction Scoring System (EPSS) is a data-driven predictive vulnerability management framework that assesses vulnerabilities based on their potential for exploitation. EPSS calculates a score for each vulnerability that predicts how likely it is to be exploited in the near future.
The EPSS score enables organizations to prioritize remediation efforts and effectively manage their attack surface.
How does EPSS work?
EPSS, which is managed by the Forum of Incident Response and Security Teams (FIRST), is a machine-learning model that merges descriptive data about vulnerabilities — specifically the common vulnerabilities and exposures (CVE) system — with real-world exploitation evidence and community insights. The EPSS provides accurate and timely predictions regarding the likelihood of a vulnerability being exploited in the wild.
EPSS analyzes a variety of factors that contribute to a vulnerability’s exploitability. Key factors include:
- The complexity of the attack
- The likelihood of discovery
- The potential impact of a successful attack
- The current threat landscape
Once EPSS has analyzed all these factors, it generates a score that predicts the likelihood of exploitation. Cybersecurity professionals may use this score to prioritize their efforts and focus on the vulnerabilities that pose the greatest risk to their organization.
Pro Tip: It’s best to unify your vulnerability data before implementing EPSS. Here’s why.
What is the difference between EPSS vs. CVSS?
Similar to EPSS, the Common Vulnerability Scoring System (CVSS) is a framework for assessing vulnerabilities. But CVSS and EPSS use different calculation methods:
- CVSS assesses the severity of a vulnerability based on innate factors such as access complexity, exploitability and impact. The score ranges from 0 to 10, with a higher score indicating a more severe vulnerability.
- EPSS, by contrast, estimates the likelihood that a vulnerability will be exploited, something CVSS scores do not consider. EPSS outputs a probability between 0 and 1 (0% to 100%) that the vulnerability will be exploited in the wild within the next 30 days; a higher score means exploitation is more likely.
While CVSS scores are still widely used in security programs, EPSS, a more recent system developed by the same group (FIRST), adds capabilities that CVSS lacks. To improve the quality of vulnerability data, it is recommended to use EPSS and CVSS in combination, leveraging the strengths of each system. Read our blog post to learn why the CVSS score isn’t the best software vulnerability prioritization approach.
What is EPSS percentile and how does the EPSS percentile score differ from the EPSS probability score?
The EPSS percentile is a percentage assigned to a specific vulnerability that indicates how its probability score ranks against other vulnerabilities. For instance, a vulnerability with an EPSS percentile of 90% has a higher probability score than 90% of all other scored CVEs.
Scoring system | Working methodology | Factors taken into account | Resulting score |
---|---|---|---|
EPSS | Looks at the likelihood of the vulnerability being exploited | Popularity of the affected software; ease of obtaining exploit code; existence of known exploits in the wild | Gives security professionals an idea of how likely it is that the vulnerability will be exploited |
CVSS | Assesses the severity of security vulnerabilities | Base metrics (attack vector, attack complexity, integrity impact); temporal metrics (availability and reliability of exploit code); environmental metrics (business criticality of the affected asset, collateral damage potential) | Gives security professionals an idea of how critical the vulnerability is |
Percentile values may change when focusing on a specific subset of vulnerabilities relevant to a particular network environment. This happens because the sample of total vulnerabilities changes.
Conversely, the EPSS probability score remains the same regardless of which subset you look at and provides a more objective measure of the likelihood of exploitation. Probability scores range from 0 to 1 (0% to 100%), with higher scores indicating a greater threat level.
How to calculate EPSS vulnerability score?
EPSS scores are computed by FIRST and published through its publicly available JSON API. You query the API with a CVE identifier and receive that vulnerability's probability score (and percentile) in return.
An alternative approach is to use an EPSS calculator, a tool that gives you access to EPSS data. These calculators let you describe the vulnerability and then return the probability of an exploit occurring.
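The following Python script is an added example, not code from Brinqa or from FIRST, that ties the two preceding sections together: it parses a response in the shape the FIRST EPSS API returns, recomputes percentiles inside a chosen subset of CVEs (showing why the percentile shifts with the sample while the probability does not), and crosses the EPSS probability with a CVSS base score to bucket findings for remediation. The API endpoint is real; the sample response, the CVE identifiers (CVE-0000-000x placeholders), the CVSS scores and the 0.1 / 7.0 thresholds are all constructed assumptions for illustration.

```python
"""Consume EPSS data: parse a FIRST EPSS API response, recompute percentiles
inside a chosen subset of CVEs, and combine the EPSS probability with a CVSS
base score to decide what to remediate first."""
import json
import urllib.request
from urllib.parse import urlencode

# Public FIRST EPSS endpoint (real). Several CVE ids can be passed
# comma-separated in the `cve` query parameter.
EPSS_API = "https://api.first.org/data/v1/epss"

# Constructed sample shaped like an API response. The CVE ids are placeholders
# and the epss/percentile/date values are invented, not real scores.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 5, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.970000", "percentile": "0.999000", "date": "2024-01-01"},
        {"cve": "CVE-0000-0002", "epss": "0.000500", "percentile": "0.150000", "date": "2024-01-01"},
        {"cve": "CVE-0000-0003", "epss": "0.120000", "percentile": "0.950000", "date": "2024-01-01"},
        {"cve": "CVE-0000-0004", "epss": "0.030000", "percentile": "0.870000", "date": "2024-01-01"},
        {"cve": "CVE-0000-0005", "epss": "0.004000", "percentile": "0.600000", "date": "2024-01-01"},
    ],
})

# Constructed CVSS base scores for the same placeholder CVEs (assumption: a
# scanner or the NVD supplies these; they are not part of the EPSS API).
SAMPLE_CVSS = {
    "CVE-0000-0001": 9.8, "CVE-0000-0002": 9.1, "CVE-0000-0003": 6.5,
    "CVE-0000-0004": 7.5, "CVE-0000-0005": 4.3,
}


def parse_epss_response(raw):
    """Return {cve: (epss_probability, global_percentile)} as floats.
    The API serialises both numbers as strings, so convert explicitly."""
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {body.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in body["data"]}


def fetch_epss(cves, timeout=10):
    """Live lookup of the given CVE ids (needs network access)."""
    url = f"{EPSS_API}?{urlencode({'cve': ','.join(cves)})}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_epss_response(resp.read().decode("utf-8"))


def subset_percentiles(scores):
    """Percentile of each CVE *within this subset*: the fraction of CVEs in the
    subset whose probability is at or below its own. The API's percentile is
    relative to every CVE that EPSS scores, so the two values differ even
    though the ordering by probability is the same."""
    probs = sorted(p for p, _ in scores.values())
    n = len(probs)
    return {cve: sum(1 for q in probs if q <= p) / n
            for cve, (p, _) in scores.items()}


def prioritize(scores, cvss, epss_threshold=0.1, cvss_threshold=7.0):
    """Bucket each CVE by crossing EPSS likelihood with CVSS severity.
    The thresholds are illustrative assumptions; tune them to your environment."""
    buckets = {}
    for cve, (p, _) in scores.items():
        likely = p >= epss_threshold
        severe = cvss.get(cve, 0.0) >= cvss_threshold
        if likely and severe:
            buckets[cve] = "act now"
        elif severe:
            buckets[cve] = "severe but unlikely"
        elif likely:
            buckets[cve] = "likely but moderate"
        else:
            buckets[cve] = "defer"
    return buckets


if __name__ == "__main__":
    scores = parse_epss_response(SAMPLE_RESPONSE)
    local = subset_percentiles(scores)
    buckets = prioritize(scores, SAMPLE_CVSS)
    for cve, (p, global_pct) in sorted(scores.items(), key=lambda kv: -kv[1][0]):
        print(f"{cve}  epss={p:.4f}  global_pct={global_pct:.3f}  "
              f"subset_pct={local[cve]:.2f}  cvss={SAMPLE_CVSS[cve]}  -> {buckets[cve]}")
```

Running the script on the constructed sample prints each CVE with its probability, the global percentile from the (sample) API response, the percentile recomputed within the five-CVE subset, and its remediation bucket; replace `SAMPLE_RESPONSE` with the output of `fetch_epss([...])` to run the same logic against live FIRST data.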
What benefits does EPSS score provide?
Exploit prediction scoring systems benefit security teams in the following ways:
- Helping organizations prioritize their security efforts and protect their critical assets from cyber risks.
- Providing a comprehensive view of vulnerabilities and their likelihood of being exploited to assist organizations in demonstrating compliance with cybersecurity regulations and standards.
- Enhancing incident response capabilities. For instance, in the event of a cyberattack, organizations can use the information provided by these systems to quickly identify and prioritize the vulnerabilities that have been exploited. This enables incident response teams to act swiftly and effectively, minimizing the damage caused by the attack and reducing downtime.
- Facilitating a common language for discussing vulnerabilities and their potential impact, thereby enabling more effective communication between security teams, IT teams and other stakeholders.
What are the limitations of the exploit prediction scoring system?
Despite the benefits that EPSS offers, there are limitations, too:
- These systems are reliant on the accuracy and completeness of the data that is used to generate scores.
- The EPSS score only considers vulnerabilities associated with a CVE identifier, and some hardware or software bugs may slip under the radar.
- Exploit prediction scoring systems are only one part of a comprehensive security strategy. While EPSS scores can help organizations to prioritize vulnerabilities, they do not replace the need for regular security assessments, vulnerability scanning and custom risk scores configured to your unique business environment.
How Brinqa can help
Organizations should use EPSS to supplement their existing security efforts, not as a complete solution. By combining the use of scoring systems with other security measures, such as context-based risk scoring, you can better protect your systems and data from potential threats.
Brinqa transforms the risk assessment practice from relying solely on human judgment to leveraging thousands of calculations of individual factors known to contribute to risk.
With Brinqa Attack Surface Intelligence Platform, you can prioritize risks based on business context and leverage advanced risk models to facilitate the remediation of vulnerabilities.
Ready to see Brinqa in action? Request a personalized cyber risk demo.