A Visual Exploration of Exploitation in the Wild

Partner: FIRST | Tenable | JupiterOne | Nucleus

“Exploited in the wild” is a relatively meaningless label if it isn’t accompanied by data on timing, volume, and prevalence. This inaugural study of the Exploit Prediction Scoring System (EPSS) evaluates several years of performance data to determine how accurately a daily probability score can forecast attacker behavior. Our goal is to move beyond innate severity metrics like CVSS, which are limited in their ability to assess actual threat levels.

The data reveals that widespread exploitation is a remarkably rare event. Half of all known exploited CVEs are never observed in more than 0.02% of organizations, and less than 5% of exploited vulnerabilities hit more than 1 in 10 firms. The report also shows that exploitation is not a static trait: a vulnerability exploited today may not be targeted tomorrow, and a third of all exploit activity periodically goes dormant.

When put to the test against traditional methods, EPSS v3 shows increasingly strong performance. Compared to a strategy of fixing all CVSS 7+ vulnerabilities, EPSS can achieve the same risk coverage with one-sixth of the effort. This allows organizations to move from a reactive “whack-a-mole” approach to a data-driven strategy tailored to their specific risk tolerance.

Key Findings

  • The 6% Exploit Constant: Only about 6% of all published vulnerabilities have ever been observed with exploitation activity in the wild.
  • Rare “Big” Exploits: Less than 5% of exploited vulnerabilities manage to reach more than 10% of organizations worldwide, showing that most threats are narrow in scope.
  • The 10-Year Threat: 38% of all current exploitation attempts target vulnerabilities that were published more than 10 years ago.
  • EPSS v3 Performance: Prioritizing vulnerabilities with an EPSS score of 0.1+ achieves 80% risk coverage with 50% precision (efficiency).
  • 139-Day Tipping Point: For vulnerabilities that will be exploited, half of them see their first attack within approximately four and a half months of publication.
  • EPSS vs. CVSS Efficiency: For a fixed level of effort, EPSS achieves nearly 3 times more risk coverage (93%) than a strategy based on CVSS 9+ scores (37%).
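To make the coverage, efficiency and effort figures in the key findings concrete, here is an added worked example; it is not code or data from the report. It uses the definitions the EPSS work is built on: coverage is the share of exploited CVEs a remediation strategy selects (recall), efficiency is the share of selected CVEs that are actually exploited (precision), and effort is the share of all CVEs selected. The 17 CVE identifiers, CVSS scores, EPSS scores and exploitation flags below are constructed sample values, so the resulting percentages are illustrative and should not be read as the report's findings. The last function goes a step beyond the text and sweeps EPSS thresholds to find the cheapest one that matches the coverage of a CVSS-based strategy.

```python
"""Compare threshold-based remediation strategies on a constructed CVE sample."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str          # constructed placeholder identifier, not a real CVE
    cvss: float       # base severity score (0.0 - 10.0)
    epss: float       # daily probability of exploitation (0.0 - 1.0)
    exploited: bool   # whether exploitation activity was observed


# Constructed sample data: 17 CVEs, 5 of them exploited. Chosen so that high CVSS
# and actual exploitation only partly overlap, as the report describes.
SAMPLE: List[Vuln] = [
    Vuln("CVE-EX-0001", 9.8, 0.920, True),
    Vuln("CVE-EX-0002", 7.5, 0.450, True),
    Vuln("CVE-EX-0003", 5.3, 0.310, True),
    Vuln("CVE-EX-0004", 8.8, 0.120, True),
    Vuln("CVE-EX-0005", 9.1, 0.040, False),
    Vuln("CVE-EX-0006", 9.8, 0.020, False),
    Vuln("CVE-EX-0007", 7.2, 0.010, False),
    Vuln("CVE-EX-0008", 7.8, 0.030, False),
    Vuln("CVE-EX-0009", 7.0, 0.005, False),
    Vuln("CVE-EX-0010", 8.1, 0.009, False),
    Vuln("CVE-EX-0011", 6.5, 0.020, False),
    Vuln("CVE-EX-0012", 4.3, 0.001, False),
    Vuln("CVE-EX-0013", 5.9, 0.060, False),
    Vuln("CVE-EX-0014", 3.7, 0.002, False),
    Vuln("CVE-EX-0015", 6.1, 0.150, False),
    Vuln("CVE-EX-0016", 9.0, 0.008, False),
    Vuln("CVE-EX-0017", 6.8, 0.030, True),   # exploited despite a low EPSS score
]

Strategy = Callable[[Vuln], bool]


def epss_at_least(threshold: float) -> Strategy:
    """Strategy: remediate every CVE whose EPSS score meets the threshold."""
    return lambda v: v.epss >= threshold


def cvss_at_least(threshold: float) -> Strategy:
    """Strategy: remediate every CVE whose CVSS score meets the threshold."""
    return lambda v: v.cvss >= threshold


def evaluate_strategy(vulns: List[Vuln], select: Strategy) -> Dict[str, float]:
    """Return effort, coverage (recall) and efficiency (precision) for a strategy."""
    chosen = [v for v in vulns if select(v)]
    exploited_total = sum(1 for v in vulns if v.exploited)
    true_positives = sum(1 for v in chosen if v.exploited)
    return {
        "selected": len(chosen),
        "true_positives": true_positives,
        "effort": len(chosen) / len(vulns) if vulns else 0.0,
        "coverage": true_positives / exploited_total if exploited_total else 0.0,
        "efficiency": true_positives / len(chosen) if chosen else 0.0,
    }


def cheapest_epss_threshold(vulns: List[Vuln], target_coverage: float) -> Tuple[float, Dict[str, float]]:
    """Sweep EPSS thresholds from high to low and return the first (i.e. least
    effort) threshold whose coverage reaches the target, with its metrics."""
    for threshold in sorted({v.epss for v in vulns}, reverse=True):
        result = evaluate_strategy(vulns, epss_at_least(threshold))
        if result["coverage"] >= target_coverage:
            return threshold, result
    return 0.0, evaluate_strategy(vulns, epss_at_least(0.0))


if __name__ == "__main__":
    strategies = {
        "CVSS >= 9.0": cvss_at_least(9.0),
        "CVSS >= 7.0": cvss_at_least(7.0),
        "EPSS >= 0.1": epss_at_least(0.1),
    }
    print(f"{'strategy':<12} {'selected':>8} {'effort':>7} {'coverage':>9} {'efficiency':>11}")
    for name, strategy in strategies.items():
        r = evaluate_strategy(SAMPLE, strategy)
        print(f"{name:<12} {r['selected']:>8} {r['effort']:>7.2f} {r['coverage']:>9.2f} {r['efficiency']:>11.2f}")

    cvss7 = evaluate_strategy(SAMPLE, cvss_at_least(7.0))
    threshold, match = cheapest_epss_threshold(SAMPLE, cvss7["coverage"])
    print(f"\nEPSS >= {threshold} matches CVSS 7+ coverage ({cvss7['coverage']:.0%}) "
          f"with {match['selected']} CVEs instead of {cvss7['selected']}")
```

On this constructed sample the CVSS 7+ strategy selects 10 of 17 CVEs for 60% coverage at 30% efficiency, while an EPSS threshold of 0.31 reaches the same coverage with 3 CVEs. The shape of the comparison, not the exact ratio, is the point: a threshold on a probability of exploitation trades far less effort for the same coverage than a threshold on severity, and the sweep makes the threshold a tunable expression of risk tolerance rather than a fixed cut-off.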

Inaugural study analyzing 237,687 published CVEs and over 8.6 million unique observations of daily exploitation activity from a global contributor network.