Exploit Prediction Scoring System
Partners: Kenna Security, Virginia Tech, RAND
The cybersecurity industry has long struggled with a flood of vulnerabilities that outpaces remediation capacity, leaving defenders to rely on subjective severity scores or incomplete data. This research introduces the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework designed to estimate the probability that a software vulnerability will be exploited in the wild within its first twelve months. By moving past innate severity to focus on actual threat, EPSS provides practitioners with a mathematically rigorous way to prioritize patches.
The model uses a transparent logistic regression technique so that score changes are explainable and can be communicated consistently across different business stakeholders. It analyzes a wide array of features, from the software vendor and the presence of weaponized exploit code to the count of external references in a CVE. The report demonstrates how EPSS allows organizations to achieve the same risk coverage as traditional methods with a fraction of the effort, effectively shrinking the “attacker-defender divide.”
Ultimately, the paper provides a roadmap for an evolving practice of vulnerability management. It deconstructs high-profile cases like “BlueKeep” to show how the model correctly identifies high-probability threats months before they peak. This study serves as a foundational contribution for security teams looking to move from a reactive “whack-a-mole” approach to a defensible, evidence-based prioritization strategy.
Key Findings
- The 3.7% Exploit Reality: In a dataset of over 25,000 vulnerabilities, the overall exploitation rate within the first twelve months was only 3.7%.
- Weaponization as a Force Multiplier: The probability of exploitation rises to 37.1% when proof-of-concept code has been weaponized and built into an exploitation framework.
- Vendor-Specific Risk Density: Vulnerabilities in Microsoft and IBM products are the most significantly correlated with exploitation, with Microsoft flaws being 21.2% likely to be targeted.
- The Reference Count Signal: The number of references in a published CVE is positively correlated with threat, with “BlueKeep” generating ten unique references and a 95% exploit probability.
- EPSS vs. CVSS Efficiency: EPSS achieves nearly 3 times more risk coverage for a fixed level of effort compared to traditional CVSS 9+ strategies.
- Massive Effort Reduction: Implementing an EPSS-based strategy can reduce remediation effort by up to 85.9% while maintaining the same coverage as a “patch everything CVSS 10” policy.
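To make the two ideas summarized above concrete (a logistic-regression exploit score built from explainable feature increments, and the coverage-versus-effort comparison of remediation strategies), here is an added Python illustration. It is not the paper's model or code: the coefficients, the vulnerability records and the thresholds are all constructed for the example, and the coverage, effort and efficiency definitions follow the general notion of "risk coverage for a fixed level of effort" described on this page rather than any figure reported in the study.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    """One vulnerability with the kinds of features the page describes and its observed outcome."""
    vid: str             # constructed placeholder identifier, not a real CVE number
    vendor: str          # e.g. "microsoft", "ibm", "other"
    weaponized: bool     # exploit code built into an exploitation framework
    ref_count: int       # number of external references in the CVE entry
    cvss: float          # CVSS base score, used by the traditional strategy
    exploited: bool      # ground truth: exploitation observed within the window


# Hypothetical logistic-regression coefficients chosen for illustration only;
# the study's fitted values are not reproduced on this page.
INTERCEPT = -3.5
COEF = {
    "vendor_microsoft": 1.2,
    "vendor_ibm": 0.9,
    "weaponized": 2.5,
    "ref_count": 0.15,   # log-odds added per external reference
}


def epss_score(v: Vuln) -> float:
    """Logistic regression: P(exploited) = sigmoid(intercept + sum(coef_i * x_i)).

    Because the model is linear in the log-odds, each feature contributes a
    fixed, explainable increment, which is what makes a score change easy to
    justify to a non-technical stakeholder."""
    z = INTERCEPT
    z += COEF["vendor_microsoft"] * (v.vendor == "microsoft")
    z += COEF["vendor_ibm"] * (v.vendor == "ibm")
    z += COEF["weaponized"] * v.weaponized
    z += COEF["ref_count"] * v.ref_count
    return 1.0 / (1.0 + math.exp(-z))


def evaluate(vulns: List[Vuln], select: Callable[[Vuln], bool]) -> Dict[str, float]:
    """Measure a remediation strategy on a labelled set of vulnerabilities.

    effort     = share of all vulnerabilities the strategy says to fix
    coverage   = share of actually-exploited vulnerabilities the strategy catches (recall)
    efficiency = share of fixed vulnerabilities that were actually exploited (precision)
    """
    chosen = [v for v in vulns if select(v)]
    hits = sum(1 for v in chosen if v.exploited)
    exploited_total = sum(1 for v in vulns if v.exploited)
    return {
        "remediated": len(chosen),
        "effort": len(chosen) / len(vulns) if vulns else 0.0,
        "coverage": hits / exploited_total if exploited_total else 0.0,
        "efficiency": hits / len(chosen) if chosen else 0.0,
    }


# Constructed sample records (not drawn from the study's dataset).
SAMPLE: List[Vuln] = [
    Vuln("EX-0001", "microsoft", True, 10, 9.8, True),
    Vuln("EX-0002", "microsoft", False, 3, 7.5, False),
    Vuln("EX-0003", "ibm", False, 2, 9.0, False),
    Vuln("EX-0004", "other", True, 6, 6.5, True),
    Vuln("EX-0005", "other", False, 1, 10.0, False),
    Vuln("EX-0006", "other", False, 1, 9.3, False),
    Vuln("EX-0007", "ibm", True, 4, 8.1, True),
    Vuln("EX-0008", "other", False, 2, 4.3, False),
]


def cvss_strategy(threshold: float = 9.0) -> Callable[[Vuln], bool]:
    """Traditional policy: remediate everything at or above a CVSS cut-off."""
    return lambda v: v.cvss >= threshold


def epss_strategy(threshold: float = 0.4) -> Callable[[Vuln], bool]:
    """Probability-based policy: remediate everything at or above an exploit-probability cut-off."""
    return lambda v: epss_score(v) >= threshold


if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.vid}: cvss={v.cvss:4.1f} epss={epss_score(v):.3f} exploited={v.exploited}")
    print("CVSS >= 9.0:", evaluate(SAMPLE, cvss_strategy(9.0)))
    print("EPSS >= 0.4:", evaluate(SAMPLE, epss_strategy(0.4)))
```

On the constructed sample the CVSS-9+ policy remediates half of the records and still misses two of the three exploited ones, while the probability threshold remediates fewer records and catches all three; the numbers are an artefact of the made-up data, but the shape of the comparison (coverage and efficiency at a given effort) is the one the page describes.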

This is independent research by experts from Cyentia, RAND Corporation, Kenna Security, and Virginia Tech. The study analyzed 25,159 vulnerabilities published between 2016 and 2018, using real-world exploitation telemetry from Proofpoint, Fortinet, AlienVault, and GreyNoise.
