What are EPSS and CISA KEV?
Most scanners hand you a long list of CVEs sorted by CVSS severity. The problem: severity tells you how bad a vulnerability would be if exploited — not how likely it is to be exploited at all. EPSS and CISA KEV fill that gap.
EPSS — the Exploit Prediction Scoring System
EPSS, maintained by FIRST.org, is a model that produces a daily score between 0 and 1 estimating the probability that a given CVE will be exploited in the wild within the next 30 days. An EPSS of 0.97 means the model puts a 97% chance on that CVE being attacked within the window, so the finding is almost certain to be targeted soon; 0.02 means it is very unlikely. The score is data-driven and recalculated every day.
CISA KEV — Known Exploited Vulnerabilities
The CISA Known Exploited Vulnerabilities catalog is an authoritative list of CVEs confirmed to be actively exploited right now. If a vulnerability is in KEV, it isn't theoretical — attackers are using it in the real world, and it belongs at the top of your queue.
EPSS vs CVSS — why you need both
Think of it as two axes: CVSS = impact, EPSS = likelihood. A CVSS 9.8 that nobody exploits can often wait; a CVSS 7 with a high EPSS or a KEV flag cannot. The strongest fix-first order combines all three signals:
- KEV first — confirmed active exploitation
- then EPSS — highest exploit probability
- then severity — CVSS as the tie-breaker
A worked example
Imagine a scan returns four findings. Sorting by CVSS alone would put the 9.8 and the 9.3 on top — but that's not where the real risk is:
| Finding | CVSS | EPSS | KEV? | Fix-first rank |
|---|---|---|---|---|
| SMBv1 RCE (MS17-010) | 9.3 | 0.97 | Yes | 1 |
| OpenSSH regreSSHion | 8.1 | 0.92 | Yes | 2 |
| Obscure parser bug | 9.8 | 0.04 | No | 3 |
| Weak TLS ciphers | 5.3 | 0.03 | No | 4 |
The CVSS 9.8 parser bug drops below two lower-CVSS issues because almost nobody is exploiting it, while the KEV-flagged SMBv1 and OpenSSH bugs are being actively weaponised. That re-ordering is the entire point of exploit-aware prioritisation.
How often is EPSS updated, and what's a good threshold?
EPSS scores are recalculated daily, so a CVE that's quiet today can climb sharply once a public exploit appears. There's no universal cutoff, but many teams treat EPSS ≥ 0.1 (a 10%+ chance of exploitation in 30 days) as "act soon", and anything in CISA KEV as "act now regardless of score". Tune the threshold to your risk tolerance and patching capacity.
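The fix-first order above (KEV, then EPSS, then CVSS as tie-breaker) and the "act now / act soon" threshold rule are easy to get subtly wrong when they live in a spreadsheet. The following is an added example, not ShadowSecurityScanner's own code, that enriches scanner findings with both signals and re-ranks them the way the worked example does. The EPSS and KEV feeds are constructed stand-ins: their JSON shape is an assumption based on the public FIRST EPSS API and the CISA KEV catalog, and the CVE ids are placeholders, not the real identifiers for MS17-010 or regreSSHion. A finding whose CVE is absent from the EPSS feed is treated as likelihood 0.0 rather than dropped, so it still lands in the backlog instead of silently disappearing.

```python
"""Exploit-aware prioritisation: KEV first, then EPSS, then CVSS severity.

Added example, not ShadowSecurityScanner code. Feeds below are constructed
samples; the CVE ids are placeholders.
"""
import json

EPSS_ACT_SOON = 0.1  # "act soon" cutoff from the text (10% chance in 30 days); tune to taste

# Constructed EPSS feed. Assumption: the real FIRST API answers with
# {"data": [{"cve": "...", "epss": "<string>", "percentile": "<string>", ...}]}.
EPSS_FEED = json.dumps({"data": [
    {"cve": "CVE-0000-0001", "epss": "0.97", "percentile": "0.99"},
    {"cve": "CVE-0000-0002", "epss": "0.92", "percentile": "0.99"},
    {"cve": "CVE-0000-0003", "epss": "0.04", "percentile": "0.70"},
    {"cve": "CVE-0000-0004", "epss": "0.03", "percentile": "0.60"},
]})

# Constructed KEV catalog. Assumption: the real CISA JSON carries a
# "vulnerabilities" list whose entries have a "cveID" field.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vulnerabilityName": "SMBv1 RCE (placeholder)"},
    {"cveID": "CVE-0000-0002", "vulnerabilityName": "OpenSSH regreSSHion (placeholder)"},
]})

# Constructed scanner output: one CVE per finding, CVSS only, in scan order.
SCAN_FINDINGS = [
    {"cve": "CVE-0000-0003", "title": "Obscure parser bug", "cvss": 9.8},
    {"cve": "CVE-0000-0004", "title": "Weak TLS ciphers", "cvss": 5.3},
    {"cve": "CVE-0000-0001", "title": "SMBv1 RCE (MS17-010)", "cvss": 9.3},
    {"cve": "CVE-0000-0002", "title": "OpenSSH regreSSHion", "cvss": 8.1},
]


def load_epss(raw: str) -> dict:
    """Map CVE id -> EPSS probability as a float (the feed serialises it as text)."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(raw)["data"]}


def load_kev(raw: str) -> set:
    """Set of CVE ids CISA lists as known exploited."""
    return {entry["cveID"] for entry in json.loads(raw)["vulnerabilities"]}


def enrich(findings: list, epss: dict, kev: set) -> list:
    """Attach both signals to each finding; unknown CVEs get EPSS 0.0 and no KEV flag."""
    return [{**f, "epss": epss.get(f["cve"], 0.0), "kev": f["cve"] in kev} for f in findings]


def bucket(finding: dict) -> str:
    """KEV overrides the score entirely; otherwise apply the EPSS cutoff."""
    if finding["kev"]:
        return "act now"
    if finding["epss"] >= EPSS_ACT_SOON:
        return "act soon"
    return "backlog"


def prioritise(findings: list, epss: dict, kev: set) -> list:
    """Return findings ranked KEV -> EPSS -> CVSS, each with a rank and a bucket."""
    ranked = enrich(findings, epss, kev)
    # Tuple key: KEV entries sort first (False < True), then higher EPSS,
    # then higher CVSS as the tie-breaker.
    ranked.sort(key=lambda f: (not f["kev"], -f["epss"], -f["cvss"]))
    for rank, f in enumerate(ranked, start=1):
        f["rank"] = rank
        f["bucket"] = bucket(f)
    return ranked


def rank_by_cvss_only(findings: list) -> list:
    """The naive ordering most scanners give you, kept for comparison."""
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    epss, kev = load_epss(EPSS_FEED), load_kev(KEV_FEED)
    print("CVSS-only order:", [f["title"] for f in rank_by_cvss_only(SCAN_FINDINGS)])
    print("Exploit-aware order:")
    for f in prioritise(SCAN_FINDINGS, epss, kev):
        print(f"  {f['rank']}. {f['title']:24} CVSS {f['cvss']:<4} EPSS {f['epss']:.2f} "
              f"KEV={'yes' if f['kev'] else 'no':3} -> {f['bucket']}")
```

Run as-is, the script reproduces the table's ranking (SMBv1, OpenSSH, parser bug, TLS) from input that was deliberately shuffled, and prints the CVSS-only order beside it so the re-ordering is visible. Because EPSS changes daily, the intended use is to re-fetch the EPSS feed on each scan rather than cache the scores with the findings; the KEV flag is checked first in `bucket()` so a catalog entry is never demoted by a low score.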
Common prioritisation mistakes
- Ranking by CVSS alone — treats every high-severity CVE as equally urgent, flooding the queue.
- Ignoring KEV — KEV entries are confirmed real-world attacks; they should never sit in a backlog.
- Treating EPSS as static — re-pull scores regularly; exploitation likelihood changes daily.
- Using likelihood without impact — EPSS tells you if, CVSS tells you how bad. Use both.
How ShadowSecurityScanner uses them
ShadowSecurityScanner folds EPSS and KEV onto every finding automatically, sorts by that KEV → EPSS → severity order, and carries the signals through to exports (including SARIF). A dashboard "fix first" widget surfaces the most exploitable open issues, so triage takes seconds. Ready to try it? See how to run a scan →
See exploit-aware scanning in action
Free and open-source, with EPSS and CISA KEV built in.
Download ShadowSecurityScanner
Related guides
- How to run a network vulnerability scan — put EPSS/KEV prioritisation into practice.
- Best free open-source penetration testing tools.
- ShadowSecurityScanner vs Nessus vs OpenVAS.