EPSS and CISA KEV
AttackLens integrates two critical data sources for vulnerability prioritization: the Exploit Prediction Scoring System (EPSS) and the CISA Known Exploited Vulnerabilities (KEV) catalog. Together with CVSS scores, these data sources help you prioritize remediation efforts based on real-world exploitability, not just theoretical severity.
Why CVSS Alone Is Not Enough
CVSS (Common Vulnerability Scoring System) measures the technical severity of a vulnerability: how impactful it would be if exploited. However, CVSS does not tell you:
- How likely the vulnerability is to be exploited
- Whether it is currently being exploited in the wild
Many critical-severity CVEs are never exploited, while some medium-severity CVEs are actively targeted by attackers. Effective prioritization requires considering both severity and exploitability.
EPSS: Exploit Prediction Scoring System
What Is EPSS?
EPSS is a data-driven model developed by the FIRST.org EPSS Special Interest Group that estimates the probability that a vulnerability will be exploited in the wild within the next 30 days.
EPSS scores range from 0% to 100%:
| EPSS Range | Interpretation | Priority |
|---|---|---|
| > 10% | High probability of exploitation | Immediate remediation recommended |
| 1% -- 10% | Moderate probability | Prioritize based on asset criticality |
| 0.1% -- 1% | Low probability | Schedule for routine patching |
| < 0.1% | Very low probability | Address during regular maintenance |
EPSS Percentile
In addition to the raw probability score, AttackLens displays the EPSS percentile, which indicates where a vulnerability ranks relative to all other CVEs.
For example, "95th percentile" means this vulnerability has a higher exploitation probability than 95% of all known CVEs.
INFO
EPSS scores are updated daily by the EPSS model as new threat intelligence becomes available. AttackLens syncs EPSS data through its feed system to keep scores current.
How AttackLens Uses EPSS
- Vulnerability list: The EPSS column shows the exploitation probability percentage for each vulnerability
- Vulnerability detail: The risk scores panel displays both the EPSS score and percentile
- Risk score calculation: EPSS is a factor in the composite risk score (higher EPSS increases the risk score)
- Attack graph: Vulnerabilities with high EPSS scores increase the risk profile of affected nodes
CISA KEV: Known Exploited Vulnerabilities
What Is CISA KEV?
The CISA Known Exploited Vulnerabilities catalog is maintained by the Cybersecurity and Infrastructure Security Agency (CISA). It lists vulnerabilities that are confirmed to be actively exploited in the wild.
Unlike EPSS, which predicts the probability of exploitation, KEV entries are based on observed exploitation: these vulnerabilities have been used in real attacks.
KEV Entries
Each KEV entry includes:
- The CVE identifier
- The vulnerable product and vendor
- A description of the vulnerability
- The date it was added to the catalog
- A remediation due date (for US federal agencies)
How AttackLens Uses KEV
- Vulnerability list: A KEV badge appears next to vulnerabilities in the CISA catalog
- Summary cards: A dedicated CISA KEV count card at the top of the vulnerabilities page
- Severity filter: Click the CISA KEV card to filter to only known-exploited vulnerabilities
- Vulnerability detail: The risk scores panel shows "Known Exploited" (red badge) for KEV entries
- Risk score calculation: KEV status significantly increases the composite risk score
- Attack graph: KEV vulnerabilities are flagged on affected nodes
WARNING
Vulnerabilities in the CISA KEV catalog should be treated as the highest priority for remediation. These are not theoretical risks: they are actively being exploited by threat actors.
Prioritization Strategy
AttackLens recommends the following prioritization approach using all three scoring systems:
Tier 1: Immediate (within 24-48 hours)
Vulnerabilities that meet any of these criteria:
- Listed in the CISA KEV catalog
- CVSS Critical (9.0+) AND EPSS > 10%
Tier 2: Urgent (within 1-2 weeks)
Vulnerabilities that meet any of these criteria:
- CVSS Critical (9.0+) with any EPSS score
- CVSS High (7.0+) AND EPSS > 10%
- Any CVSS score AND EPSS > 50%
Tier 3: Planned (within 30 days)
- CVSS High (7.0+) with moderate EPSS (1-10%)
- CVSS Medium (4.0+) with high EPSS (> 10%)
Tier 4: Routine
- All remaining vulnerabilities, addressed during regular patch cycles
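The tier rules above, together with the EPSS interpretation bands from the table earlier on this page, can be expressed as a small decision function. The following is an added example, not AttackLens's own risk-score implementation, and it assumes a few things the page leaves open: EPSS is passed as a fraction (0.05 means 5%), the Tier 3 "moderate EPSS (1-10%)" band is treated as inclusive at both ends, and the `Vuln` record and its sample values are constructed for illustration (the CVE identifiers are placeholders, not real advisories).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """Minimal vulnerability record (constructed for this example)."""
    cve: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability as a fraction, 0.0-1.0 (0.05 == 5%)
    kev: bool     # True if listed in the CISA KEV catalog


def epss_bucket(epss: float) -> str:
    """Map an EPSS probability to the interpretation bands from the EPSS table."""
    if epss > 0.10:
        return "high"          # > 10%: immediate remediation recommended
    if epss >= 0.01:
        return "moderate"      # 1% - 10%: prioritize by asset criticality
    if epss >= 0.001:
        return "low"           # 0.1% - 1%: routine patching
    return "very low"          # < 0.1%: regular maintenance


def tier(v: Vuln) -> int:
    """Assign the remediation tier (1 = immediate ... 4 = routine).

    Rules are evaluated top-down, so a vulnerability that matches an
    earlier tier is never demoted by a later, looser rule.
    """
    # Tier 1: observed exploitation (KEV) or critical severity with high EPSS.
    if v.kev or (v.cvss >= 9.0 and v.epss > 0.10):
        return 1
    # Tier 2: any critical, high severity with high EPSS, or EPSS above 50%.
    if v.cvss >= 9.0 or (v.cvss >= 7.0 and v.epss > 0.10) or v.epss > 0.50:
        return 2
    # Tier 3: high severity with moderate EPSS (assumed inclusive 1%-10%),
    # or medium severity with high EPSS.
    if (v.cvss >= 7.0 and 0.01 <= v.epss <= 0.10) or (v.cvss >= 4.0 and v.epss > 0.10):
        return 3
    # Tier 4: everything else goes into the regular patch cycle.
    return 4


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Order a list for remediation: tier first, then KEV, then EPSS, then CVSS."""
    return sorted(vulns, key=lambda v: (tier(v), not v.kev, -v.epss, -v.cvss))


# Constructed sample data; the CVE strings are placeholders, not real identifiers.
SAMPLE = [
    Vuln("CVE-EXAMPLE-1", cvss=5.3, epss=0.002, kev=True),    # medium, but in KEV
    Vuln("CVE-EXAMPLE-2", cvss=9.8, epss=0.15, kev=False),    # critical + high EPSS
    Vuln("CVE-EXAMPLE-3", cvss=9.1, epss=0.005, kev=False),   # critical, low EPSS
    Vuln("CVE-EXAMPLE-4", cvss=7.5, epss=0.30, kev=False),    # high + high EPSS
    Vuln("CVE-EXAMPLE-5", cvss=3.1, epss=0.60, kev=False),    # low CVSS, EPSS > 50%
    Vuln("CVE-EXAMPLE-6", cvss=7.2, epss=0.05, kev=False),    # high + moderate EPSS
    Vuln("CVE-EXAMPLE-7", cvss=4.0, epss=0.20, kev=False),    # medium + high EPSS
    Vuln("CVE-EXAMPLE-8", cvss=8.8, epss=0.0005, kev=False),  # high, very low EPSS
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"Tier {tier(v)}  {v.cve:14}  CVSS {v.cvss:4.1f}  "
              f"EPSS {v.epss:6.2%} ({epss_bucket(v.epss)})  KEV={v.kev}")
```

The ordering inside a tier is a tie-breaker choice, not something the page prescribes; KEV entries are placed first because observed exploitation outranks a prediction, and EPSS outranks CVSS within the remaining entries for the same reason the page gives: exploitability, not theoretical severity, drives urgency.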
Using the Risk Score
The composite Risk Score in AttackLens already incorporates CVSS, EPSS, and KEV factors. Sorting the vulnerability list by Risk Score descending provides a ready-made prioritization order.
TIP
Focus on the Risk Score column for day-to-day prioritization. It combines all three factors into a single 0-10 metric. Reserve the individual CVSS, EPSS, and KEV columns for deeper analysis when you need to understand why a vulnerability is ranked where it is.
Data Freshness
| Data Source | Update Frequency | Method |
|---|---|---|
| OSV | Continuous (as advisories are published) | Feed sync via license server |
| EPSS | Daily | Feed sync via license server |
| CISA KEV | As CISA updates the catalog | Feed sync via license server |
AttackLens automatically synchronizes vulnerability data through the feed system. No manual action is required to keep data current.
Related Pages
- Understanding Vulnerabilities: How vulnerability detection works
- View Vulnerabilities: Browse and filter vulnerabilities
- Vulnerability Detail: CVE details and risk scores
- Feed and Updates: How data feeds are managed