Tools
Exploit Prediction Scoring System Calculator
EPSS is the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented without specialized tools or software. Below you will find a simple-to-use calculator. Note that over time, and as more data become available, the parameters used to define the probability may change, as could their influence on the outcome.
Vulnerability Attributes
Number of vendor references to the vulnerability
Probability of exploit in next 12 months
Glossary
Vendor | Extracted from NVD-encoded CPE information (primarily CPE v 2.2) |
---|---|
Reference Count | The count of references in the published CVE from Mitre. |
Proof-of-concept exploit available | Exploit code is available, either in ExploitDB or posted to github |
Weaponized exploit available | Exploit code is weaponized in a framework (metasploit, canvas, elliot) |
Enables arbitrary code execution | A variation of "code execution" is present in the description or references for CVE |
Exploitable via local access only | A variation of any actor with or from local network access exists in desc/ref for CVE |
Exploitable via remote access | A variation of any actor with or from remote network access exists in desc/ref for CVE |
Can cause denial of service | A variation of "denial of service" exists in desc/ref for CVE |
Can cause memory corruption | A variation of memory/stack corruption exists in desc/ref for CVE |
Web originated vulnerability | A variation of web-based technology (server/browser) in discussed in desc/ref in CVE |
The Research
Exploit Prediction Scoring System (EPSS)
Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid

Despite the massive investments in information security technologies and research over the past decades, the information security industry is still immature. In particular, the prioritization of remediation efforts within vulnerability management programs predominantly relies on a mixture of subjective expert opinion, severity scores, and incomplete data. Compounding the need for prioritization is the increase in the number of vulnerabilities the average enterprise has to remediate. This paper produces the first open, data-driven framework for assessing vulnerability threat, that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented by practitioners without specialized tools or software, yet provides accurate estimates of exploitation. Moreover, the implementation is flexible enough that it can be updated as more, and better, data becomes available. We call this system the Exploit Prediction Scoring System, EPSS.
Related Presentations
Black Hat 2019: Predictive Vulnerability Scoring System
Michael Roytman, Jay Jacobs

This work was originally presented at the Black Hat 2019 conference.
Effective prioritization of vulnerabilities is essential to staying ahead of your attackers. While your threat intelligence might expose a wealth of information about attackers and attack paths, integrating it into decision-making is no easy task. Too often, we make the mistake of taking the data given to us for granted – and this has disastrous consequences.
We'll explain what we miss by trusting CVSS scores, and what should absolutely be taken into consideration to focus on the vulnerabilities posing the greatest risks to our organizations. We'll look at tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately end up with a few dozen data points that helped us understand the probability of a vulnerability being exploited.
Finally, we'll use all that data as well as billions of in-the-wild events collected over 5 years in order to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.