The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability that a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days. Scores are probabilities between 0 and 1, are recalculated daily, and are published together with a percentile that ranks each vulnerability against all other scored vulnerabilities. EPSS is complementary to the Common Vulnerability Scoring System (CVSS): CVSS rates the technical severity of a vulnerability, while EPSS estimates how likely it is to be exploited. Combining the two lets remediation focus on vulnerabilities that are both severe and likely to be attacked, aligning patching effort with actual threat activity rather than severity alone.
The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019. In April 2020 FIRST started a special interest group to develop the standard.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage. Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching. Academic research uses EPSS to model exploit trends and evaluate defenses.
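The following is an added example, not code from FIRST or from any of the platforms named above, showing the triage logic the opening paragraph and the CISA guidance describe: EPSS probabilities are merged with CVSS base scores and KEV membership to rank remediation. The CSV text uses the column layout of the daily EPSS file (a `#` metadata line, then `cve,epss,percentile`), but the CVE identifiers, scores, CVSS values and KEV membership are constructed for illustration and are not real data; the tier thresholds and the `prioritize` function are this example's own assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the column layout of the daily EPSS CSV that FIRST
# publishes (one '#' metadata line, then cve,epss,percentile). The CVE ids
# and scores are made up for illustration; they are not real EPSS output.
EPSS_CSV = """#model_version:v2099.01.01,score_date:2099-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.97123,0.99981
CVE-2099-0002,0.00045,0.12000
CVE-2099-0003,0.08800,0.93500
CVE-2099-0004,0.00210,0.55000
"""

# Hypothetical CVSS v3 base scores and KEV membership for the same ids,
# as a vulnerability scanner or asset inventory would supply them.
CVSS_BASE = {"CVE-2099-0001": 9.8, "CVE-2099-0002": 9.8,
             "CVE-2099-0003": 6.5, "CVE-2099-0004": 7.5}
KEV = {"CVE-2099-0004"}


@dataclass
class Finding:
    cve: str
    epss: float        # P(exploitation activity in the next 30 days)
    percentile: float  # share of all scored CVEs with a lower EPSS score
    cvss: float
    in_kev: bool
    tier: int = 0


def parse_epss(text: str) -> dict:
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' metadata lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def tier_for(f: Finding, epss_threshold: float) -> int:
    """Remediation tier (this example's own policy): 1 = known exploited (KEV),
    2 = likely exploited and high severity, 3 = likely exploited but lower
    severity, 4 = everything else."""
    if f.in_kev:
        return 1
    if f.epss >= epss_threshold:
        return 2 if f.cvss >= 7.0 else 3
    return 4


def prioritize(epss: dict, cvss: dict, kev: set, epss_threshold: float = 0.05) -> list:
    """Rank CVEs: tier first, then EPSS probability, then CVSS as a tiebreak."""
    findings = []
    for cve, (p, pct) in epss.items():
        f = Finding(cve, p, pct, cvss.get(cve, 0.0), cve in kev)
        f.tier = tier_for(f, epss_threshold)
        findings.append(f)
    return sorted(findings, key=lambda f: (f.tier, -f.epss, -f.cvss))


def expected_exploited(epss: dict) -> float:
    """EPSS scores are probabilities over the same 30-day window, so by
    linearity of expectation their sum is the expected number of CVEs in
    the set that will see exploitation activity in that window."""
    return sum(p for p, _ in epss.values())


if __name__ == "__main__":
    scores = parse_epss(EPSS_CSV)
    for f in prioritize(scores, CVSS_BASE, KEV):
        print(f"tier {f.tier}  {f.cve}  epss={f.epss:.5f}  "
              f"pct={f.percentile:.3f}  cvss={f.cvss}  kev={f.in_kev}")
    print(f"expected exploited within 30 days: {expected_exploited(scores):.2f}")
```

Ranking by CVSS alone would tie CVE-2099-0001 and CVE-2099-0002 at the top; with EPSS applied, 0002 (probability 0.045%) drops to the last tier while the KEV entry, which is already exploited, moves ahead of everything regardless of its EPSS score. Because FIRST republishes scores daily, a real pipeline should refetch the file on each run rather than cache it.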