Tuesday, December 30, 2025

EPSS, KEV, and the Joy of Predicting the Past

There is a recurring belief in security that if we just collect enough numbers, the future will eventually confess.

EPSS is one such number.
A clean decimal between 0 and 1: the estimated probability that a CVE is exploited in the wild within the next 30 days, served with a percentile and, implicitly, a promise.

So we asked a boring question: what happens if you actually run patch management on EPSS thresholds? Not in theory. Not on slides. In reality, against vulnerabilities we already know were exploited, judged on the score each one carried before that exploitation was confirmed.

We took every vulnerability added to CISA's KEV catalog in 2025. KEV is not a model and it does not predict anything. It is a list of CVEs for which exploitation in the wild was confirmed and disclosed, which makes it a floor rather than a census: anything exploited quietly enough that nobody had to admit it never makes the list.
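The backtest described above, as an added example that is not the post's own code or data: for each KEV entry, take the EPSS score published the day before it was added to KEV and ask whether a "patch when EPSS is at or above the threshold" policy would already have queued it. The records and the inventory scores below are constructed, with placeholder labels rather than real CVE identifiers; in practice they would come from FIRST's historical EPSS feed joined to the KEV catalog's dateAdded field.

```python
"""Backtest of an EPSS-threshold patch policy against KEV additions.

Added illustration, not the post's own code. All records are constructed;
labels like "v1" are placeholders, not CVE identifiers.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KevRecord:
    label: str               # placeholder label, not a real CVE ID
    kev_added: date          # day the entry appeared in the KEV catalog
    epss_day_before: float   # EPSS probability published the day before kev_added


# Constructed sample of KEV additions with their pre-KEV EPSS scores.
SAMPLE_KEV = [
    KevRecord("v1", date(2025, 1, 7), 0.92),
    KevRecord("v2", date(2025, 2, 11), 0.41),
    KevRecord("v3", date(2025, 3, 3), 0.08),
    KevRecord("v4", date(2025, 4, 22), 0.003),
    KevRecord("v5", date(2025, 6, 9), 0.27),
    KevRecord("v6", date(2025, 9, 30), 0.0009),
]

# Constructed EPSS scores for the rest of an asset inventory's open CVEs,
# i.e. the vulnerabilities that never made KEV. This is the cost side: every
# one above the threshold is work the policy generates for no KEV hit.
SAMPLE_INVENTORY = [0.0002, 0.0005, 0.0011, 0.004, 0.02, 0.09, 0.15, 0.33, 0.6]


def would_have_patched(record: KevRecord, threshold: float) -> bool:
    """Policy decision using only information available before KEV listing."""
    return record.epss_day_before >= threshold


def coverage(records, threshold: float) -> float:
    """Fraction of KEV additions the policy had already queued for patching
    before exploitation was confirmed. Empty input yields 0.0."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if would_have_patched(r, threshold))
    return hits / len(records)


def misses(records, threshold: float) -> list:
    """Labels of KEV entries the policy would have left unpatched."""
    return [r.label for r in records if not would_have_patched(r, threshold)]


def workload(inventory_scores, threshold: float) -> int:
    """Number of non-KEV inventory CVEs the same threshold drags into the
    patch queue."""
    return sum(1 for s in inventory_scores if s >= threshold)


def threshold_sweep(records, inventory_scores, thresholds):
    """Coverage and workload at each candidate threshold, so the trade-off
    can be read as a table rather than argued from a single cut-off."""
    return {
        t: {"coverage": coverage(records, t), "workload": workload(inventory_scores, t)}
        for t in thresholds
    }


if __name__ == "__main__":
    for t, row in threshold_sweep(SAMPLE_KEV, SAMPLE_INVENTORY, (0.5, 0.1, 0.01, 0.001)).items():
        print(f"threshold={t:<6} coverage={row['coverage']:.2f} "
              f"extra_work={row['workload']} missed={misses(SAMPLE_KEV, t)}")
```

Lowering the threshold buys coverage only by pulling ever more of the non-KEV inventory into the queue, which is the question a threshold policy has to answer honestly: at the cut-off you can actually staff, how many of the things that later turned out to be exploited had you already patched?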
Nerds welcome.