EPSS is one such number.
A clean decimal. A percentile. A promise.
So we asked a boring question: what if you actually ran patch management using EPSS thresholds? Not in theory. Not in slides. In reality—against vulnerabilities that were already exploited.
We took all vulnerabilities added to CISA’s KEV catalog in 2025. KEV is not a model. It is not predictive. It is simply a list of things that were exploited hard enough that someone had to admit it.
Nerds welcome.
Out of 245 KEV vulnerabilities, EPSS existed at decision time for only about 83%. The rest? Silence. No score. No oracle. Operationally, silence behaves exactly like “low risk.”
That already tells you something.
Then we applied the usual thresholds.
If you patched everything with EPSS ≥ 1%, you would catch about one third of what was already being exploited.
At ≥10%, you’d catch roughly one fifth.
This is not a bug in EPSS. It’s a property.
EPSS is very good at ranking what exploitation looks like when it becomes visible at scale.
It is much worse at telling you about targeted exploitation, low-noise campaigns, perimeter systems, or anything that does not generate comfortable telemetry.
MongoBleed is a good example. Confirmed exploitation. KEV-listed. EPSS close to zero. The math said “unlikely.” Reality disagreed.
There is also a second illusion: workload.
At EPSS ≥ 0.1%, you are signing up to patch nearly a quarter of all CVEs for the year. That is not prioritization. That is industrial-scale suffering. At ≥10%, the workload looks reasonable—but now you are explicitly choosing to miss half of KEV.
This is the part that usually doesn’t make it into dashboards.
Percentiles don’t save you either. They normalize ranking, not truth. A vulnerability can be in the bottom 10% of EPSS and still be actively exploited, if the exploitation does not look like what the model expects.
And then there is the awkward part: vulnerabilities without CVE at all. No CVE means no EPSS. No EPSS means no prediction. Exploitation continues regardless.
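To make the threshold arithmetic above concrete, here is a small added example (not the post's dataset or tooling) that scores a constructed set of vulnerabilities the way a threshold-driven patch policy would: it reports KEV coverage and workload at the usual cut-offs and treats a missing EPSS exactly as the post describes, as silence that never clears any threshold. The CVE-EXAMPLE identifiers and every score are made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not the post's 2025 KEV data): each record holds the
# EPSS probability known at decision time (None = no score existed yet)
# and whether the vulnerability ended up in KEV.
@dataclass
class Vuln:
    id: str
    epss: Optional[float]   # probability in [0, 1], or None when unscored
    in_kev: bool

SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", 0.92, True),
    Vuln("CVE-EXAMPLE-0002", 0.05, True),     # clears 1%, misses 10%
    Vuln("CVE-EXAMPLE-0003", 0.004, True),    # clears 0.1% only
    Vuln("CVE-EXAMPLE-0004", None, True),     # exploited, never scored
    Vuln("CVE-EXAMPLE-0005", 0.0009, True),   # "close to zero", still exploited
    Vuln("CVE-EXAMPLE-0006", 0.30, False),
    Vuln("CVE-EXAMPLE-0007", 0.02, False),
    Vuln("CVE-EXAMPLE-0008", 0.0005, False),
    Vuln("CVE-EXAMPLE-0009", 0.0001, False),
    Vuln("CVE-EXAMPLE-0010", None, False),
]

def flagged(v: Vuln, threshold: float) -> bool:
    # A missing score cannot clear any threshold, even 0.0:
    # operationally, silence behaves like "low risk".
    return v.epss is not None and v.epss >= threshold

def evaluate(vulns, threshold):
    """Return (kev_coverage, workload): the share of KEV entries this
    policy would have patched, and the share of all vulns it queues."""
    kev = [v for v in vulns if v.in_kev]
    caught = sum(1 for v in kev if flagged(v, threshold))
    queued = sum(1 for v in vulns if flagged(v, threshold))
    return caught / len(kev), queued / len(vulns)

def unscored_share(vulns) -> float:
    """Share of KEV entries that had no EPSS at decision time."""
    kev = [v for v in vulns if v.in_kev]
    return sum(1 for v in kev if v.epss is None) / len(kev)

if __name__ == "__main__":
    print(f"KEV entries with no EPSS at decision time: {unscored_share(SAMPLE):.0%}")
    for t in (0.001, 0.01, 0.10):
        cov, work = evaluate(SAMPLE, t)
        print(f"EPSS >= {t:.1%}: KEV coverage {cov:.0%}, workload {work:.0%} of all vulns")
```

Raising the threshold shrinks the queue and the KEV coverage together, and the unscored entry is missed at every threshold, which is the trade-off the post is describing.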
So what is EPSS good for?
Sorting.
Triage.
Reducing noise when you already know what must be fixed.
What it is not good for is deciding what does not matter.
KEV tells you what already broke reality.
EPSS tells you what might break loudly next.
Confusing the two is how you end up confidently wrong.
Prediction is fine.
Outsourcing judgment is not.