Tags: EPSS, CVSS, vulnerability prioritization, CISA KEV, risk management

EPSS vs CVSS: How to Actually Prioritize Vulnerabilities in 2026

CVSS scores alone don't tell you what to fix first. Learn how EPSS (Exploit Prediction Scoring System) and the CISA KEV catalog provide real-world exploit context for better vulnerability prioritization.

Denis Sota · 5 min read

For over a decade, CVSS (Common Vulnerability Scoring System) has been the default language for vulnerability severity. A CVSS 9.8 is critical. A CVSS 4.0 is medium. Fix the 9.8 first.

The problem? CVSS measures theoretical severity, not real-world risk.

A CVSS 9.8 vulnerability in software you don’t use is irrelevant. A CVSS 7.5 vulnerability that ransomware gangs are actively exploiting is an emergency. CVSS alone can’t tell you the difference.

In 2026, security teams have two additional tools for prioritization: EPSS and the CISA KEV catalog. Here’s how they work and how to use them together.

What is CVSS?

CVSS is a scoring system maintained by FIRST (Forum of Incident Response and Security Teams). It evaluates vulnerabilities on a 0-10 scale based on characteristics like:

  • Attack vector: network, adjacent, local, or physical
  • Attack complexity: low or high
  • Privileges required: none, low, or high
  • User interaction: none or required
  • Impact: confidentiality, integrity, availability

CVSS base scores are static: they are assigned when the vulnerability is published and rarely change. They describe the potential impact of a vulnerability, not the likelihood of exploitation. CVSS does define Temporal (Threat, in v4.0) and Environmental metric groups that adjust the score for exploit maturity and for your own environment, but scanners and advisories almost always publish only the base score, so in practice that is the number teams sort by.

The CVSS problem in numbers

  • Over 28,000 CVEs have a CVSS score of 7.0 or higher (“high” or “critical”)
  • Fewer than 5% of these are ever exploited in the wild
  • Treating all CVSS 7.0+ as urgent creates unmanageable workloads

What is EPSS?

The Exploit Prediction Scoring System (EPSS), also maintained by FIRST, takes a data-driven approach. Instead of measuring severity, EPSS predicts the probability that a vulnerability will see exploitation activity in the wild in the next 30 days.

EPSS is a machine learning model. Its training signal is observed exploitation activity reported by FIRST's data partners (honeypots, IDS/IPS sensors and similar telemetry), and it predicts that signal from features such as:

  • Vulnerability characteristics: vendor and product, CWE, CVSS metrics, age of the CVE, keywords in the description
  • Public exploit availability (Metasploit, ExploitDB, GitHub proof-of-concept code)
  • Coverage by offensive scanners and templates (for example, Nuclei)
  • Social media and mailing-list mentions
  • Labelled references attached to the CVE (vendor advisories, third-party analysis)

EPSS scores range from 0 to 1 (0% to 100% probability). A vulnerability with EPSS 0.97 has a 97% chance of exploitation activity being observed somewhere in the wild in the next 30 days; a vulnerability with EPSS 0.001 has a 0.1% chance. Two caveats matter in practice. First, this is the probability that someone, anywhere, is observed attacking the CVE, not the probability that your specific asset is hit; exposure and compensating controls are still your call. Second, scores are recomputed daily and the distribution is heavily skewed (the vast majority of CVEs sit near zero), which is why FIRST publishes a percentile alongside each score: an EPSS of 0.1 already puts a CVE well above most of the catalog.

Why EPSS matters

EPSS provides the missing context that CVSS lacks:

CVE             CVSS   EPSS    Real-world status
CVE-2024-3400   10.0   97.2%   Actively exploited by nation-state actors
CVE-2024-XXXX    9.8    0.3%   No known exploits, complex prerequisites
CVE-2024-1709   10.0   82.1%   Used in ransomware campaigns
CVE-2024-YYYY    7.5   45.8%   Proof-of-concept published, exploitation increasing

(CVE-2024-XXXX and CVE-2024-YYYY are placeholders. The EPSS values are snapshots taken when this was written; FIRST recomputes them daily.)

Without EPSS, a team sorting by CVSS alone would treat all four as urgent (CVSS 7.5 to 10.0, all "high" or "critical"). With EPSS, the order is immediately clear: the two at the top of the exploitation curve first, the proof-of-concept-stage 7.5 next, and the 9.8 with no exploit activity last.

What is the CISA KEV catalog?

The CISA Known Exploited Vulnerabilities (KEV) catalog goes one step further. While EPSS predicts exploitation probability, the KEV catalog lists vulnerabilities with confirmed active exploitation.

To be added to the KEV catalog, a vulnerability must meet three criteria:

  1. It has a CVE ID
  2. There is reliable evidence of active exploitation in the wild
  3. A clear remediation action (patch or mitigation) exists

As of February 2026, the KEV catalog contains approximately 1,484 entries. Every one of them had reliable evidence of in-the-wild exploitation when it was added, by actors ranging from ransomware gangs to APT groups. Note that entries are rarely removed, so KEV membership means "has been exploited", not necessarily "is being exploited this week"; that is still a far stronger signal than any CVSS score.

How to use all three together

The optimal approach combines CVSS, EPSS, and KEV:

Priority 1: CISA KEV entries (fix immediately)

If a vulnerability is in the CISA KEV catalog, it has been exploited in the wild. Every KEV entry carries a CISA due date (the dueDate field in the catalog), typically a few weeks after the date it was added and shorter for the most urgent cases. Under BOD 22-01 that date is binding on US federal agencies; for everyone else it is a sensible remediation target, and internet-facing instances should be patched or mitigated first.

Priority 2: High EPSS + High CVSS (fix this week)

Vulnerabilities with EPSS > 0.5 (50%+ exploitation probability) AND CVSS >= 7.0 are likely to be exploited soon. Prioritize these after KEV entries.

Priority 3: High CVSS + Low EPSS (scheduled patching)

CVSS 9.0+ but EPSS < 0.1? These are severe in theory but unlikely to be exploited soon. Include them in your regular patch cycle.

Priority 4: Low CVSS + Low EPSS (monitor)

CVSS < 7.0 and EPSS < 0.1? These can wait. Because EPSS is recomputed daily, re-run the triage on a schedule rather than once: a CVE can jump from this tier to Priority 2 overnight when a public exploit appears, and a KEV addition moves it to Priority 1 regardless of its scores.
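To make the four rules concrete, here is an added worked example of the whole pipeline (my illustration, not SentriKat's code): it parses an EPSS API response and a KEV catalog excerpt, joins them to an inventory of CVSS scores, assigns each finding a tier and orders the list. The feed excerpts are constructed samples laid out in the shape of the real FIRST EPSS API (https://api.first.org/data/v1/epss?cve=...) and CISA KEV JSON feeds; the scores, dates and the placeholder CVE IDs (CVE-2024-XXXX, -YYYY, -WWWW, -ZZZZ) are illustrative, not live values. The example goes slightly beyond the four rules above: any CVSS >= 7.0 finding that misses rule 2 is still scheduled (rule 3), and a CVE with no EPSS record yet, which is what a CVE published hours ago looks like, is flagged rather than silently ranked as zero.

```python
"""Added worked example (not SentriKat's code): KEV + EPSS + CVSS triage.

The feed excerpts below are constructed samples laid out like the real
feeds (FIRST EPSS API and CISA known_exploited_vulnerabilities.json).
Scores, dates and placeholder CVE IDs are illustrative.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a FIRST EPSS API response. The real API
# returns epss/percentile as strings plus a date; scores are recomputed daily.
EPSS_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "total": 5,
    "data": [
        {"cve": "CVE-2024-3400", "epss": "0.972", "percentile": "0.9997", "date": "2026-02-01"},
        {"cve": "CVE-2024-1709", "epss": "0.821", "percentile": "0.9940", "date": "2026-02-01"},
        {"cve": "CVE-2024-XXXX", "epss": "0.003", "percentile": "0.6500", "date": "2026-02-01"},
        {"cve": "CVE-2024-YYYY", "epss": "0.458", "percentile": "0.9750", "date": "2026-02-01"},
        {"cve": "CVE-2024-WWWW", "epss": "0.731", "percentile": "0.9900", "date": "2026-02-01"},
    ],
})

# Constructed excerpt in the shape of CISA's KEV feed (field names as published).
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
         "dateAdded": "2024-02-22", "dueDate": "2024-02-29", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed inventory: the four CVEs from the table above, one extra
# high-CVSS/high-EPSS CVE (WWWW) and one CVE FIRST has no record for yet (ZZZZ).
INVENTORY_CVSS = {
    "CVE-2024-3400": 10.0, "CVE-2024-XXXX": 9.8, "CVE-2024-1709": 10.0,
    "CVE-2024-YYYY": 7.5, "CVE-2024-WWWW": 8.8, "CVE-2024-ZZZZ": 6.5,
}

# Policy thresholds from the four rules above; tune them to your risk appetite.
EPSS_HIGH, CVSS_HIGH = 0.5, 7.0


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: Optional[float]        # None when FIRST has no record yet
    percentile: Optional[float]
    kev_due: Optional[str]       # CISA due date when in KEV, else None
    ransomware: bool             # KEV knownRansomwareCampaignUse == "Known"


def load_epss(text: str) -> dict:
    """CVE -> (epss, percentile) from a FIRST EPSS API JSON body."""
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in json.loads(text)["data"]}


def load_kev(text: str) -> dict:
    """CVE -> KEV record from the CISA catalog JSON."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def build_findings(cvss_by_cve: dict, epss_text: str, kev_text: str) -> list:
    """Join inventory CVSS scores with EPSS and KEV data into Finding records."""
    epss, kev = load_epss(epss_text), load_kev(kev_text)
    out = []
    for cve, cvss in cvss_by_cve.items():
        score, pct = epss.get(cve, (None, None))
        rec = kev.get(cve)
        out.append(Finding(cve, cvss, score, pct,
                           rec["dueDate"] if rec else None,
                           bool(rec) and rec.get("knownRansomwareCampaignUse") == "Known"))
    return out


def priority(f: Finding) -> int:
    """1 = in KEV, 2 = high EPSS + high CVSS, 3 = high CVSS (scheduled), 4 = monitor.
    Any CVSS >= 7.0 finding that misses rule 2 lands in tier 3, so nothing
    falls through the gaps between the four rules."""
    if f.kev_due is not None:
        return 1
    if (f.epss or 0.0) >= EPSS_HIGH and f.cvss >= CVSS_HIGH:
        return 2
    return 3 if f.cvss >= CVSS_HIGH else 4


def triage(findings: list) -> list:
    """Order by tier; KEV entries by ransomware use then CISA due date,
    everything else by EPSS (desc) then CVSS (desc)."""
    def key(f):
        p = priority(f)
        if p == 1:
            return (p, not f.ransomware, f.kev_due)
        return (p, -(f.epss or 0.0), -f.cvss)
    return sorted(findings, key=key)


def report(findings: list) -> list:
    """One text line per finding, highest priority first."""
    lines = []
    for f in triage(findings):
        epss = "EPSS n/a (no record yet, re-query)" if f.epss is None else f"EPSS {f.epss:.1%}"
        kev = f"  KEV due {f.kev_due}" + (" (ransomware)" if f.ransomware else "") if f.kev_due else ""
        lines.append(f"P{priority(f)}  {f.cve:<14} CVSS {f.cvss:<4} {epss}{kev}")
    return lines


if __name__ == "__main__":
    for line in report(build_findings(INVENTORY_CVSS, EPSS_RESPONSE, KEV_FEED)):
        print(line)
```

Run against live data, the only change is fetching the two feeds (the EPSS API accepts a comma-separated list of CVEs, and the KEV catalog is one JSON file); the ordering logic stays the same. Note that CVE-2024-YYYY, with EPSS 45.8%, sits just under the 0.5 threshold and lands in the scheduled tier, which is exactly the kind of borderline case worth reviewing when you pick your own thresholds.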

How SentriKat integrates EPSS

SentriKat integrates FIRST’s EPSS data alongside the CISA KEV catalog. For every matched vulnerability, you see:

  • KEV status: Is this vulnerability in the CISA KEV catalog?
  • EPSS score: What’s the probability of exploitation in the next 30 days?
  • CVSS score: What’s the theoretical severity?
  • Confidence tier: Has your vendor already patched this? (Affected / Likely Resolved / Resolved)

This layered approach means your team immediately knows:

  1. What’s being exploited right now (KEV)
  2. What’s likely to be exploited soon (EPSS)
  3. What’s already fixed by your vendor (confidence tier)
  4. What’s the maximum impact if exploited (CVSS)

The result: instead of triaging thousands of “critical” CVSS findings, you focus on the handful that represent real, immediate risk — and you skip the ones your vendor has already resolved.

Conclusion

CVSS is not going away — it’s still the universal language for vulnerability severity. But using CVSS alone for prioritization is like using a map without knowing where the traffic jams are.

EPSS adds the traffic data. CISA KEV shows you where the accidents have already happened. And SentriKat’s vendor patch detection tells you which roads are already repaired.

Together, they give you a complete picture of which vulnerabilities need your attention today — and which ones can wait.
