Research & Articles

Sharing what the data shows us.

Jay Jacobs

Finding New Exploits with A Bespoke Model

“Why do we need another scoring system?” is not the best question to ask. Instead we need to get accustomed to asking about performance. This post walks through an example from our latest improvement to our exploit code classifier.

Jay Jacobs

It’s Not About Making a Scoring System

“Why do we need another scoring system?” is not the best question to ask. Instead we need to get accustomed to asking about performance. This post walks through an example from our latest improvement to our exploit code classifier.

Jay Jacobs

Known (Re-)Exploited Vulnerabilities (series 1 of 5)

Conventional wisdom in cybersecurity tells us that if a vulnerability is known to be exploited, everyone should patch it immediately, but the reality is a lot more nuanced. Being known to be exploited in the past does not guarantee future exploitation.

Michael Roytman

Only Your Data Can Truly Anticipate Threats

In cybersecurity, understanding exploitation threats hinges on the quality and source of the data analyzed. Traditionally, vulnerability management has relied heavily on secondary source data, such as Known Exploited Vulnerabilities (KEV) lists, which compile vulnerabilities based on reported incidents. While these lists provide valuable references, relying solely on them leaves significant blind spots. Secondary sources, by nature, reflect past events, often with delays and incomplete context, leading organizations to respond reactively rather than proactively.

Joe Clay

Explore Model Thresholds

Thresholds allow security teams to filter and assess which vulnerabilities are most critical to remediate. Organizations have to make tough calls when choosing which vulnerabilities to prioritize, and thresholds allow teams to make educated decisions based on global model data.

Joe Clay

Explore Our New API Docs

Today we publicly launched our API documentation for Global and EPSS models. Our API is the primary way users interact with our data. Creating docs from scratch is a team effort. Here’s how we managed to draft, edit, and release our docs.

Jay Jacobs

Supporting EPSS: Our Vision for a More Data-Driven Future

At Empirical Security, we have known for some time now that EPSS serves as essential infrastructure within cybersecurity operations (over 100 vendors incorporate it into their products today). Our support for EPSS aligns closely with our broader vision of evolving cybersecurity tools into a more rigorous and data-driven framework. Our longstanding position has been clear: all cybersecurity tools need to become significantly more data-driven to effectively handle the complexity of current threats.

Jay Jacobs

Announcing The Empirical Security Global Model

We just launched a product that I believe is fundamentally different from anything in the market today: a solution that combines the largest collection of real-time exploitation activity with years of experience in advanced vulnerability modeling. If you’ve used EPSS before and had a thought that started out with, “I wish that EPSS…” then hopefully this announcement is going to make you excited as well.

Jay Jacobs

EPSS: Effort vs Coverage

One of the misconceptions is that the models we use are crafted somehow. I get it, it's a natural leap, since many approaches in cybersecurity to measure risk and other measurements start out by picking some elements that feel important, assigning each a value as a weight, and then combining things with some basic arithmetic. This couldn't be further from reality, as EPSS and our other models are trained on real-world data. Using machine learning, statistics and perhaps even a dash of "AI", we allow the mathematics to tell us what's important and how important it is. So it shouldn't be surprising that things shift around when we go from EPSS version 3 to version 4 - where we've now added in thousands of vulnerabilities being used in ransomware and malware. Let's explore what that looks like in the data...

Jay Jacobs

Introducing EPSS v4

The fourth iteration of the Exploit Prediction Scoring System (EPSS) is being released today. I have been working on EPSS for just over six years now. While I’d love to take you on a long meandering walk down memory lane, go into detail about all of the lessons we’ve learned along the way and introduce you to all of the wonderful people who’ve helped make EPSS better with each iteration, I’ll spare you the details and just offer a set of bullet points…
