Anthropic Is Right About EPSS. That Still Leaves the Hard Part.

Here are some more thoughts about Anthropic’s recently released advice for security teams. Read the first part here.

Anthropic’s security team recently gave defenders sensible advice for an AI-accelerated world, which is to patch KEV then use EPSS to prioritize the rest. The team wrote: “EPSS provides a daily-updated probability that a given Common Vulnerability and Exposure (CVE) will be exploited in the next 30 days. Patching the KEV list first and then everything above a chosen EPSS threshold will help you turn thousands of open CVEs into a manageable queue.”
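The two-stage queue that advice describes (everything on KEV first, then everything above an EPSS threshold, each stage ordered by EPSS) is simple enough to write down. The snippet below is an added example and not code from Anthropic or from the authors of this post; it assumes findings have already been joined with their EPSS probability and a KEV membership flag, and the CVE identifiers and scores are constructed placeholders. It also shows how the chosen threshold alone decides how much of the backlog is deferred, which is the knob the quoted advice leaves to the reader.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str        # placeholder identifier, constructed for this example
    epss: float     # EPSS probability of exploitation in the next 30 days
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str      # where the finding was observed


# Constructed sample backlog; scores and identifiers are made up.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", 0.020, True,  "web-01"),
    Finding("CVE-EXAMPLE-2", 0.940, False, "vpn-gw"),
    Finding("CVE-EXAMPLE-3", 0.310, False, "web-01"),
    Finding("CVE-EXAMPLE-4", 0.005, False, "build-runner"),
    Finding("CVE-EXAMPLE-5", 0.120, False, "db-02"),
    Finding("CVE-EXAMPLE-6", 0.570, True,  "db-02"),
]


def build_queue(findings, threshold):
    """Return (work_queue, deferred).

    KEV entries come first regardless of their EPSS score, because KEV records
    observed exploitation rather than a prediction. The remainder is admitted
    only if its EPSS score meets the threshold. Both tiers are ordered by EPSS
    descending so the most likely-to-be-exploited item is always at the head.
    """
    by_epss = lambda f: -f.epss
    kev_tier = sorted((f for f in findings if f.in_kev), key=by_epss)
    epss_tier = sorted(
        (f for f in findings if not f.in_kev and f.epss >= threshold), key=by_epss
    )
    deferred = sorted(
        (f for f in findings if not f.in_kev and f.epss < threshold), key=by_epss
    )
    return kev_tier + epss_tier, deferred


def queue_sizes(findings, thresholds):
    """Map each candidate threshold to (queue length, deferred length).

    Useful for picking a threshold the team can actually work through; EPSS is
    refreshed daily, so this should be recomputed on each refresh.
    """
    return {t: tuple(len(part) for part in build_queue(findings, t)) for t in thresholds}


if __name__ == "__main__":
    queue, deferred = build_queue(SAMPLE, 0.10)
    print("work queue:", [f.cve for f in queue])
    print("deferred:  ", [f.cve for f in deferred])
    print("sizes by threshold:", queue_sizes(SAMPLE, [0.01, 0.10, 0.50]))
```

Note that a finding in the deferred list is not declared safe; it is simply below the line the team drew, and the rest of this post is about what that line cannot see.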

That’s good advice. We agree with it. We helped build EPSS, and we maintain it because it remains the best global baseline for answering a question that security teams have struggled with for years: which vulnerabilities are actually likely to be exploited?

But if you stop there, you haven’t solved the remediation problem. You’re only at the first step of the process.

The next step is the one that tends to get waved away in a lot of security guidance. People say “use EPSS,” then “add local context” as if the second part were easy. It’s not easy. In fact, the attempt to apply local context is where most teams have been stuck the whole time.

And that gap becomes more intractable when AI systems can help find more vulnerabilities, reason about code more quickly, and potentially accelerate the very act of remediation. If all you do is pair a much better pointing machine with a much faster remediation engine, you’re still missing the piece that tells you where to aim.

Without aiming correctly, you’re just increasing the speed at which you can create churn, breakage, and wasted effort. Not to mention you’ll likely spend a king’s ransom in tokens, using agents to remediate vulnerabilities that…well, frankly, weren’t dangerous in the first place.

Anthropic understands this. Their advice is not “patch everything,” but rather to prioritize using global intelligence. Still, the heart of the issue is how to turn thousands of CVEs into a manageable queue by knowing, inside your own environment, which of those issues are actually worth fixing first.

EPSS is a global model that knows a great deal about attacker behavior across the broader internet. It sees patterns in real-world exploitation activity that severity scores never could. That is exactly why it is useful.

What it does not know is your environment.

It does not know what is actually running in your estate, what is reachable, which assets matter most to the business, what controls are already in place, where remediation is risky, or how your own telemetry and history change the odds.

Plenty of vendors can help you find vulnerabilities. Plenty can help you enrich them, score them, ticket them, and display them in another dashboard. The market is full of pointing machines.

What is much harder to find is a system that bridges the gap between global exploit prediction and local remediation precision. That’s the last mile, the piece that turns Anthropic’s advice into an actionable blueprint for resource-strapped security teams.

What teams actually need is a way to connect potential threats to local reality. EPSS gives you the global data. Our Global Model extends that with broader, fresher exploitation telemetry from the Internet. And our Local Models go one step further by training on the environment itself: assets, applications, controls, telemetry, remediation history, and the other pieces of context that decide whether something is likely to be exploited here, not just somewhere.

That last piece is the difference between “we found the vulnerabilities” and “we know which vulnerabilities will actually hurt us.”

We may be biased, but we don’t see anyone else working on this problem. The market has spent years obsessing over how to find more issues and, more recently, how to fix them faster. The harder and more urgent question is: how do you predict which vulnerabilities in a specific environment are actually likely to result in a breach?

Anthropic is right to recommend EPSS. But if the conversation ends there, defenders are still stuck on the same problem they have always had: how to apply local context. We are the only company focused on helping teams move from “find all the vulns” to “remediate the ones that will actually be exploited in your organization, not your neighbor’s.”

We’re focused on the last mile.
