EPSS: Effort vs Coverage
One of the misconceptions is that the models we use are somehow hand-crafted. I get it, it's a natural leap, since many approaches in cybersecurity to measuring risk and other quantities start by picking some elements that feel important, assigning each a weight, and then combining them with some basic arithmetic. This couldn't be further from reality: EPSS and our other models are trained on real-world data. Using machine learning, statistics and perhaps even a dash of "AI", we let the mathematics tell us what's important and how important it is. So it shouldn't be surprising that things shift around when we go from EPSS version 3 to version 4, where we've now added in thousands of vulnerabilities being used in ransomware and malware. Let's explore what that looks like in the data...

Organizations often set one or more thresholds in their remediation strategies in order to assign labels and, consequently, align expectations around remediation SLAs (service level agreements). The plot above shows the relationship between the cost (in effort, left to right) and the benefit (in coverage, up and down). As a strategy prioritizes more vulnerabilities by lowering the threshold, the level of effort required increases, as does the number of exploited vulnerabilities being remediated.
Thresholds Shifting in v4
One thing to highlight in this first plot is that the relationship between the EPSS threshold and effort shifted in v4. As I mentioned in the opening, this is probably due to the shift in the underlying data, and especially the addition of malware activity. It's not a conscious or intentional shift on our part. Since an EPSS score is a calibrated probability, the output depends on the exploitation activity it's trained against.
Since perfect knowledge of what will be exploited doesn't exist, and the above plot is looking at real-world data (using EPSS scores as of Feb 1, 2025, and then waiting 30 days to record what was actually exploited), it's natural that any strategy is going to need 100% effort to reach 100% coverage. But how we get there can vary wildly. For now though, let's look at how the thresholds in version 3 compare to version 4. We see a crossover around the EPSS probability of 2.5%:
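To make the effort/coverage measurement concrete, here is an added example (not code from the post or from the EPSS project) that sweeps a threshold over a score table and records, at each step, the share of all vulnerabilities prioritized (effort) and the share of later-exploited vulnerabilities caught (coverage). The CVE identifiers, scores and exploited set are constructed placeholders; running `curve` over two score tables for the same CVEs (say, v3 and v4 scores) is how you would locate the crossover described above.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: hypothetical CVE ids and scores, not real EPSS output.
SCORES: Dict[str, float] = {
    "CVE-0000-0001": 0.94, "CVE-0000-0002": 0.71, "CVE-0000-0003": 0.33,
    "CVE-0000-0004": 0.08, "CVE-0000-0005": 0.03, "CVE-0000-0006": 0.02,
    "CVE-0000-0007": 0.009, "CVE-0000-0008": 0.004, "CVE-0000-0009": 0.001,
    "CVE-0000-0010": 0.0005,
}
# Constructed: which of those were observed exploited in the following 30-day window.
EXPLOITED: Set[str] = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0004", "CVE-0000-0008"}


def effort_coverage(scores: Dict[str, float], exploited: Set[str],
                    threshold: float) -> Tuple[float, float]:
    """Effort: fraction of all vulnerabilities with score >= threshold (what you must fix).
    Coverage: fraction of the later-exploited vulnerabilities that the threshold catches."""
    selected = {cve for cve, s in scores.items() if s >= threshold}
    effort = len(selected) / len(scores)
    coverage = len(selected & exploited) / len(exploited) if exploited else 0.0
    return effort, coverage


def curve(scores: Dict[str, float], exploited: Set[str]) -> List[Tuple[float, float, float]]:
    """Trace the effort-vs-coverage curve by lowering the threshold one distinct
    score at a time (highest first). Returns (threshold, effort, coverage) points."""
    points = []
    for t in sorted(set(scores.values()), reverse=True):
        e, c = effort_coverage(scores, exploited, t)
        points.append((t, e, c))
    return points


def coverage_at_effort(points: List[Tuple[float, float, float]], max_effort: float) -> float:
    """Best coverage reachable without exceeding an effort budget (e.g. 'we can
    remediate at most 50% of the backlog this cycle')."""
    return max((c for _, e, c in points if e <= max_effort), default=0.0)


if __name__ == "__main__":
    for t, e, c in curve(SCORES, EXPLOITED):
        print(f"threshold>={t:<7} effort={e:.0%} coverage={c:.0%}")
```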

Comparing to CVSS
I really hate to pick on CVSS, but there isn't another openly published vulnerability score that is part of daily discussion like CVSS is. Plus, intuitively, many practitioners expect CVSS to be correlated with exploitation, even though the CVSS documentation is clear that it doesn't measure risk (or exploitation) and instead measures technical severity. Nonetheless, I pulled the published base score from the highest CVSS version available for each vulnerability (ya know, what people actually have access to), and we can see the relationship between effort and coverage for CVSS.
