If you manage vulnerabilities, you already know the uncomfortable truth: you cannot patch everything. Tens of thousands of CVEs are published each year, scanners surface thousands of findings, and patching has real operational cost. The job is not “fix all flaws” — it is fix the right flaws first.
The modern answer combines three free, public signals: CVSS, EPSS, and the CISA KEV catalog. Each answers a different question, and using them together produces a far better priority order than any one alone.
The three signals and what each one tells you
| Signal | Question it answers | Source | Best used as |
|---|---|---|---|
| CVSS | How severe is this flaw if exploited? | FIRST / NVD | A severity filter and tie-breaker |
| EPSS | How likely is it to be exploited soon? | FIRST | A forward-looking likelihood estimate |
| KEV | Is it already being exploited? | CISA | The top-priority trigger |
The key insight is that severity, likelihood, and confirmed exploitation are three different things. A flaw can be Critical but never exploited; another can be Medium yet under mass attack. Conflating them is the classic mistake.
Why CVSS alone is not enough
CVSS measures intrinsic severity — see our CVSS scores explained guide for the full breakdown. The problem with prioritizing by CVSS alone is well documented:
- Only a small minority of all published CVEs are ever exploited in the wild; most published estimates put the figure at a few percent.
- Exploitation does not correlate cleanly with severity — plenty of “High” and “Critical” flaws are never weaponized, while some “Medium” ones are.
- If you patch strictly top-down by CVSS, you burn effort on severe-but-dormant flaws while potentially leaving an actively-exploited moderate flaw open.
CVSS is necessary but not sufficient. You need a likelihood signal and an exploitation signal too.
What EPSS adds: likelihood
EPSS (Exploit Prediction Scoring System), also maintained by FIRST, estimates the probability that a vulnerability will be exploited within the next 30 days. It is a machine-learning model trained on real-world exploitation data, and for every CVE it publishes a daily probability from 0 to 1 (0% to 100%) together with a percentile rank showing where that CVE sits relative to all others.
EPSS is powerful precisely because it is predictive and dynamic: the score updates as new evidence emerges. A flaw with EPSS 0.92 is far more worth your attention this week than one at 0.01, regardless of their CVSS scores. Most vulnerabilities sit near zero — which is the whole point: EPSS helps you find the few that are likely to be hit.
What KEV adds: confirmed exploitation
EPSS predicts; the CISA KEV catalog confirms. If a CVE is on the KEV list, attackers are already using it; there is no longer any prediction involved. That makes KEV the single strongest trigger in the model. Each entry also carries a `knownRansomwareCampaignUse` field ("Known" or "Unknown") and a remediation due date that binds US federal civilian agencies under BOD 22-01; a "Known" ransomware flag should push the entry to emergency status, and the due date is a useful urgency yardstick even outside government.
You can watch new confirmed-exploited flaws land in real time on our KEV timeline.
A practical prioritization workflow
Here is a defensible, vendor-neutral order of operations. Always weight every tier by exposure (is the asset internet-facing?) and importance (is it a crown jewel?).
- Tier 1 — KEV + exposed/critical asset. Confirmed exploitation on something attackers can reach. Patch immediately, emergency change if needed. Ransomware-flagged entries are the top of this tier.
- Tier 2 — High EPSS (a threshold such as ≥ 0.5, tuned to your patching capacity) or KEV on a lower-exposure asset. Strong likelihood, or confirmed exploitation that is somewhat contained. Patch on an accelerated schedule.
- Tier 3 — High/Critical CVSS, low EPSS, not on KEV. Severe but no evidence of exploitation. Patch in your normal cycle; use CVSS to order within the tier.
- Tier 4 — everything else. Low severity and low likelihood. Routine maintenance.
This is sometimes summarized as: KEV first, EPSS next, CVSS to break ties — all filtered by exposure.
A worked illustration
| CVE (illustrative) | CVSS | EPSS | On KEV? | Asset exposure | Priority |
|---|---|---|---|---|---|
| Example A | 7.5 High | 0.94 | Yes (ransomware) | Internet-facing VPN | Tier 1 — now |
| Example B | 9.8 Critical | 0.03 | No | Internal-only | Tier 3 — normal cycle |
| Example C | 6.1 Medium | 0.71 | No | Public web app | Tier 2 — accelerated |
| Example D | 5.4 Medium | 0.01 | No | Internal | Tier 4 — routine |
These rows are illustrative examples to show the logic, not specific published vulnerabilities.
Notice that Example B, despite the highest CVSS, lands in a lower tier than Example A and Example C — because nobody is exploiting it and it is not exposed. That is the entire value of layering the signals.
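The tiering rules above and the worked table can be run as code. The following Python is an added example, not code from the original article: it parses constructed excerpts shaped like the real CISA KEV JSON feed (field names `cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse` are the real ones) and the daily EPSS CSV (a `#` metadata line, then `cve,epss,percentile`), joins them with constructed scanner findings labelled with the table's own placeholders ("Example A" to "Example D", not real CVE IDs), assigns the four tiers, and sorts KEV first, EPSS next, CVSS to break ties. The `Finding` class, the `exposure`/`crown_jewel` fields and the asset names are assumptions for illustration.

```python
"""Tier scanner findings by KEV, then EPSS, then CVSS, filtered by exposure.

Added example, not code from the original article. The KEV and EPSS
excerpts below are constructed in the shape of the real feeds; the CVE
labels ("Example A" ...) are the article's placeholders, not real IDs.
"""
import csv
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names
# (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) are the real ones;
# the single entry is made up to match "Example A" in the table.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 1,
  "vulnerabilities": [
    {"cveID": "Example A", "vendorProject": "ExampleVendor", "product": "VPN",
     "dateAdded": "2024-01-02", "dueDate": "2024-01-23",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed excerpt in the shape of the daily EPSS CSV: one '#' metadata
# line, then a cve,epss,percentile header. Percentiles here are invented.
EPSS_CSV = """#model_version:example,score_date:2024-01-02T00:00:00+0000
cve,epss,percentile
Example A,0.94,0.999
Example B,0.03,0.650
Example C,0.71,0.980
Example D,0.01,0.300
"""


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    exposure: str          # "internet" or "internal" (constructed vocabulary)
    crown_jewel: bool = False


@dataclass
class Prioritized:
    finding: Finding
    epss: float
    on_kev: bool
    ransomware: bool
    tier: int


# Constructed scanner output matching the article's worked table.
FINDINGS = [
    Finding("Example A", 7.5, "vpn-gw-01", "internet"),
    Finding("Example B", 9.8, "db-internal-07", "internal"),
    Finding("Example C", 6.1, "www-01", "internet"),
    Finding("Example D", 5.4, "fileshare-02", "internal"),
]


def load_kev(text: str) -> dict[str, bool]:
    """Map cveID -> True if CISA flags known ransomware campaign use."""
    catalog = json.loads(text)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in catalog["vulnerabilities"]}


def load_epss(text: str) -> dict[str, float]:
    """Map cve -> EPSS probability, skipping the leading '#' metadata line."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def assign_tier(f: Finding, on_kev: bool, epss: float, epss_high: float = 0.5) -> int:
    """The article's four tiers. epss_high is a tunable threshold (0.5 as in the text)."""
    exposed = f.exposure == "internet" or f.crown_jewel
    if on_kev and exposed:
        return 1                      # confirmed exploitation, reachable
    if on_kev or epss >= epss_high:
        return 2                      # confirmed-but-contained, or likely soon
    if f.cvss >= 7.0:
        return 3                      # High/Critical, no exploitation evidence
    return 4


def prioritize(findings, kev_json: str, epss_csv: str, epss_high: float = 0.5):
    """Join findings with KEV and EPSS, tier them, and sort: KEV first
    (ransomware-flagged at the top), EPSS next, CVSS to break ties."""
    kev, epss = load_kev(kev_json), load_epss(epss_csv)
    out = []
    for f in findings:
        on_kev = f.cve in kev
        # A CVE too new to have an EPSS score is treated as 0.0 here; that
        # is a gap in evidence, not evidence of safety (see the KEV pitfall).
        score = epss.get(f.cve, 0.0)
        out.append(Prioritized(f, score, on_kev, kev.get(f.cve, False),
                               assign_tier(f, on_kev, score, epss_high)))
    out.sort(key=lambda p: (p.tier, not p.ransomware, -p.epss, -p.finding.cvss))
    return out


if __name__ == "__main__":
    for p in prioritize(FINDINGS, KEV_JSON, EPSS_CSV):
        flag = " ransomware" if p.ransomware else ""
        print(f"Tier {p.tier}  {p.finding.cve:<10} CVSS {p.finding.cvss:<4} "
              f"EPSS {p.epss:.2f}  KEV={p.on_kev}{flag}  {p.finding.asset}")
```

Run against the constructed inputs, the output order is Example A (Tier 1, ransomware), Example C (Tier 2), Example B (Tier 3), Example D (Tier 4), matching the table. Swapping the excerpts for the real downloads is a matter of reading the two files; the join keys and field names are the same. Note that the same KEV entry lands in Tier 2 rather than Tier 1 when the asset is internal and not a crown jewel, which is exactly the exposure weighting the workflow calls for.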
Common pitfalls to avoid
- Patching only Criticals. Misses exploited Medium-severity flaws.
- Treating EPSS as a yes/no. It is a probability; set thresholds appropriate to your capacity.
- Ignoring exposure. A perfect score model is worthless if you don’t know which assets are reachable. Asset inventory is the foundation.
- Forgetting KEV is a floor, not a ceiling. The catalog is curated: CISA adds an entry only when the flaw has a CVE ID, reliable evidence of active exploitation, and clear remediation guidance, so it lags public exploitation and omits flaws that fail those criteria. Absence from KEV does not mean safe.
Key takeaways
CVSS, EPSS, and KEV are complementary, not competing. Severity, likelihood, and confirmed exploitation each answer a distinct question, and the best programs use all three — weighted by what is exposed and what matters. Start with KEV, layer in EPSS, and let CVSS break ties.
Build your foundations with our explainers on the KEV catalog and CVSS scoring, and see how a CVE goes from disclosure to exploitation to understand the timeline you are racing against.