Thought Leadership · 5 min read · May 13, 2026

CVSS, EPSS, KEV: Which Number Should Actually Move Your Queue?

Three scores, three different questions. Most teams sort their backlog by the one that answers the wrong question. Here is what each signal measures, where each one lies to you, and how to stack them into a queue that fixes what attackers actually reach for.

A scanner hands you 4,000 findings rated CVSS 9.8. You have a team of six. Sorting by that score tells you almost nothing, because it answers a question you didn’t ask. CVSS measures how much damage a vulnerability could do if someone exploits it. It says nothing about whether anyone will. Most backlogs are sorted by exactly that number, which is how a team ends up patching a theoretical worst case while the bug that’s being exploited in the wild this week sits three pages down.

CVSS, EPSS, and KEV are not three flavors of the same thing. They answer three different questions, and the trick is knowing which question you’re actually asking when you decide what to fix first.

Three numbers, three questions

CVSS: how bad, if exploited

The Common Vulnerability Scoring System gives a vulnerability a severity score from 0 to 10, built from how the flaw works: can it be reached over the network, does it need authentication, what does a successful exploit grant. It’s a measure of potential impact under the assumption that exploitation happens.

That assumption is the catch. CVSS is computed once, mostly at disclosure, and it doesn’t move when real-world exploitation does. A 9.8 on a service you don’t expose to the internet and a 9.8 on your public payment gateway carry the same score and wildly different real risk. CVSS is a useful description of blast radius. It’s a terrible sort key.

EPSS: how likely, in the next month

The Exploit Prediction Scoring System answers the question CVSS skips: what’s the probability this vulnerability gets exploited in the wild in the next 30 days? FIRST publishes EPSS as a number between 0 and 1, refreshed daily against real-world exploitation signals. A CVE at 0.97 is a near-certainty; one at 0.001 almost certainly won’t be touched.

The reason EPSS matters is that exploitation is rare. Research across the industry keeps landing on the same uncomfortable figure: only a small slice of published CVEs are ever exploited at all.

~5% of published CVEs are ever exploited in the wild (EPSS / industry exploitation research)

If 95% of findings never get touched, a queue sorted by severity spends most of its effort on vulnerabilities no attacker will ever use. EPSS is how you find the 5% before they find you.

KEV: who’s being hit right now

CISA’s Known Exploited Vulnerabilities catalog is the highest-signal list in the stack, and the simplest to read. A CVE is on it because exploitation has been confirmed in the wild, not predicted. Under Binding Operational Directive 22-01, US federal agencies have to remediate KEV entries on a fixed clock. You should treat the list the same way regardless of whether you’re a federal agency: if a finding is on KEV and it’s in your environment, the debate about priority is over.

KEV is deliberately conservative. It’s an evidence list, so something appears only after exploitation is documented, which means the catalog is always smaller and slower than reality. High precision, incomplete coverage.

Why sorting by CVSS buries you

Run the arithmetic on a typical enterprise. Tens of thousands of findings a year, the majority scored High or Critical, a team that can realistically close a few hundred a month. Sort that backlog by CVSS and you get a queue that’s mostly noise ranked by how loud it is. The genuinely dangerous findings, the ones being exploited, are scattered through the pile at the same 9.8 as everything else.

This is the trap the “everything is critical” complaint comes from. It isn’t that severity scoring is wrong. It’s that severity was never a priority signal, and using it as one floods the queue past the point of usefulness.

Stacking the signals

The three scores work because they layer. Read them in order of certainty:

  1. KEV first. Confirmed exploitation in your environment is the top of the queue, full stop. This is the smallest list and the easiest decision you’ll make all week.
  2. EPSS next. For the enormous tail of CVSS-high findings that aren’t on KEV, EPSS triages by likelihood. A high-EPSS finding is a KEV candidate that hasn’t been confirmed yet; treat it that way.
  3. CVSS for impact context. Once you know something is likely or confirmed, severity tells you how much it matters if it lands, and on which assets. It’s the modifier, not the sort key.
  4. Dollars for the business view. Above a certain volume, even a well-triaged queue needs a tiebreaker the board understands. Translating exposure into financial terms is where FAIR quantification earns its place, because “fix this, it’s $2.1M at the 95th percentile” ranks cleanly against “fix this, it’s a 9.8.”

Key Takeaway

CVSS tells you how bad. EPSS tells you how likely. KEV tells you it’s already happening. Sort by certainty of harm, not by the size of the worst case, and the queue that comes out the other side is one a small team can actually clear.
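The stacking order above, written out as a sort key, as an added example that is not code from the original post. It assumes each finding already carries its CVSS base score, its current EPSS probability, a KEV membership flag, and two pieces of environmental context the scores lack (internet exposure and whether a named threat is known to be aiming at the asset); the 10% EPSS watch threshold and the CVE ids are constructed placeholders.

```python
"""Rank findings by certainty of harm: KEV, then EPSS, then CVSS as modifier."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float              # base severity 0-10: how bad, if exploited
    epss: float              # probability of exploitation in next 30 days, 0-1
    in_kev: bool             # confirmed exploited in the wild (CISA KEV)
    internet_facing: bool    # environmental context CVSS does not carry
    named_threat: bool = False  # a known actor targeting this asset specifically


EPSS_WATCH = 0.10  # assumed threshold: >= 10% is treated as a KEV candidate


def tier(f: Finding) -> int:
    """Lower tier = fix sooner. Tier 0 is KEV: the debate is over."""
    if f.in_kev:
        return 0
    # EPSS ranks the firehose; the named-threat flag stops it from
    # dismissing a low-probability bug on an asset someone is aiming at.
    if f.epss >= EPSS_WATCH or f.named_threat:
        return 1
    return 2


def sort_key(f: Finding):
    # Certainty first (tier, then EPSS), severity as the modifier,
    # exposure as the final tiebreak. Python sorts ascending, so negate.
    return (tier(f), -f.epss, -f.cvss, not f.internet_facing)


def rank(findings):
    return sorted(findings, key=sort_key)


# Constructed sample backlog; CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.002, in_kev=False, internet_facing=False, named_threat=True),
    Finding("CVE-0000-0002", 7.5, 0.930, in_kev=False, internet_facing=True),
    Finding("CVE-0000-0003", 6.5, 0.400, in_kev=True, internet_facing=True),
    Finding("CVE-0000-0004", 9.8, 0.003, in_kev=False, internet_facing=True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(tier(f), f.cve, f.cvss, f.epss, f.in_kev)
```

Note that both 9.8s land at the bottom of the tiers: the KEV entry at 6.5 and the 7.5 with a 93% EPSS come first, which is the whole point of not sorting by severity.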

Where each signal lies to you

Every one of these scores has a blind spot, and pretending otherwise is how programs build false confidence.

CVSS ignores your environment. The base score doesn’t know what’s internet-facing, what holds regulated data, or what’s already behind three layers of compensating control. That context is yours to add.

EPSS is a population estimate, not a guarantee. It tells you what’s likely across the internet, not what’s targeting you specifically. A low-EPSS vulnerability on a high-value asset that a determined attacker has in their sights can still ruin your quarter. Use EPSS to rank the firehose, not to dismiss the named threat.

KEV is a lagging indicator by design. The gap between first exploitation and catalog entry is real, and a zero-day under active use won’t be on any list. KEV tells you what’s confirmed, which is exactly why it can’t tell you what’s coming.

The point of all three

Prioritization isn’t about finding the one true score. It’s about asking the right question at the right moment and reaching for the signal that answers it. Severity, probability, and confirmed activity are three lenses on the same finding, and a program that uses one and ignores the others is optimizing for the wrong thing with great precision.

The scanner’s number is where triage starts. It was never meant to be where it ends.


References

  1. Common Vulnerability Scoring System (CVSS), FIRST, accessed May 12, 2026
  2. Exploit Prediction Scoring System (EPSS), FIRST, accessed May 12, 2026
  3. Known Exploited Vulnerabilities Catalog, CISA, accessed May 12, 2026
  4. BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, CISA, accessed May 12, 2026