Publicly disclosed computer vulnerabilities are organized into a globally recognized list called Common Vulnerabilities and Exposures (CVE). To determine their severity, a scoring system is applied, with the most widely used system being the Common Vulnerability Scoring System (CVSS), which is now in its fourth version.
While CVSS has been instrumental in standardizing vulnerability severity, it mainly focuses on the vulnerability’s inherent properties. Although CVSS does have exploitability components, it is often misused due to reliance on base scores alone. This means organizations often treat similarly scored CVEs as equal, regardless of their real-world risk.
This blog explores the Exploit Prediction Scoring System (EPSS), the Known Exploited Vulnerabilities (KEV) catalog, and the growing need for cloud-specific frameworks to prioritize vulnerabilities effectively.
The Exploit Prediction Scoring System (EPSS)
EPSS is designed to estimate the probability of a vulnerability being exploited in the next 30 days. Managed by the Forum of Incident Response and Security Teams (FIRST), EPSS complements CVSS by focusing on the real-world likelihood of exploitation. It uses a machine learning model trained on vast datasets, including:
- CVE details (e.g., vendor, age, Common Weakness Enumeration)
- Exploitation attempts observed in the wild
- Data from honeypots, threat intelligence reports, and government catalogs like CISA’s KEV
- Publicly available exploit code (Exploit-DB, GitHub, Metasploit)
- Offensive security tools and scanners: Intrigue, sn1per, jaeles, nuclei
Why EPSS Matters
Traditional CVSS-based remediation strategies often lack critical context. For example, a vulnerability with a CVSS score of 7+ (high/critical) may never actually be exploited. EPSS, on the other hand, introduces a data-driven approach to prioritize patching, focusing on vulnerabilities most likely to introduce risk and impact your environment.
Key benefits of EPSS:
- Daily updates for real-time prioritization
- Probability-based scores that reflect exploitation likelihood
- Enables security teams to prioritize vulnerabilities that pose the most risk to the business
EPSS in Action
Take these examples:
1. CVE-2021-44228 (Log4j)
- CVSS: 10
- EPSS: 0.974 (97% likelihood of exploitation)
- Action: Prioritize immediately
2. CVE-2023-48795 (OpenSSH)
- CVSS: 5.9
- EPSS: 0.95 (95% likelihood of exploitation)
- Action: Medium CVSS but significant exploitation risk—address quickly
3. CVE-2024-3094 (XZ)
- CVSS: 10
- EPSS: 0.30 (30% likelihood of exploitation)
- Action: Deprioritize; focus resources elsewhere

The Known Exploited Vulnerabilities (KEV) Catalog
The KEV catalog, maintained by the Cybersecurity and Infrastructure Security Agency (CISA), provides a curated list of vulnerabilities that are known to have been exploited in real-world attacks. Unlike CVSS or EPSS, KEV is binary: either a vulnerability has been exploited or it hasn't.
Why KEV Is Important
KEV offers a direct and reliable way to identify vulnerabilities that demand immediate attention. By combining KEV with EPSS, security teams can:
- Validate EPSS predictions with confirmed exploitation data
- Identify actively exploited vulnerabilities in their environments
- Achieve a balance between proactive (EPSS-driven) and reactive (KEV-driven) patching strategies
For example, if a CVE appears in KEV and has a high EPSS score, it signals a critical vulnerability that requires immediate remediation. Conversely, a low EPSS score for a KEV-listed CVE might indicate specific exploitation scenarios, allowing tailored prioritization.
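To make the combined CVSS/EPSS/KEV logic of the "EPSS in Action" examples and of this KEV section concrete, here is an added Python example (not part of the original post and not ZEST's code). It parses constructed samples shaped like the FIRST EPSS API response and CISA's KEV JSON feed; the 0.5 EPSS threshold, the tier names and the KEV membership of the sample entries are assumptions for illustration.

```python
import json

# Constructed sample in the shape of the FIRST EPSS API response
# (GET https://api.first.org/data/v1/epss?cve=...). EPSS values are the ones
# quoted in the post; the "date" field is made up for the example.
EPSS_JSON = """{"status": "OK", "data": [
 {"cve": "CVE-2021-44228", "epss": "0.974", "date": "2024-01-01"},
 {"cve": "CVE-2023-48795", "epss": "0.95",  "date": "2024-01-01"},
 {"cve": "CVE-2024-3094",  "epss": "0.30",  "date": "2024-01-01"}
]}"""

# Constructed sample in the shape of CISA's KEV feed
# (known_exploited_vulnerabilities.json). Only Log4Shell is listed here;
# membership of the other two CVEs is left out on purpose for the example.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"}
]}"""

# Constructed inventory: CVE -> CVSS base score, as quoted in the post.
INVENTORY = {"CVE-2021-44228": 10.0, "CVE-2023-48795": 5.9, "CVE-2024-3094": 10.0}

EPSS_HIGH = 0.5  # assumed threshold; tune it to your own risk appetite


def load_epss(raw: str) -> dict:
    """Map CVE -> EPSS probability (the API returns scores as strings)."""
    return {r["cve"]: float(r["epss"]) for r in json.loads(raw)["data"]}


def load_kev(raw: str) -> set:
    """Set of CVE IDs with confirmed in-the-wild exploitation."""
    return {v["cveID"] for v in json.loads(raw)["vulnerabilities"]}


def prioritize(cvss: float, epss: float, in_kev: bool) -> str:
    """Fold the three signals into an action tier following the post's logic."""
    if in_kev and epss >= EPSS_HIGH:
        return "P1-immediate"      # confirmed exploited and likely to be hit again
    if in_kev:
        return "P1-kev-tailored"   # exploited in narrow scenarios: check applicability
    if epss >= EPSS_HIGH:
        return "P2-quick"          # e.g. medium CVSS but high exploitation likelihood
    if cvss >= 9.0:
        return "P3-scheduled"      # severe on paper, little exploitation evidence yet
    return "P4-backlog"


def triage(inventory: dict, epss_raw: str, kev_raw: str) -> dict:
    """CVE -> tier; a CVE missing from the EPSS feed is scored as 0.0 (CVSS fallback)."""
    epss, kev = load_epss(epss_raw), load_kev(kev_raw)
    return {c: prioritize(s, epss.get(c, 0.0), c in kev) for c, s in inventory.items()}


if __name__ == "__main__":
    for cve, tier in sorted(triage(INVENTORY, EPSS_JSON, KEV_JSON).items(), key=lambda kv: kv[1]):
        print(f"{tier:16} {cve}")
```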

Do We Need a Cloud-Specific Framework?
While EPSS and KEV offer incredible insights for prioritizing vulnerabilities, cloud-native environments bring unique challenges that demand a new approach:
- Dynamic Attack Surfaces: Cloud environments are highly dynamic, with ephemeral workloads, containers, and serverless functions.
- Shared Responsibility: Cloud providers manage certain aspects of security, leaving customers responsible for others. Understanding this split is crucial for accurate prioritization.
- Contextual Relevance: Factors like the blast radius of an exploited vulnerability in a multi-tenant architecture or its impact on compliance should influence prioritization.
This raises the question: should we develop a cloud-specific framework for vulnerability prioritization, similar to EPSS or KEV? Such a framework could integrate:
- Cloud provider telemetry for real-time risk analysis
- APIs for automatic mapping of vulnerabilities to cloud resources
- A scoring model that accounts for shared responsibility, privilege escalation paths, and environmental context
Conclusion
The sheer volume of risks that surface on a daily basis means security teams are constantly battling an ever-growing risk backlog, making prioritization a critical component of any risk remediation program. EPSS and KEV have revolutionized the way we approach vulnerability prioritization, addressing critical gaps in traditional CVSS-based systems. However, as cloud adoption continues to rise, a tailored framework for cloud-native environments could be the next frontier in vulnerability prioritization.
If you're interested in learning how ZEST helps enterprises streamline prioritization and expedite resolution of vulnerabilities, misconfigurations and other cloud risks, contact our team to see a demo.
We're excited to announce that ZEST Security has been recognized as a vendor in three Gartner Emerging Tech Impact Radar reports this year: Emerging Tech: The Future of Exposure Management is Preemptive, Global Attack Surface Grid, and Preemptive Cybersecurity.
As organizations face increasingly complex threat landscapes, the need for preemptive exposure management, dynamic attack surface reduction, and automated security assessment has never been more critical.
Understanding the Gartner Emerging Tech Impact Radar
Gartner's Emerging Tech Impact Radar helps organizations identify and evaluate emerging technologies that could significantly impact their business operations. These reports assess technologies based on their potential transformative impact and adoption timeline, providing IT and security leaders with crucial insights for strategic planning.
Being featured in three separate reports confirms that ZEST Security is positioned at the forefront of multiple emerging technologies that are fundamentally reshaping security operations, enabling organizations to move from reactive vulnerability management to proactive, automated risk prevention.
ZEST Security in Emerging Tech: The Future of Exposure Management is Preemptive
In June 2025, ZEST Security was recognized in Gartner's Emerging Tech: The Future of Exposure Management is Preemptive report, underscoring the industry's recognition of our approach to transforming how organizations manage security exposures.
The Problem with Reactive Exposure Management
Traditional exposure management creates a perpetual cycle of detection and remediation that leaves organizations constantly playing catch-up. Security teams face thousands of identified vulnerabilities with no clear prioritization, alert fatigue from tools lacking context, and resource constraints that prevent them from addressing an ever-growing backlog.
What is Preemptive Exposure Management?
Preemptive Exposure Management shifts the focus from cataloging existing vulnerabilities to preventing them. This approach enables organizations to anticipate exposures before they become exploitable, maintain continuous real-time visibility, prioritize based on actual business risk rather than theoretical scores, and receive automated remediation guidance.
The result? Teams stay ahead of threats instead of constantly responding to them.
ZEST Security in the Global Attack Surface Grid Report
Dynamic Attack Surface Reduction in Action
Building on preemptive exposure management, Dynamic Attack Surface Reduction actively and continuously minimizes the points of potential compromise across an organization's digital infrastructure. Unlike periodic assessments that quickly become outdated, this approach provides continuous visibility and enables real-time reduction of security exposures.
The Modern Attack Surface Challenge
Cloud infrastructure, remote work, third-party integrations, shadow IT, and connected devices have expanded the enterprise attack surface exponentially. Organizations struggle with unknown assets creating blind spots, daily infrastructure changes introducing new exposures, and hybrid multi-cloud environments that are difficult to monitor comprehensively.
ZEST's Solution
ZEST Security provides continuous visibility into your attack surface with context-driven insights that help teams understand which exposures pose the greatest risk. By automating identification and assessment, we enable organizations to maintain an optimized security posture even as infrastructure evolves, aligned with our preemptive approach to identifying and addressing risks before exploitation.
ZEST Security in the Preemptive Cybersecurity Report
Automated Security Control Assessment
Automated Security Control Assessment evolves security from manual, point-in-time evaluations to continuous, automated validation of security controls. Organizations can verify their defenses are functioning as intended without the delays and resource requirements of manual testing, shifting from detecting and responding to breaches to preventing them.
The Challenge: Too Much Data, Not Enough Context
Security teams don't lack vulnerability data—they lack the ability to make sense of it. Organizations deploy numerous tools that identify thousands of potential issues, but without context, teams can't determine which vulnerabilities pose genuine risk or how to prioritize remediation.
ZEST's AI-Powered Solution
ZEST Security bridges this gap with AI-powered analysis that translates vulnerability data into actionable remediation pathways. Our platform continuously validates security control effectiveness, identifies coverage gaps before exploitation, prioritizes based on actual risk exposure rather than just scores, and automates assessment workflows that would otherwise consume significant manual effort.
A Comprehensive Preemptive Security Strategy
These three Gartner reports address complementary aspects of a unified goal: reducing organizational risk before breaches occur.
Preemptive Exposure Management establishes the foundational philosophy of staying ahead of threats. Dynamic Attack Surface Reduction minimizes exposure points across your infrastructure. Automated Security Control Assessment validates that defenses protecting those exposure points function effectively.
Together, they create a complete preemptive security lifecycle:
- Anticipate potential exposures before they become vulnerabilities
- Minimize attack surface by eliminating unnecessary exposures
- Validate that security controls function as intended
- Remediate issues that pose actual business risk
ZEST Security's recognition in all three reports reflects our holistic approach. We provide the context and guidance needed for effective action across the entire security lifecycle.
What This Means for ZEST Customers
This triple recognition validates the strategic value our platform delivers:
Preemptive operations: Move from reactive firefighting to proactive risk prevention across all security aspects.
Continuous visibility: Understand your attack surface, exposures, and security posture in real-time, not just during periodic assessments.
AI-powered intelligence: Process security data at scale and identify what matters most.
Actionable guidance: Get clear remediation pathways, not just alerts and scores.
Integrated platform: Address exposure management, attack surface reduction, and control validation in one solution.
Industry Validation
ZEST Security's inclusion in three Gartner Emerging Tech Impact Radar reports within six months signals a broader industry shift toward preemptive security. Organizations increasingly recognize that traditional reactive models can't keep pace with modern threats driven by cloud adoption, DevOps practices, remote work, and sophisticated attack techniques.
Gartner's focus on these capabilities in their emerging technology research indicates they're becoming essential requirements for effective risk management, not optional add-ons.
The Future Belongs to Preemptive Security
As threat actors grow more sophisticated and attack surfaces expand, organizations can't rely solely on detection and response. The future belongs to security teams that proactively identify and eliminate risk before breaches occur.
ZEST Security continues innovating at the forefront of this evolution, developing capabilities that help security teams work smarter, reduce risk, and protect their organizations more effectively through intelligent automation, continuous assessment, context-driven prioritization, and preemptive action.
Get Started with ZEST Security
Ready to implement preemptive exposure management, dynamic attack surface reduction, and automated security control assessment? Our free AI-based remediation risk assessment provides a practical starting point for understanding your current security posture and identifying priority improvements.
Try our free remediation risk assessment today and shift from reactive to proactive security operations.