Predicting exploitation: A practitioner's guide

In this session, Tod Beardsley (runZero) sits down with Jay Jacobs (Empirical Security), a co-creator of the Exploit Prediction Scoring System (EPSS), to explore the science and practice of predicting vulnerability exploitation. Jacobs details the evolution of EPSS from a research initiative into a vital, daily-published API that provides probability scores and percentile rankings for hundreds of thousands of CVEs. This data-driven approach allows security teams to move beyond traditional severity scores and focus on the vulnerabilities that attackers are actually targeting in the wild.

The conversation clarifies how EPSS differs from other scoring systems, specifically explaining the relationship between a probability score and a percentile rank. Jacobs addresses common misconceptions about low-probability scores, noting that even a small percentage can be highly significant when measured across a massive population of vulnerabilities. He also breaks down the technical backend, distinguishing between the use of Large Language Models for data cleaning and the core machine learning models used to generate accurate, transparent scores.
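To make the probability-versus-percentile distinction concrete, here is an added Python example (not code from the podcast, from runZero, or from the EPSS project). It works on a constructed set of ten EPSS-style records and assumes the usual definition of a percentile rank as the fraction of all scored CVEs whose probability is at or below the given CVE's probability; the CVE ids and scores are made up, and the scaling helper simply applies a mean probability to a population size to show why a "low" score still matters across hundreds of thousands of CVEs.

```python
from bisect import bisect_right
from typing import Dict, List, Tuple

# Constructed sample: CVE id -> probability of exploitation activity in the scoring
# window. Ids and values are invented for this example; a real feed has hundreds of
# thousands of rows, most of them far below 0.01.
SAMPLE_SCORES: Dict[str, float] = {
    "CVE-0000-0001": 0.00030,
    "CVE-0000-0002": 0.00045,
    "CVE-0000-0003": 0.00080,
    "CVE-0000-0004": 0.00120,
    "CVE-0000-0005": 0.00400,
    "CVE-0000-0006": 0.01500,
    "CVE-0000-0007": 0.04000,
    "CVE-0000-0008": 0.12000,
    "CVE-0000-0009": 0.55000,
    "CVE-0000-0010": 0.94000,
}


def percentile_rank(scores: Dict[str, float], cve: str) -> float:
    """Fraction of scored CVEs with a probability <= this CVE's probability.

    Assumed definition (ties count as "at or below"). A percentile says how a
    CVE compares with the rest of the population; it is not a probability.
    """
    if not scores:
        raise ValueError("no scores to rank against")
    values = sorted(scores.values())
    count_at_or_below = bisect_right(values, scores[cve])
    return count_at_or_below / len(values)


def rank_for_triage(scores: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """Order CVEs for remediation: highest probability first, each row carrying
    (cve, probability, percentile) so both numbers are visible to the analyst."""
    rows = [(cve, p, percentile_rank(scores, cve)) for cve, p in scores.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def expected_exploited(scores: Dict[str, float], max_probability: float) -> Tuple[int, float]:
    """For the bucket of CVEs scored at or below max_probability, return
    (bucket size, expected number that will see exploitation activity).

    The expectation is the sum of the individual probabilities, i.e. it treats
    each CVE as an independent Bernoulli trial. That is a simplifying assumption
    made for this example, but it is enough to show that ignoring the "low" bucket
    still leaves a non-zero expected number of exploited vulnerabilities."""
    bucket = [p for p in scores.values() if p <= max_probability]
    return len(bucket), sum(bucket)


def expected_at_scale(mean_probability: float, population: int) -> float:
    """Expected exploited count when a mean probability applies to a large
    population of CVEs. This is the point about small percentages: 0.1% across
    200,000 CVEs is still 200 expected exploitations, not "nothing"."""
    if population < 0 or not 0.0 <= mean_probability <= 1.0:
        raise ValueError("probability must be in [0, 1] and population non-negative")
    return mean_probability * population


if __name__ == "__main__":
    for cve, prob, pct in rank_for_triage(SAMPLE_SCORES):
        print(f"{cve}  p={prob:.5f}  percentile={pct:.2f}")
    size, expected = expected_exploited(SAMPLE_SCORES, 0.005)
    print(f"'low' bucket: {size} CVEs, expected exploited ≈ {expected:.4f}")
    print(f"0.1% across 200,000 CVEs -> {expected_at_scale(0.001, 200_000):.0f} expected")
```

Reading the output side by side makes the relationship obvious: the CVE at probability 0.004 sits at the 50th percentile of this tiny sample because half the population scores at or below it, while its probability of exploitation is still under half a percent. Which number you act on depends on the question: the percentile tells you where to cut a ranked backlog, the probability tells you how much risk a cut-off leaves behind.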

Meet Our Speakers

todb

VP of Security Research, runZero

Jay Jacobs

Founder at Empirical Security; Chief Data Scientist Emeritus, Founder at Cyentia Institute
