In this session, Tod Beardsley (runZero) sits down with Jay Jacobs (Empirical Security), a co-creator of the Exploit Prediction Scoring System (EPSS), to explore the science and practice of predicting vulnerability exploitation. Jacobs details the evolution of EPSS from a research initiative into a vital, daily-published API that provides probability scores and percentile rankings for hundreds of thousands of CVEs. This data-driven approach allows security teams to move beyond traditional severity scores and focus on the vulnerabilities that attackers are actually targeting in the wild.
The conversation clarifies how EPSS differs from other scoring systems, specifically explaining the relationship between a probability score and a percentile rank. Jacobs addresses common misconceptions about low-probability scores, noting that even a small percentage can be highly significant when measured across a massive population of vulnerabilities. He also breaks down the technical backend, distinguishing between the use of Large Language Models for data cleaning and the core machine learning models used to generate accurate, transparent scores.
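To make the probability-versus-percentile distinction concrete, the following added example (not from the session or from the EPSS project) computes a percentile rank from a constructed set of probability scores and shows why the expected number of exploited CVEs is what matters over a population; the "at or below" percentile definition and the CVE-TOY identifiers are assumptions.

```python
"""Toy EPSS-style scoring: probability per CVE, percentile rank within the
population, and the expected count of exploited CVEs. Added example; the
scores and CVE-TOY identifiers below are constructed, not real EPSS data."""
from bisect import bisect_right

# Constructed population: CVE id -> probability of exploitation in the
# scoring window. Real EPSS covers hundreds of thousands of CVEs; most
# scores are very small, which is why a few percent can rank highly.
SCORES = {
    "CVE-TOY-0001": 0.0004,
    "CVE-TOY-0002": 0.0009,
    "CVE-TOY-0003": 0.0012,
    "CVE-TOY-0004": 0.0030,
    "CVE-TOY-0005": 0.0080,
    "CVE-TOY-0006": 0.0150,
    "CVE-TOY-0007": 0.0400,
    "CVE-TOY-0008": 0.0900,
    "CVE-TOY-0009": 0.3500,
    "CVE-TOY-0010": 0.9700,
}


def percentile(cve, scores=SCORES):
    """Fraction of the population scored at or below this CVE's probability.
    Assumed definition, mirroring the percentile EPSS publishes next to
    each probability: a 4% probability can sit at the 70th percentile."""
    ordered = sorted(scores.values())
    return bisect_right(ordered, scores[cve]) / len(ordered)


def expected_exploited(scores=SCORES):
    """Sum of probabilities = expected number of CVEs exploited in the
    window. Individually small scores add up across a large population,
    which is the point behind 'low score, still significant'."""
    return sum(scores.values())


def prioritize(scores=SCORES, threshold=0.03):
    """CVEs at or above a probability threshold, highest probability first;
    the cut-off a team picks is a policy decision, not part of EPSS."""
    chosen = [c for c, p in scores.items() if p >= threshold]
    return sorted(chosen, key=lambda c: scores[c], reverse=True)


if __name__ == "__main__":
    for cve in SCORES:
        print(f"{cve}: p={SCORES[cve]:.4f} percentile={percentile(cve):.2f}")
    print(f"expected exploited in window: {expected_exploited():.4f}")
    print("above threshold:", prioritize())
```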
Watch more sessions from runZero Day
| Session Title | Guests |
|---|---|
| A CVE quagmire: Quality versus quantity | Jerry Gamblin, RogoLabs |
| Predicting exploitation: A practitioner's guide | Jay Jacobs, Empirical Security |
| Signal vs slop: Journalists on the evolution of research-driven reporting | Bill Brenner, CYBER.SEC.Community; Dennis Fisher, Decipher; Steve Ragan, 1Password |
| On the frontlines of investigative journalism in cybersecurity: An insider's perspective | Joseph Menn, Author & Investigative Journalist |
| From risk to resilience: Navigating OT security in a converged world | Mary Gannon, GuidePoint Security; Patrick Gillespie, GuidePoint Security |
| Force multiplied: Community-powered vuln detection | Rishi Sharma, ProjectDiscovery |
| Mute the sirens: Prioritizing vulnerability noise | Mark Lambert, ArmorCode |
| The network edge: EOL and exploitation | Kimber Duke, VulnCheck; Patrick Garrity, VulnCheck |
| Bug bounties in the age of AI | Casey Ellis, Bugcrowd |
| Perimeters and pathways: Protecting the complete attack surface | HD Moore, runZero; Jared Atkinson, SpecterOps; Zakir Durumeric, Censys |
| The infinite eye: How AI threat intelligence gives defenders an asymmetric edge | HD Moore, runZero; Jonathan Cran, Mallory |