The following scoring systems can be used to prioritize vulnerabilities. Unlike a purely historical log of exploitations, these systems predict the likelihood that a vulnerability will be exploited within a given time frame.
Dynamic Vulnerability Exploit (DVE)
DVE models exploitation activity based on threat intelligence. It observes attackers discussing, planning, and weaponizing exploits, and measures the systemic relationship between those observations and exploitation activity, to make a prediction about which vulnerabilities will be targeted by attackers.
DVE predicts the likelihood of exploitation within a 90-day period. It is presented as a 0-10 score, with 10 indicating the highest likelihood of exploitation.
Cyber Threat Intel
DVE has the following Cyber Threat Intel (CTI) attributes that make up the score:
❖ Any trending attribute can be added and removed at any time based on activity. Most of the other attributes persist once they are seen, as the condition is permanent.
- Exploited in the Wild
  The vulnerability is reported to have been exploited at least once.
  Slug name: has_exploit_in_the_wild_attribute
- Has POC Exploit
  The vulnerability has at least one published Proof of Concept (POC) exploit.
  Slug name: has_poc_exploit_attribute
- Metasploit Mention
  The vulnerability was mentioned at least once by Metasploit, a computer security project owned by Rapid7 that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  Slug name: metasploit_attribute
- Part of Exploit Kit
  The vulnerability is part of at least one exploit kit.
  Slug name: has_exploit_kit_attribute
- Related to APT
  The vulnerability was mentioned in content related to Advanced Persistent Threats (APT).
  Slug name: is_related_apt_attribute
- Related to Ransomware
  The vulnerability was mentioned in ransomware-related content.
  Slug name: is_related_ransomware_attribute
- Scanned by Anonymous
  The vulnerability was scanned at least once by the hacktivist collective "Anonymous."
  Slug name: is_scanned_by_anonymous_attribute
- Trending in Arab Underground❖
  The vulnerability is currently trending in Arab underground/dark web chatter forums.
  Slug name: is_trend_arabic_attribute
- Trending in Chinese Underground❖
  The vulnerability is currently trending in Chinese underground/dark web chatter forums.
  Slug name: is_trend_chinese_attribute
- Trending in Cyber Underground❖
  The vulnerability is currently trending in cyber underground/dark web chatter forums.
  Slug name: is_trend_underground_attribute
- Trending in Farsi Underground❖
  The vulnerability is currently trending in Farsi underground/dark web chatter forums.
  Slug name: is_trend_farsi_attribute
- Trending in Russian Underground❖
  The vulnerability is currently trending in Russian underground/dark web chatter forums.
  Slug name: is_trend_russian_attribute
- Trending on GitHub❖
  The vulnerability is currently trending on GitHub, a platform used by developers to store, manage, and share code.
  Slug name: is_trend_github_general_attribute
- Trending on Twitter❖
  The vulnerability is currently trending on the X social networking service, formerly known as "Twitter."
  Slug name: is_trend_twitter_attribute
- Verified Exploit
  The vulnerability has an associated exploit verified by ExploitDB.
  Slug name: is_verified_exploit
Exploit Prediction Scoring System (EPSS)
EPSS models exploitation activity based on vulnerability properties and characteristics. It uses the correlation between what a vulnerability is like and past exploitation attempts to predict how likely a vulnerability with these given characteristics is to be exploited.
EPSS predicts the likelihood of exploitation within a 30-day period and is recalculated every 24 hours. The EPSS percentage estimates the probability that a given software vulnerability will be exploited, so that remediation efforts can be prioritized accordingly. The higher the percentage, the more likely the vulnerability is to be exploited.
Which System Is Better at Predicting Exploitation?
DVE and EPSS are trained and validated on disparate datasets. Because there is no authoritative visibility into the sum of all exploitation activity, neither system can fully account for the biases in its own training data, and neither can be validated against the complete picture.
- Use DVE to plan remediation based on threat intelligence (TI), such as Cybersixgill or other TI feeds. This may be useful during major security events, such as zero-days, vulnerabilities that are changing in real-time, and when vulnerabilities are first published.
- Use EPSS to plan remediation based on vulnerability characteristics and prioritize interoperability with other tools and industry standardization.
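The attribute list above and the DVE/EPSS guidance in this section can be combined into a single triage rule. The following is an added example, not code from this page or from Cybersixgill or FIRST: it validates the CTI slug names, treats the ❖ trending attributes as transient (so a decision that leans on them is flagged for re-checking), and folds the DVE score (0-10, 90-day horizon) and the EPSS probability (0-1, 30-day horizon) into a priority. The record shape, the P1-P4 buckets, the 7.0 DVE and 0.5 EPSS thresholds, and the placeholder CVE IDs are all assumptions made for the example, not values recommended by either scoring system.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# CTI attribute slug names from the list above. The trending ones (marked ❖ on
# the page) are added and removed as activity changes; the rest persist once seen.
TRENDING_ATTRIBUTES = frozenset({
    "is_trend_arabic_attribute", "is_trend_chinese_attribute",
    "is_trend_underground_attribute", "is_trend_farsi_attribute",
    "is_trend_russian_attribute", "is_trend_github_general_attribute",
    "is_trend_twitter_attribute",
})
PERSISTENT_ATTRIBUTES = frozenset({
    "has_exploit_in_the_wild_attribute", "has_poc_exploit_attribute",
    "metasploit_attribute", "has_exploit_kit_attribute",
    "is_related_apt_attribute", "is_related_ransomware_attribute",
    "is_scanned_by_anonymous_attribute", "is_verified_exploit",
})
KNOWN_ATTRIBUTES = TRENDING_ATTRIBUTES | PERSISTENT_ATTRIBUTES

# Assumed policy (not from the page): these mean exploitation is already
# happening, so they short-circuit the prediction-based rules below.
OBSERVED_EXPLOITATION = frozenset({"has_exploit_in_the_wild_attribute", "has_exploit_kit_attribute"})
# Assumed policy: exploit tooling exists but no exploitation has been observed yet.
EXPLOIT_AVAILABLE = frozenset({"has_poc_exploit_attribute", "metasploit_attribute", "is_verified_exploit"})


@dataclass
class VulnRecord:
    """One finding after joining scanner output with DVE/EPSS data (assumed shape)."""
    cve_id: str
    dve_score: Optional[float] = None   # DVE 0-10, None if not scored
    epss: Optional[float] = None        # EPSS probability 0-1, None if not scored
    attributes: frozenset = frozenset() # CTI slug names


@dataclass
class Decision:
    cve_id: str
    priority: str                       # "P1" (highest) .. "P4"
    recheck: bool                       # True if the call leaned on transient trending attributes
    reasons: List[str] = field(default_factory=list)


def unknown_attributes(rec: VulnRecord) -> set:
    """Slugs on the record that are not in the documented attribute list."""
    return set(rec.attributes) - KNOWN_ATTRIBUTES


def triage(rec: VulnRecord, dve_threshold: float = 7.0, epss_threshold: float = 0.5) -> Decision:
    """Combine DVE, EPSS and CTI attributes into a remediation priority."""
    unknown = unknown_attributes(rec)
    if unknown:
        raise ValueError(f"{rec.cve_id}: unknown attribute slug(s): {sorted(unknown)}")

    reasons: List[str] = []
    trending = rec.attributes & TRENDING_ATTRIBUTES
    dve_hot = rec.dve_score is not None and rec.dve_score >= dve_threshold
    epss_hot = rec.epss is not None and rec.epss >= epss_threshold

    observed = rec.attributes & OBSERVED_EXPLOITATION
    if observed:                       # observed exploitation beats any prediction
        reasons.append(f"exploitation observed: {sorted(observed)}")
        return Decision(rec.cve_id, "P1", False, reasons)
    if dve_hot and epss_hot:           # both models agree despite disparate training data
        reasons.append(f"DVE {rec.dve_score} and EPSS {rec.epss:.2f} both above threshold")
        return Decision(rec.cve_id, "P1", False, reasons)
    if dve_hot:                        # threat-intel signal only: may be chatter-driven and transient
        reasons.append(f"DVE {rec.dve_score} above threshold (threat-intel signal)")
        if trending:
            reasons.append(f"trending attributes active: {sorted(trending)}")
        return Decision(rec.cve_id, "P2", bool(trending), reasons)
    if epss_hot:                       # characteristic-based signal only
        reasons.append(f"EPSS {rec.epss:.2f} above threshold (vulnerability-characteristic signal)")
        return Decision(rec.cve_id, "P2", False, reasons)
    available = rec.attributes & EXPLOIT_AVAILABLE
    if available:
        reasons.append(f"exploit tooling available: {sorted(available)}")
        return Decision(rec.cve_id, "P3", False, reasons)
    reasons.append("no exploitation signal from DVE, EPSS or CTI attributes")
    return Decision(rec.cve_id, "P4", False, reasons)


def rank(records: List[VulnRecord]) -> List[Decision]:
    """Order findings by priority bucket, then by the stronger of the two normalised
    scores (DVE/10 vs EPSS) so ties inside a bucket are broken sensibly."""
    def key(pair):
        decision, rec = pair
        strongest = max((rec.dve_score or 0.0) / 10.0, rec.epss or 0.0)
        return (decision.priority, -strongest)
    return [d for d, _ in sorted(((triage(r), r) for r in records), key=key)]


# Constructed sample input; the CVE IDs and scores are placeholders, not real data.
SAMPLE = [
    VulnRecord("CVE-0000-0001", 8.7, 0.04, frozenset({"is_trend_russian_attribute", "has_poc_exploit_attribute"})),
    VulnRecord("CVE-0000-0002", 3.1, 0.62),
    VulnRecord("CVE-0000-0003", 9.4, 0.91, frozenset({"is_related_ransomware_attribute"})),
    VulnRecord("CVE-0000-0004", 4.0, 0.03, frozenset({"has_exploit_in_the_wild_attribute"})),
    VulnRecord("CVE-0000-0005", 2.2, 0.01, frozenset({"metasploit_attribute"})),
    VulnRecord("CVE-0000-0006", 1.0, 0.005),
]

if __name__ == "__main__":
    for d in rank(SAMPLE):
        flag = " (recheck: trending signal)" if d.recheck else ""
        print(f"{d.priority} {d.cve_id}{flag}: {'; '.join(d.reasons)}")
```

The recheck flag is the practical consequence of the ❖ note above: a P2 driven by DVE plus a trending attribute can drop once the chatter dies down, so it should be re-evaluated on the next pull rather than baked into a patch schedule, whereas a P1 from an observed-exploitation attribute does not go away.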
- April 4, 2025: CTI slug names for the API.
- April 3, 2025: Published.