Vulnerability Prioritization with EPSS for Texas IT Teams in 2026

May 6, 2026

CVSS scores tell you how bad a vulnerability could be. EPSS tells you how likely it is to be exploited. Texas IT teams that prioritize by EPSS patch 80% less and prevent 95% of the same incidents.

01

Introduction

The CVE database now publishes roughly 30,000 new vulnerabilities per year. Even a fully staffed Texas SMB IT team cannot patch all of them on the timelines that compliance frameworks suggest. The good news: most of those CVEs will never be exploited. The challenge is knowing which ones will be — and that is where the Exploit Prediction Scoring System (EPSS) changes the math.

This guide covers how EPSS works, why CVSS-only prioritization is now demonstrably suboptimal, and how to integrate EPSS into a vulnerability management program at Texas SMB scale.

02

The Problem with CVSS-Only Prioritization

The Common Vulnerability Scoring System (CVSS) has been the default vulnerability metric for two decades. CVSS scores range from 0.0 to 10.0 and reflect how serious a vulnerability would be IF exploited. Critical (9.0+) gets fixed first, then High (7.0+), then Medium, then Low. Most patch management programs are built around this hierarchy.

The fundamental problem: CVSS measures potential impact, not likelihood of exploitation. The result, validated repeatedly in real-world data:

  • Of all CVEs published, fewer than 5% are ever exploited in the wild
  • Of CVEs rated CVSS Critical, fewer than 15% are ever exploited in the wild
  • Many CVEs rated Medium are heavily exploited (because attackers prefer reliable, easy-to-exploit bugs even when impact is lower)

Patching all Critical CVEs as fast as possible is therefore optimizing for the wrong metric — you spend the most resources on the vulnerabilities least likely to actually matter.

03

What EPSS Actually Is

EPSS is a community-maintained scoring system from FIRST.org that uses machine learning trained on real exploitation data to assign each CVE a probability (0% to 100%) that it will be exploited within the next 30 days. Scores are refreshed daily.

The model uses ~1,500 features per CVE: vendor, product, attack vector, observed exploit kits, GitHub PoC publications, social media mentions, and historical exploitation patterns for similar bugs.

An EPSS score of 0.95 means there's a 95% predicted probability of exploitation within 30 days. An EPSS score of 0.001 means 0.1%. The distribution is highly skewed — the median CVE has EPSS around 0.0005.

04

The Power Move: Combine EPSS with CVSS

Neither metric alone is optimal. The combined approach:

  • Tier 1 — Patch immediately (within 7 days): CVSS ≥ 7.0 AND EPSS ≥ 0.10. These are vulnerabilities that are both serious AND being actively exploited or about to be.
  • Tier 2 — Patch within standard cycle (30 days): CVSS ≥ 7.0 AND EPSS 0.01-0.10, OR CVSS 4.0-6.9 AND EPSS ≥ 0.10. Either serious-but-not-yet-exploited, or being-exploited-but-lower-impact.
  • Tier 3 — Patch when convenient (next quarterly maintenance window): Everything else, evaluated on standard quarterly cadence.

This approach typically reduces the urgent-patch queue by 80-95% while still catching nearly 100% of CVEs that result in real-world incidents.

05

Layer in CISA's KEV Catalog

The CISA Known Exploited Vulnerabilities (KEV) catalog is a curated list of CVEs that CISA has observed being actively exploited in the wild. Any CVE in the KEV catalog should be Tier 1 regardless of CVSS or EPSS — by definition, attackers are using it right now.

For federal contractors and CMMC-scoped environments, KEV catalog patching is a required control with specific timelines (typically 14 days). See our CMMC compliance coverage.

06

Tooling That Integrates EPSS

  • Tenable Vulnerability Management — native EPSS in dashboards and reports
  • Rapid7 InsightVM — EPSS displayed alongside CVSS in vulnerability detail
  • Qualys VMDR — EPSS integration in Threat Intel Platform module
  • Microsoft Defender Vulnerability Management — EPSS visible in CVE pages, included with Defender for Endpoint Plan 2 and M365 E5
  • Free — query the public EPSS API directly: api.first.org/data/v1/epss

For Texas SMBs without dedicated VM tooling, exporting your CVE list and joining against the EPSS API in a weekly script is a no-cost way to get the prioritization benefit. See our Defender family decision guide for what's included with your Microsoft licenses.

07

The 2026 Vulnerability Management Baseline

  1. Daily CVE ingestion against your asset inventory
  2. Daily EPSS refresh and KEV catalog check
  3. Tiered prioritization combining CVSS, EPSS, and KEV
  4. Tier 1 patches within 7 days; Tier 2 within 30; Tier 3 within quarterly window
  5. Monthly vulnerability metrics reported to leadership: open Critical+High count, mean time to patch by tier, KEV catalog coverage percentage
  6. Quarterly external scan or pen test to validate

08

Where to Start

For Texas SMBs that are currently patching by CVSS only: pull your last 90 days of vulnerability scan data, join against the EPSS API, and look at how many of your "patched immediately" Criticals had EPSS < 0.01. That is the wasted effort number — and it's usually shocking. Then re-tier going forward using the combined CVSS + EPSS + KEV model.
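The procedure above, carried through as an added example that is not the page's or any vendor's code: tier a constructed scanner export with the section 04 rules (KEV forcing Tier 1), join it against a constructed EPSS-style response, and compute the wasted-effort count. The api.first.org endpoint is the one the page names; the comma-separated cve parameter and the data/cve/epss JSON fields are assumptions about its response format, and the CVE-2099-* ids, CVSS values and EPSS scores are constructed placeholders.

```python
"""Tier a scanner export by CVSS + EPSS + KEV and compute the "wasted effort" number."""
import csv
import io
import json
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"  # public endpoint named on the page

def epss_query_url(cve_ids):
    """Batch query URL; a comma-separated cve parameter is an assumption about the API."""
    return EPSS_API + "?" + urlencode({"cve": ",".join(cve_ids)})

def parse_epss_response(body):
    """CVE id -> EPSS probability from the API's JSON; 'data'/'cve'/'epss' keys assumed."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(body)["data"]}

def tier(cvss, epss, in_kev):
    """Tiers exactly as section 04 defines them; KEV membership forces Tier 1."""
    if in_kev or (cvss >= 7.0 and epss >= 0.10):
        return 1
    if (cvss >= 7.0 and 0.01 <= epss < 0.10) or (4.0 <= cvss < 7.0 and epss >= 0.10):
        return 2
    return 3

def tier_findings(scan_csv, epss_by_cve, kev):
    """Join a scanner export (cve,cvss columns) against EPSS scores and tier each row."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve, cvss = row["cve"], float(row["cvss"])
        epss = epss_by_cve.get(cve, 0.0)  # not scored by EPSS yet: treat as lowest likelihood
        findings.append({"cve": cve, "cvss": cvss, "epss": epss, "kev": cve in kev,
                         "tier": tier(cvss, epss, cve in kev)})
    return findings

def wasted_effort(findings):
    """(Criticals with EPSS < 0.01 and not in KEV, all Criticals) for CVSS >= 9.0."""
    crit = [f for f in findings if f["cvss"] >= 9.0]
    return sum(1 for f in crit if f["epss"] < 0.01 and not f["kev"]), len(crit)

# Constructed sample data: CVE-2099-* ids are placeholders, not real vulnerabilities.
SAMPLE_SCAN_CSV = "cve,cvss\n" + "\n".join([
    "CVE-2099-0001,9.8", "CVE-2099-0002,9.1", "CVE-2099-0003,5.3",
    "CVE-2099-0004,7.5", "CVE-2099-0005,6.5", "CVE-2099-0006,9.4"]) + "\n"
SAMPLE_EPSS_BODY = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-2099-0001", "epss": "0.92000"}, {"cve": "CVE-2099-0002", "epss": "0.00300"},
    {"cve": "CVE-2099-0003", "epss": "0.45000"}, {"cve": "CVE-2099-0004", "epss": "0.04000"},
    {"cve": "CVE-2099-0005", "epss": "0.00100"}]})  # CVE-2099-0006 deliberately absent
SAMPLE_KEV = {"CVE-2099-0005"}  # constructed stand-in for the CISA KEV catalog
```

Running `wasted_effort(tier_findings(SAMPLE_SCAN_CSV, parse_epss_response(SAMPLE_EPSS_BODY), SAMPLE_KEV))` on the sample gives (2, 3): two of the three Criticals would have been patched urgently with EPSS below 0.01, while the KEV-listed Medium lands in Tier 1.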

Related reading: SIEM vs MDR vs XDR comparison, cybersecurity services, 2026 Texas SMB Benchmark Report.
