EPSS Exploit Prediction Scraper - CVE Risk Scores
Pricing
from $3.00 / 1,000 results
Extract EPSS (Exploit Prediction Scoring System) scores from FIRST.org for any CVE. Filter by score threshold, CVE list, or historical date. Includes risk tier classification and NVD links for vulnerability prioritization.
EPSS Exploit Prediction Scraper extracts real-time and historical Exploit Prediction Scoring System (EPSS) data from the FIRST.org EPSS API. For every CVE in the database, it delivers an exploit probability score, a percentile ranking, a risk tier classification, and a direct link to the NVD vulnerability detail page, all structured and ready for vulnerability management pipelines, SIEM enrichment, or security dashboards.
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven model developed by FIRST (Forum of Incident Response and Security Teams) that estimates the probability a given CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which scores severity based on technical characteristics, EPSS measures likelihood of exploitation based on threat intelligence signals, making it far more actionable for security teams with limited patching capacity.
Who uses EPSS data?
- Vulnerability management teams use EPSS to prioritize patching queues, fixing a CVE with a 60% exploit probability before a CVE with a 0.01% probability, regardless of CVSS score.
- SOC analysts use EPSS to triage incoming vulnerability alerts and focus detection resources where active exploitation is most likely.
- Red teams identify high-value CVEs for penetration testing simulations.
- Threat intelligence platforms ingest EPSS to enrich vulnerability feeds with predictive exploit likelihood scores.
- DevSecOps pipelines auto-block or flag CVEs above a defined EPSS threshold during CI/CD scans.
EPSS vs CVSS: A CVE can have a CVSS score of 9.8 (Critical severity) but an EPSS score of 0.001 (virtually never exploited). EPSS closes this gap: studies have shown that pairing EPSS filtering with CVSS scoring reduces the number of vulnerabilities requiring immediate remediation by up to 87% while catching the same number of exploited CVEs.
Historical snapshots: EPSS scores update daily. This scraper supports fetching scores as of any historical date, enabling trend analysis and compliance reporting against a fixed date baseline.
Scale: The EPSS database covers over 200,000 CVEs published since 1999, updated every 24 hours with new threat intelligence signals from FIRST's global network of incident response teams.
Output Data Fields
| Field | Type | Description |
|---|---|---|
| cve | string | CVE identifier (e.g. CVE-2021-44228) |
| epssScore | float | Raw EPSS score, 0–1 (probability of exploitation in 30 days) |
| epssPercentile | float | Percentile rank as a decimal, 0–1 |
| epssPercentageDisplay | string | EPSS score formatted as a percentage (e.g. 2.35%) |
| percentileRank | string | Percentile rank formatted as a percentage (e.g. 97.40%) |
| riskTier | string | Critical (≥0.5), High (≥0.1), Medium (≥0.01), or Low |
| scoreDate | string | Date of the EPSS score snapshot (YYYY-MM-DD) |
| nvdUrl | string | Direct NVD vulnerability detail URL |
How to scrape EPSS exploit prediction scores
Follow these steps to extract EPSS data using the Apify platform:
- Open the Actor in the Apify Console and click Try for free.
- In the Input tab, leave all fields at their defaults to fetch the top 1,000 CVEs sorted by highest exploit probability.
- To narrow results, enter CVE IDs in the CVE Filter field (comma-separated, e.g. CVE-2021-44228,CVE-2023-23397).
- Set a Minimum EPSS Score (e.g. 0.1) to only return CVEs with at least a 10% exploit probability.
- To pull a historical snapshot, enter a date in Score Date (e.g. 2025-01-01).
- Adjust Max Results if you need a bulk export (up to 50,000 records per run).
- Click Start and wait for the run to complete (typically under 60 seconds for 1,000 records).
- In the Dataset tab, export your results as JSON, CSV, or XLSX.
Input example
{"cveFilter":"CVE-2021-44228,CVE-2023-23397","minEpssScore":0,"scoreDate":"","order":"!epss","maxResults":1000}
To fetch the top 500 CVEs with at least a 10% exploit probability:
{"cveFilter":"","minEpssScore":0.1,"scoreDate":"","order":"!epss","maxResults":500}
Output example
{"cve":"CVE-2021-44228","epssScore":0.97565,"epssPercentile":0.99986,"epssPercentageDisplay":"97.57%","percentileRank":"99.99%","riskTier":"Critical","scoreDate":"2026-06-27","nvdUrl":"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"}
FAQ
What is the EPSS score range?
EPSS scores range from 0 to 1, representing the probability (0% to 100%) that a CVE will be exploited in the wild within the next 30 days. A score of 0.97 means a 97% predicted exploitation probability. Scores at or above 0.5 are classified as Critical by this scraper.
How often does EPSS data update?
FIRST.org updates EPSS scores daily. Running this Actor with no scoreDate filter always returns the most recent scores. Use the scoreDate input to retrieve historical snapshots for trend analysis or compliance reporting.
Can I use EPSS scores in my CI/CD pipeline?
Yes. Export results as JSON via the Apify API and consume them in your pipeline. A common pattern is to fetch CVEs with minEpssScore=0.1 and block any dependency with a matching CVE from being deployed. Combine with the CISA KEV Scraper for a two-layer filter: block known-exploited CVEs (KEV) and flag high-probability CVEs (EPSS ≥ 0.1).
Is EPSS a replacement for CVSS?
No. EPSS and CVSS are complementary. CVSS measures severity (impact if exploited); EPSS measures likelihood (probability of being exploited). The most effective prioritization strategy combines both: patch CVEs that score high on both CVSS (severity ≥ 7.0) and EPSS (probability ≥ 0.1) first.
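The two-layer CI/CD filter and the combined CVSS/EPSS rule from the answers above, as an added example that is not part of this Actor's code. It assumes the EPSS records were exported in the output format shown earlier; the `gate` and `risk_tier` helpers, the scanner finding shape, the KEV ID set and the `CVE-2099-*` entries are hypothetical and constructed for illustration.

```python
import json
import sys

# Tier floors as listed in the riskTier row of the field table above.
TIERS = [(0.5, "Critical"), (0.1, "High"), (0.01, "Medium")]

def risk_tier(score):
    """Map a raw EPSS score (0-1) to the tier names used in the output."""
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "Low"

def gate(findings, epss_records, kev_ids, epss_min=0.1, cvss_min=7.0):
    """Sort scanner findings into block / flag / patch_first / unscored."""
    epss = {r["cve"].upper(): float(r["epssScore"]) for r in epss_records}
    out = {"block": [], "flag": [], "patch_first": [], "unscored": []}
    for f in findings:
        cve = f["cve"].strip().upper()
        if cve in kev_ids:
            out["block"].append(cve)        # layer 1: known exploited (KEV)
        score = epss.get(cve)
        if score is None:
            out["unscored"].append(cve)     # no EPSS record: do not assume 0
            continue
        if score >= epss_min:
            out["flag"].append(cve)         # layer 2: predicted exploitation
            if f.get("cvss", 0.0) >= cvss_min:
                out["patch_first"].append(cve)  # high on both CVSS and EPSS
    return out

# Constructed sample data. Only the CVE-2021-44228 score is taken from the
# output example above; CVE-2099-* IDs and all other values are placeholders.
EPSS_EXPORT = json.loads("""[
  {"cve": "CVE-2021-44228", "epssScore": 0.97565},
  {"cve": "CVE-2099-0001", "epssScore": 0.001},
  {"cve": "CVE-2099-0002", "epssScore": 0.2}
]""")
KEV_IDS = {"CVE-2021-44228"}                # stand-in for a KEV catalog export
FINDINGS = [                                # hypothetical dependency-scan output
    {"package": "pkg-a", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"package": "pkg-b", "cve": "CVE-2099-0001", "cvss": 9.8},
    {"package": "pkg-c", "cve": "cve-2099-0002", "cvss": 5.3},
    {"package": "pkg-d", "cve": "CVE-2099-0003", "cvss": 8.1},
]

if __name__ == "__main__":
    result = gate(FINDINGS, EPSS_EXPORT, KEV_IDS)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["block"] else 0)   # non-zero exit fails the CI job
```

A finding with no EPSS record lands in `unscored` rather than being treated as low risk, so newly published CVEs are not silently passed by the gate.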
Other Actors
- CISA KEV Scraper: Extract the full CISA Known Exploited Vulnerabilities catalog with vendor filters, remediation due dates, and ransomware flags. Pair with EPSS data for confirmed + predicted exploit coverage.
- NIST NVD Scraper: Scrape the National Vulnerability Database for CVSS scores, CWE classifications, and CPE affected product lists. Combine with EPSS for comprehensive CVE enrichment.
Legal disclaimer
This Actor accesses the publicly available FIRST.org EPSS API, which provides open data for security research and vulnerability management purposes. Use of this data is subject to FIRST.org's terms of service. This Actor is not affiliated with or endorsed by FIRST.org. All CVE data originates from public vulnerability databases. Users are responsible for ensuring their use of the extracted data complies with applicable laws and organizational policies. For support, contact the publisher via the Apify Store.
