Prioritize Risk: EPSS, GCVE and EvidenceForge Shift Patching
Security teams are adding EPSS probabilities and GCVE exploitation signals to CVSS triage; Cisco Talos released EvidenceForge, an open-source tool that creates realistic correlated logs.
Security teams are moving from CVSS-only vulnerability triage to a model that combines CVSS, EPSS and GCVE signals. Cisco Talos published guidance and released EvidenceForge, an open-source generator for realistic, correlated synthetic security logs, in its Threat Source newsletter on May 28, 2026.
CVSS is a severity metric that produces a score from 0.0 to 10.0 and describes potential technical impact. EPSS, the Exploit Prediction Scoring System, supplies a probability from 0.0 to 1.0 that a given CVE will be exploited within the next 30 days. Talos described using CVSS to assess impact and EPSS to rank the likelihood of exploitation so teams can prioritize patches by both severity and near-term risk.
Many organizations have relied on CISA’s Known Exploited Vulnerabilities catalog. Talos noted that KEV is centralized and reflects U.S. federal visibility, which can delay when enrichment and exploitation evidence appear for the wider community. Global CVE, or GCVE, uses a decentralized model that allows multiple sources to attach references, affected-product details and exploit indicators to the same CVE identifier. Talos reported that GCVE’s model often delivers enrichment faster than traditional National Vulnerability Database pipelines and surfaces a broader set of exploitation signals.
Under the combined approach, defenders can use CVSS to measure technical impact, EPSS to order remediation by likelihood, and GCVE to confirm whether exploitation is observed in the wild across different regions. Talos wrote that pairing those inputs can change which patches receive emergency treatment and which are scheduled for normal maintenance, and that using EPSS alongside CVSS and GCVE can meaningfully shrink the patch backlog.
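The combined triage described above, sketched in Python as an added example; it is not code from Talos or from the article. The thresholds, tier names, placeholder CVE ids and sample scores are assumptions constructed for illustration, since the article specifies none of them.

```python
from dataclasses import dataclass

# Assumed cut-offs for this example; the article gives no thresholds.
CVSS_HIGH = 7.0      # impact considered high
CVSS_ONLY_CUT = 9.0  # "emergency" line in the CVSS-only baseline
EPSS_HIGH = 0.10     # 30-day exploitation probability considered high
RANK = {"emergency": 0, "expedited": 1, "scheduled": 2}  # hypothetical tiers

@dataclass(frozen=True)
class Finding:
    cve_id: str           # placeholder ids, not real CVEs
    cvss: float           # 0.0-10.0, technical impact
    epss: float           # 0.0-1.0, probability of exploitation in 30 days
    gcve_exploited: bool  # an exploitation signal is attached to the CVE

    def __post_init__(self):
        if not 0.0 <= self.cvss <= 10.0 or not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve_id}: score out of range")

def tier(f: Finding) -> str:
    """Combined triage: observed activity first, then likelihood and impact."""
    if f.gcve_exploited or (f.epss >= EPSS_HIGH and f.cvss >= CVSS_HIGH):
        return "emergency"
    if f.epss >= EPSS_HIGH:
        return "expedited"
    return "scheduled"  # includes high-CVSS findings with low EPSS

def patch_queue(findings):
    """Order by tier, then observed exploitation, then EPSS, then CVSS."""
    key = lambda f: (RANK[tier(f)], not f.gcve_exploited, -f.epss, -f.cvss)
    return [f.cve_id for f in sorted(findings, key=key)]

def emergency_sets(findings):
    """Return (CVSS-only emergencies, combined-model emergencies)."""
    cvss_only = {f.cve_id for f in findings if f.cvss >= CVSS_ONLY_CUT}
    combined = {f.cve_id for f in findings if tier(f) == "emergency"}
    return cvss_only, combined

# Constructed sample findings (id, CVSS, EPSS, exploitation signal present).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, False),
    Finding("CVE-EXAMPLE-B", 7.5, 0.64, False),
    Finding("CVE-EXAMPLE-C", 5.3, 0.03, True),
    Finding("CVE-EXAMPLE-D", 9.1, 0.01, False),
    Finding("CVE-EXAMPLE-E", 6.1, 0.22, False),
    Finding("CVE-EXAMPLE-F", 10.0, 0.91, True),
]

if __name__ == "__main__":
    print(patch_queue(SAMPLE), emergency_sets(SAMPLE))
```

On this sample both models flag three findings as emergencies, but only one finding is common to both sets, which is the reordering effect the paragraph describes.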
EvidenceForge is an open-source tool from Cisco Talos designed to generate labeled datasets for training and testing detection logic. The tool applies a single canonical event model and an AI-assisted scenario authoring interface to produce correlated event sequences across more than 20 log formats. It injects background noise, decoy activity and causal sequencing to produce datasets with coherent narratives instead of isolated events.
Talos said EvidenceForge addresses limits in many public or heavily scrubbed datasets by producing synchronized telemetry that better reflects real network visibility without exposing production data. The repository and a guided conversation feature are available on GitHub for teams to build attack scenarios, train SOC analysts, stress-test SIEM configurations and validate detection pipelines.
Talos warned that prioritizing solely by CVSS can consume finite operations capacity on vulnerabilities unlikely to be exploited and recommended that organizations adjust triage logic to account for exploitation probability and observed activity.








