Security teams adopt EPSS and GCVE for patch prioritization

Security teams are using EPSS probabilities and decentralized GCVE exploitation signals alongside CVSS to prioritize patches toward vulnerabilities most likely to be attacked.

Security teams are shifting vulnerability triage away from CVSS-only emergency patching to a process that pairs EPSS probabilities and GCVE exploitation signals with CVSS scores. The approach uses a probability forecast and faster, decentralized enrichment to focus remediation on vulnerabilities most likely to be exploited.

CVSS, the Common Vulnerability Scoring System, rates potential technical impact on a 0–10 scale. EPSS, the Exploit Prediction Scoring System, produces a daily-updated probability between 0 and 1 that a specific CVE will be exploited in the next 30 days. Security practitioners use CVSS to measure impact and EPSS to measure likelihood; a vulnerability with a high CVSS and high EPSS is treated as an immediate priority, while a high-severity issue with near-zero EPSS can be scheduled into the normal patch cycle.

Defenders are also broadening where they look for evidence of exploitation. The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog remains in use, but its listings reflect centralized federal visibility. Global CVE, or GCVE, is a decentralized enrichment model that allows multiple parties to attach references, affected-product data and exploit indicators to the same identifier. That decentralization can accelerate the arrival of actionable context and bring a wider set of exploitation signals into triage decisions.

Security operations teams that combine CVSS, EPSS and GCVE report a shift in daily workflow: fewer emergency patches for theoretically severe but unlikely flaws, and faster action on moderate-severity defects that show active weaponization. The change reduces the number of urgent tickets and narrows the pool of vulnerabilities that prompt immediate, organization-wide response.

Several recent incidents highlighted the need for timely exploitation signals and broader visibility. A federal contractor published cloud credentials and agency secrets to a public code repository. A supply-chain campaign on May 18 injected malicious workflow automation into more than 5,700 repositories; the injected payloads were designed to steal credentials, keys and tokens. Law enforcement actions removed about 800 servers from a hosting provider established in February 2022; authorities tied that infrastructure to cyberattacks, disinformation and sanctions-evading activity.

On the tooling side, Cisco Talos released EvidenceForge in May 2026. EvidenceForge is an open-source generator for synthetic security logs that produces labeled datasets across more than 20 log formats with causal and temporal consistency, background noise and red herrings. Security teams can use those datasets to train analysts, validate detection rules and test SIEM deployments without exposing production telemetry.

Practitioners describe the combined stack as a way to supplement existing vulnerability management. EPSS highlights what is likely to be exploited soon, GCVE provides broader exploitation evidence beyond a single national view, and CVSS assesses potential impact and remediation urgency.
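The triage rule the article describes (CVSS for impact, EPSS for likelihood, KEV or GCVE references as exploitation evidence) as a small worked example. This is added code written for this article, not any vendor's or FIRST's implementation; the tier cut-offs, the `Vuln` record shape and the sample identifiers are assumptions constructed for illustration.

```python
"""Patch triage that pairs CVSS impact with EPSS likelihood and exploitation evidence."""
from dataclasses import dataclass, field

# Assumed cut-offs (chosen for illustration, not from the article):
# CVSS >= 7.0 counts as high impact, EPSS >= 0.10 as a meaningful 30-day
# exploitation probability, and EPSS < 0.01 as "near zero".
CVSS_HIGH = 7.0
EPSS_HIGH = 0.10
EPSS_NEAR_ZERO = 0.01


@dataclass
class Vuln:
    cve: str
    cvss: float                      # CVSS base score, 0-10 (potential impact)
    epss: float                      # EPSS probability, 0-1 (exploitation in next 30 days)
    # Enrichment references reporting active exploitation, e.g. a KEV listing
    # or an exploit indicator attached to the GCVE identifier.
    exploit_signals: list = field(default_factory=list)


def has_exploitation_evidence(v: Vuln) -> bool:
    """True when any enrichment source reports the flaw as actively exploited."""
    return bool(v.exploit_signals)


def triage(v: Vuln) -> str:
    """Map one vulnerability to a remediation tier.

    immediate: confirmed exploitation, or high impact combined with high likelihood
    expedited: high likelihood with moderate impact, or high impact with non-negligible likelihood
    scheduled: everything else, including a critical CVSS score with near-zero EPSS
    """
    if not (0.0 <= v.cvss <= 10.0 and 0.0 <= v.epss <= 1.0):
        raise ValueError(f"{v.cve}: CVSS or EPSS value out of range")
    if has_exploitation_evidence(v) or (v.cvss >= CVSS_HIGH and v.epss >= EPSS_HIGH):
        return "immediate"
    if v.epss >= EPSS_HIGH or (v.cvss >= CVSS_HIGH and v.epss >= EPSS_NEAR_ZERO):
        return "expedited"
    return "scheduled"


def prioritize(vulns):
    """Order a backlog: tier first, confirmed exploitation next, then EPSS x CVSS descending."""
    rank = {"immediate": 0, "expedited": 1, "scheduled": 2}
    return sorted(vulns, key=lambda v: (rank[triage(v)], not has_exploitation_evidence(v), -v.epss * v.cvss))


# Constructed sample backlog; identifiers and scores are invented for this example.
SAMPLE = [
    Vuln("CVE-EXAMPLE-1", cvss=9.8, epss=0.002),   # critical on paper, unlikely to be attacked
    Vuln("CVE-EXAMPLE-2", cvss=6.5, epss=0.45),    # moderate impact, clearly being weaponized
    Vuln("CVE-EXAMPLE-3", cvss=5.3, epss=0.03, exploit_signals=["gcve:exploit-reference"]),
    Vuln("CVE-EXAMPLE-4", cvss=8.1, epss=0.02),
    Vuln("CVE-EXAMPLE-5", cvss=7.5, epss=0.60),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{triage(v):10} {v.cve:15} cvss={v.cvss:<4} epss={v.epss:<5} signals={v.exploit_signals}")
```

Running it puts the GCVE-flagged moderate-severity record and the high-CVSS/high-EPSS record at the top, while the 9.8-scored flaw with near-zero EPSS falls into the normal patch cycle.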
