Security teams move to EPSS and GCVE for precision patching

Teams pair CVSS with EPSS probabilities and GCVE enrichment to prioritize patches by likelihood of exploitation, reduce panic patching and shorten backlogs.

Security teams are shifting patch triage from CVSS-only sorting to a combined stack that uses CVSS severity, EPSS exploitation probability and GCVE enrichment to prioritize work. The change is intended to align patching with what is being exploited in the wild and to reduce emergency patch sprints.

CVSS remains a technical severity metric scored from 0.0 to 10.0 that estimates potential impact if a vulnerability is exploited. EPSS (Exploit Prediction Scoring System) provides a probability value from 0.0 to 1.0 that a given CVE will be exploited in the next 30 days and is updated continuously with observed signals. Security teams use high CVSS and high EPSS combinations to flag immediate action, while a high CVSS with very low EPSS may be deferred behind lower-severity items that show active exploitation.
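The combined triage rule described above, as an added example that is not from the article or from any of the projects it mentions; the tier thresholds, the field names and the CVE identifiers in the sample data are assumptions constructed for illustration:

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from the article.
HIGH_CVSS = 7.0   # CVSS 0.0-10.0: treat "high" and above as severe
HIGH_EPSS = 0.50  # EPSS 0.0-1.0: probability of exploitation within 30 days
LOW_EPSS = 0.05   # below this, an EPSS score is treated as "very low"


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifiers in SAMPLE, not real CVE records
    cvss: float
    epss: float
    exploited: bool   # exploit indicator from a KEV- or GCVE-style annotation


def triage_tier(f: Finding) -> str:
    """Map one finding to a patch tier using CVSS, EPSS and enrichment together."""
    if f.exploited:
        return "immediate"       # observed exploitation outranks severity alone
    if f.cvss >= HIGH_CVSS and f.epss >= HIGH_EPSS:
        return "immediate"       # severe and likely to be exploited soon
    if f.cvss >= HIGH_CVSS and f.epss < LOW_EPSS:
        return "scheduled"       # severe but dormant: normal update cycle
    if f.epss >= HIGH_EPSS:
        return "next-window"     # moderate severity but likely exploitation
    return "scheduled"


TIER_RANK = {"immediate": 0, "next-window": 1, "scheduled": 2}


def prioritize(findings):
    """Order findings by tier, then exploitation evidence, then EPSS, then CVSS."""
    return sorted(
        findings,
        key=lambda f: (TIER_RANK[triage_tier(f)], not f.exploited, -f.epss, -f.cvss),
    )


# Constructed sample scanner output; the CVE ids are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, exploited=False),  # severe, dormant
    Finding("CVE-0000-0002", cvss=6.5, epss=0.10, exploited=True),   # medium, exploited
    Finding("CVE-0000-0003", cvss=8.1, epss=0.72, exploited=False),  # severe, likely
    Finding("CVE-0000-0004", cvss=5.3, epss=0.01, exploited=False),  # low priority
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage_tier(f):12} {f.cve} cvss={f.cvss} epss={f.epss:.2f} exploited={f.exploited}")
```

Note that the medium-severity but actively exploited finding is ranked ahead of the CVSS 9.8 item with a very low EPSS score, which is exactly the reordering the article describes.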

Practitioners are also expanding where they look for exploitation evidence. The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is a widely used reference, but its updates flow through centralized channels. Global CVE (GCVE) applies a decentralized model that allows multiple parties to annotate the same CVE with references, affected products and exploit indicators. The decentralized design allows enrichment to appear faster than in records that must pass through a single national pipeline.

A weekly cybersecurity newsletter warned, “Ready or not, the time of much patching is coming.” Security teams say combining EPSS with faster, broader enrichment helps them choose which patches require immediate incident response and which can follow the normal update schedule.

Tooling to support detection and validation is also changing. Cisco Talos published EvidenceForge, an open-source synthetic log generator that uses a single canonical event model and AI-assisted scenario authoring to produce correlated logs across more than 20 formats. The project generates synchronized datasets with causal and temporal consistency, background noise and false leads so teams can train analysts, validate detection rules and test SIEM systems without using production telemetry. The repository and scenario tools are available on GitHub.

Operational reports from teams that have included EPSS in ticketing and patch-management systems indicate clearer prioritization and fewer overnight escalations triggered by dormant high-severity flaws. Teams say GCVE annotations often surface exploit indicators sooner than traditional feeds, allowing faster decision-making on active threats.

The shift responds in part to delays and backlog in public vulnerability feeds. EPSS was created to convert observed signals into short-term likelihood scores. GCVE is designed to widen the set of sources that contribute exploitation evidence. Security teams preparing for heavier patching cycles are adopting the combined approach to align patching effort with observed threat activity.
