Use EPSS and GCVE With CVSS to Reduce Patch Backlog
Cisco Talos urged security teams to use EPSS probabilities and decentralized GCVE enrichment with CVSS scores to prioritize patches and reduce patch backlogs.
Cisco Talos recommended that security teams combine EPSS probabilities and Global CVE (GCVE) enrichment with Common Vulnerability Scoring System (CVSS) severity scores to set patch priorities, according to the Talos Threat Source newsletter published May 28, 2026.
CVSS uses a 0.0–10.0 scale to describe potential technical impact. EPSS provides a 0.0–1.0 probability that a given CVE will be exploited in the next 30 days and is updated frequently. Talos noted the two measures answer different questions: CVSS measures how bad exploitation could be, while EPSS measures how likely exploitation is in the near term.
Talos wrote that relying only on CVSS can direct effort to high-severity flaws that are unlikely to be exploited, while mid-severity flaws with high EPSS may present greater near-term risk. The newsletter described vulnerabilities with high CVSS and high EPSS as ‘drop everything’ priorities and suggested high-severity issues with very low EPSS can be deferred behind mid-severity flaws showing strong exploitation probability.
Talos also recommended expanding exploitation evidence beyond centralized catalogs. The advisory described the U.S. CISA Known Exploited Vulnerabilities (KEV) list as conservative and weighted toward federal visibility. Talos wrote that GCVE is a decentralized enrichment model that lets multiple sources attach exploit indicators, references and product mappings to the same CVE identifier. Talos added that GCVE typically delivers faster enrichment and a broader set of exploitation signals than the national vulnerability database pipeline, which has experienced backlog.
Talos stated that combining EPSS and GCVE with CVSS will not eliminate incoming patch volume but will change which fixes receive immediate, out-of-cycle attention and which follow normal update schedules.
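The triage logic described above, as an added illustration that is not Talos's code: each CVE record carries a CVSS score, an EPSS probability and a list of exploitation-evidence sources (such as a KEV entry or a GCVE enrichment), and a tiering function ranks the patch queue so that high-CVSS/high-EPSS items come first and high-CVSS/very-low-EPSS items fall behind mid-severity flaws with strong exploitation signals. The numeric thresholds, the tier names and the sample CVE identifiers are assumptions chosen for the example; the newsletter gives none.

```python
# Added example (not from Talos): tier CVEs by CVSS severity, EPSS probability
# and exploitation evidence, then order a patch queue by that tier.
# All thresholds below are assumed for illustration; the article gives none.
from dataclasses import dataclass, field

@dataclass
class VulnRecord:
    cve: str
    cvss: float                                   # CVSS base score, 0.0-10.0
    epss: float                                   # EPSS 30-day exploitation probability, 0.0-1.0
    evidence: list = field(default_factory=list)  # sources asserting exploitation (e.g. KEV, GCVE)

EPSS_HIGH = 0.50      # assumed: "strong exploitation probability"
EPSS_VERY_LOW = 0.01  # assumed: "very low EPSS"
CVSS_HIGH = 7.0       # assumed: high severity
CVSS_MID = 4.0        # assumed: mid severity

def tier(v: VulnRecord) -> str:
    """Map one record to a triage tier; tier names sort in priority order."""
    exploited = bool(v.evidence) or v.epss >= EPSS_HIGH
    if v.cvss >= CVSS_HIGH and exploited:
        return "P0-drop-everything"           # high severity and likely/known exploited
    if v.cvss >= CVSS_MID and exploited:
        return "P1-out-of-cycle"              # mid severity but strong exploitation signal
    if v.cvss >= CVSS_HIGH and v.epss <= EPSS_VERY_LOW:
        return "P3-deferred"                  # severe on paper, unlikely to be exploited soon
    return "P2-normal-cycle"                  # everything else follows the normal schedule

def prioritize(records):
    """Order records by tier, then by EPSS and CVSS descending within a tier."""
    return sorted(records, key=lambda v: (tier(v), -v.epss, -v.cvss))

# Constructed sample data; the CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE = [
    VulnRecord("CVE-0000-0001", cvss=9.8, epss=0.004),                                # critical, unlikely
    VulnRecord("CVE-0000-0002", cvss=6.5, epss=0.91, evidence=["gcve:example-src"]),  # mid, exploited
    VulnRecord("CVE-0000-0003", cvss=9.1, epss=0.72, evidence=["kev"]),               # critical, exploited
    VulnRecord("CVE-0000-0004", cvss=5.3, epss=0.08),                                 # mid, unlikely
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{tier(v):20} {v.cve} cvss={v.cvss} epss={v.epss:.3f} evidence={v.evidence}")
```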
Talos published EvidenceForge, an open-source tool that generates correlated synthetic security logs. The tool uses a single canonical event model and AI-assisted scenario authoring to produce coherent sequences across more than 20 log formats, including realistic background noise and decoy events. Talos wrote that defenders can use EvidenceForge to build synchronized datasets for SOC analyst training, SIEM stress testing and detection validation before deploying changes in production; the repository and documentation are available on GitHub.
Talos noted that CVSS has been the default for more than a decade but measures only potential impact. EPSS adds short-term likelihood and GCVE provides decentralized, timely enrichment; used together they supply severity, probability and broader exploitation evidence to inform triage.