Severity scores describe potential harm, but KEV and EPSS show how likely a vulnerability is to be used in the wild. That distinction helps teams separate theoretical exposure from active threat. For Microsoft environments, it means remediation can be aligned to real attacker pressure instead of generic scoring.
Why This Matters for Security Teams
Severity scores are useful for triage, but they do not tell security teams which flaws are being actively exploited or which ones are most likely to become urgent in a real environment. CISA’s Known Exploited Vulnerabilities catalog and epss both shift the question from “how bad could this be?” to “how likely is this to matter now?” That distinction is critical when patch windows are limited and attack paths are already being operationalised.
For Microsoft-heavy estates, the practical risk is overcommitting to high-CVSS items while missing vulnerabilities that are already attracting attacker attention. CISA cyber threat advisories provide the exploitation signal that severity alone cannot, and the Ultimate Guide to NHIs shows why this matters when compromised identities and secrets can turn a modest flaw into a much larger incident. In practice, many security teams encounter exploit-driven compromise only after attackers have already chained exposure, rather than through intentional prioritisation.
How It Works in Practice
KEV and EPSS work best as complementary inputs. KEV is a curated signal that a vulnerability has been observed in active exploitation, so it deserves immediate attention regardless of severity score. EPSS is a probabilistic model that estimates the chance a vulnerability will be exploited over a short horizon, helping teams rank large patch queues more intelligently. Together, they give defenders a way to separate “important on paper” from “dangerous in practice.”
Operationally, current guidance suggests using CVSS as one factor, not the decision engine. A sensible workflow is to:
- treat KEV-listed issues as urgent remediation candidates, even if the CVSS score is moderate
- use EPSS to sort non-KEV vulnerabilities by likelihood of exploitation
- overlay asset criticality, internet exposure, and identity impact before assigning fix order
- prioritise systems that expose secrets, service accounts, or automation paths, as described in the Ultimate Guide to NHIs
This matters because exploitation pressure is contextual. A low-scoring flaw on a domain controller, CI/CD runner, or internet-facing workload can become a faster path to compromise than a higher-scoring but isolated issue. CISA cyber threat advisories help confirm whether the vulnerability is already in adversary toolchains, while EPSS helps forecast what is likely to move next. Security operations teams should feed both into vulnerability management, exposure management, and patch orchestration, then validate the outcome against what is actually reachable from attacker-controlled paths. These controls tend to break down in large hybrid estates with poor asset inventory because likelihood scoring cannot compensate for unknown exposure.
Common Variations and Edge Cases
Tighter exploitation-based prioritisation often increases operational overhead, requiring organisations to balance faster remediation against patch fatigue and business disruption. That tradeoff is real, especially when KEV or EPSS surfaces large volumes of findings at once.
KEV and EPSS are not perfect substitutes for human judgment. Best practice is evolving around how to combine them with business context, and there is no universal standard for this yet. Some organisations give KEV absolute priority. Others use EPSS thresholds to create “fast lane” queues for likely exploitation while reserving emergency handling for confirmed active threats. The right balance depends on staffing, change windows, and how quickly a team can validate compensating controls.
One important edge case is patchable vs non-patchable exposure. If a vulnerability sits behind strong segmentation, compensating controls may reduce urgency, but they do not eliminate risk when identities, tokens, or automation credentials are already present. That is why NHI-focused hygiene matters alongside vulnerability work. NHIMG’s research shows how quickly credential exposure can outpace remediation, and that context often makes KEV-driven prioritisation more valuable than severity alone. For teams needing an external benchmark, CISA cyber threat advisories remain the clearest public signal for active exploitation, while EPSS helps handle the long tail of unconfirmed but likely threats.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.RA-01 | Risk identification should use exploitation likelihood, not severity alone. |
| NIST CSF 2.0 | RS.RP-01 | KEV-driven urgency supports response and remediation planning. |
| NIST AI RMF | MAP | EPSS-like probabilistic signals require contextual risk mapping. |
Map vulnerability likelihood to asset impact before setting remediation priority.