What is EPSS, and how does it improve on raw CVSS? [Intermediate]
Answer
EPSS is the Exploit Prediction Scoring System. It estimates the probability that a CVE will be exploited in the wild in the near future. It improves prioritization because it adds likelihood-of-exploitation signals instead of relying only on theoretical severity.
Technical explanation
CVSS describes severity if exploited; EPSS helps estimate how likely exploitation is.
EPSS is useful for prioritizing large vulnerability backlogs where teams cannot patch everything immediately.
It should be combined with asset exposure and business impact: a flaw that is likely to be exploited on a low-value, isolated asset may still rank below one on a sensitive, internet-exposed system.
Hands-on example
Example: define a vulnerability prioritization rule: treat a finding as an emergency if KEV=true, or if EPSS is above 0.7 and internet_exposed=true, or if CVSS is critical and sensitive_data=true. Otherwise assign standard SLAs based on contextual risk.
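The rule above implemented over a small backlog, as an added example rather than code from the original answer. The findings are constructed sample records (not real CVE data), "CVSS critical" is assumed to mean a base score of 9.0 or higher, and the standard SLA tiers (14, 30, 90 days) are assumed values for illustration.

```python
from dataclasses import dataclass

# Thresholds from the page's rule; the CVSS critical cut-off is an assumption (v3 scale).
EPSS_EMERGENCY = 0.7
CVSS_CRITICAL = 9.0


@dataclass
class Finding:
    cve: str               # identifier; sample values below are constructed, not real
    cvss: float            # CVSS base score, 0.0-10.0 (severity if exploited)
    epss: float            # EPSS probability, 0.0-1.0 (likelihood of exploitation)
    kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalogue
    internet_exposed: bool
    sensitive_data: bool


def is_emergency(f: Finding) -> bool:
    """Emergency if KEV, or high EPSS on an exposed asset, or critical CVSS on a sensitive one."""
    return (
        f.kev
        or (f.epss > EPSS_EMERGENCY and f.internet_exposed)
        or (f.cvss >= CVSS_CRITICAL and f.sensitive_data)
    )


def standard_sla_days(f: Finding) -> int:
    """Hypothetical contextual SLA tiers for non-emergency findings (assumed values)."""
    exposed_or_sensitive = f.internet_exposed or f.sensitive_data
    if f.epss >= 0.3 or (f.cvss >= 7.0 and exposed_or_sensitive):
        return 14
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return 30
    return 90


def triage(f: Finding) -> tuple[str, int]:
    """Return (tier, remediation deadline in days) for one finding."""
    if is_emergency(f):
        return ("emergency", 1)
    return ("standard", standard_sla_days(f))


def triage_backlog(findings: list[Finding]) -> list[tuple[str, str, int]]:
    """Order a backlog by deadline, then by EPSS descending, so likely exploitation is patched first."""
    rows = [(f.cve, *triage(f)) for f in findings]
    epss_by_cve = {f.cve: f.epss for f in findings}
    return sorted(rows, key=lambda r: (r[2], -epss_by_cve[r[0]]))
```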