May 9, 2022

EPSS for Better Vulnerability Management OSINT Strategy

EPSS is a measure of exploitability. Specifically, EPSS estimates the probability of observing any exploitation attempts against a vulnerability in the next 30 days.

This is accomplished by observing and recording exploitation attempts against vulnerabilities and then collecting as much information as possible about each vulnerability.

EPSS is best used when there is no other evidence of active exploitation. When evidence or other intelligence is available about exploitation activity, that should supersede the EPSS estimate.

EPSS does not account for any specific environmental or compensating controls, and it does not make any attempt to estimate the impact of a vulnerability being exploited. EPSS should not be treated as a complete picture of risk, but it can be used as one of the inputs into risk analyses.

In vulnerability management, EPSS is treated as "pre-threat intel." If an organization has any intel source indicating that something is being exploited (via its own telemetry sensors or OSINT), then it should use that as an indication of activity in the wild. For those without any evidence of exploitation, or that lack threat intel, EPSS is a great fit.

Thus, EPSS can be used for a better vulnerability management OSINT strategy and prioritization.
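The prioritization rule described above, as an added example that is not part of the original post: observed exploitation (own telemetry or OSINT) supersedes the EPSS estimate, and EPSS ranks only what is left. The `Finding` fields, the tier names, the 0.1 threshold, the placeholder CVE identifiers and the sample scores are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                  # placeholder identifier (constructed)
    epss: float               # EPSS probability, 0..1, of exploitation attempts in the next 30 days
    exploited_evidence: bool  # True when own telemetry or OSINT reports exploitation

# Lower number = remediate sooner. Tier names are hypothetical.
TIER_ORDER = {"observed-exploitation": 0, "epss-likely": 1, "epss-unlikely": 2}

def tier(finding, epss_threshold):
    # Evidence of exploitation supersedes the EPSS estimate entirely.
    if finding.exploited_evidence:
        return "observed-exploitation"
    # With no evidence, EPSS acts as "pre-threat intel".
    return "epss-likely" if finding.epss >= epss_threshold else "epss-unlikely"

def prioritize(findings, epss_threshold=0.1):
    """Return (cve, tier) pairs in remediation order.

    The threshold is an assumed cut-off, not a recommended value. EPSS says
    nothing about impact or compensating controls, so the result is one
    input to a risk analysis, not a final risk ranking.
    """
    for f in findings:
        if not 0.0 <= f.epss <= 1.0:
            raise ValueError(f"{f.cve}: EPSS must be a probability, got {f.epss}")
    ranked = sorted(
        findings,
        # EPSS is the primary key only inside the two EPSS tiers; inside the
        # evidence tier it is just a tie-breaker.
        key=lambda f: (TIER_ORDER[tier(f, epss_threshold)], -f.epss),
    )
    return [(f.cve, tier(f, epss_threshold)) for f in ranked]

# Constructed sample data.
SAMPLE = [
    Finding("CVE-XXXX-0001", 0.92, False),
    Finding("CVE-XXXX-0002", 0.02, True),   # low EPSS, but exploitation was observed
    Finding("CVE-XXXX-0003", 0.004, False),
    Finding("CVE-XXXX-0004", 0.35, True),
]

if __name__ == "__main__":
    for cve, label in prioritize(SAMPLE):
        print(f"{label:22} {cve}")
```

Note that the finding with a 0.02 score still outranks the one at 0.92, because exploitation of it was actually observed.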


Links: