## Why we built it
EPSS is an excellent score. We use it, we recommend it, and we are not in the business of replacing it. But every security team that lives on EPSS alone eventually gets surprised: CISA adds a CVE to the Known Exploited Vulnerabilities catalog and, looking back, EPSS was quiet on that one the whole time.
Those surprises are not a bug in EPSS. EPSS answers one question — how likely is this CVE to be exploited in the next 30 days? — and it answers it well. But "likely to be exploited" and "likely to be added to KEV" are not the same question, and a meaningful share of KEV additions never look exploitation-probable in the EPSS sense before they get listed.
We wanted to close that gap. Not with a bigger EPSS. With a second, independent opinion that disagrees on purpose.
## What it does
The score is called **KEV Prediction**. For every CVE we track that is at least a month old, we publish a probability — updated daily — that it will land in CISA KEV within the next six months.
It runs alongside EPSS, not on top of it. If EPSS gives a CVE 70% and KEV Prediction gives it 15%, we show you both. You decide what to do.
## What we found
We backtested against a year of real KEV additions — 82 CVEs CISA actually added to the catalog in the window. Given a fixed triage budget of the top 10% of CVEs, here is who caught what:
- EPSS alone: **23 of 82** (28%).
- KEV Prediction alone: **35 of 82** (43%).
- The two of them together: **44 of 82** (54%).
- Genuinely unpredictable from pre-listing signals: **38 of 82** (46%).
For reference, a random top-10% sample would have caught about 8.
The two scores overlap, but not much. That is the whole point. They agree on the obvious cases and disagree on the interesting ones, which means running them side by side uncovers signal that either one alone would miss.
The sharpest win is in the corner where EPSS is below 5%. That is exactly where an EPSS-only workflow will hand you nothing — and it is where KEV Prediction produced almost all of its exclusive catches.
## What we will not claim
We will not tell you KEV Prediction replaces EPSS. It does not.
We will not tell you it predicts exploitation. It predicts a specific administrative event — inclusion in CISA KEV — which is a strong, but not identical, proxy for real-world exploitation.
We will not tell you every CVE with a high KEV Prediction probability will be listed. About 46% of the CVEs CISA actually listed this year gave off no warning any honest model could have read in advance. A score that claims otherwise is lying.
## Where to see it
You already have it. No feature flag, no extra cost.
- **Analytics** — the EPSS vs KEV Prediction scatter shows the backtest, with stat cards that match the numbers above.
- **CVE detail** — each CVE now shows EPSS and KEV Prediction side by side on a 30-day evolution chart.
- **Main page filters** — two sliders let you cut by EPSS percentile and KEV Prediction percentile, independently or together.
- **Prioritization guide** — KEV Prediction is now a first-class signal in our recommended workflow, right after "is it already in KEV today."
## The bottom line
You did not buy CSURFACE for one score. You bought it for a perspective. KEV Prediction is that perspective, applied to the hardest question in vulnerability management: which of the quiet CVEs is about to get loud?
We think most platforms do not answer it honestly. We would rather answer it honestly than answer it confidently.
— CSURFACE
CSURFACE