We’ve all been trained to fixate on the number. Whether it’s a CVSS score of 9.8 or an EPSS probability of 0.73429, security teams are under pressure to rank, triage, and patch based on single metrics. But in Episode 18 of runZero Hour, a conversation with EPSS co-creator Jay Jacobs revealed something that might change how you think about vulnerability risk entirely.
The number itself isn’t always the most important signal. Instead, it’s the change in that number — the volatility — that may hold more predictive power. As runZero’s Tod Beardsley explained in this episode, a sudden spike in an EPSS score might be your first sign of something bigger brewing. “I think the deltas are more interesting than the final number,” he said. “That tells me something just happened to make this much more likely to be exploited.”
This is more than a theoretical observation. EPSS is updated daily using machine learning models fed by real-world exploitation signals — things like IDS/IPS detections from live enterprise networks, newly published Metasploit modules, pull requests on exploit repositories, and dark web chatter. That means it doesn’t just reflect potential severity, like CVSS, it also reflects how “attacky,” as Tod put it, the Internet feels today.
Volatility can serve as a kind of early-warning system. If a vulnerability’s EPSS score jumps 50+ points overnight, it may be time to take a closer look — even if its CVSS score is a sleepy 7.2. And unlike CVSS, which has seen score inflation and subjective disagreement between vendors, EPSS is grounded in observed behavior, not guesswork.
Check out the on-demand recording of this special runZero hour to learn:
- How to operationalize volatility as a signal in your vulnerability management program
- Why CVSS scores aren’t the empirical truth they pretend to be
- A candid breakdown of what EPSS and SSVC get right — and where they still fall short
And check out our latest report, Divining Risk: Deciphering Signals From Vulnerability Scores the strengths and weaknesses of all modern scoring systems.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.