hackuity.io

EPSS v5 Is Here.
TRS Just Got Sharper.

Author
Wilfrid BLANC and Pierre PAVLIDES

On June 15, 2026, EPSS v5 goes live. For the Exploit Prediction Scoring System, it's an important update in its history: a 23% improvement in the model's ability to correctly surface the vulnerabilities that are actually likely to be exploited.

If you're a Hackuity user, you don't have to do a thing. Your True Risk Scores will reflect the new model automatically. But understanding what changed, and why it matters, will help you read your prioritization queues with fresh eyes.


What EPSS is, in plain language

EPSS assigns every published CVE a probability, between 0 and 1, of being exploited in the wild within the next 30 days. It's updated daily. It's maintained by FIRST and Empirical Security.

Two important things EPSS is not: it's not a severity score (that's CVSS), and it's not a record of confirmed exploitation (that's the CISA Known Exploited Vulnerabilities catalog). EPSS is purely predictive: "given everything we know today, how likely is this vulnerability to be exploited in the next month?"

That distinction matters. We'll come back to it.


What v5 actually changed

Under the hood, v5 brings three improvements: better model optimization and ranking techniques, a smarter exploit-code intelligence classifier that does a better job detecting repositories and artifacts signaling elevated risk, and most importantly, refined probability calibration.

That last one is the heart of the story.

Less polarized, more precise

Here's what the data says, measured across 334,567 CVEs scored in both v4 and v5.

The median nearly triples while the mean falls. That combination is the statistical signature of better calibration. v5 is doing two things at once.

First, it lifts the massive floor of near-zero scores. In v4, 77% of all scored CVEs had an EPSS below 0.01. In v5, that drops to 58%. Low-risk CVEs still rank low, but now they get small but meaningful gradations instead of a flat near-zero. That's more information, not less.

Second, it deflates over-inflated high scores. The share of CVEs scoring above 0.50 drops 41%, from 7,165 CVEs to 4,232. CVEs scoring above 0.75 are halved, from 3,715 to 1,893.

v4 was calling too many things "highly likely to be exploited." v5 is more disciplined about that label. For security teams drowning in prioritization pressure, fewer false alarms at the top of the list is a genuine operational improvement.

The re-ordering is real

v5 is a refinement, not a reset. The overall ordering of CVEs is strongly preserved. But within that refinement, the movement is significant where it counts. If you were running a "top 5% EPSS" remediation filter, nearly a third of those CVEs look different today.

Some shifts are dramatic. CVE-2020-11022, a widely-known jQuery vulnerability, jumps from an EPSS of 0.025 to 0.99. v5 also introduces a confident near-certainty tier that v4 never used. 502 CVEs now sit in that zone. Those are the ones the model is most confident about.

The flip side is equally striking. Several CVEs that scored above 0.93 in v4 now land below 0.06. CVE-2024-6911 drops from 0.93 to 0.05. CVE-2024-36412 from 0.94 to 0.06. These weren't minor corrections.

What this means inside Hackuity's TRS

Here's where it gets concrete.

Hackuity's True Risk Score is calculated as:
TRS = Vulnerability Score x Threat Score x Asset Score

Each sub-score normalizes to a 0-10 range, giving a final score from 0 to 1000. EPSS is one of four factors that feed the Threat Score, alongside Exploitability, Exploit Maturity, and Threat Intensity.

In TRS, EPSS doesn't flow in as a raw decimal. It gets translated into one of four risk levels (from "Very Unlikely" to "Very Likely"), each carrying a very different weight in the formula.

In total, 11,560 CVEs change risk level between v4 and v5, or 3.46% of all scored CVEs. For every one CVE that moves into a higher-risk level, four move into a lower one. Net de-escalation, with sharper signal at the top.
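The calibration statistics quoted above (median, mean, share below 0.01, counts above 0.50 and 0.75) and the risk-level transition count can be reproduced from two EPSS snapshots with a short script. The following is an added example, not Hackuity's or FIRST's code: the CVE values are constructed, and the four level cut-offs in LEVEL_BOUNDS are assumed placeholders, since the article does not publish the real ones.

```python
from statistics import mean, median

# Constructed sample, CVE -> (v4 score, v5 score). Illustrative values only;
# a real run would load the two daily CSV snapshots from the epss_scores repo.
SAMPLE = {
    "CVE-X-0001": (0.004, 0.012), "CVE-X-0002": (0.003, 0.007),
    "CVE-X-0003": (0.008, 0.020), "CVE-X-0004": (0.002, 0.002),
    "CVE-X-0005": (0.005, 0.015), "CVE-X-0006": (0.009, 0.030),
    "CVE-X-0007": (0.025, 0.990),  # near-zero to near-certain jump
    "CVE-X-0008": (0.930, 0.050),  # large downward correction
    "CVE-X-0009": (0.940, 0.060), "CVE-X-0010": (0.600, 0.400),
    "CVE-X-0011": (0.120, 0.910), "CVE-X-0012": (0.800, 0.700),
}

# Assumed lower bounds for the four TRS risk levels ("Very Unlikely" ..
# "Very Likely"). The article does not publish Hackuity's real cut-offs.
LEVEL_BOUNDS = [0.00, 0.10, 0.40, 0.80]

def risk_level(score):
    """Ordinal level 0..3 of an EPSS probability under LEVEL_BOUNDS."""
    return max(i for i, lo in enumerate(LEVEL_BOUNDS) if score >= lo)

def calibration_stats(scores):
    """Median, mean and tail counts the article uses to describe calibration."""
    return {
        "median": median(scores),
        "mean": mean(scores),
        "share_below_0.01": sum(s < 0.01 for s in scores) / len(scores),
        "count_above_0.50": sum(s > 0.50 for s in scores),
        "count_above_0.75": sum(s > 0.75 for s in scores),
    }

def level_transitions(pairs):
    """Count CVEs whose risk level rises, falls or stays between snapshots."""
    moves = {"up": 0, "down": 0, "same": 0}
    for old, new in pairs.values():
        a, b = risk_level(old), risk_level(new)
        moves["up" if b > a else "down" if b < a else "same"] += 1
    return moves

def compare(pairs):
    """Stats for each snapshot plus the level transitions between them."""
    old = [a for a, _ in pairs.values()]
    new = [b for _, b in pairs.values()]
    return {"old": calibration_stats(old), "new": calibration_stats(new),
            "transitions": level_transitions(pairs)}

if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(key, value)
```

On the constructed sample the median rises while the mean falls and more CVEs move down a level than up, the same shape the article reports for the full matched set.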

To make this tangible: take a high-severity finding (CVSS 7.5) with a confirmed PoC exploit and medium threat intensity. If that finding's EPSS moves up a risk level, its position in your remediation queue shifts visibly. That update happens automatically, without any action on your part.

One nuance worth naming: EPSS and CISA KEV

Of the 1,602 CISA KEV CVEs in the dataset, 466 change risk level in v5. Some move up, which is reassuring: CVE-2020-8243 climbs from 0.12 to 0.91. But others move down, which might look confusing at first.

This is worth addressing directly. A lower EPSS score does not mean "safe to ignore." EPSS predicts future 30-day exploitation probability. CISA KEV records confirmed past exploitation. They measure different things.

In Hackuity's TRS, these signals are handled separately. Confirmed exploitation and exploit maturity are captured by the Exploitability and Exploit Maturity factors, independently from EPSS. Even if a KEV CVE's EPSS score drops, those other factors keep its TRS elevated. No single model's miss can blindside you. That's precisely the point of combining multiple independent signals into one score.

What you need to do: nothing

EPSS v5 goes live on June 15. For Hackuity customers, the update is automatic. EPSS feeds directly into TRS, so your risk scores will reflect the improved predictions from day one, with no configuration, no migration, no manual work.

Some findings will rise in your queue. More will fall. All of them will reflect a model that is 23% better at predicting what's actually going to get exploited in the real world.

Better predictions lead to better prioritization. Better prioritization leads to better risk reduction. That's why EPSS v5 matters, and why integrating it automatically into TRS is the only sensible approach.

EPSS v5-beta data sourced from Empirical Security's epss_scores GitHub repository and compared across 334,567 CVEs scored in both model versions (dataset snapshot: May 22nd, 2026). All statistics in this article refer to this matched set unless otherwise noted.