EPSS CVE Risk Enricher

Enrich CVE lists with FIRST.org EPSS scores, percentiles, risk buckets, and optional history for vulnerability prioritization.

Developer: Stas Persiianenko

Maintained by Community


Enrich CVE IDs with FIRST.org EPSS exploit probability scores, percentiles, risk buckets, and optional score history.

Use this actor when you have vulnerability scanner exports, incident-response CVE lists, customer remediation backlogs, or scheduled patch-prioritization jobs that need exploit-likelihood context.

What does EPSS CVE Risk Enricher do?

EPSS CVE Risk Enricher takes a list of CVE identifiers and returns structured EPSS data from the public FIRST.org API.

It helps you answer questions like:

  • Which vulnerabilities in my backlog are most likely to be exploited?
  • Which CVEs should be patched before the next maintenance window?
  • Which scanner findings deserve manual analyst review first?
  • Did a CVE's exploit probability change since my last scheduled run?

Who is it for?

Security operations teams use this actor to triage vulnerability queues.

Managed security providers use it to enrich customer reports.

Security consultants use it to prioritize findings in assessment deliverables.

Product security teams use it to watch CVEs affecting their dependencies.

GRC and compliance teams use it to add evidence to remediation tracking spreadsheets.

Why use this actor?

FIRST.org EPSS scores are useful, but raw API calls are awkward inside repeatable Apify workflows.

This actor adds:

  • Clean dataset output
  • Input parsing for arrays and pasted text
  • Risk buckets for spreadsheet filters
  • Not-found and invalid rows for auditability
  • Optional time-series history
  • PPE charging designed for scheduled enrichment jobs

Data source

The actor uses the public FIRST.org EPSS API:

https://api.first.org/data/v1/epss

No login is required.

No API key is required.

No proxy is used by default.

How it works

  1. Paste or upload CVE IDs.
  2. The actor normalizes and deduplicates IDs.
  3. Invalid CVE IDs are emitted as invalid rows.
  4. Valid CVE IDs are batched against FIRST.org EPSS.
  5. Results are mapped into a structured Apify dataset.
  6. Each row includes a status, risk bucket, source URL, and fetch timestamp.

Output data

Field        Description
cve          CVE identifier.
epss         EPSS exploit probability score from 0 to 1.
percentile   EPSS percentile from 0 to 1.
date         Score date returned by FIRST.org.
riskBucket   critical, high, medium, low, or unknown.
status       found, not_found, invalid, error, or filtered_out.
message      Diagnostic text for non-standard rows.
history      Optional time-series points when enabled.
historyDays  Number of time-series points included.
sourceUrl    FIRST.org API URL used for the request.
fetchedAt    Timestamp when the row was fetched.

Example output

{
    "cve": "CVE-2023-34362",
    "epss": 0.99934,
    "percentile": 0.99968,
    "date": "2026-06-24",
    "riskBucket": "critical",
    "status": "found",
    "sourceUrl": "https://api.first.org/data/v1/epss?cve=CVE-2023-34362",
    "fetchedAt": "2026-06-25T00:00:00.000Z"
}

Input options

CVE IDs

Use cveIds when you already have structured data.

Example:

["CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094"]

Paste CVE IDs

Use cveText for quick copy-paste workflows.

The actor accepts newline, comma, semicolon, or whitespace separated values.

Date

Set date to retrieve EPSS scores for a historical date in YYYY-MM-DD format.

Leave it blank for the latest available FIRST.org score.

Minimum EPSS

Set minEpss to flag rows below a chosen probability threshold.

Rows below the threshold are kept with status: filtered_out so your audit trail remains complete.

Minimum percentile

Set minPercentile to flag lower-ranked CVEs.

This is useful when you want a small high-priority export.

Include history

Enable includeHistory to request FIRST.org time-series data.

This can increase row size, so keep it off for basic spreadsheet enrichment.

Maximum items

Use maxItems to cap processing after parsing and deduplication.

How much does it cost to enrich CVEs with EPSS scores?

The actor uses pay-per-event pricing.

You pay a small start charge per run plus a per-result charge for each output row.

Because the actor is HTTP-only and does not use proxies by default, compute cost is low for typical vulnerability enrichment jobs.

Prioritize scanner exports

Export CVE IDs from a scanner, paste them into cveText, and sort by epss or percentile in the dataset.

Monitor recurring CVE backlogs

Schedule the actor daily or weekly with the same CVE list.

Compare date, epss, and percentile over time.
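One way to do that comparison over two dataset exports, as an added example that is not part of the actor's code. The function name, the change labels, the min_delta default, and the sample rows are assumptions made for illustration; the rows follow the output fields described above.

```python
BUCKET_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SCORED = ("found", "filtered_out")  # statuses whose rows carry an epss value

def diff_runs(previous, current, min_delta=0.05):
    """Report CVEs that changed bucket, moved by >= min_delta, or got a first score."""
    before = {r["cve"]: r for r in previous if r["status"] in SCORED}
    changes = []
    for row in current:
        if row["status"] not in SCORED:
            continue
        old = before.get(row["cve"])
        if old is None:
            # Unscored last run (for example not_found); count the whole score as the change.
            change, delta = "newly_scored", row["epss"]
        else:
            delta = round(row["epss"] - old["epss"], 5)
            shift = BUCKET_RANK[row["riskBucket"]] - BUCKET_RANK[old["riskBucket"]]
            if shift:
                change = "escalated" if shift > 0 else "deescalated"
            elif abs(delta) >= min_delta:
                change = "moved"
            else:
                continue
        changes.append({"cve": row["cve"], "change": change, "delta": delta,
                        "bucket": row["riskBucket"]})
    # Largest increases first so rising exploit likelihood leads the report.
    return sorted(changes, key=lambda c: c["delta"], reverse=True)

# Constructed rows with placeholder CVE IDs and scores (not real EPSS data).
RUN_PREVIOUS = [
    {"cve": "CVE-2099-0001", "status": "not_found", "riskBucket": "unknown"},
    {"cve": "CVE-2099-0002", "status": "found", "epss": 0.12, "riskBucket": "medium"},
    {"cve": "CVE-2099-0003", "status": "found", "epss": 0.02, "riskBucket": "low"},
    {"cve": "CVE-2099-0004", "status": "found", "epss": 0.85, "riskBucket": "critical"},
]
RUN_CURRENT = [
    {"cve": "CVE-2099-0001", "status": "found", "epss": 0.03, "riskBucket": "low"},
    {"cve": "CVE-2099-0002", "status": "found", "epss": 0.45, "riskBucket": "high"},
    {"cve": "CVE-2099-0003", "status": "found", "epss": 0.021, "riskBucket": "low"},
    {"cve": "CVE-2099-0004", "status": "found", "epss": 0.70, "riskBucket": "high"},
]

if __name__ == "__main__":
    for change in diff_runs(RUN_PREVIOUS, RUN_CURRENT):
        print(change)
```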

Enrich customer reports

MSPs can enrich each customer's open CVE list before delivering weekly remediation reports.

Build alert thresholds

Use minEpss or minPercentile to separate urgent rows from lower-priority backlog items.

Risk bucket logic

The actor adds a convenience riskBucket field:

  • critical: EPSS >= 0.8 or percentile >= 0.95
  • high: EPSS >= 0.4 or percentile >= 0.85
  • medium: EPSS >= 0.1 or percentile >= 0.6
  • low: lower scored CVEs
  • unknown: no score available

These buckets are not a replacement for your risk model.

They are spreadsheet-friendly labels for triage.
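The parsing steps under "How it works" and the bucket thresholds above, sketched as an added example for checking or re-bucketing exported rows offline; it is not the actor's source code. The CVE pattern, upper-casing, function names, and sample data are assumptions, and only the minEpss filter is shown.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # assumed validity rule, not taken from the actor
# (bucket, EPSS floor, percentile floor) exactly as listed in the risk bucket logic.
BUCKETS = (("critical", 0.8, 0.95), ("high", 0.4, 0.85), ("medium", 0.1, 0.6))

def parse_cve_text(text):
    """Split on newline, comma, semicolon or whitespace; upper-case; dedupe in order."""
    valid, invalid = [], []
    for cve in dict.fromkeys(t.upper() for t in re.split(r"[\s,;]+", text) if t):
        (valid if CVE_RE.fullmatch(cve) else invalid).append(cve)
    return valid, invalid

def risk_bucket(epss, percentile):
    """Either condition is enough to reach a bucket; no score at all means unknown."""
    if epss is None:
        return "unknown"
    pct = 0.0 if percentile is None else percentile
    for name, epss_min, pct_min in BUCKETS:
        if epss >= epss_min or pct >= pct_min:
            return name
    return "low"

def enrich(text, api_data, min_epss=0.0):
    """Emit one row per unique input ID so invalid and unscored IDs stay visible."""
    valid, invalid = parse_cve_text(text)
    scores = {d["cve"]: d for d in api_data}
    rows = [{"cve": c, "status": "invalid", "riskBucket": "unknown"} for c in invalid]
    for cve in valid:
        hit = scores.get(cve)
        if hit is None:
            rows.append({"cve": cve, "status": "not_found", "riskBucket": "unknown"})
            continue
        # float() accepts numbers and numeric strings alike.
        epss, pct = float(hit["epss"]), float(hit["percentile"])
        status = "found" if epss >= min_epss else "filtered_out"
        rows.append({"cve": cve, "epss": epss, "percentile": pct,
                     "status": status, "riskBucket": risk_bucket(epss, pct)})
    return rows

# Constructed input and scores for illustration (not real FIRST.org values).
SAMPLE_TEXT = "cve-2023-34362, CVE-2021-44228;CVE-2021-44228\nCVE-2024-3094 CVE-20-1 CVE-2099-0001"
SAMPLE_API_DATA = [
    {"cve": "CVE-2023-34362", "epss": "0.95", "percentile": "0.99"},
    {"cve": "CVE-2021-44228", "epss": "0.30", "percentile": "0.90"},
    {"cve": "CVE-2024-3094", "epss": "0.05", "percentile": "0.40"},
]

if __name__ == "__main__":
    print(*enrich(SAMPLE_TEXT, SAMPLE_API_DATA, min_epss=0.1), sep="\n")
```

In the sample, the second CVE lands in high on percentile alone even though its EPSS is below 0.4, which is the effect of the "or" in each threshold.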

Integrations

Use this actor with:

  • Apify schedules for recurring CVE monitoring
  • Webhooks for high-priority vulnerability notifications
  • Google Sheets exports for remediation trackers
  • SIEM/SOAR workflows that ingest JSON or CSV
  • BI dashboards that join on cve
  • Vulnerability scanner exports from tools that include CVE IDs

API usage

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: process.env.APIFY_TOKEN });
const run = await client.actor('automation-lab/epss-cve-risk-enricher').call({
    cveIds: ['CVE-2023-34362', 'CVE-2021-44228'],
    maxItems: 100
});
console.log(run.defaultDatasetId);

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_APIFY_TOKEN')
run = client.actor('automation-lab/epss-cve-risk-enricher').call(run_input={
    'cveIds': ['CVE-2023-34362', 'CVE-2021-44228'],
    'maxItems': 100,
})
print(run['defaultDatasetId'])

cURL

curl -X POST 'https://api.apify.com/v2/acts/automation-lab~epss-cve-risk-enricher/runs?token=YOUR_APIFY_TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{"cveIds":["CVE-2023-34362","CVE-2021-44228"],"maxItems":100}'

MCP usage

Use this actor from Claude or other MCP-compatible clients through Apify MCP.

MCP URL:

https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher

Claude Code setup:

$ claude mcp add apify-epss-cve-risk-enricher "https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher"

Claude Desktop JSON configuration:

{
    "mcpServers": {
        "apify-epss-cve-risk-enricher": {
            "url": "https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher"
        }
    }
}

Example prompts:

  • Enrich these CVEs with EPSS scores and rank them by exploit likelihood.
  • Check whether any CVE in this list has EPSS above 0.8.
  • Compare today's EPSS scores with the historical date in this input.

Example run input

{
    "cveIds": ["CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094"],
    "includeHistory": false,
    "maxItems": 100
}

Tips for best results

Normalize scanner exports to CVE IDs before running.

Keep includeHistory disabled for simple CSV enrichment.

Use date for reproducible reports.

Keep invalid rows in your downstream checks; they often reveal scanner export formatting problems.

Use sourceUrl and fetchedAt when you need evidence for audit or compliance reviews.

Troubleshooting

Why did a CVE return not_found?

FIRST.org may not have an EPSS record for that CVE/date, or the CVE may be too new.

Try running again with the latest date or verify the CVE identifier.

Why is a row marked filtered_out?

The CVE was found, but it did not meet your minEpss or minPercentile threshold.

The row is preserved so scheduled jobs remain auditable.

Why is history missing?

History is only included when includeHistory is enabled and FIRST.org returns time-series data.

Legality and data rights

This actor uses a public API endpoint from FIRST.org.

You are responsible for using the data in compliance with FIRST.org terms and your organization's policies.

The actor does not bypass authentication, collect private data, or scrape logged-in pages.


Changelog

0.1

Initial private build.

Support

If the actor fails for a valid CVE list, include your run ID and input when opening an Apify issue.

FAQ

Does this actor use proxies?

No. The FIRST.org EPSS API is public and reachable over direct HTTP.

Can I submit thousands of CVEs?

Yes, within platform limits. Use maxItems to keep runs bounded.

Can I join results back to a scanner export?

Yes. Join on the cve field.

Does EPSS replace CVSS?

No. EPSS estimates exploit probability. CVSS estimates severity. Many teams use both.