# EPSS Exploit Prediction Scraper — CVE Risk Scores (`compute-edge/epss-exploit-prediction-scraper`) Actor Extract EPSS (Exploit Prediction Scoring System) scores from FIRST.org for any CVE. Filter by score threshold, CVE list, or historical date. Includes risk tier classification and NVD links for vulnerability prioritization. - **URL**: https://apify.com/compute-edge/epss-exploit-prediction-scraper.md - **Developed by:** [Compute Edge](https://apify.com/compute-edge) (community) - **Categories:** Lead generation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing from $3.00 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README **EPSS Exploit Prediction Scraper** extracts real-time and historical Exploit Prediction Scoring System (EPSS) data from the [FIRST.org EPSS API](https://www.first.org/epss/). For every CVE in the database, it delivers an exploit probability score, a percentile ranking, a risk tier classification, and a direct link to the NVD vulnerability detail page — all structured and ready for vulnerability management pipelines, SIEM enrichment, or security dashboards. ### What is EPSS? The **Exploit Prediction Scoring System (EPSS)** is an open, data-driven model developed by FIRST (Forum of Incident Response and Security Teams) that estimates the probability a given CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which scores severity based on technical characteristics, EPSS measures **likelihood of exploitation** based on threat intelligence signals, making it far more actionable for security teams with limited patching capacity. **Who uses EPSS data?** - **Vulnerability management teams** use EPSS to prioritize patching queues — fixing a CVE with a 60% exploit probability before a CVE with a 0.01% probability, regardless of CVSS score. - **SOC analysts** use EPSS to triage incoming vulnerability alerts and focus detection resources where active exploitation is most likely. - **Red teams** identify high-value CVEs for penetration testing simulations. - **Threat intelligence platforms** ingest EPSS to enrich vulnerability feeds with predictive exploit likelihood scores. - **DevSecOps pipelines** auto-block or flag CVEs above a defined EPSS threshold during CI/CD scans. **EPSS vs CVSS:** A CVE can have a CVSS score of 9.8 (Critical severity) but an EPSS score of 0.001 (virtually never exploited). EPSS closes this gap — studies have shown that pairing EPSS filtering with CVSS scoring reduces the number of vulnerabilities requiring immediate remediation by up to 87% while catching the same number of exploited CVEs. **Historical snapshots:** EPSS scores update daily. This scraper supports fetching scores as of any historical date, enabling trend analysis and compliance reporting against a fixed date baseline. **Scale:** The EPSS database covers over 200,000 CVEs published since 1999, updated every 24 hours with new threat intelligence signals from FIRST's global network of incident response teams. ### Output Data Fields | Field | Type | Description | |-------|------|-------------| | `cve` | string | CVE identifier (e.g. `CVE-2021-44228`) | | `epssScore` | float | Raw EPSS score, 0–1 (probability of exploitation in 30 days) | | `epssPercentile` | float | Percentile rank as a decimal, 0–1 | | `epssPercentageDisplay` | string | EPSS score formatted as a percentage (e.g. `2.35%`) | | `percentileRank` | string | Percentile rank formatted as a percentage (e.g. `97.40%`) | | `riskTier` | string | `Critical` (≥0.5), `High` (≥0.1), `Medium` (≥0.01), or `Low` | | `scoreDate` | string | Date of the EPSS score snapshot (YYYY-MM-DD) | | `nvdUrl` | string | Direct NVD vulnerability detail URL | ### How to scrape EPSS exploit prediction scores Follow these steps to extract EPSS data using the Apify platform: 1. **Open the Actor** in the Apify Console and click **Try for free**. 2. In the **Input** tab, leave all fields at their defaults to fetch the top 1,000 CVEs sorted by highest exploit probability. 3. To narrow results, enter CVE IDs in the **CVE Filter** field (comma-separated, e.g. `CVE-2021-44228,CVE-2023-23397`). 4. Set a **Minimum EPSS Score** (e.g. `0.1`) to only return CVEs with at least a 10% exploit probability. 5. To pull a historical snapshot, enter a date in **Score Date** (e.g. `2025-01-01`). 6. Adjust **Max Results** if you need a bulk export (up to 50,000 records per run). 7. Click **Start** and wait for the run to complete (typically under 60 seconds for 1,000 records). 8. In the **Dataset** tab, export your results as JSON, CSV, or XLSX. ### Input example ```json { "cveFilter": "CVE-2021-44228,CVE-2023-23397", "minEpssScore": 0, "scoreDate": "", "order": "!epss", "maxResults": 1000 } ```` To fetch the top 500 CVEs with at least a 10% exploit probability: ```json { "cveFilter": "", "minEpssScore": 0.1, "scoreDate": "", "order": "!epss", "maxResults": 500 } ``` ### Output example ```json { "cve": "CVE-2021-44228", "epssScore": 0.97565, "epssPercentile": 0.99986, "epssPercentageDisplay": "97.57%", "percentileRank": "99.99%", "riskTier": "Critical", "scoreDate": "2026-06-27", "nvdUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" } ``` ### FAQ **What is the EPSS score range?** EPSS scores range from 0 to 1, representing the probability (0% to 100%) that a CVE will be exploited in the wild within the next 30 days. A score of 0.97 means a 97% predicted exploitation probability. Scores at or above 0.5 are classified as Critical by this scraper. **How often does EPSS data update?** FIRST.org updates EPSS scores daily. Running this Actor with no `scoreDate` filter always returns the most recent scores. Use the `scoreDate` input to retrieve historical snapshots for trend analysis or compliance reporting. **Can I use EPSS scores in my CI/CD pipeline?** Yes. Export results as JSON via the Apify API and consume them in your pipeline. A common pattern is to fetch CVEs with `minEpssScore=0.1` and block any dependency with a matching CVE from being deployed. Combine with the CISA KEV Scraper for a two-layer filter: block known-exploited CVEs (KEV) and flag high-probability CVEs (EPSS ≥ 0.1). **Is EPSS a replacement for CVSS?** No — EPSS and CVSS are complementary. CVSS measures severity (impact if exploited); EPSS measures likelihood (probability of being exploited). The most effective prioritization strategy combines both: patch CVEs that score high on both CVSS (severity ≥ 7.0) and EPSS (probability ≥ 0.1) first. ### Other Actors - **[CISA KEV Scraper](https://apify.com/seatsignal/cisa-kev-scraper)** — Extract the full CISA Known Exploited Vulnerabilities catalog with vendor filters, remediation due dates, and ransomware flags. Pair with EPSS data for confirmed + predicted exploit coverage. - **[NIST NVD Scraper](https://apify.com/seatsignal/nist-nvd-scraper)** — Scrape the National Vulnerability Database for CVSS scores, CWE classifications, and CPE affected product lists. Combine with EPSS for comprehensive CVE enrichment. ### Legal disclaimer This Actor accesses the publicly available FIRST.org EPSS API, which provides open data for security research and vulnerability management purposes. Use of this data is subject to [FIRST.org's terms of service](https://www.first.org/epss/). This Actor is not affiliated with or endorsed by FIRST.org. All CVE data originates from public vulnerability databases. Users are responsible for ensuring their use of the extracted data complies with applicable laws and organizational policies. For support, contact the publisher via the Apify Store. # Actor input Schema ## `cveFilter` (type: `string`): Comma-separated list of CVE IDs to look up. Example: 'CVE-2021-44228,CVE-2023-23397'. Leave blank to fetch the top-scoring CVEs across all records. ## `minEpssScore` (type: `number`): Only return CVEs with an EPSS score greater than this value (0–1). Example: 0.5 returns only CVEs with a 50%+ exploit probability. Default 0 returns all. ## `scoreDate` (type: `string`): Retrieve historical EPSS scores as of a specific date (YYYY-MM-DD format). Leave blank to get the latest scores. Example: '2025-01-01'. ## `order` (type: `string`): Sort order for results. '!epss' = highest EPSS score first (default). 'epss' = lowest first. '!percentile' = highest percentile first. 'percentile' = lowest percentile first. ## `maxResults` (type: `integer`): Maximum number of CVE records to return. Increase for bulk exports. Default is 1000. ## Actor input object example ```json { "cveFilter": "", "minEpssScore": 0, "scoreDate": "", "order": "!epss", "maxResults": 1000 } ``` # Actor output Schema ## `dataset` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "order": "!epss", "maxResults": 1000 }; // Run the Actor and wait for it to finish const run = await client.actor("compute-edge/epss-exploit-prediction-scraper").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "order": "!epss", "maxResults": 1000, } # Run the Actor and wait for it to finish run = client.actor("compute-edge/epss-exploit-prediction-scraper").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "order": "!epss", "maxResults": 1000 }' | apify call compute-edge/epss-exploit-prediction-scraper --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=compute-edge/epss-exploit-prediction-scraper", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "EPSS Exploit Prediction Scraper — CVE Risk Scores", "description": "Extract EPSS (Exploit Prediction Scoring System) scores from FIRST.org for any CVE. Filter by score threshold, CVE list, or historical date. Includes risk tier classification and NVD links for vulnerability prioritization.", "version": "0.1", "x-build-id": "OXKNfvgF8k1xG0bvK" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/compute-edge~epss-exploit-prediction-scraper/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-compute-edge-epss-exploit-prediction-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/compute-edge~epss-exploit-prediction-scraper/runs": { "post": { "operationId": "runs-sync-compute-edge-epss-exploit-prediction-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/compute-edge~epss-exploit-prediction-scraper/run-sync": { "post": { "operationId": "run-sync-compute-edge-epss-exploit-prediction-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "cveFilter": { "title": "CVE Filter (comma-separated)", "type": "string", "description": "Comma-separated list of CVE IDs to look up. Example: 'CVE-2021-44228,CVE-2023-23397'. Leave blank to fetch the top-scoring CVEs across all records.", "default": "" }, "minEpssScore": { "title": "Minimum EPSS Score", "minimum": 0, "maximum": 1, "type": "number", "description": "Only return CVEs with an EPSS score greater than this value (0–1). Example: 0.5 returns only CVEs with a 50%+ exploit probability. Default 0 returns all.", "default": 0 }, "scoreDate": { "title": "Score Date (YYYY-MM-DD)", "type": "string", "description": "Retrieve historical EPSS scores as of a specific date (YYYY-MM-DD format). Leave blank to get the latest scores. Example: '2025-01-01'.", "default": "" }, "order": { "title": "Sort Order", "enum": [ "!epss", "epss", "!percentile", "percentile" ], "type": "string", "description": "Sort order for results. '!epss' = highest EPSS score first (default). 'epss' = lowest first. '!percentile' = highest percentile first. 'percentile' = lowest percentile first.", "default": "!epss" }, "maxResults": { "title": "Max Results", "minimum": 1, "maximum": 50000, "type": "integer", "description": "Maximum number of CVE records to return. Increase for bulk exports. Default is 1000.", "default": 1000 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```