EPSS Vulnerability Prioritization Monitor

Pricing

$3.00 / 1,000 epss vulnerability matches

Score CVE watchlists with FIRST EPSS exploit probability, detect rising risk, and optionally enrich matches with NVD details.

Developer

Orbiscribe Labs

Maintained by Community

Turn a CVE list into a remediation queue using FIRST EPSS exploit probability.

This Actor is for security teams, MSPs, vulnerability-management consultants, and platform teams that already have too many CVEs and need a simple feed of what is more likely to be exploited. It accepts CVE IDs from scanners, SBOMs, advisories, or tickets, pulls current EPSS probability and percentile scores, optionally enriches records with NVD details, and marks scores that are new, rising, falling, or unchanged across scheduled runs.

What It Does

  • Scores supplied CVE IDs with the public FIRST EPSS API
  • Also emits CVEs above configurable EPSS and percentile thresholds
  • Flags new_score, score_increase, score_decrease, and unchanged
  • Adds NVD enrichment: CVSS, severity, description, CWE, CPE, and references
  • Produces dataset rows, a buyer brief, threshold-only export, and Slack-ready alert records
  • Works as a scheduled Apify monitor with webhooks to Slack, email, Sheets, or ticketing workflows

Inputs

{
  "cveIds": ["CVE-2024-3094", "CVE-2023-34362", "CVE-2021-44228"],
  "minEpss": 0.7,
  "minPercentile": 0.97,
  "maxResults": 100,
  "includeBelowThresholdWatchlist": true,
  "enrichWithNvd": false,
  "compareToPreviousRun": true,
  "dryRun": false
}

Leave dryRun enabled to preview deterministic demo output without API calls or custom event charges.

Outputs

Each dataset row includes:

  • CVE ID
  • EPSS probability and percentile
  • priority bucket
  • score change type and deltas
  • optional NVD severity, CVSS score, description, CWE, CPE, and references
  • source API URL and compliance notes

Example:

{
  "recordType": "epss_vulnerability_priority_match",
  "cveId": "CVE-2024-3094",
  "changeType": "new_score",
  "priority": "critical",
  "epss": 0.84805,
  "percentile": 0.99352,
  "thresholdMatched": true,
  "nvdSeverity": "CRITICAL",
  "cvssScore": 10,
  "sourceUrl": "https://www.first.org/epss/data_stats#CVE-2024-3094"
}

Why Use This Instead Of A Generic CVE Scraper

Most CVE feeds tell you severity. That is not the same as exploit likelihood. EPSS adds a daily probability estimate that helps teams decide which vulnerabilities deserve attention first. This Actor is built around that workflow: score, threshold, compare to the last run, and emit structured events.
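The score, threshold, and compare-to-last-run workflow described above, sketched as an added example; this is not the Actor's own code. Assumptions: a match must clear both thresholds, a small tolerance decides "unchanged", `epssDelta` is a hypothetical field name, and the sample rows are constructed in the shape of the FIRST EPSS API's `data` array (the first row reuses the values from the example output above).

```python
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample shaped like the "data" array of the public FIRST EPSS API
# (scores arrive as strings). Values are illustrative, not live EPSS scores.
CURRENT_RUN = [
    {"cve": "CVE-2024-3094", "epss": "0.84805", "percentile": "0.99352"},
    {"cve": "CVE-2023-34362", "epss": "0.91200", "percentile": "0.99100"},
    {"cve": "CVE-2021-44228", "epss": "0.65000", "percentile": "0.98000"},
    {"cve": "not-a-cve", "epss": "0.99000", "percentile": "0.99900"},
]
# Constructed state saved by the previous scheduled run: CVE ID -> EPSS.
PREVIOUS_RUN = {"CVE-2023-34362": 0.80000, "CVE-2021-44228": 0.65000}


def change_type(cve_id, epss, previous, tolerance=1e-5):
    """Classify a score against the previous run (tolerance is an assumption)."""
    if cve_id not in previous:
        return "new_score", None
    delta = round(epss - previous[cve_id], 5)
    if abs(delta) < tolerance:
        return "unchanged", 0.0
    return ("score_increase" if delta > 0 else "score_decrease"), delta


def build_queue(rows, previous, min_epss=0.7, min_percentile=0.97,
                include_below_threshold=True):
    """Return rows sorted by EPSS, highest first; malformed CVE IDs are dropped."""
    queue = []
    for row in rows:
        cve_id = row["cve"].strip().upper()
        if not CVE_RE.match(cve_id):
            continue
        epss, pct = float(row["epss"]), float(row["percentile"])
        # Assumption: a match must clear both thresholds.
        matched = epss >= min_epss and pct >= min_percentile
        if not matched and not include_below_threshold:
            continue
        kind, delta = change_type(cve_id, epss, previous)
        queue.append({"cveId": cve_id, "epss": epss, "percentile": pct,
                      "thresholdMatched": matched, "changeType": kind,
                      "epssDelta": delta})
    return sorted(queue, key=lambda r: r["epss"], reverse=True)


if __name__ == "__main__":
    for record in build_queue(CURRENT_RUN, PREVIOUS_RUN):
        print(record)
```

A below-threshold row that is still rising is the case worth alerting on before it crosses the line, which is why the comparison runs on watchlist rows as well as matches.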

Pricing

Recommended Apify pricing is pay per event:

  • epss-vulnerability-match: $0.003 per emitted vulnerability record
  • Dry runs are free
  • Free-plan users get the first 25 live records without this Actor's custom event charge

Compliance Notes

This Actor uses public FIRST EPSS and, when enabled, NVD APIs. NVD enrichment is off by default so broad threshold runs finish quickly. Without an NVD key, only the first 10 emitted records are enriched to respect public rate limits. EPSS is a prioritization signal, not a final remediation decision. Verify results against your asset inventory, vendor advisories, exposure, compensating controls, and internal policy.