Fetch the CISA Known Exploited Vulnerabilities catalog JSON file from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and load it into a local lookup set keyed on CVE ID.
Query EPSS scores (model v4, released March 2025) for your CVE list from the FIRST.org EPSS API: GET https://api.first.org/data/v1/epss?cve=CVE-XXXX-XXXX,CVE-YYYY-YYYY (comma-separated, up to several hundred per request).
Join EPSS probability scores and percentile values, CVSS base scores (from NVD or your scanner), and a boolean kev_listed flag from the CISA KEV lookup for each CVE in your finding set.
Compute a composite priority score using a weighted model (e.g., 0.4 × normalised_cvss + 0.4 × epss_probability + 0.2 × kev_flag) to rank vulnerabilities beyond CVSS alone.
Output the ranked list to your ticketing or SOAR system, flagging any CVE that is both KEV-listed and has EPSS probability above a defined threshold (e.g., 0.1) as requiring immediate escalation.
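The five steps above, as an added worked example that is not part of the original route: it runs offline on constructed documents that mirror the shape of the two feeds (the KEV file's `vulnerabilities[].cveID` and the EPSS API's `data[].cve/epss/percentile` string fields), applies the weighted model, and marks the KEV-and-EPSS escalation case. The weights, threshold and CVSS values are the example's own assumptions; in a real pipeline the two sample dicts are replaced by `json.load` of the downloaded file and API response.

```python
import json

# Constructed samples shaped like the real feeds (not live data).
KEV_SAMPLE = json.loads('{"vulnerabilities": [{"cveID": "CVE-2024-0001", "dateAdded": "2025-01-01"}]}')
EPSS_SAMPLE = json.loads('{"data": ['
                        '{"cve": "CVE-2024-0001", "epss": "0.42000", "percentile": "0.97000"},'
                        '{"cve": "CVE-2024-0002", "epss": "0.00300", "percentile": "0.40000"}]}')

# Assumed weights and escalation threshold (the route's example values).
WEIGHTS = {"cvss": 0.4, "epss": 0.4, "kev": 0.2}
ESCALATE_EPSS = 0.1


def load_kev(kev_doc):
    """Step 1: KEV catalog JSON -> set of CVE IDs for O(1) membership checks."""
    return {v["cveID"] for v in kev_doc["vulnerabilities"]}


def load_epss(epss_doc):
    """Step 2: EPSS API JSON -> {cve: (probability, percentile)}; values arrive as strings."""
    return {d["cve"]: (float(d["epss"]), float(d["percentile"])) for d in epss_doc["data"]}


def priority_score(cvss, epss_prob, kev_listed):
    """Step 4: 0.4 * (CVSS/10) + 0.4 * EPSS probability + 0.2 * KEV flag, in [0, 1]."""
    return round(WEIGHTS["cvss"] * (cvss / 10.0)
                 + WEIGHTS["epss"] * epss_prob
                 + WEIGHTS["kev"] * float(kev_listed), 4)


def rank_findings(findings, kev, epss):
    """Steps 3 and 5: join the three signals per CVE and rank, escalations first.

    findings: {cve: cvss_base_score}. A CVE with no EPSS row (e.g. too new to be
    scored) gets probability 0.0 but is marked epss_missing so the gap is visible.
    """
    rows = []
    for cve, cvss in findings.items():
        prob, pct = epss.get(cve, (0.0, 0.0))
        listed = cve in kev
        rows.append({
            "cve": cve, "cvss": cvss, "epss": prob, "percentile": pct,
            "kev_listed": listed, "epss_missing": cve not in epss,
            "priority": priority_score(cvss, prob, listed),
            "escalate": listed and prob > ESCALATE_EPSS,  # both conditions, per step 5
        })
    rows.sort(key=lambda r: (r["escalate"], r["priority"]), reverse=True)
    return rows


if __name__ == "__main__":
    sample_findings = {"CVE-2024-0001": 7.5, "CVE-2024-0002": 9.8, "CVE-2024-0003": 5.0}
    for row in rank_findings(sample_findings, load_kev(KEV_SAMPLE), load_epss(EPSS_SAMPLE)):
        print(row)
```

Note that the highest-CVSS finding (9.8) ranks below the KEV-listed 7.5, which is the point of the composite model.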
Known gotchas
EPSS scores change daily as the model ingests new exploitation telemetry; cache scores with a TTL of no more than 24 hours or re-fetch per pipeline run to avoid stale prioritization.
The CISA KEV catalog is a point-in-time snapshot; automate daily re-download rather than treating it as static — new entries can appear with as little as 24 hours notice.
EPSS v4 (March 2025) changed score distributions relative to v3; pipelines calibrated against v3 thresholds may need threshold recalibration after upgrading.