Methodology

Modern AI enables us to model security posture, asset value, and attacker behavior with real precision—but only if we adapt to the enterprise’s actual environment. Local models let us reflect your infrastructure, your priorities, and your risk—not someone else’s.

Our models are trained on over 17,000 known exploited CVEs.

Effort Comparison: CVSS vs. Empirical Local

Empirical Models outperform CVSS as the way to prioritize vulns. When comparing performance measures (such as effort or coverage) it’s undeniable.

Diagram legend: Published CVEs, Prioritized CVEs, Exploited CVEs

CVSS 9+ (Critical)
Threshold: 0.9 | Effort: 14.4% | Coverage: 40.4% | Efficiency: 9.5%

Empirical Local (Same Effort): Better Coverage & Efficiency
Threshold: 0.028 | Effort: 14.4% | Coverage: 95.4% | Efficiency: 22.4%

Local model results may vary depending on your security dataset.

Coverage Comparison: CVSS vs. Empirical Local

Empirical Models reduce the required effort to achieve the same coverage compared to CVSS. Empirical Global models are 6x more efficient.

Diagram legend: Published CVEs, Prioritized CVEs, Exploited CVEs

CVSS 7+ (High to Critical)
Threshold: 0.7 | Effort: 50.5% | Coverage: 76.8% | Efficiency: 5.1%

Empirical Local (Same Coverage): Less Effort, More Efficiency
Threshold: 0.968 | Effort: 2.6% | Coverage: 76.9% | Efficiency: 99.3%

Local model results may vary depending on your security dataset.

Effort, Coverage, and Efficiency

All Published Vulns (CVEs we could prioritize)

Effort

Measures the relative workload as the proportion of vulnerabilities prioritized out of all the possible CVEs:

(True Positives + False Positives) / Everything

Coverage

Measures how well our strategy covers the vulnerabilities that show exploitation activity, as the share of them that we prioritized (False Negatives are not prioritized and exploitation activity is later observed):

True Positives / (True Positives + False Negatives)

Efficiency

Measures how accurately our strategy focuses on vulnerabilities that have exploitation activity (False Positives are prioritized without any exploitation activity observed):

True Positives / (True Positives + False Positives)

FAQ

What is EPSS?

While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

How do we define Efficiency?

Efficiency considers how efficiently resources were spent by measuring the percent of prioritized vulnerabilities that were exploited. Prioritizing mostly exploited vulnerabilities would be a high efficiency rating (resources were allocated efficiently), while prioritizing perhaps random or mostly non-exploited vulnerabilities would result in a low efficiency rating. Efficiency is calculated as the number of exploited vulnerabilities prioritized (True Positives, Correctly Identified) divided by the total number of prioritized vulnerabilities (True Positives + False Positives).

How do we define Coverage?

Coverage is the percent of exploited vulnerabilities that were prioritized, and is calculated as the number of exploited vulnerabilities prioritized (True Positives, Correctly Identified) divided by the total number of exploited vulnerabilities (True Positives + False Negatives). Having low coverage indicates that not many of the exploited vulnerabilities were remediated with the given strategy.
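The following is an added example, not code from this page or its vendor. It computes effort, coverage and efficiency as the FAQ defines them (efficiency = exploited-and-prioritized / prioritized, coverage = exploited-and-prioritized / all exploited) and compares a CVSS 9+ cutoff with a probability ranking at the same effort. The data set, the `Vuln` record and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str         # constructed placeholder ID, not a real CVE
    cvss: float      # severity score, 0-10
    prob: float      # model exploitation probability, 0-1
    exploited: bool  # exploitation activity observed

# Constructed sample: 10 published vulns, 3 of them exploited.
SAMPLE = [
    Vuln("V01", 9.8, 0.02, False), Vuln("V02", 9.8, 0.91, True),
    Vuln("V03", 9.1, 0.01, False), Vuln("V04", 7.5, 0.85, True),
    Vuln("V05", 7.2, 0.03, False), Vuln("V06", 6.5, 0.40, True),
    Vuln("V07", 5.3, 0.01, False), Vuln("V08", 8.8, 0.05, False),
    Vuln("V09", 4.3, 0.02, False), Vuln("V10", 9.0, 0.04, False),
]

def metrics(vulns, prioritized):
    """Return (effort, coverage, efficiency) for a set of prioritized IDs."""
    tp = sum(1 for v in vulns if v.vid in prioritized and v.exploited)
    fp = sum(1 for v in vulns if v.vid in prioritized and not v.exploited)
    fn = sum(1 for v in vulns if v.vid not in prioritized and v.exploited)
    effort = (tp + fp) / len(vulns) if vulns else 0.0  # share of all vulns worked
    coverage = tp / (tp + fn) if tp + fn else 0.0      # share of exploited caught
    efficiency = tp / (tp + fp) if tp + fp else 0.0    # share of work that mattered
    return effort, coverage, efficiency

def above_threshold(vulns, score, threshold):
    """Prioritize everything whose score meets the cutoff."""
    return {v.vid for v in vulns if score(v) >= threshold}

def top_n(vulns, score, n):
    """Prioritize the n highest-scored vulns (a fixed-effort strategy)."""
    ranked = sorted(vulns, key=score, reverse=True)
    return {v.vid for v in ranked[:n]}

def compare(vulns=SAMPLE):
    """CVSS >= 9 versus the probability ranking at the same effort."""
    cvss_set = above_threshold(vulns, lambda v: v.cvss, 9.0)
    model_set = top_n(vulns, lambda v: v.prob, len(cvss_set))
    return metrics(vulns, cvss_set), metrics(vulns, model_set)

if __name__ == "__main__":
    for name, (eff, cov, effi) in zip(("CVSS 9+", "model, same effort"), compare()):
        print(f"{name:20s} effort={eff:.0%} coverage={cov:.0%} efficiency={effi:.0%}")
```

On this constructed sample both strategies work 4 of 10 vulnerabilities, so any difference in coverage and efficiency comes from which four were chosen.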

Compare Model Threshold Performance

Empirical Models combine real-time internet exploitation telemetry with EPSS predictions to provide the most accurate view of exploitation. Empirical monitors activity on over 17,000 exploited CVEs—10 times more than the next best model—and offers hourly exploitation evidence and volume, an industry first. Compare to DHS CISA KEV: ~1200

We bring measurable impact

Our models increase efficiency and coverage, reveal unknown threats, reduce risk, and optimize remediation capacity.

17,000+

Known Exploited Vulns (and hourly telemetry about when exploitation occurred)

12.4x

A 1249.04% increase in total exploited CVEs as of January 9th, 2025 compared to CISA Known Exploited Vulnerabilities (KEV)

23x

4925 newly exploited CVEs in the last 12 months, compared to 204 in CISA KEV

See how your model would differ

Try our models with your own local data and discover their impact on your cybersecurity environment.
