Modeling Asset Risk Using Grouped EPSS
CVE/FIRST VulnCon 2025 · Main Stage
As cybersecurity threats escalate and the volume of vulnerabilities keeps growing, traditional vulnerability management approaches are proving increasingly inadequate. This talk, "Modeling Asset Risk Using Grouped EPSS," presented by Stephen Jacobs, a Principal Security Engineer at Moderna Therapeutics and co-chair of the EPSS Special Interest Group, addresses that problem. Jacobs introduces a novel methodology that shifts the focus from individual Common Vulnerabilities and Exposures (CVEs) to a more holistic, asset-centric view of risk.
AI review
Jacobs brings a clean, practical methodology to VulnCon that does exactly what it says on the tin: takes a well-understood probability identity, applies it to EPSS aggregation at the asset level, and gives practitioners a usable prioritization lever. This is competent, honest practitioner work — not novel research, but not vendor fluff either. The math is straightforward, the implementation is genuinely simple, and the framing around delta-EPSS for remediation impact is the most useful conceptual addition. It will land well with the vulnerability management crowd at VulnCon, which is the…