Let’s face it: most companies are drowning in vulnerabilities and struggling to patch even a fraction of them. The question has never been how many flaws exist, it’s which ones matter most. Now, NIST thinks it may have an answer, or at least a better guess.
In a white paper released on 19 May, researchers Peter Mell and Jonathan Spring introduced a new metric called Likely Exploited Vulnerabilities (LEV). The idea is bold: estimate, not confirm, which vulnerabilities have probably been used in the wild, based on historical trends in exploit prediction data.
It’s not perfect. But in a world where only 5% of vulnerabilities ever get exploited, and yet companies burn valuable time patching 16% of all flaws every month, a little precision could go a long way.
A smarter middle ground
Today’s vulnerability triage relies on two main tools: the Exploit Prediction Scoring System (EPSS), which forecasts the likelihood of future exploitation, and Known Exploited Vulnerability (KEV) catalogs like the one run by CISA, which list confirmed, real-world attacks.
But EPSS is predictive. It doesn’t tell you what has happened. KEV lists, meanwhile, are often incomplete or lagging behind real-time exploitation. That leaves security teams playing a dangerous guessing game with limited resources and an overwhelming list of CVEs.
Enter LEV.
LEV bridges that gap by applying statistical methods to historical EPSS scores, essentially asking: “Given what we know now, how likely is it that this vulnerability has already been exploited?” It’s not confirmation, but it’s more than speculation. Think of it as adding another lens to the triage toolkit, one that helps security teams focus on the flaws that are probably already causing damage.
Why this matters
If you’ve worked in security or run patch management, you already know the pain. Thousands of vulnerabilities, tight budgets, overworked teams, and executive boards asking why the “important one” wasn’t patched.
The new LEV metric can help organizations:
- Estimate how many vulnerabilities in their systems have likely been exploited.
- Identify high-risk flaws missing from KEV lists.
- Uncover blind spots in EPSS, especially where already-exploited vulnerabilities fly under the radar.
- Test the completeness of official vulnerability advisories.
Perhaps most critically, it offers CISOs and compliance leaders a way to quantify risk with more nuance. LEV can inform policy decisions, shape board-level reporting, and justify why some patches must leapfrog others, even in the absence of hard evidence.
Probabilities, not proof
It’s important to note that LEV scores are not bulletproof. They rely heavily on the accuracy of EPSS, which has gotten better over time, particularly with version 3 released in March 2023, but still isn’t perfect. LEV also makes statistical assumptions, such as treating vulnerability scores independently, which may not always hold true in practice.
And here’s the kicker: there’s no ground truth yet. NIST openly admits that LEV is a promising theory in search of validation. We simply don’t have broad, public access to the data needed to verify whether a “likely exploited” vulnerability actually was.
That’s why the white paper comes with a call to action.
NIST wants partners, now
To move LEV from academic concept to operational asset, NIST needs help. Specifically, they’re looking to collaborate with private-sector companies that hold real-world threat data; think security vendors, threat intel firms, and large enterprises with deep detection capabilities.
These organizations often know when a vulnerability was exploited in the wild. That kind of evidence is exactly what’s needed to train and tune the LEV model.
Without it, LEV remains theoretical, just a good idea with no empirical backbone. But with enough industry cooperation, it could evolve into a high-value addition to the vulnerability management stack.
What’s available now?
The LEV code is already live and ready to use. It’s open, it’s free, and it calculates probability scores based on publicly available EPSS data. Right now, it’s most effective for CVEs published after March 2023, since that’s when EPSS v3 became the standard.
Organizations can generate their own LEV lists using whatever risk threshold fits their appetite (say, only looking at vulnerabilities with a 70%+ probability of prior exploitation). The scores update daily, allowing for dynamic risk modeling as new data rolls in.
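The article describes LEV as a statistical estimate built from a CVE's historical EPSS scores under an independence assumption, and then filtered against a risk threshold. The Python below is an added illustration written for this piece, not NIST's published LEV code; it assumes each EPSS score is the probability of exploitation within the following 30 days and combines successive 30-day windows as independent events, and its CVE IDs and score histories are constructed placeholders.

```python
# Added illustration (not NIST's LEV code): combine a CVE's historical EPSS
# scores into a "probably already exploited" estimate. Assumes each EPSS score
# is the probability of exploitation within the following 30 days and that
# successive non-overlapping windows are independent, so
#   P(exploited at least once) = 1 - prod(1 - p_i * w_i)
# where w_i scales a trailing partial window by its share of 30 days.
from datetime import date, timedelta

WINDOW_DAYS = 30


def build_history(start, scores):
    """Constructed helper: one EPSS sample every 30 days from `start`."""
    return [(start + timedelta(days=WINDOW_DAYS * i), s)
            for i, s in enumerate(scores)]


def lev_estimate(history, end):
    """history: [(sample_date, epss)] ordered by date; end: last day considered."""
    p_none = 1.0                       # P(no window saw exploitation)
    for sample_date, epss in history:
        if sample_date > end:
            break
        days_covered = min(WINDOW_DAYS, (end - sample_date).days + 1)
        weight = days_covered / WINDOW_DAYS
        p_none *= 1.0 - epss * weight
    return 1.0 - p_none


def likely_exploited(histories, end, threshold):
    """Return (cve, lev) pairs at or above threshold, highest first."""
    scored = [(cve, lev_estimate(h, end)) for cve, h in histories.items()]
    return sorted(((c, v) for c, v in scored if v >= threshold),
                  key=lambda cv: cv[1], reverse=True)


START = date(2024, 1, 1)
END = START + timedelta(days=179)      # six full 30-day windows
# Constructed placeholder CVEs and EPSS histories, not real scores.
HISTORIES = {
    "CVE-EXAMPLE-1": build_history(START, [0.02] * 6),                 # always low
    "CVE-EXAMPLE-2": build_history(START, [0.40, 0.35, 0.30, 0.25, 0.20, 0.15]),
    # High once, then quiet: today's EPSS looks harmless, LEV does not.
    "CVE-EXAMPLE-3": build_history(START, [0.90, 0.10, 0.05, 0.05, 0.05, 0.05]),
}

if __name__ == "__main__":
    for cve, lev in likely_exploited(HISTORIES, END, threshold=0.70):
        print(f"{cve}: LEV ~ {lev:.2f}")
```

The third placeholder is the EPSS blind spot the article mentions: its current score is low, but the accumulated history puts it well above the 70% line.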
Let’s be clear: LEV won’t replace threat intelligence feeds, KEV lists, or the experience of seasoned analysts. But it can sharpen all of them. In an environment where patch fatigue is real, alert volumes are crushing, and budgets are being squeezed, knowing where to focus makes all the difference.
We may never be able to say with 100% certainty which vulnerability is actively being exploited. But if we can make a strong, data-driven guess? That might be just enough to stay ahead of the next breach.
And in cybersecurity, “just enough” can be everything.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.