Stephen Shaffer

Security Engineer | Dad | Ottoneu Player | All things black holes and space | Curious about the nature of reality itself and what we’re all doing here
#infosec #risk #elm

#EPSS gives us a lens into global exploit pressure.

But to further understand our vulnerability risk posture, we need to adjust that pressure through the lens of our own controls — and their measured effectiveness.

In my latest blog, I show you how to take EPSS asset-level exploit likelihoods (EPSSg) and update them with #Bayesian inference to reflect control effectiveness.

It’s a simple but powerful way to turn the Swiss cheese model from a metaphor into something measurable — a living model that evolves as new evidence arrives.

#cve #infosec

https://stephenshaffer.io/quantifying-swiss-cheese-the-bayesian-way-b2b512472d85

‼️ On Monday, March 17th 2025, EPSS v4 will be released and replace the current version (v3).

❓ What does this mean?

The model is being updated and expanded to include more data sources and is more accurate than v3. The Coverage/Efficiency Curve (Precision/Recall) indicates better performance at every threshold and therefore you get better risk management at all risk appetites.

➡️ Do I have to do anything to switch from v3 to v4?

No. The location of the data will remain the same. The API at FIRST will switch over to serving v4 scores automatically on Monday morning, and the CSV will remain accessible from Cyentia Institute, though there will be a redirect to Empirical Security.

⭐ Why is the model updating?

The v4 model is trained on more recent exploitation data. The v3 model was also experiencing degradation in accuracy, which is normal for models over time as reality shifts.

🎁 What's new in v4?

👾 Additional exploitation data sources, including Shodan, HackerOne Hacktivity, endpoint detections, and malware
🪄 More recent exploitation training data than v3
🎯 Recalibrating features (i.e. Twitter being dropped, CVE.org being added as a backup to NVD, and CVSS score changes over time)

#EPSS #CVE #VulnMgmt #RiskMgmt

Happy to announce I’ll be speaking at #VulnCon25 next month. I’ll be chatting about Asset EPSSg, which is a concept that orients you to the exploitation exposure risk at the asset level, rather than the CVE level. More info here: https://stephenshaffer.io/modeling-asset-risk-using-epss-d6ce8b4491c5

Looking forward to it 🤘🏻 #EPSS

Modeling Asset Risk Using EPSS - Stephen Shaffer - Medium

How can we best operationalize EPSS in our environment by utilizing its mathematical properties?


Patrick Garrity coming in hot with a Tecmo Super Bowl-themed data viz showcasing the vulnerabilities added to the CISA KEV during the 2023-2024 NFL Season.

Patrick Knows Vulns!

https://www.linkedin.com/posts/patrickmgarrity_cybersecurity-security-infosecurity-activity-7162467198161108992-6BQA

Patrick Garrity 👾🛹💙 on LinkedIn: #cybersecurity #security #infosecurity #riskmanagement…

Super Vuln Sunday is finally here! Inspired by the collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Football…

So, you want to prioritize vulnerabilities based on EPSS.

Where do you begin?

It's human to try to make sense of things, including EPSS, through categorization, labeling, or binning.

EPSS should never be used in a vacuum, but depending on your organization's size, remediation capacity, and budget, you may be looking for guidance on how to put it into practice.

I offer a variety of perspectives here: https://stephenshaffer.io/determining-epss-score-thresholds-for-prioritization-86e08db21798

#vulnerabilitymanagement #cybersecurity #infosec #epss #cve