
First EPSS
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
This connector integrates with the FIRST.org Exploit Prediction Scoring System (EPSS) API. EPSS is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The connector syncs EPSS scoring records — each keyed by a CVE identifier — and exposes the EPSS probability score, the percentile rank of that score, and the score's publication date. These records are mapped to the CVE_RECORD UDM model so EPSS data can enrich vulnerability and CVE intelligence within the platform.
The connector retrieves the full EPSS dataset by paging through the public API in parallel, controlled by configurable page size and parallelism settings.
Data retrieved from FIRST Exploit Prediction Scoring System
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| EPSS Record | Yes | CVE_RECORD |
For detailed steps on how to view the data retrieved from FIRST Exploit Prediction Scoring System in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select FIRST Exploit Prediction Scoring System from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | No | — | EPSS api base URL |
| Page size | No | — | Maximum number of records to get per API request |
| Parallel requests | No | — | Maximum number of parallel API requests |
Authentication
The FIRST.org EPSS API is public and requires no authentication — no API key, token, or credentials are needed. All requests are issued as anonymous HTTP GET calls against the configured base URL.
Endpoint
| Method | URL |
|---|---|
| GET | https://api.first.org/data/v1/epss |
Request Headers
| Header | Value |
|---|---|
| Accept | application/json |
No Authorization header is sent.
Request Parameters
The connector pages through the dataset using query parameters rather than a request body:
| Parameter | Description |
|---|---|
envelope | Always set to true so responses include paging metadata (total, offset, limit). |
limit | Page size — maximum number of records returned per request (see Configuration). |
offset | Zero-based record offset; incremented per page to walk the full dataset. |
Sample Request
GET https://api.first.org/data/v1/epss?envelope=true&limit=1000&offset=0
Sample Response
{
"status": "OK",
"status-code": 200,
"version": "1.0",
"access": "public",
"total": 174794,
"offset": 160000,
"limit": 100,
"data": [
{
"cve": "CVE-2005-4230",
"epss": "0.011360000",
"percentile": "0.565440000",
"date": "2022-04-26"
}
]
}
Response Fields
| Field | Description |
|---|---|
status | Request status string (e.g. OK). |
status-code | HTTP-style status code returned in the envelope. |
version | API version. |
access | Access level of the data (public). |
total | Total number of EPSS records available. |
offset | Offset of the current page. |
limit | Page size of the current page. |
data | Array of EPSS records. |
Because the API is unauthenticated, no token is captured or reused; each subsequent paging request is simply another anonymous GET with an incremented offset.
Sync Behavior
The connector supports incremental (delta) syncs. It maintains a sync token between runs and applies it as an incremental timestamp filter, so each run re-processes only the records that changed after the previous sync. The initial run retrieves the complete data set; later runs are incremental. The specific timestamp field applied to each object is documented under that object's Sync Duration Parameter.
How to obtain FIRST Exploit Prediction Scoring System credentials
Obtain the required credentials (url (API URL)) from your FIRST Exploit Prediction Scoring System administrator or the FIRST Exploit Prediction Scoring System admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
EPSS Record
| Source Field Name | SDM Attribute |
|---|---|
EPSSRecordResource.cve | UID |
EPSSRecordResource.date | Date |
EPSSRecordResource.epss | EPSS |
EPSSRecordResource.percentile | PERCENTILE |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
EPSS Record
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET /data/v1/epss - Default filters:
envelope=true
Changelog
The FIRST Exploit Prediction Scoring System connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.4 | Improvements Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.3 | Improvements - The CVE identifier is now exposed as a dedicated identifier attribute on each EPSS record, improving how records are matched and correlated with existing CVE data in the platform. Dependency Upgrades Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.2 | Improvements - Refined the mapping of EPSS records to the platform's CVE model so that EPSS scores correlate more reliably with existing CVE records. | N/A |
| 3.0.1 | Improvements - EPSS probability scores and percentile ranks are now reported as percentage values (e.g., 0.95 expressed as 95.0) for clearer, more intuitive interpretation. | N/A |
| 3.0.0 | Overview The FIRST Exploit Prediction Scoring System (EPSS) connector integrates with FIRST.org to synchronize EPSS scoring records, each keyed by a CVE identifier, that estimate the likelihood a vulnerability will be exploited in the wild. Category: Threat Intelligence Models | N/A |