Security teams don’t have a CVE problem — they have a prioritization problem.
CVSS tells us severity. EPSS tells us likelihood of exploitation.
But defenders still end up asking:
“Which CVEs do I actually fix first?”
To explore that gap, I built Day0Predictor v0.1 — a defensive, transparent CVE risk scoring tool that integrates EPSS signals with interpretable machine learning.
This is not a zero-day detector and not a scanner. It’s a prioritization signal designed to be auditable and explainable.
🔍 What Day0Predictor Does
Combines EPSS score + percentile
Adds structured threshold features (≥0.01, ≥0.10, ≥0.50)
Trains a lightweight, interpretable model
Outputs:
Risk score (0–100)
Features used
Reasons for the score
Clear disclaimers
No black box. No hype.
🧠 Why EPSS Alone Isn’t Enough
EPSS is powerful, but in practice:
Scores fluctuate daily
Context is missing (attack patterns, structure)
Defenders still need explanation
Day0Predictor treats EPSS as strong evidence, not truth.
Think of it as:
EPSS + structure + explainability
🧪 Example Output
    {
      "cve_id": "CVE-2021-44228",
      "risk": 98,
      "mode": "trained_model_epss",
      "features": {
        "epss": 0.94358,
        "percentile": 0.99957,
        "epss_ge_050": 1.0
      },
      "reasons": [
        { "feature": "epss", "direction": "up" },
        { "feature": "percentile", "direction": "up" }
      ]
    }
This is the kind of output defenders can audit and trust.
🛠️ CLI Usage
Score a CVE directly by ID using EPSS:
    day0predict score-epss \
      --cve-id CVE-2021-44228 \
      --model models/day0predict.joblib \
      --format json
You can also score CVE JSON files directly.
📊 Model Notes
Logistic regression (intentionally simple)
Handles class imbalance
ROC-AUC ≈ 0.92
Explainability prioritized over complexity
This tool is meant to support human judgment, not replace it.
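How a logistic regression over EPSS features can yield both a 0–100 risk score and per-feature reasons, as an added example that is not Day0Predictor's own code. The weights, intercept, baseline values and the feature names `epss_ge_001` and `epss_ge_010` are constructed assumptions; only `epss`, `percentile` and `epss_ge_050` appear in the output above.

```python
import math

# Constructed coefficients for illustration; NOT taken from the project's trained model.
WEIGHTS = {"epss": 3.0, "percentile": 2.0,
           "epss_ge_001": 0.5, "epss_ge_010": 1.0, "epss_ge_050": 1.5}
INTERCEPT = -4.0
# Constructed baseline (stand-in for training-set feature means), used to decide
# whether a feature pushed this CVE's score up or down relative to a typical CVE.
BASELINE = {"epss": 0.03, "percentile": 0.50,
            "epss_ge_001": 0.40, "epss_ge_010": 0.05, "epss_ge_050": 0.01}


def build_features(epss, percentile):
    """Raw EPSS signals plus the three threshold indicators (>=0.01, >=0.10, >=0.50)."""
    # Written so that NaN also fails the check instead of silently scoring.
    if not (0.0 <= epss <= 1.0 and 0.0 <= percentile <= 1.0):
        raise ValueError("EPSS score and percentile must both be in [0, 1]")
    return {
        "epss": epss,
        "percentile": percentile,
        "epss_ge_001": float(epss >= 0.01),
        "epss_ge_010": float(epss >= 0.10),
        "epss_ge_050": float(epss >= 0.50),
    }


def score(cve_id, epss, percentile, top_n=2):
    """Return risk (0-100), the features used, and the top_n signed reasons."""
    feats = build_features(epss, percentile)
    logit = INTERCEPT + sum(WEIGHTS[name] * value for name, value in feats.items())
    probability = 1.0 / (1.0 + math.exp(-logit))
    # In a linear model each feature's contribution to the logit is weight * value,
    # so measuring it against the baseline gives an auditable "why".
    contrib = {name: WEIGHTS[name] * (feats[name] - BASELINE[name]) for name in feats}
    ranked = sorted(contrib, key=lambda name: abs(contrib[name]), reverse=True)[:top_n]
    reasons = [{"feature": name, "direction": "up" if contrib[name] > 0 else "down"}
               for name in ranked]
    return {"cve_id": cve_id, "risk": round(100 * probability),
            "features": feats, "reasons": reasons}


if __name__ == "__main__":
    import json
    # EPSS values copied from the example output above.
    print(json.dumps(score("CVE-2021-44228", 0.94358, 0.99957), indent=2))
```

Because the reasons are derived from the same coefficients that produce the score, anyone reviewing a result can recompute it by hand from the printed features.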
📦 Open Source
GitHub: 👉 https://github.com/ethicals7s/day0predictor-v0.1
MIT licensed. Feedback and PRs welcome.
🔮 What’s Next
Ideas for v0.2:
Time-aware training (train on past → predict future)
Explicit CISA KEV features
Lightweight web demo
Expanded text feature analysis
🧠 Final Thought
Security doesn’t need more hype tools.
It needs boring, honest, defensible signals that help humans decide what matters now.
That’s what I tried to build with Day0Predictor.