FIRST also separates total CVE volume from actionable exploitability, using known-exploited lists and EPSS, the Exploit Prediction Scoring System, to focus urgent patching. Exploit likelihood, not raw ...