Predicting Real-World Exploitation with Coalition ESS

Tiago Henriques, October 20, 2025

Vulnerability management has never been more complex. More than 40,000 new vulnerabilities were published in 2024 alone, and Coalition forecasts that number will exceed 45,000 by the end of 2025.

For businesses, this sheer volume makes it virtually impossible to patch everything. Yet, leaving the wrong vulnerability unaddressed can expose critical systems to cyber attackers.

Cybersecurity teams have long experimented with different ways to decide what to patch first, and their strategies have evolved over time with the threat landscape:

  • Expert judgment: Back when there were only a few dozen vulnerabilities published each month, security leaders could manually review each one, applying experience and knowledge about local systems to prioritize action where it matters most.

  • Threat intelligence feeds: As the volume of vulnerabilities increased, security leaders turned to threat intel providers to prioritize vulnerabilities based on evidence of exploitation in the wild, ensuring defenders focus on immediate risks.

  • Data-driven predictions: To get a jump on threat intel, some security teams have now turned to analytics and machine learning (ML) to anticipate which vulnerabilities are most likely to be exploited in the future.

Each of these strategies reflects the realities of its time and still has value today. While some might see them as competing schools of thought, Coalition is actively embracing them all at once to help businesses develop a more resilient approach to vulnerability management.

That’s where the Coalition Exploit Scoring System (Coalition ESS) comes in, providing predictive insights that strengthen vulnerability management strategies without replacing human judgment or threat intelligence.

Using Coalition ESS in practice

As an example, the predictive value of Coalition ESS can be seen in CVE-2025-48384, which was published on July 8, 2025. Traditional sources were inconsistent, leaving it unclear whether this vulnerability needed to be patched. The National Vulnerability Database (NVD) provided no severity assessment at the time, while GitHub rated it as a high-severity vulnerability.

The GitHub severity assessment is less significant than it appears given that almost 500 vulnerabilities were rated as critical (above high severity), and there were over 4,000 vulnerabilities published in July 2024. In fact, CVE-2025-48384 wasn’t added to the US Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog until mid-August, after which it’s likely that defenders would have reacted by quickly racing to patch this vulnerability before threat actors could exploit it.

However, a defender using Coalition ESS may have been better equipped to act differently.

In the two days after the initial July 8 publication, the Coalition ESS score for CVE-2025-48384 surged from the 91st to the 98th percentile. This warning sign happened a full month and a half before broader evidence of exploitation was addressed publicly, highlighting Coalition ESS's ability to identify some of the most dangerous vulnerabilities by more correctly forecasting future exploitation.

Yet, we can’t evaluate predictive models solely by cherry-picking a single CVE. Instead, we need to evaluate predictive models across many vulnerabilities.

How to evaluate vulnerability forecasts

It’s easy to assume a “good” predictive model is one that looks accurate across all vulnerabilities, both exploited and never exploited. But in vulnerability management, that can be misleading because a predictive model should not get credit for predicting that a vulnerability that has been exploited in the past will be exploited in the future. A truly useful model must provide actionable foresight, a warning on vulnerabilities likely to be exploited before attackers strike, above and beyond information already available to defenders.

Why? Threat intelligence already covers known exploited vulnerabilities. Predictive models shouldn’t get credit for simply echoing what’s already confirmed. Instead, their value lies in how they forecast vulnerabilities that haven’t yet been exploited.

To test whether Coalition ESS provides predictive value, we looked at the Coalition ESS scores that common vulnerabilities and exposures (CVEs) published between April 1 and August 1, 2025, held before they were published in VulnCheck’s Known Exploited Vulnerabilities (KEV) dataset. The results show a clear trend:

  • Vulnerabilities that would eventually be exploited consistently scored higher on Coalition ESS, even before they were added to the KEV catalog.

  • Unexploited vulnerabilities clustered near zero, reinforcing Coalition ESS's ability to separate likely threats from background noise.

  • The highest Coalition ESS scores almost exclusively matched vulnerabilities that were later exploited.

In other words, Coalition ESS helps defenders see around the corner, helping them to prioritize the vulnerabilities most worthy of attention before they hit KEV lists.

Turning predictions into action

How should security teams actually use predictive scores in practice? The strategy depends on an organization’s resources and risk tolerance. Think of it as setting a patching threshold (or priorities list):

  • A large financial institution with deep resources might patch the top 20% of vulnerabilities.

  • A small hospital with limited staff might focus only on the top 2%.

Every organization has a different tolerance for risk and a different capacity for patching. Some can afford to cast a wide net, while others choose to be highly selective.

Coalition ESS scores give defenders a dial they can turn, tightening or loosening thresholds based on resources, risk tolerance, and other criteria; thus, patching strategies become strategically targeted and intentional rather than overly broad and overwhelming. The math works out in defenders’ favor:

  • Patching the top 9% of vulnerabilities by Coalition ESS would proactively cover half of all future vulnerabilities expected to be exploited.

  • A more efficient approach, patching the top 0.7% by Coalition ESS score, would address 20% of future vulnerabilities expected to be exploited, while minimizing efforts on vulnerabilities less likely to be attacked.

Of course, predictive models aren’t perfect. Not only are they forecasts, but they can produce odd or outlier predictions, which is why expert review remains critical. Human judgment ensures patching strategies are aligned with local environments, business priorities, and available resources.
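
An added example, not Coalition's code or data: it applies the evaluation rule from "How to evaluate vulnerability forecasts" (no credit for vulnerabilities already known to be exploited when they were scored) and then computes the coverage-versus-effort trade-off behind the patching threshold. The record IDs, scores, dates and function names are constructed for illustration.

```python
from datetime import date
from math import ceil

# Constructed sample, invented for illustration:
# (id, score, date the score was taken, date added to a KEV list or None)
SAMPLE = [
    ("VULN-01", 0.98, date(2025, 7, 10), date(2025, 8, 25)),
    ("VULN-02", 0.95, date(2025, 6, 1), date(2025, 5, 20)),  # already known
    ("VULN-03", 0.90, date(2025, 5, 1), None),
    ("VULN-04", 0.71, date(2025, 5, 15), date(2025, 7, 1)),
    ("VULN-05", 0.40, date(2025, 6, 2), None),
    ("VULN-06", 0.12, date(2025, 4, 10), date(2025, 6, 30)),
    ("VULN-07", 0.05, date(2025, 4, 3), None),
    ("VULN-08", 0.03, date(2025, 7, 20), None),
    ("VULN-09", 0.02, date(2025, 5, 9), None),
    ("VULN-10", 0.01, date(2025, 6, 18), None),
    ("VULN-11", 0.01, date(2025, 7, 7), None),
]

def ranked(records, exclude_known=True):
    """Sort by score, highest first. With exclude_known, drop anything already
    on the KEV list when it was scored, so the model earns no credit for it."""
    if exclude_known:
        records = [r for r in records if r[3] is None or r[3] > r[2]]
    return sorted(records, key=lambda r: r[1], reverse=True)

def coverage_at(records, top_fraction, exclude_known=True):
    """Share of exploited vulnerabilities that fall in the top `top_fraction`."""
    rows = ranked(records, exclude_known)
    exploited = [r for r in rows if r[3] is not None]
    top = rows[: ceil(top_fraction * len(rows))]
    return sum(r[3] is not None for r in top) / len(exploited) if exploited else 0.0

def effort_for(records, target_coverage):
    """Smallest fraction of the ranked list to patch to reach target_coverage.
    Returns 1.0 when nothing in the set was later exploited."""
    rows = ranked(records)
    total = sum(r[3] is not None for r in rows)
    hits = 0
    for k, row in enumerate(rows, start=1):
        hits += row[3] is not None
        if total and hits / total >= target_coverage:
            return k / len(rows)
    return 1.0

if __name__ == "__main__":
    for f in (0.1, 0.3, 0.5):
        print(f"top {f:.0%}: coverage {coverage_at(SAMPLE, f):.0%}")
    print(f"effort for 50% coverage: {effort_for(SAMPLE, 0.5):.0%}")
```

On this sample, counting the already-known record (`exclude_known=False`) raises top-10% coverage from one third to one half, which is the inflated credit the evaluation section warns against.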

A balanced playbook for vulnerability management

The most resilient approach to vulnerability management doesn’t rely on a single strategy; it combines them:

  • Patch all known exploited vulnerabilities that affect your organization’s systems.

  • Use resources wisely by estimating how much bandwidth you have for speculative patching.

  • Apply Coalition ESS thresholds to prioritize and target the speculative vulnerabilities most likely to be exploited in the future.

This layered strategy creates balance. Threat intelligence anchors decisions in what attackers are already exploiting. Predictive models extend the horizon, forecasting tomorrow’s risks. Human judgment ensures decisions are realistic, contextual, and efficient, minimizing the risk of anomalies. By weaving these together, defenders can move beyond “patch everything” mandates and toward risk-based prioritization that is more scalable.


This blog post is designed to provide general information on the topic presented. The Coalition Exploit Scoring System ("Coalition ESS") (Pat. No. US 12,028,359 B1) is powered by generative AI, machine learning and an underlying algorithm that provides assessments of all publicly disclosed vulnerabilities and evaluates a technology vendor's risk based on the exploitability of reported vulnerabilities over a set time period. While we strive for accuracy, generative AI and machine learning can make mistakes. By accessing and using Coalition ESS you acknowledge that you fully understand the risks, limitations, conditions of use, instructions for use, and agree to the Terms of Service. This blog post is not intended to construe or render legal or other professional services of any kind. The reader is cautioned to consult independent professional advisers and formulate independent conclusions and opinions regarding the subject matter discussed herein. Coalition is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability based on any legal theory or in any form or amount, based upon, arising from or in connection with, for the reader’s application of any of the contents herein to any analysis or other matter, nor do the contents herein guarantee and should not be construed to guarantee any particular results or outcome. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with our use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only.