endoflife.ai — deep explainer

The EOL Risk Score™
explained

Published: May 25, 2026 Updated: May 25, 2026 8 min read By endoflife.ai

Every piece of software has an end-of-life date. After that date, the vendor stops issuing security patches. The software doesn't stop working — it just stops being defended. Vulnerabilities accumulate silently. And most teams don't find out until a breach report or a compliance audit lands on their desk.

The existing tools told you whether something was end-of-life. Nobody was telling you how bad that was. "EOL" is a binary flag. Risk is not binary. A six-year-old database with 40 known exploited vulnerabilities attached is not the same risk as a library that went EOL last Tuesday with a clean CVE record.

That gap is why I built the EOL Risk Score™.

"Think of it as the credit score for your software stack — except here, a high number is the one that should keep you up at night."

What the score is

The EOL Risk Score™ is a proprietary composite metric that runs from 0 to 100. It aggregates multiple signals about a specific software version into a single, actionable number. Higher scores indicate higher risk. A score of 87 on Debian 10 is not the same conversation as a score of 12 on something that went EOL three weeks ago. The number makes that difference legible.

Example — Debian 10 "Buster", EOL June 2022
87 risk
Debian 10 "Buster"
EOL since June 30, 2022 — 1,425 days elapsed
Days since EOL
90
KEV matches
85
CVE density
78
Ecosystem reach
95
Patch availability
40

The five signals that make up the score

Each component is independently calculated, then combined into the composite score using a weighted model. The weights are calibrated against real-world breach data and CISA exploitation patterns.

Signal 01
EOL elapsed time
Days since the official end-of-life date. Risk compounds non-linearly — the first 90 days after EOL carry less weight than years three or four of unpatched exposure.
Weight: high
Signal 02
KEV intersection
Count of CISA Known Exploited Vulnerabilities linked to this product version. These are CVEs actively exploited in the wild — not theoretical. This is the single most predictive signal.
Weight: critical
Signal 03
CVE density
Total unpatched CVE count, adjusted for severity distribution. A version with 200 low-severity CVEs scores lower than one with 12 critical ones. Severity weighting matters.
Weight: high
Signal 04
Ecosystem reach
How widely deployed the software category is globally. An OS or runtime scores higher than a niche utility — blast radius matters as much as vulnerability count.
Weight: medium
Signal 05
Patch availability
Whether extended lifecycle support is available from a commercial vendor. If a patch stream exists, risk is reduced — you have a documented remediation path.
Weight: moderate (inverse)

How to read the bands

Score Band What it means Recommended action
0–19 Minimal Recently EOL, no CVE exposure, no known exploits — clock is ticking but threat is not yet present Monitor. Schedule migration.
20–39 Low EOL with early CVE accumulation — vulnerabilities exist but exploitation is limited Prioritize in next planning cycle.
40–59 Medium Meaningful CVE exposure building, possible KEV entries — risk is measurable and growing Active remediation plan required.
60–79 High Confirmed known exploited vulnerabilities — attackers have working methods against this version Escalate. ELS or migration this quarter.
80–100 Critical Active exploitation, deeply EOL, wide blast radius — this is a live threat, not a future risk Immediate action. Stop treating this as a backlog item.
38
KEV products currently EOL
83
avg risk score across KEV-EOL products
7,500+
versions scored across 460+ products

Why a score, not just a flag

Security teams are drowning in binary signals. Every tool gives you red/green, yes/no, EOL/not-EOL. That framing is useless when you're trying to prioritize a backlog of 300 vulnerable packages across 40 services.

The EOL Risk Score™ gives you a number you can sort by, filter by, and build SLAs around. A score of 91 will always be addressed before a score of 44. That's not a judgment call — it's a queue.

This matters for compliance too. Frameworks like SOC 2, PCI DSS, and ISO 27001 require demonstrable risk prioritization. "We only had EOL flags" is not an audit answer. "We triaged by EOL Risk Score™ and addressed everything above 70 within 30 days" is.

Who uses it and how

A real-world scenario

Scenario — fintech production infrastructure

A fintech company is running Debian 10 on 40% of their backend nodes. Their security team knows it's EOL — has been for two years. They have a migration plan that's six months out. The CISO needs to answer: is that acceptable?

Without the EOL Risk Score™, that's a judgment call made in a meeting. With it, it's a number: 87 out of 100. That's in the critical band. There are active CISA KEV entries attached to Debian 10. That six-month timeline needs to be a conversation — not an assumption.

The score doesn't make the decision. It makes sure the decision is made with the right information, by the right people, at the right time.

Migrate or extend?

Choose migration if you can move to a supported version within 6–12 months without major breaking changes. Migration eliminates the risk permanently and removes ongoing support costs. It's always the preferred long-term answer.

Choose extended support if migration is blocked by third-party dependency incompatibilities, regulatory change-freeze periods, insufficient engineering bandwidth, or complex monorepos where upgrading the runtime requires months of testing. Extended lifecycle support (ELS) from a commercial vendor provides continued CVE patches while you execute a controlled migration.

ELS is a bridge, not a destination. The right answer is always to establish a migration timeline alongside any extended support contract. A score of 80+ means both conversations need to happen today.

Accessing the score

Surface 01
Product pages
Every version page on endoflife.ai displays the current score alongside EOL date, CVE count, and KEV intersections. Free, no signup.
Surface 02
Stack Scanner
Upload package.json, requirements.txt, or Gemfile. Scores returned for every detected dependency version. Instant results.
Surface 03
API — api.endoflife.ai
Free tier: 100 req/day, no auth. Pro tier: $199/month, unlimited, X-API-Key header. Integrate scores into your toolchain, SIEM, or CI/CD pipeline.

Frequently asked questions

What is the EOL Risk Score?
The EOL Risk Score™ is a proprietary composite metric developed by endoflife.ai that runs from 0 to 100. It quantifies how dangerous it is to keep running a specific software version after its end-of-life date. Higher scores indicate higher risk.
How is the EOL Risk Score calculated?
It is a weighted composite of five signals: days elapsed since EOL, CISA KEV intersection count, CVE density adjusted for severity, ecosystem reach, and patch availability from extended support vendors. KEV intersection carries the highest weight as it reflects active real-world exploitation.
What score requires immediate action?
Any component scoring 60 or above warrants escalation. Scores of 80–100 (Critical band) indicate active exploitation, deep EOL status, and wide blast radius. Do not treat a Critical score as a backlog item.
Does a high score mean I must migrate immediately?
A high score means you need to act — but action has two forms. Migration is the preferred long-term path. Extended lifecycle support from a commercial vendor is appropriate when migration is blocked by compatibility, resource, or regulatory constraints. ELS buys time. It is not a substitute for upgrading.
How does the score help with SOC 2, PCI DSS, or ISO 27001?
These frameworks require demonstrable risk prioritization. The EOL Risk Score™ provides a documented, quantifiable basis for that prioritization. Timestamped score snapshots can be used as audit evidence. "We triaged by EOL Risk Score and addressed everything above 70 within 30 days" is a defensible audit answer.
Is the score free to access?
Yes. Scores are free on every product and version page on endoflife.ai. No signup required. The API offers a free tier of 100 requests per day per IP with no authentication. The Pro tier at $199/month provides unlimited API access.

Check your stack's EOL Risk Score™

Free, no signup. 460+ products, 7,500+ versions tracked. Know your risk before your auditor — or your attacker — does.

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.