Hard2bit
Vulnerabilities and threats

Zero-day

What a zero-day is

A zero-day vulnerability is a security flaw in a product that the vendor either does not yet know about or knows about but has not yet released a patch for. The term "zero-day" refers to the number of days since the patch was published: zero. While the window remains open, any attacker who knows of the vulnerability can exploit it against any installation of the product, with no official fix in place. When a zero-day is actively exploited in the wild, it is referred to as a zero-day exploit; when the vulnerability is known but no public exploit exists yet, the term N-day is often used.

Why it matters

Zero-days drive the cybersecurity black market. A reliable exploit against iOS or Chrome can sell for millions. Nation-state groups, organized cybercrime and APT operations use them because they bypass traditional defenses based on known signatures or detection rules. For a defending organization, this means classic antivirus and rule-based SIEM will not detect the zero-day: only behavior-based detection (EDR, NDR), rigorous segmentation and prepared incident response processes make a difference. Under NIS2 and DORA, demonstrating detection capability without prior signatures is one of the points auditors review most closely.

Key points

Typical lifecycle: discovery (legitimate or malicious) → use in operations (days, months or years in silence) → detection by a defender → coordination with the vendor → patch → end of the zero-day period.

Bug bounty programs (HackerOne, Bugcrowd, Zero Day Initiative) buy zero-days to disclose them responsibly to the vendor, competing on price with the black market. It is the legal way to monetize a discovery.

Effective defenses against zero-days are not specific technologies but properties of the environment: least privilege, rigorous segmentation, hardening, behavior-based detection and tested response plans.

Once patched, the zero-day becomes a known CVE. The operational window for attackers against organizations slow to patch can remain open for weeks or months — that is where opportunistic mass attacks come in.

Example: zero-day in a corporate VPN gateway

An organization runs a commercial VPN gateway exposed to the Internet. An APT group discovers an unauthenticated remote-code-execution vulnerability and exploits it for weeks against multiple customers of the product, exfiltrating credentials and moving laterally. The vendor is unaware. One day, an incident response team detects anomalous traffic at one of the customers and reports to the vendor, who issues an emergency patch five days later. The customer with mature EDR and proper segmentation detected the post-exploitation behavior (obfuscated PowerShell launches, LSASS access, C2 beacons) even though it did not detect the initial exploitation. Other organizations without those defenses took weeks to notice — with data already exfiltrated.
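The point of the example is that the customer with mature EDR never saw the exploit itself, only what came after it. The following is an added illustration (not code from the page or from any EDR vendor) of what signature-free, behavior-based triage of endpoint telemetry looks like: it runs three rules over a constructed event stream, flagging PowerShell launched with an obfuscating flag combination, LSASS access by a process outside a (constructed) allow-list, and outbound connections that repeat at a fixed interval. The event shape, process names, addresses and thresholds are all assumptions made for the example.

```python
"""Behavior-based triage over constructed EDR-style telemetry (added example)."""
import base64
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (t_seconds, kind, fields). Nothing here matches
# the initial exploit; the rules look only at post-exploitation behavior.
SAMPLE_EVENTS = [
    (0, "process", {"host": "ws-17", "image": "powershell.exe",
                    "cmdline": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode("Write-Output constructed-sample"
                                       .encode("utf-16-le")).decode()}),
    (5, "process", {"host": "ws-17", "image": "powershell.exe",
                    "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}),
    (12, "process_access", {"host": "ws-17", "image": "rundll32.exe",
                            "target": "lsass.exe"}),
    (13, "process_access", {"host": "ws-17", "image": "MsMpEng.exe",
                            "target": "lsass.exe"}),
] + [
    # Regular 60 s callbacks to one external address: beacon-like.
    (60 * i, "network", {"host": "ws-17", "dst": "203.0.113.9", "port": 443})
    for i in range(1, 7)
] + [
    # Irregular traffic to another address: must not be flagged.
    (t, "network", {"host": "ws-17", "dst": "198.51.100.4", "port": 443})
    for t in (3, 9, 40, 41, 95, 300)
]

# Flags that are individually common but rarely combined in legitimate scripts.
PS_SUSPICIOUS_FLAGS = [
    re.compile(r"(?i)\s-e(nc|ncodedcommand|c)?\s"),        # encoded command
    re.compile(r"(?i)\s-w(indowstyle)?\s+hidden"),          # hidden window
    re.compile(r"(?i)\s-nop(rofile)?\b"),                   # no profile
    re.compile(r"(?i)\s-(ep|executionpolicy)\s+bypass"),    # policy bypass
]
# Processes that normally read LSASS on a Windows host (constructed allow-list;
# tune to what is actually normal in your environment).
LSASS_ALLOWED_READERS = {"MsMpEng.exe", "csrss.exe", "wininit.exe", "svchost.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded -enc payload so the analyst sees what actually ran."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_powershell(f):
    """Rule 1: PowerShell started with two or more obfuscating flags."""
    if f["image"].lower() != "powershell.exe":
        return None
    hits = [p for p in PS_SUSPICIOUS_FLAGS if p.search(f["cmdline"])]
    if len(hits) < 2:
        return None
    return {"rule": "obfuscated_powershell", "host": f["host"],
            "detail": decode_encoded_command(f["cmdline"]) or f["cmdline"]}


def flag_lsass_access(f):
    """Rule 2: a process outside the allow-list opened a handle to LSASS."""
    if f["target"].lower() != "lsass.exe" or f["image"] in LSASS_ALLOWED_READERS:
        return None
    return {"rule": "lsass_access", "host": f["host"], "detail": f["image"]}


def flag_beacons(net_events, min_conns=4, max_jitter=0.15):
    """Rule 3: connections to one destination with near-constant spacing."""
    by_dst = defaultdict(list)
    for t, f in net_events:
        by_dst[(f["host"], f["dst"], f["port"])].append(t)
    findings = []
    for (host, dst, port), times in by_dst.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gaps: ~0 means a fixed timer.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append({"rule": "beaconing", "host": host,
                             "detail": f"{dst}:{port} every ~{mean(gaps):.0f}s"})
    return findings


def triage(events):
    """Apply all rules; return findings in event order, beacons last."""
    findings, net = [], []
    for t, kind, f in events:
        if kind == "process":
            r = flag_powershell(f)
        elif kind == "process_access":
            r = flag_lsass_access(f)
        else:
            net.append((t, f))
            r = None
        if r:
            findings.append(r)
    findings.extend(flag_beacons(net))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

None of the three rules knows anything about the VPN gateway bug; they fire on the same post-exploitation activity whatever the entry point was, which is why this style of detection keeps working during the zero-day window. The thresholds (two flags, four connections, 15 % jitter) are starting points to tune against a baseline of your own telemetry, not universal values.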

Common mistakes

  • Relying on antivirus and signatures to detect zero-days. By definition there is no signature. Effective detection is by behavior, not by known pattern.
  • Thinking 'patch fast' protects. It protects against the zero-day once it stops being one. While it is in active operation known to only a few, the patch does not exist.
  • Not having an up-to-date inventory of exposed products. When a zero-day is published — say, in a VPN gateway, an XML parsing library or a mail server — leadership's first question will be "do we have this?". Without SBOM or a clear inventory, the answer takes days.
  • Not having a tested incident-response plan. The zero-day stresses exactly the processes: communication, disconnect decisions, containment, customer and regulator notification.

Frequently asked questions

What's the difference between zero-day and N-day?

A zero-day is a vulnerability with no public patch available. An N-day is a vulnerability that already has a public patch but remains unapplied on many systems — N represents the days since the patch was published. The practical exploitation window for many opportunistic attackers is N-day, not zero-day.

How are zero-days discovered?

In several ways: legitimate research by security teams or bug bounty programs, internal analysis by vendors, observation of anomalous activity by defenders who report to the vendor, or reverse engineering of traffic and malware captured during espionage operations. The source determines whether the discovery stays silent or is responsibly disclosed.

Is there real defense against zero-day?

No perfect defense, but effective mitigation. The properties that most reduce risk are: least privilege, rigorous segmentation, behavior-based detection, aggressive hardening, tested response processes and zero-trust architecture. No single technology covers the problem, but the combination materially reduces impact.