
What Is a Zero-Day? Vulnerabilities, Exploits and Attacks

Zero-days are the vulnerabilities no patch exists for yet. Learn the difference between a zero-day vulnerability, exploit and attack, why they're prized, and how to defend.

A zero-day (also written 0-day) is a software vulnerability that is unknown to the vendor and has no available patch. The name comes from the idea that developers have had "zero days" to fix the flaw before it can be abused. Because there is no fix to apply, zero-days are among the most dangerous threats in cybersecurity and are highly prized by sophisticated attackers and advanced persistent threats.

The term is used loosely, so it helps to separate three related concepts: the vulnerability, the exploit and the attack.

Zero-day vulnerability vs exploit vs attack

  • A zero-day vulnerability is the underlying flaw itself — a bug or weakness in software that no patch yet addresses, often because the vendor doesn't know it exists.
  • A zero-day exploit is the technique or code an attacker develops to take advantage of that vulnerability.
  • A zero-day attack is the act of using that exploit against real targets before a patch is available.

Once the vendor learns of the flaw and releases a fix, the vulnerability is no longer a "zero-day" — it becomes a known, or n-day, vulnerability. But the danger doesn't end there: attackers race to exploit newly patched flaws against organizations that are slow to update.

Why zero-days are so dangerous

Zero-days are uniquely threatening for several reasons:

  • No patch exists. Defenders can't simply update to be safe; they can only mitigate.
  • Signature-based tools may miss them. Because the exploit is new and unknown, antivirus and intrusion-detection signatures often don't recognize it.
  • They enable stealthy, high-impact intrusions. A reliable zero-day in a widely used product can give an attacker access to thousands of organizations before anyone notices.
  • They're valuable. A working zero-day for a popular platform can command large sums from legitimate bug-bounty programs as well as on gray and black markets, fueling a whole economy.

The life of a zero-day

A zero-day typically moves through a window of danger:

  1. Discovery. A researcher or attacker finds the flaw. If a defender finds it first and reports it responsibly, the danger is contained. If an attacker finds it first, the clock starts.
  2. Exploitation in the wild. Attackers weaponize and use it quietly, often against high-value targets.
  3. Detection. Eventually defenders notice the activity — this is where threat intelligence and threat hunting shine.
  4. Disclosure and patch. The vendor is notified and develops a fix.
  5. Patch race. Once the patch and details are public, mass exploitation of unpatched systems often surges before everyone updates.

The most dangerous moment is when a vulnerability is being actively exploited but no patch exists yet — a situation that authorities like CISA flag with urgent advisories.

How to defend against zero-days

You can't patch a flaw nobody knows about, but you can make zero-day attacks far harder and limit their impact:

  • Defense in depth. Layered controls mean a single exploited flaw doesn't lead to total compromise.
  • Behavior-based detection. EDR and analytics that look for malicious behavior — not just known signatures — can catch a zero-day exploit by what it does after landing. This ties to detecting TTPs rather than indicators.
  • Least privilege and segmentation. Limit what a compromised process or account can reach.
  • Rapid patching when fixes arrive. Close the n-day window quickly — most breaches exploit known, unpatched flaws, not true zero-days.
  • Virtual patching. Web application firewalls and IPS can block exploit attempts while you wait for an official fix.
  • Threat intelligence. Knowing the moment a zero-day is being exploited lets you mitigate before you're hit.
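As an added illustration, not code from the original article, of why behavior-based detection catches what signatures miss: the constructed telemetry below contains a never-before-seen payload that no hash list knows about, yet a parent/child process rule still flags it. All process names, hashes and events are constructed for the example.

```python
# Added example (not from the original article): signature matching vs
# behaviour-based detection on constructed endpoint process-creation events.
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known bad" list: the hash of a sample already seen in the wild.
KNOWN_BAD_HASHES = {sha256_hex(b"constructed: previously seen dropper")}

# Constructed process-creation events; "payload" stands in for the launched image bytes.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "winword.exe", "payload": b"constructed: signed office binary"},
    {"id": 2, "parent": "explorer.exe", "image": "update.exe", "payload": b"constructed: previously seen dropper"},
    {"id": 3, "parent": "winword.exe", "image": "powershell.exe", "payload": b"constructed: never-seen-before stage"},
    {"id": 4, "parent": "acrord32.exe", "image": "cmd.exe", "payload": b"constructed: another unseen stage"},
    {"id": 5, "parent": "explorer.exe", "image": "cmd.exe", "payload": b"constructed: admin opens a terminal"},
]

# Document handlers that normally have no business launching a command interpreter.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def signature_detect(events):
    """Indicator-style check: flag only images whose hash is already on the bad list.
    A zero-day stage has no prior hash, so it passes straight through."""
    return [e["id"] for e in events if sha256_hex(e["payload"]) in KNOWN_BAD_HASHES]


def behavior_detect(events):
    """TTP-style check: flag a document handler spawning a command interpreter,
    regardless of whether the spawned binary has ever been seen before."""
    return [
        e["id"] for e in events
        if e["parent"].lower() in DOCUMENT_APPS and e["image"].lower() in COMMAND_INTERPRETERS
    ]


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))  # [2]
    print("behaviour hits:", behavior_detect(EVENTS))   # [3, 4]
```

Event 3 is the zero-day case: the signature check never sees it, while the behavior rule flags it on the same telemetry; event 5 shows the rule is not a blanket alert on every shell launch.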

Zero-days vs known vulnerabilities: the real risk

Zero-days get the headlines, but it's worth keeping perspective: the majority of successful breaches exploit known vulnerabilities for which a patch already existed — organizations simply hadn't applied it. In other words, the disciplined, unglamorous work of fast patching prevents far more incidents than chasing exotic zero-days. The two priorities aren't in conflict: build behavior-based detection to catch the unknowns, and patch relentlessly to eliminate the knowns. For more on prioritizing, see our guide to CVEs and CVSS.

The zero-day market: who finds and buys them

Zero-days don't just appear — they're discovered, developed and, increasingly, bought and sold in a complex economy with several distinct players:

  • Security researchers and bug-bounty hunters find vulnerabilities and report them responsibly, often earning rewards through vendor bug-bounty programs. This is the "white hat" path that gets flaws fixed.
  • Exploit brokers and gray-market vendors purchase working zero-days — sometimes for very large sums — and resell them to governments and other buyers. A reliable exploit for a popular platform can command six or seven figures.
  • Nation-state programs stockpile zero-days for espionage and offensive operations, valuing the stealth that an unpatched flaw provides.
  • Criminal markets trade exploits for financially motivated attacks, including ransomware deployment.

This economy explains why zero-days are so dangerous: there are well-funded incentives to find vulnerabilities and keep them secret rather than report them. The same flaw that a researcher might disclose for a modest bounty could be worth far more to a buyer who wants it kept quiet and weaponized.

It also underscores the value of vulnerability research and responsible disclosure. Every flaw found and fixed by the defensive community is one that can't be sold or exploited. Bug-bounty programs, coordinated disclosure and proactive code auditing all shrink the pool of available zero-days. For defenders, the practical takeaway is twofold: support and reward responsible disclosure where you can, and assume that sophisticated adversaries may hold zero-days you can't anticipate — which is exactly why layered, behavior-based defense and rapid patching of known flaws matter so much. You can't predict the next zero-day, but you can ensure that when one is used against you, it lands in a hardened, well-monitored environment rather than a soft one.

The bottom line

A zero-day is a vulnerability with no patch, exploited before defenders even know it exists — powerful, valuable and hard to stop with signatures alone. The best defense blends layered controls, behavior-based detection and rapid patching once fixes appear. Speed of awareness is critical: the sooner you learn a zero-day is being exploited, the sooner you can mitigate. Our live threat intelligence feed surfaces reporting on actively exploited and zero-day vulnerabilities from dozens of authoritative sources within minutes, ranked by priority.

Frequently asked questions

What is a zero-day vulnerability?

A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch, meaning developers have had "zero days" to fix it. Because no fix exists, attackers can exploit it before defenders can protect against it.

What is the difference between a zero-day exploit and a zero-day attack?

A zero-day exploit is the code or technique that takes advantage of an unpatched vulnerability. A zero-day attack is the act of actually using that exploit against targets before a patch is available.

Why are zero-days so dangerous?

Because no patch exists, defenders can only mitigate, not eliminate the flaw. Signature-based tools often miss the new exploit, and a reliable zero-day in widely used software can let attackers compromise many organizations stealthily before anyone notices.

How can you defend against zero-day attacks?

Use defense in depth, behavior-based detection (EDR) that catches malicious activity rather than known signatures, least privilege and network segmentation to limit impact, virtual patching via WAF/IPS, rapid patching once fixes arrive, and threat intelligence to learn of active exploitation early.