Zero-Day Attack

Also known as: Zero-Day, 0-day

Exploits a vulnerability unknown to the vendor — or known but not yet patched. Since no fix exists, traditional patch-based defenses are ineffective.

Most cyberattacks exploit known vulnerabilities, ones with published CVEs and available patches. Zero-days are different: they exploit flaws for which no fix yet exists, usually because the vendor does not know about them, so defenders get no window to patch before the flaw is weaponized.

Zero-days are valuable commodities in the offensive security ecosystem. A remote code execution zero-day in a widely deployed product can sell for millions of dollars in both government and criminal markets. As a result, the most dangerous zero-days are typically used in targeted, sophisticated attacks — nation-state espionage, targeted ransomware on high-value organizations — rather than mass exploitation.

Once a zero-day is publicly disclosed (by the discoverer, or after exploitation is observed in the wild), it becomes a "one-day" (also called an "n-day"): a known vulnerability. The race is now between the vendor shipping a patch and organizations applying it, and attackers exploiting the organizations that have not yet done so.

Defense when patching isn't an option

Since you can't patch what doesn't have a patch, zero-day defense relies on layered controls:

Behavioral detection (EDR) — catches the post-exploitation activity that any exploit, known or unknown, has to perform: a document reader or browser spawning a shell or script host, an encoded PowerShell launch, a binary executing from a temp directory. These rules key on behavior, not on which bug was used.

Network segmentation — limits what an attacker can reach even if they get initial access.

Least privilege — reduces the blast radius of any exploit.

NGFW with IPS — can block some exploit traffic even without a vulnerability-specific signature, through protocol anomaly detection and generic exploit-pattern signatures. Coverage is partial: an exploit that stays within protocol norms passes through.
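The behavioral-detection point above, shown as working code. This is an added example and is not code from the original page or from any EDR product. The three rules, the lists of content-handling programs and interpreters, the field layout (loosely modeled on Sysmon process-creation events) and the six sample events are all constructed for illustration; the Word bug the scenario implies is hypothetical and never appears in the telemetry, which is exactly the point: the rules fire on what the payload does afterwards.

```python
"""Behavioural detection of post-exploitation activity, independent of
which vulnerability delivered it.

Added example, not code from the original page or from any EDR vendor.
The rules, field names and sample events are constructed for
illustration; field names loosely follow Sysmon process-creation events
(Image, CommandLine, ParentImage).
"""
import re
from dataclasses import dataclass
from typing import List

# Programs that routinely open attacker-supplied content. An exploit for an
# unknown bug in one of them still has to run something afterwards, and
# that "something" is what the rules below look for.
CONTENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "acrobat.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}

# Interpreters and living-off-the-land binaries that payloads commonly stage through.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

# Executables launched from a temp directory (a typical exploit drop location).
TEMP_DIR = re.compile(r"(?i)[\\/](temp|tmp)[\\/]")


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Alert:
    pid: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[Alert]:
    """Apply every behavioural rule to one event; each rule fires independently."""
    parent = _basename(event.parent_image)
    child = _basename(event.image)
    alerts: List[Alert] = []

    if parent in CONTENT_HANDLERS and child in SUSPICIOUS_CHILDREN:
        alerts.append(Alert(event.pid, "content_handler_spawns_interpreter",
                            f"{parent} -> {child}"))

    if child in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(event.command_line):
        alerts.append(Alert(event.pid, "encoded_powershell", event.command_line))

    if TEMP_DIR.search(event.image):
        alerts.append(Alert(event.pid, "execution_from_temp_dir", event.image))

    return alerts


def scan(events: List[ProcessEvent]) -> List[Alert]:
    """Run the rules over a batch of events, preserving event order."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry: a user opens a malicious document that
# exploits an unspecified (hypothetical) bug in Word. Nothing about the
# exploit itself appears here; only the follow-on behaviour does.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(1002, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(1004, r"C:\Users\alice\AppData\Local\Temp\upd.exe",
                 "upd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(1005, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(1006, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date",
                 r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"pid={a.pid} rule={a.rule} {a.detail}")
```

Run as a script it prints four alerts, all on the three processes Word spawned; the benign Word launch, the services.exe child and the interactive PowerShell from cmd.exe produce nothing. The design choice worth noting is that none of the rules reference a CVE, a file hash or an exploit string, so they keep working when the vulnerability is one nobody has catalogued yet; the trade-off is that each rule needs tuning against the environment's own baseline (some line-of-business add-ins do legitimately spawn cscript.exe from Excel), which is the usual cost of behavioral rather than signature-based detection.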