What Is a Zero Day?
In cybersecurity, “zero day” refers to the window in which a vulnerability is being exploited before defenders have a normal patching advantage.
A zero day is a software vulnerability that is unknown to the vendor, unpatched, or both when attackers begin exploiting it. A zero-day vulnerability is the flaw itself, while a zero-day exploit is the code or technique used to take advantage of that flaw. The reason zero days matter is simple: defenders may have little or no time to patch before abuse starts.
That does not make zero-day attacks unstoppable, but it does make layered defenses more important. For related background, see what is a vulnerability and what is edr.
How a zero day works
A zero day becomes a real security problem when a flaw exists, an attacker can exploit it, and defenders do not yet have a patch or enough notice to protect systems the usual way.
A vulnerability exists first
Every zero day starts as a weakness in software, firmware, a browser, an operating system, a network appliance, or another technology product.
The key issue is timing:
- The flaw exists
- The vendor may not know about it yet, or no fix is available
- Attackers discover or weaponize it before patching catches up
This is what separates a zero day from a normal known vulnerability.
Someone discovers the flaw
A vulnerability can be found by:
- Internal vendor researchers
- Independent security researchers
- Bug bounty participants
- Criminal groups
- State-backed threat actors
Discovery alone is not the problem. The risk depends on whether the flaw is disclosed responsibly, whether exploit code is developed, and whether attackers begin using it before defenders can respond.
An exploit is developed
An exploit is the practical technique used to trigger the flaw and achieve an attacker goal, such as:
- Remote code execution
- Privilege escalation
- Authentication bypass
- Sandbox escape
- Unauthorized data access
- Service disruption
Not every vulnerability becomes a useful exploit. Some are hard to trigger, unreliable, or require multiple conditions. Others are straightforward and highly valuable to attackers, especially if they affect common internet-facing or widely deployed software.
Attackers use it before patching is available
This is the defining moment. Once attackers exploit the vulnerability before defenders can apply a fix, the issue becomes a zero-day risk in the real world.
At that stage, organizations may have to rely on:
- Temporary vendor mitigations
- Network segmentation
- Attack surface reduction
- Application control
- Privilege restriction
- Behavior-based detection
- EDR telemetry and response
- Threat hunting for unusual activity
This is why zero days are dangerous. They remove the simplest answer in security operations: patch the known flaw immediately.
The vulnerability becomes known and manageable
Eventually, the situation changes. The vendor may release:
- A patch
- Configuration workarounds
- Detection guidance
- Logging recommendations
- Temporary mitigations
Once the vulnerability is known publicly and a fix or mitigation exists, it is no longer strictly a zero day. At that point, it is usually referred to as a known vulnerability or, informally, an n-day issue.
Why zero days matter
Zero days matter because they shrink or remove the defender’s normal preparation window.
When a vulnerability is already known and patched, organizations can prioritize remediation through standard vulnerability management. With a zero day, defenders may be forced to react while exploitation is already happening.
That raises the importance of:
- Good asset visibility
- Strong logging
- Endpoint monitoring
- Rapid incident response
- Secure configuration baselines
- Reduced internet exposure
- Least privilege
- Network segmentation
In other words, zero days test the strength of your overall security posture, not just your patch management process.
Common examples of zero-day impact
A zero day can affect many different technologies and lead to different outcomes.
Browser and client application attacks
A zero-day exploit in a browser, messaging app, or document viewer may allow code execution when a user opens malicious content or visits a crafted site.
Internet-facing appliance compromise
A zero day in a VPN, firewall, email gateway, or web application platform can be especially serious because it may give attackers direct remote access to exposed infrastructure.
Privilege escalation on endpoints
Some zero days are used after initial access to move from a normal user context to administrator or system-level control.
Chained attacks
Advanced attackers may chain multiple exploits together. For example, they may use one zero day for initial code execution and another for privilege escalation or sandbox escape.
When you are likely to encounter the term
You will most often hear “zero day” in:
- Vendor emergency advisories
- Threat intelligence reporting
- Incident response investigations
- Media coverage of active exploitation
- Security briefings about major products or platforms
Common situations include:
- A vendor warns that attackers are exploiting a flaw before patches are widely deployed
- Security teams rush to apply emergency mitigations
- Analysts publish threat reports about a previously unknown exploit
- Organizations investigate unusual behavior linked to a widely used platform
- MSPs or internal IT teams ask for urgent exposure reduction on internet-facing systems
For many small and midsize businesses, the practical reality is not discovering a zero day themselves. It is reacting quickly when a vendor, security provider, or trusted advisor says a product they use is under active exploitation.
Zero day vs related terms
Vulnerability
A vulnerability is any weakness that could be exploited. A zero day is a vulnerability defined by timing: defenders do not have a normal patching advantage yet.
Exploit
An exploit is the code or method used to abuse a vulnerability. A zero-day exploit targets a zero-day vulnerability.
N-day vulnerability
An n-day vulnerability is already known publicly, often with a patch available. It may still be dangerous, but it is not a zero day anymore.
Patch
A patch is the vendor’s fix for a vulnerability. Once a patch is available, the issue generally transitions out of zero-day status.
Mitigation
A mitigation is a temporary or compensating control used to reduce risk before a full patch is installed or when patching is delayed.
How organizations reduce zero-day risk
No organization can eliminate zero-day risk completely, but they can reduce exposure and improve response.
Reduce attack surface
Organizations can lower risk by:
- Disabling unnecessary services
- Limiting internet exposure
- Removing outdated software
- Restricting admin access
- Hardening endpoints and servers
Improve detection and response
Because patches may not exist yet, behavior-based detection becomes more valuable. Security teams often depend on EDR, logging, anomaly detection, and threat hunting to spot suspicious activity tied to exploitation or post-exploitation behavior.
Strengthen endpoint and identity hygiene
Basic controls still matter during zero-day events, including:
- Strong unique passwords stored with a password manager like Try 1Password →
- Reputable anti-malware and endpoint protection such as Get Malwarebytes →
- MFA for critical accounts
- Fast isolation of suspicious devices
Protect remote users sensibly
For users handling sensitive work on public or untrusted networks, a VPN such as Check NordVPN pricing → or Try Proton VPN → can improve privacy in transit. It does not stop a zero-day exploit by itself, but it can be a reasonable supporting control for remote work.
Final takeaway
A zero day is a software vulnerability that is unknown to the vendor or unpatched when attackers begin exploiting it. The flaw is the zero-day vulnerability, and the method used to abuse it is the zero-day exploit. What makes zero days important is not just technical severity, but timing: defenders may have no patch lead time at all.
That is why defending against zero-day risk depends on more than patching. Strong visibility, reduced attack surface, layered controls, and fast incident response all matter when the usual patch-first approach is not immediately available.