Cybersecurity Technologies

Exploit

An exploit is a piece of code, a technique, or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior in a system. Exploits are the mechanism through which vulnerabilities become actual security incidents, allowing attackers to gain unauthorized access, execute arbitrary code, escalate privileges, or steal data.

What is an exploit?

An exploit is the bridge between a vulnerability and a security incident. While a vulnerability is a weakness that exists in a system, an exploit is the specific method an attacker uses to take advantage of that weakness.

Exploits exist on a spectrum of sophistication and availability:

  1. Proof-of-concept (PoC). A demonstration that a vulnerability is exploitable, typically published by security researchers. PoCs prove the vulnerability is real but often require modification to work in real-world conditions.
  2. Functional exploit. A working exploit that can reliably compromise vulnerable systems. These may be shared in exploit databases like Exploit-DB or sold in underground markets.
  3. Weaponized exploit. An exploit packaged into malware, ransomware, or attack toolkits for use at scale. This is where vulnerabilities become mass threats.
  4. Zero-day exploit. An exploit targeting a vulnerability that the vendor doesn't know about yet, meaning no patch exists. Zero-days are the most dangerous because defenders have no fix available.

The progression from vulnerability disclosure to weaponized exploit is accelerating.

Why exploits matter for startups

Understanding exploits helps your team make better prioritization decisions. A vulnerability with a known, weaponized exploit is fundamentally different from one that's only theoretical.

  1. Exploit availability changes the risk equation. EPSS (the Exploit Prediction Scoring System) and CISA's KEV (Known Exploited Vulnerabilities) catalog both factor in exploit availability. A CVSS 9.0 vulnerability with no known exploit poses less immediate risk than a CVSS 6.5 vulnerability whose weaponized exploit is being used in active ransomware campaigns. Your prioritization should reflect this.
  2. Exploit kits lower the attacker skill bar. Modern exploit kits package multiple exploits into easy-to-use tools that require minimal technical skill. This means vulnerabilities in your environment aren't just at risk from sophisticated threat actors. They're accessible to anyone who can download a toolkit.
  3. The exploit economy is a market. Zero-day exploits are bought and sold by governments, criminal organizations, and brokers. According to Zerodium's public pricing, zero-day exploits for popular platforms command prices up to $2.5 million. This market incentivizes finding and hoarding exploits rather than reporting them to vendors.
  4. Exploit chains multiply risk. Individual vulnerabilities often look manageable in isolation. But attackers chain exploits together: a low-severity information disclosure reveals an internal endpoint, which has a medium-severity authentication bypass, which provides access to a system with a privilege escalation flaw. Pen testers specialize in finding these chains that automated tools miss.

Frequently asked questions

What is a zero-day exploit?

A zero-day exploit targets a vulnerability that the software vendor doesn't know about and hasn't patched yet. The name "zero-day" refers to the fact that developers have had zero days to fix the issue. Zero-day exploits are the most dangerous category because there's no patch available, and traditional vulnerability scanners can't detect the underlying flaw. Organizations defend against zero-days through layered security: network segmentation limits blast radius, behavioral monitoring detects unusual activity, and least-privilege access prevents lateral movement even if initial access is gained.


What's the difference between an exploit and malware?

An exploit is a technique for taking advantage of a specific vulnerability. Malware is malicious software designed to cause harm (steal data, encrypt files, establish persistence). An exploit is often the delivery mechanism for malware: the exploit breaches the system, then the malware payload does the damage. However, they're distinct concepts. Malware can spread without exploits (through phishing or social engineering), and exploits can be used without deploying malware (for example, exploiting a vulnerability to read sensitive data directly).


How quickly do exploits appear after a vulnerability is disclosed?

The timeline has compressed dramatically. For critical vulnerabilities in widely used software, proof-of-concept exploits often appear within 24 to 48 hours of public disclosure. Weaponized exploits used in real attacks frequently emerge within the first week. This compressed timeline is why patch management speed matters so much: the window between "a patch is available" and "attackers are actively exploiting this" may be only days. Monitoring sources like CISA's KEV catalog and EPSS scores helps teams identify when a vulnerability transitions from theoretical risk to active threat.
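As an added example (not code from this page or its authors), the triage routine below ranks a vulnerability inventory the way the "Why exploits matter" list and this answer argue: KEV membership first, then EPSS, then CVSS alone. The KEV-shaped records, EPSS values and CVE ids are constructed placeholders, and the 0.1 EPSS threshold is an assumed policy setting, not a published standard.

```python
from dataclasses import dataclass

# Constructed sample in the shape of CISA KEV JSON entries (placeholder CVE ids).
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-XXXX-0002", "dateAdded": "2024-01-10",
     "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed inventory: CVSS base score plus EPSS probability (0..1).
INVENTORY = [
    {"cveID": "CVE-XXXX-0001", "cvss": 9.0, "epss": 0.01},
    {"cveID": "CVE-XXXX-0002", "cvss": 6.5, "epss": 0.72},
    {"cveID": "CVE-XXXX-0003", "cvss": 7.8, "epss": 0.35},
]

EPSS_THRESHOLD = 0.1  # assumed policy setting, not a published standard

@dataclass(frozen=True)
class Triage:
    cve_id: str
    tier: str    # P0 is most urgent; tiers sort lexically
    reason: str

def kev_index(kev_json):
    """Map cveID -> KEV entry for constant-time membership checks."""
    return {v["cveID"]: v for v in kev_json["vulnerabilities"]}

def triage(vuln, kev):
    """Exploit evidence outranks raw severity: KEV > EPSS > CVSS."""
    entry = kev.get(vuln["cveID"])
    if entry is not None:  # actively exploited in the wild: patch by KEV due date
        why = f"in KEV, remediate by {entry['dueDate']}"
        if entry.get("knownRansomwareCampaignUse") == "Known":
            why += ", known ransomware use"
        return Triage(vuln["cveID"], "P0", why)
    if vuln["epss"] >= EPSS_THRESHOLD:  # likely to be exploited soon
        return Triage(vuln["cveID"], "P1", f"EPSS {vuln['epss']:.2f}")
    if vuln["cvss"] >= 9.0:  # severe if exploited, but no exploit evidence yet
        return Triage(vuln["cveID"], "P2", f"CVSS {vuln['cvss']}, no exploit evidence")
    return Triage(vuln["cveID"], "P3", "no exploit evidence, lower severity")

def prioritize(inventory, kev_json):
    """Sort by tier, then EPSS, then CVSS, most urgent first."""
    kev = kev_index(kev_json)
    rows = [(triage(v, kev), v) for v in inventory]
    rows.sort(key=lambda r: (r[0].tier, -r[1]["epss"], -r[1]["cvss"]))
    return [t for t, _ in rows]
```

Running `prioritize(INVENTORY, KEV_SAMPLE)` puts the CVSS 6.5 entry in KEV ahead of the CVSS 9.0 entry with no exploit evidence, which is the ordering the text recommends.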

