A zero-day vulnerability is a security flaw in software, hardware, or firmware that is unknown to the vendor and therefore has no available patch at the time it is discovered or exploited. The term "zero-day" refers to the zero days defenders have had to remediate it once an exploit begins circulating.
A zero-day vulnerability is a security flaw that is unknown to the vendor responsible for patching it. As NIST defines it, a zero-day attack is "an attack that exploits a previously unknown hardware, firmware, or software vulnerability." Because the vendor has had zero days to develop a fix, any system running the affected software is exposed the moment the vulnerability becomes known to attackers.
The lifecycle of a zero-day follows a predictable, painful arc. A flaw is introduced into code, usually years before anyone notices. At some point, a researcher or, more concerning, a threat actor discovers it. If a threat actor finds it first, they may exploit it quietly for weeks or months before the vendor is ever aware. Once the vendor learns of it, they begin developing a patch, but the race to deploy that patch before mass exploitation is often already lost.
It's worth distinguishing between a zero-day vulnerability and a zero-day exploit. The vulnerability is the underlying flaw. The exploit is the weaponized code or technique that takes advantage of it. A zero-day exploit is the delivery mechanism; the vulnerability is what it exploits. Not every discovered zero-day becomes a weaponized exploit, but those that do tend to move fast.
Zero-days enter circulation through a few paths. Security researchers who discover them typically follow responsible disclosure protocols, notifying the vendor and giving them time to patch before publishing details. Bug bounty programs incentivize this behavior. But not all researchers take the responsible path, and threat actors actively hunt for flaws to weaponize.
Nation-state groups and advanced persistent threat actors often hoard zero-days, using them for targeted espionage campaigns where stealth matters more than scale. Criminal ransomware groups, on the other hand, tend to weaponize zero-days for maximum reach as quickly as possible. In 2023, the Clop ransomware group's exploitation of a zero-day in Progress Software's MOVEit Transfer platform affected hundreds of organizations within days of the flaw becoming public.
The exploitation window has compressed dramatically. According to the Verizon 2024 Data Breach Investigations Report, exploitation of vulnerabilities as an initial access vector nearly tripled year-over-year, driven heavily by attacks on unpatched systems. The median time for mass exploitation of a known vulnerability after public disclosure is now measured in days, not weeks.
Not all zero-days carry equal risk. The severity depends on what they affect and what access they grant an attacker.
Some zero-days require no user interaction; others require the target to open a file or click a link. Remote code execution (RCE) zero-days, which let attackers run arbitrary code without any user interaction, are the most dangerous class.
Most compliance frameworks don't directly audit for zero-day coverage, because by definition zero-days are unknown. What they do require is the operational maturity to respond quickly when new vulnerabilities surface. The SOC 2 Trust Services Criteria require continuous monitoring and a documented patch management process. ISO 27001 Annex A control 8.8 (management of technical vulnerabilities) requires organizations to maintain timely awareness of vulnerabilities and assess their exposure.
In practice, compliance auditors will look at whether you have processes for tracking new CVE disclosures, how quickly you apply emergency patches, and whether your security monitoring can detect exploitation attempts when known signatures don't exist.
Fencer's vulnerability management layer pulls together findings from SCA, SAST, CSPM, and container scanning into a single prioritized view, so when a new zero-day is disclosed in a dependency or cloud configuration, the affected assets surface immediately without requiring manual cross-referencing across tools. Fencer's continuous monitoring tracks your environment against emerging threat intelligence rather than running a scan once and waiting for the next scheduled window. Guided remediation helps teams prioritize and act quickly, which matters most when the exploitation window is measured in days.
Not directly: vulnerability scanners cannot identify a zero-day, because they work by matching software versions and configurations against databases of known vulnerabilities. Since zero-days haven't been discovered or documented yet, they have no entry in those databases. What scanners can do is flag outdated software that may be at higher risk of containing undisclosed flaws, and identify misconfigurations that would make exploitation easier. The realistic defense against zero-days combines fast patching once flaws are disclosed, behavioral monitoring to catch unusual activity, and least-privilege access controls to limit what an attacker can do if exploitation succeeds.
An unpatched vulnerability is a known flaw for which a patch exists but hasn't been applied. A zero-day is a flaw that the vendor doesn't know about yet, so no patch exists at all. Both are dangerous, but they call for different responses. Unpatched vulnerabilities are addressed through patch management and vulnerability scanning. Zero-days require behavioral detection, network segmentation, and rapid response once the vendor discloses the flaw and releases a fix. In practice, the biggest organizational risk is often the gap between when a patch is released and when it gets deployed, which averages 55 days for critical flaws.
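The version matching a scanner performs, and the patch gap it can measure, as an added example in Python (not Fencer's code or any real scanner's). It uses a constructed asset inventory and advisory feed with placeholder CVE ids, product names and dates: hosts below an advisory's fixed version are reported with their exposure window and emergency-patch SLA status, while a host whose product has no advisory (the zero-day case) never produces a finding, no matter how vulnerable it actually is.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    cve_id: str          # placeholder ids, not real CVE numbers
    product: str
    fixed_in: tuple      # first non-vulnerable version
    disclosed: date      # public disclosure date
    patch_released: date # vendor fix available from this date

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple       # installed version as a comparable tuple

# Constructed advisory feed. A zero-day has no entry here by definition,
# which is exactly why version matching can never surface one.
ADVISORIES = [
    Advisory("CVE-0000-0001", "transferd", (2, 1, 4), date(2024, 5, 31), date(2024, 5, 31)),
    Advisory("CVE-0000-0002", "libparse", (1, 9, 0), date(2024, 6, 10), date(2024, 6, 12)),
]

# Constructed inventory. "smtpd" has no advisory, so whatever flaw it
# carries is invisible to this scan (the zero-day case).
ASSETS = [
    Asset("edge-01", "transferd", (2, 1, 3)),
    Asset("edge-02", "transferd", (2, 1, 4)),
    Asset("build-07", "libparse", (1, 8, 2)),
    Asset("mail-03", "smtpd", (4, 0, 0)),
]

TODAY = date(2024, 6, 18)  # fixed "now" so the run is reproducible

def scan(assets=ASSETS, advisories=ADVISORIES, today=TODAY, sla_days=7):
    """Match installed versions against the advisory feed.

    Returns (asset, cve_id, days_exposed, sla_breached) for every host
    running a version below an advisory's fixed_in. days_exposed counts
    from public disclosure; sla_breached is True when the fix has been
    available longer than the emergency-patch SLA and is still missing.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if asset.product == adv.product and asset.version < adv.fixed_in:
                exposed = (today - adv.disclosed).days
                breached = (today - adv.patch_released).days > sla_days
                findings.append((asset.name, adv.cve_id, exposed, breached))
    return findings
```

Tracking the `sla_breached` column over time is the patch-gap metric the paragraph above refers to; the scan itself says nothing about mail-03.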
Yes, smaller and lower-profile organizations are still at risk, for two reasons. First, most zero-day exploitation isn't targeted at specific companies. When ransomware groups or criminal actors exploit a flaw in widely used infrastructure like a file transfer tool or a popular library, they hit every organization running vulnerable software, regardless of size or profile. Second, your customers and partners do care about your security posture, especially if you're selling to enterprises or operating in regulated industries. A breach via an undetected zero-day that you had no monitoring in place to catch is a much harder conversation to have with customers than one where your security controls detected and contained the intrusion quickly.