CVEDigest

What is a zero-day vulnerability? (And a zero-day exploit)

By Editorial team · 2026-06-14

In short: A zero-day vulnerability is a security flaw that the software vendor does not yet know about or has not yet fixed, meaning defenders have had 'zero days' to prepare a patch. A zero-day exploit is an attack that uses such a flaw before a fix exists. They are dangerous precisely because no official patch is available — but once the vendor releases a fix, it becomes a known 'N-day' vulnerability that you can and should patch promptly.

A zero-day vulnerability is a software security flaw that the vendor does not yet know about, or has not yet released a fix for. The name comes from the defender’s point of view: there have been “zero days” to develop and deploy a patch. If attackers are using it, they are doing so in a window where no official defense exists.

It is one of the most misunderstood terms in security — partly because the word “zero-day” gets attached to three related-but-different things.

Zero-day vulnerability, exploit, and attack: the distinction

| Term | What it is |
| --- | --- |
| Zero-day vulnerability | The underlying flaw itself, unknown to the vendor or unpatched. |
| Zero-day exploit | The technique or code that takes advantage of that flaw. |
| Zero-day attack | The actual use of a zero-day exploit against a real target before a fix exists. |

So a zero-day vulnerability is the hole, the exploit is the tool that fits the hole, and the attack is someone using it. All three share the “zero-day” label because they all happen before a patch is available.

Why are zero-days so dangerous?

Zero-days are feared for a simple reason: the normal defense doesn’t exist yet. With an ordinary vulnerability, the chain is “flaw found → vendor patches → you update.” With a zero-day, attackers are operating before that chain starts. Specifically:

This is why zero-days are highly valuable to sophisticated attackers and are often reserved for high-value targets rather than used in mass campaigns — using one risks “burning” it, because once observed and reported, the vendor can patch it.

Zero-day vs. N-day: the part most people miss

Here is the counterintuitive reality: most successful attacks are not zero-days at all. They are N-days.

An N-day (sometimes “one-day”) vulnerability is one that has already been disclosed and patched — but where many systems remain unpatched “N” days later. The flaw is public, the fix is available, the exploit code may be circulating freely, and attackers simply scan for systems that never applied the update.

| | Zero-day | N-day |
| --- | --- | --- |
| Patch available? | No | Yes |
| Vendor aware? | Often no | Yes |
| Exploit code public? | Usually no | Often yes |
| Who is at risk? | Anyone (no fix exists) | Only those who haven’t patched |
| Relative frequency in breaches | Lower | Much higher |

The practical lesson: while zero-days grab headlines, the biggest, most addressable risk to most organizations is unpatched N-days. A vulnerability that lands on the CISA KEV catalog is, by definition, a known-and-exploited flaw — and patching those promptly closes the window that the vast majority of attackers actually use.
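One way to turn that lesson into a work queue, as an added example that is not part of the original article: it classifies scanner findings as zero-day or N-day and puts KEV-listed, overdue items first. The finding format, the CVE IDs and all dates are constructed placeholders; `cveID`, `dateAdded` and `dueDate` are field names from CISA's KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (cveID, dateAdded,
# dueDate are real field names; the CVE IDs and dates are placeholders).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2099-0001", "dateAdded": "2099-03-01", "dueDate": "2099-03-22"},
  {"cveID": "CVE-2099-0003", "dateAdded": "2099-04-10", "dueDate": "2099-05-01"}
]}"""

# Constructed scanner findings (hypothetical format): patch_released is None
# when no vendor fix exists yet.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-2099-0001", "patch_released": "2099-02-20"},
    {"host": "db-02",  "cve": "CVE-2099-0002", "patch_released": "2099-01-05"},
    {"host": "vpn-01", "cve": "CVE-2099-0003", "patch_released": None},
    {"host": "app-03", "cve": "CVE-2099-0004", "patch_released": None},
]

def triage(findings, kev_json, today):
    """Classify each finding as zero-day or N-day and order the work queue."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = {"host": f["host"], "cve": f["cve"], "in_kev": entry is not None}
        if f["patch_released"] is None:
            # No fix to apply: the action is mitigation, not patching.
            row.update(kind="zero-day", n_days=None, action="mitigate")
        else:
            # N = days the system has stayed unpatched since the fix shipped.
            n = (today - date.fromisoformat(f["patch_released"])).days
            row.update(kind="N-day", n_days=n, action="patch")
        # Overdue applies only to KEV entries, which carry a remediation due date.
        row["overdue"] = bool(entry) and today > date.fromisoformat(entry["dueDate"])
        rows.append(row)
    # Known-exploited first, then overdue, then longest-unpatched N-days.
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], -(r["n_days"] or 0)))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_JSON, date(2099, 4, 15)):
        print(r)
```
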

What happens after a zero-day is discovered?

A zero-day does not stay a zero-day forever. The moment the vendor learns of it and ships a fix, it transitions into a known vulnerability with a CVE identifier and, usually, a CVSS score. From there the race is about how fast defenders patch versus how fast attackers reverse-engineer the fix to attack stragglers. We trace this whole journey in how a CVE goes from disclosure to exploitation.

Can you defend against a zero-day with no patch?

You cannot patch what has no patch — but you are not helpless. Defense-in-depth reduces the blast radius regardless of which specific flaw is used:

These measures don’t make a zero-day impossible, but they shrink its impact and buy time.

Key takeaways

Continue with how a CVE goes from disclosure to exploitation, or learn the foundations in how to read a CVE identifier.

Frequently asked questions

Why is it called a 'zero-day'?

Because the vendor has had zero days to develop and release a patch — the flaw is being used or disclosed before any fix exists. The 'zero' refers to the defender's preparation time, not the attack's age.

What is the difference between a zero-day and an N-day vulnerability?

A zero-day has no available patch yet. An N-day (or 'one-day') is a vulnerability that has been disclosed and patched, but where some systems remain unpatched 'N' days later. Most real-world breaches actually exploit N-days, not zero-days.

Can you defend against a zero-day if there is no patch?

Yes, partially. Defense-in-depth measures — network segmentation, least-privilege access, exploit mitigations, monitoring, and rapid response — reduce the impact even without a specific patch. And once a fix ships, fast patching closes the window.

Are most cyberattacks zero-days?

No. The large majority of successful attacks exploit known, already-patched vulnerabilities (N-days) on systems that were never updated. True zero-days are comparatively rare and valuable, often reserved for high-value targets.

Last updated: 2026-06-14