Zero-Day: What It Is, Why It Is Dangerous and How to Protect Yourself
Every time the news reports a major cyberattack — against an important company, a public infrastructure, a service we use every day — one word inevitably appears: zero-day. It tends to be used as a synonym for “sophisticated and unstoppable attack,” leaving the impression that there is nothing to be done.
The reality is more nuanced. A zero-day is certainly one of the most serious threats in the information security landscape — but understanding what the term truly means helps separate real risk from alarmism, and enables concrete decisions rather than a sense of helplessness.
Table of Contents
- What “zero-day” actually means
- How a zero-day attack works
- Why they are so difficult to defend against
- The black (and grey) market for zero-days
- Who is truly at risk
- What can be done concretely
- FAQ
1. What “Zero-Day” Actually Means
The name comes from a temporal metaphor: the day on which a vulnerability becomes known to the software developers is “day zero.” If the vulnerability is exploited on that day — or before — it means developers have had zero days to prepare and release a fix.
In more precise terms: a zero-day is a vulnerability in software (an operating system, a browser, an application, a plugin) that:
- Exists in the code — it is a real programming error that creates an exploitable weakness
- Is not yet known to the vendor — or is known but not yet corrected
- Can be exploited by an attacker to gain unauthorised access, steal data, or cause damage
The most effective analogy is this: imagine discovering that the lock on your front door has a manufacturing defect that allows it to be opened with a common object. If that discovery is known only to you (or worse, only to the thief), the manufacturer has not had even one day to replace the defective locks. Every door with that lock is vulnerable — and nobody knows it.
2. How a Zero-Day Attack Works
The lifecycle of a zero-day follows roughly the same path every time:
Discovery — A vulnerability is found. The person who finds it could be a security researcher, a hacker, a government agency, or anyone who analyses software code with sufficient attention.
Exploitation — If the vulnerability is discovered by someone with malicious intent, it is turned into an “exploit”: a specific piece of code or technique that leverages that flaw to gain unauthorised access. This exploit can be used directly or sold.
Disclosure (or non-disclosure) — If the vulnerability is found by a responsible researcher, it is privately communicated to the software vendor before being made public, allowing time to develop a patch. If found by an attacker, it is kept secret for as long as possible to maximise exploitation.
Patch — The vendor releases an update that corrects the vulnerability.
Exposure window — The time between discovery or exploitation and the application of the patch by users is when risk is at its highest. For software with hundreds of millions of installations, this window can represent billions of exposed targets.
3. Why They Are So Difficult to Defend Against
The characteristic that makes a zero-day different from any other vulnerability is precisely this: you do not know it exists.
Against a known vulnerability, traditional defences work: install the patch, update the firewall, update antivirus signatures. Against a zero-day, none of these measures are effective — because the flaw is not yet in any detection system’s signatures, the patch does not exist, and no update can correct something that has not yet been identified as a problem.
It is like trying to defend yourself against a disease whose existence is not yet known: the medicines you have do nothing against a pathogen that laboratories have not yet catalogued.
This is also why zero-days are so valuable in the offensive security market — and so feared by those responsible for defence.
4. The Black (and Grey) Market for Zero-Days
Not everyone is aware that a genuine market exists for zero-day vulnerabilities. It is a market that moves considerable sums and operates at multiple levels.
The “grey” market — bug bounties and legitimate researchers: many technology companies pay independent researchers who find vulnerabilities in their products and report them responsibly. Google, Microsoft, Apple, and Meta all have bug bounty programmes offering compensation ranging from a few thousand to hundreds of thousands of dollars for critical vulnerabilities. It is a system that incentivises responsible disclosure.
The black market — exploit brokers and state actors: outside legitimate channels, there is a market where the most critical vulnerabilities — those affecting widely used operating systems such as Windows, iOS, or Android — are sold at prices that can reach several million dollars. Buyers are often government agencies, intelligence services, and organised criminal groups. A zero-day vulnerability on an iPhone can be worth more than a million dollars on the grey market.
This market exists, is documented, and has concrete implications: it means that the most critical vulnerabilities are often exploited for months or years before being disclosed to vendors, because those who possess them have every interest in keeping them secret.
5. Who Is Truly at Risk
Being honest about this point matters, because alarmism does not help anyone make rational decisions.
The highest-value zero-days — those that affect operating systems, browsers, or critical infrastructure and are sold at premium prices — are almost always used in highly targeted attacks: state espionage, attacks on critical infrastructure, operations against specific individuals or organisations. They are not wasted on random attacks, because once used the vulnerability risks being discovered and patched.
Mid-tier zero-days — those that affect widely used software such as CMS platforms, plugins, and common applications — are frequently used in large-scale automated attacks. A zero-day vulnerability in a plugin installed on a million sites quickly becomes the basis of a wave of automated compromises. Here the risk concerns anyone using that software.
The practical distinction: if you are a private individual or a small business, the probability of being targeted by an attack using high-value zero-days is very low. The probability of being affected by zero-days exploiting consumer software — CMS platforms, plugins, unpatched applications — is significantly higher, and grows every year.
6. What Can Be Done Concretely
No defence is 100% effective against a zero-day in software you are currently using, but there are strategies that significantly reduce risk and minimise impact in the event of a compromise.
Reduce the attack surface
Every piece of software running is a potential vector. Every plugin installed, every active application, every service exposed to the internet is a point that could contain an undiscovered vulnerability. The most effective strategy is not to wait for patches — it is to have as little software as possible to patch. Fewer dependencies, smaller attack surface, lower probability of being affected.
This is one of the reasons we prefer developing proprietary solutions for critical functions rather than relying on third-party plugins or libraries: every external dependency is a variable we do not control.
Principle of least privilege
Every user, every service, every system component should have only the permissions strictly necessary to perform its function — and nothing more. This does not prevent an attack, but it limits the blast radius: if one component is compromised, it does not automatically have access to the entire rest of the system.
Segmentation and isolation
In a well-designed system, a compromise in one area does not automatically propagate to others. The database is not directly accessible from the outside, the web server does not have access to administrative areas, logs are isolated and protected from manipulation. This architecture does not block a zero-day — but it contains the damage.
Active monitoring and rapid response
You cannot prevent a zero-day you do not know about. You can, however, detect it quickly once it is under way. A monitoring system that records every access, every file modification, every anomalous server behaviour makes it possible to intercept a compromise in its early stages — before the damage becomes irreversible.
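As an added example (not code from the original article or from any particular product), the following Python script implements the file-modification part of that monitoring: it takes a hash baseline of a web root, re-scans later, and reports files that were added, changed or removed. The directory layout and file contents are constructed for the demonstration; a real deployment would keep the baseline off the monitored host, in line with the point above about isolating logs from manipulation.

```python
"""File-integrity monitoring: snapshot a directory tree, then detect
added, modified and removed files on a later scan.

Added example (not from the original article). The web root, its files
and the simulated post-compromise changes are all constructed here."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the three change sets an analyst wants to review."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Build a constructed web root, baseline it, alter it, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "plugins" / "gallery.php").write_text("<?php // gallery ?>\n")
        (root / "config.php").write_text("<?php $db = 'app'; ?>\n")
        baseline = snapshot(root)

        # Constructed later state: an unexpected file appears in the plugin
        # directory, index.php is altered, and config.php disappears.
        (root / "plugins" / "cache_helper.php").write_text("<?php // unexpected ?>\n")
        (root / "index.php").write_text("<?php echo 'hello (altered)'; ?>\n")
        (root / "config.php").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The value of this check is the baseline, not the hash function: it must be taken from a known-clean state and stored somewhere the web server itself cannot write, otherwise an intruder who alters files can alter the reference too.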
Verified, isolated backups
In the event of a serious compromise, the ability to restore a system to a known clean state quickly is often the difference between a manageable incident and a disaster. Backups must be frequent, regularly tested, and isolated from the primary system — a backup on the same compromised server is useless.
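The "regularly tested" requirement is the one most often skipped, so here is an added Python example (not from the original article) of what a test restore looks like in practice: the backup is written as a compressed archive together with a separate hash manifest, then restored into a scratch directory and every restored file is checked against the manifest. The source files, the archive path and the manifest file name are constructed for the demonstration.

```python
"""Backup with a hash manifest, then a test restore verified file by file.

Added example (not from the original article). The site files, the
archive and the manifest path are constructed for the demonstration."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path, manifest_file: Path) -> dict:
    """Archive src and write {relative path: sha256} to manifest_file.

    The manifest is what makes the backup verifiable; store it apart
    from the archive (and from the backed-up host)."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    manifest_file.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest_file: Path) -> dict:
    """Restore into a fresh directory and compare every file with the manifest."""
    manifest = json.loads(manifest_file.read_text())
    report = {"missing": [], "mismatched": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # restrictive filter (Python 3.12+)
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(dest)
        restored = {p.relative_to(dest).as_posix(): sha256_of(p)
                    for p in dest.rglob("*") if p.is_file()}
        for rel, digest in manifest.items():
            if rel not in restored:
                report["missing"].append(rel)
            elif restored[rel] != digest:
                report["mismatched"].append(rel)
        report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Good backup first, then an archive that no longer matches its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "site"
        (src / "uploads").mkdir(parents=True)
        (src / "index.html").write_text("<h1>site</h1>\n")
        (src / "uploads" / "a.txt").write_text("alpha\n")
        archive, manifest_file = base / "site.tar.gz", base / "manifest.json"

        make_backup(src, archive, manifest_file)
        good = verify_restore(archive, manifest_file)

        # Constructed failure: the archive is regenerated after the source
        # changed, but the manifest kept from the first run is still used.
        (src / "uploads" / "a.txt").write_text("changed\n")
        (src / "uploads" / "b.txt").write_text("extra\n")
        make_backup(src, archive, base / "manifest_new.json")
        bad = verify_restore(archive, manifest_file)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean backup verified:", good["ok"])
    print("stale-manifest backup:", bad)
```

Run this way, a backup is only counted as usable once a restore has actually succeeded and every file hashed as expected; a restore that fails the check is found during the routine test, not during the incident.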
FAQ
Is a zero-day different from a regular virus or malware?
They are not mutually exclusive. Malware can use a zero-day as an entry vector — exploiting the vulnerability to install itself on a system. But they are distinct concepts: a zero-day is a vulnerability in software; malware is the malicious code that the vulnerability may allow to execute. There are zero-days exploited without traditional malware (for direct data access) and malware that does not use zero-days but rather already-known vulnerabilities.
How can I tell if software I use has active zero-day vulnerabilities?
By definition, you cannot know with certainty — if it were already known, it would no longer be a zero-day. What you can do is monitor security feeds such as the NVD (National Vulnerability Database), vendor security bulletins for the software you use, and reports from companies such as CrowdStrike, Mandiant, or Patchstack. When critical vulnerabilities are published, update immediately.
Do antivirus programmes protect against zero-days?
Traditional signature-based antivirus systems do not detect a zero-day because they do not yet have the vulnerability’s signature in their database. Modern behaviour-based endpoint protection systems — which analyse how processes behave rather than looking for known signatures — have better detection capabilities, but offer no guarantee. Protection against zero-days is more effectively achieved through system architecture than through detection tools.
Why don’t companies patch vulnerabilities more quickly?
Developing and testing a patch for a critical vulnerability without introducing new problems takes time — sometimes days, sometimes weeks. For complex, widely deployed software, patches are tested across many different configurations before release. It is a difficult balance between response speed and update stability. Some companies are faster than others — and this is a parameter worth considering when choosing what software to use.
Can a website be compromised via a zero-day without me doing anything wrong?
Yes. This is one of the most frustrating aspects of information security: you can do everything correctly — update, use reliable software, follow best practices — and still be affected by a zero-day in software that does not yet have an available patch. This is precisely why a security architecture cannot rely solely on prevention, but must include detection, containment, and rapid recovery capabilities.
Want to know how reduced the attack surface of your infrastructure is? We analyse your site’s and server infrastructure’s architecture with an approach oriented toward reducing real risk. Contact us
