What is a zero-day attack?
An attack that exploits a vulnerability before the vendor knows about it or has released a patch — "zero days" to fix it.
Zero-day = Attack exploiting an unknown vulnerability
"Zero days" refers to the time developers have had to fix it — zero. What makes a zero-day special isn't the technique but the timing: the attacker strikes in the window before the vendor even knows the hole exists, so there's no patch and signature-based defenses (which only recognize known threats) are blind to it. That's why defense shifts from "block the known bad" to "watch for abnormal behavior."
Timeline:
- Attacker discovers a vulnerability
- Attacker creates an exploit
- The attack occurs before the vendor knows about it
- No patch exists yet, so systems stay exposed until one is released
Why it's dangerous: there's no patch and no signature, so antivirus and a signature-based IPS may not recognize it at all.
Protection therefore relies on catching the effect rather than the known code: behavior-based detection (flagging anomalies), network segmentation (limiting how far it can spread), and defense in depth (layered controls so one bypass isn't fatal).
Memory tip: Zero-day = "Day zero" — the problem is brand new, no fix exists yet.
Go deeper:
Zero-day vulnerability (Wikipedia) — definitive overview: a flaw unknown to the vendor, exploited before any patch exists.
Zero-Day Exploit (SANS glossary) — authoritative security-vendor framing plus the discovery → weaponization → exploitation lifecycle.