FortaRisks

Zero-day

A zero-day vulnerability is a security flaw unknown to the vendor or with no available patch at the time it is exploited. Defenders have zero days to prepare: the attack precedes the fix, which makes it one of the hardest threats to counter.

Updated on July 2, 2026

What is a zero-day?

The term zero-day refers to a vulnerability exploited before the software vendor is aware of it or has been able to release a patch. Hence the name: at the moment of attack, defenders have had zero days of lead time to respond.

We distinguish the zero-day vulnerability (the flaw itself), the zero-day exploit (the code that takes advantage of it) and the zero-day attack (its actual use against a target). These flaws are sought after, traded and sometimes sold at high prices on specialized markets.

Why it matters for your organization

A zero-day by definition bypasses defenses that rely on prior knowledge of the threat, such as antivirus signatures or patch lists. That is what makes it formidable and prized by the most advanced attackers.

The stakes therefore shift to speed of response: as soon as exploitation becomes public, a race begins between deploying the patch on one side and mass exploitation on the other. Organizations slow to react find themselves exposed during the most dangerous window.

How to reduce zero-day risk

  • Shrink the attack surface: fewer exposed assets, fewer entry points.
  • Defense in depth: segmentation, least privilege, isolation of critical systems.
  • Behavioral detection: spot abnormal activity rather than known signatures.
  • Fast response: a process able to deploy an emergency patch in hours, not weeks.

Where organizations most often fall short

Many over-invest out of fear of the zero-day while neglecting known, unpatched vulnerabilities, which actually cause most compromises. The other pitfall is the lack of an emergency response plan: once a zero-day goes public, it is too late to improvise an accelerated patch process.

Frequently asked questions

What is the difference between a zero-day and a regular CVE?

A regular CVE is a published vulnerability for which a patch usually exists: the risk is being slow to apply it. A zero-day is exploited before the vendor knows about it or ships a fix. Once patched and catalogued, a former zero-day becomes an ordinary CVE, but it stays dangerous until the patch is deployed everywhere.

How do you defend against a zero-day with no patch?

You cannot patch what has no fix, but you can reduce exposure: network segmentation, least privilege, behavior-based rather than signature-based detection, and monitoring for indicators of compromise. Tracking the CISA KEV catalog also lets you act fast the moment exploitation is confirmed.
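The KEV tracking mentioned above only pays off if it is tied to what you actually run. The following is an added example, not code from FortaRisks: it parses a document in the shape of the CISA KEV JSON feed (the real feed uses the field names `cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction` and `knownRansomwareCampaignUse`), cross-references it against a simple vendor/product asset inventory, and orders the matches by urgency (overdue first, then nearest due date, then known ransomware use). All entries, CVE ids and hosts below are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV feed. The CVE ids, vendors
# and products are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV-format sample",
  "catalogVersion": "0000.00.00",
  "dateReleased": "2026-07-01T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "vulnerabilityName": "ExampleVendor EdgeGateway placeholder flaw",
     "dateAdded": "2026-06-28", "shortDescription": "constructed entry",
     "requiredAction": "Apply vendor mitigations or discontinue use.",
     "dueDate": "2026-07-05", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor", "product": "MailRelay",
     "vulnerabilityName": "OtherVendor MailRelay placeholder flaw",
     "dateAdded": "2026-06-20", "shortDescription": "constructed entry",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "UnrelatedVendor", "product": "Widget",
     "vulnerabilityName": "UnrelatedVendor Widget placeholder flaw",
     "dateAdded": "2026-06-29", "shortDescription": "constructed entry",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-07-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed asset inventory: a hypothetical organization's exposed systems.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "product": "EdgeGateway"},
    {"host": "vpn-02", "vendor": "examplevendor", "product": "edgegateway"},
    {"host": "mail-01", "vendor": "OtherVendor", "product": "MailRelay"},
    {"host": "db-01", "vendor": "ThirdVendor", "product": "DataStore"},
]


def load_kev(raw: str) -> list:
    """Parse a KEV-format JSON document and return its vulnerability entries.

    The feed carries a `count` field; a mismatch with the entry list is a
    sign of a truncated or tampered download, so refuse to continue.
    """
    doc = json.loads(raw)
    entries = doc.get("vulnerabilities", [])
    if doc.get("count") is not None and doc["count"] != len(entries):
        raise ValueError("KEV count field does not match number of entries")
    return entries


def _key(vendor: str, product: str) -> tuple:
    # Normalize so inventory spelling differences do not hide a match.
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(entries: list, inventory: list, today: date) -> list:
    """Return KEV entries that affect inventory assets, most urgent first."""
    hosts_by_product = {}
    for asset in inventory:
        hosts_by_product.setdefault(
            _key(asset["vendor"], asset["product"]), []
        ).append(asset["host"])

    hits = []
    for entry in entries:
        hosts = hosts_by_product.get(_key(entry["vendorProject"], entry["product"]))
        if not hosts:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "hosts": sorted(hosts),
            "due": due,
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })

    # Sort: overdue first, then earliest due date, then known ransomware use.
    hits.sort(key=lambda h: (not h["overdue"], h["due"], not h["ransomware"]))
    return hits


if __name__ == "__main__":
    for hit in match_inventory(load_kev(SAMPLE_KEV_JSON), INVENTORY, date(2026, 7, 2)):
        status = "OVERDUE" if hit["overdue"] else f"{hit['days_left']} day(s) left"
        print(f"{hit['cve']}  {status:>16}  hosts={','.join(hit['hosts'])}  {hit['action']}")
```

In practice the inventory would come from your CMDB or scanner export and the feed from CISA's published JSON; the point is that the match runs automatically on every feed refresh, so the moment exploitation is confirmed you already know which hosts are affected and how much of the remediation window is left.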
