The name is deceptively simple. A zero-day vulnerability is a security flaw in software, hardware, or firmware that is unknown to the vendor responsible for fixing it. The "zero" refers to the number of days the vendor, and by extension every defender, has had to respond: zero. No patch exists. No advisory has been published. No detection signature has been written.
By the time an organization discovers they've been breached through a zero-day, the attacker has often been inside the network for weeks, months, or longer.
In 2026, zero-days are no longer the exclusive province of nation-state intelligence agencies with unlimited budgets. The market for undisclosed vulnerabilities has matured, tooling has democratized, and AI-assisted vulnerability discovery has compressed the timeline from bug discovery to weaponization in ways that defenders are only beginning to reckon with.
This is what the current threat landscape looks like — and why it's getting harder to defend.
A Brief History of the Zero-Day Economy
To understand where we are, it helps to understand how we got here.
Before 2010, zero-day exploits were rare, expensive, and mostly the domain of government intelligence agencies. The NSA, GCHQ, and their counterparts stockpiled undisclosed vulnerabilities as classified assets. A reliable remote code execution exploit in a widely-deployed product might be used once, carefully, before being burned.
The Stuxnet revelation (2010) changed the public understanding of what state-sponsored zero-day exploitation looked like. The worm used four simultaneous zero-days — an unprecedented number — to sabotage Iranian nuclear centrifuges. It demonstrated that nation-states were not just collecting zero-days; they were deploying them at scale.
The broker market emerged through the 2010s. Companies like Zerodium began publicly publishing acquisition prices for exploits: by 2019 its price list offered up to $2.5 million for a zero-click Android exploit chain, $2 million for the iOS equivalent, and six figures for a Chrome remote code execution bug. This created a legitimate (if ethically murky) market structure that influenced pricing across the grey and black markets.
By the early 2020s, commercial spyware vendors like NSO Group (Pegasus), Intellexa (Predator), and others were operationalizing zero-days into polished products sold to governments and, through them, used against journalists, activists, and dissidents. The Pegasus revelations showed that zero-day-powered surveillance was being deployed industrially, not surgically.
In 2026, the trajectory has continued. The market is larger, more accessible, and increasingly influenced by AI-assisted tooling on both offense and defense.
How Zero-Days Are Found in 2026
Understanding the threat requires understanding the discovery pipeline. Zero-days don't appear from nowhere — they're found through systematic processes that have become significantly more efficient.
Manual Security Research
Elite security researchers — working independently, for bug bounty programs, or for offensive security firms — manually audit codebases, reverse-engineer binaries, and explore attack surfaces. This remains the gold standard for finding complex logical vulnerabilities that automated tools miss.
A skilled researcher might spend weeks or months auditing a single component of a browser engine, kernel subsystem, or network protocol implementation. The reward, if they find something exploitable, can range from a bug bounty payout of tens of thousands of dollars to a broker sale worth millions.
Fuzzing at Scale
Fuzzing — bombarding a program with malformed, unexpected, or random inputs to trigger crashes — has been a staple of vulnerability research for decades. What's changed is scale and sophistication.
Modern coverage-guided fuzzers like AFL++, libFuzzer, and Honggfuzz can run continuously across large cloud infrastructure, exploring program state spaces that would take human researchers lifetimes to traverse manually. Google's OSS-Fuzz project has found thousands of vulnerabilities in open-source software through automated fuzzing since its launch.
In 2026, large organizations run persistent fuzzing infrastructure against their own codebases and, in offensive contexts, against targets of interest.
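The feedback loop that makes coverage-guided fuzzing work is small enough to show in full. What follows is an added example written for this article, not code from AFL++, libFuzzer or any project mentioned here: a mutation fuzzer that records which lines of the target actually execute (sys.settrace stands in for compiler instrumentation) and keeps any input that reaches new code as a seed for further mutation. The target parse_packet, its packet format, the seed corpus and the planted bug (an entry count that is never checked against the bytes actually present) are all constructed for the illustration.

```python
import random
import sys
from dataclasses import dataclass, field

# Constructed fuzz target: a toy binary packet parser with one planted bug.
#   byte 0: magic 0x7F
#   byte 1: kind (1 = text record, 2 = entry list)
#   kind 1: byte 2 = payload length, then the payload
#   kind 2: byte 2 = flags, byte 3 = entry count, then one byte per entry
def parse_packet(data: bytes) -> str:
    if len(data) < 4:
        return "short"
    if data[0] != 0x7F:
        return "bad magic"
    kind = data[1]
    if kind == 1:
        length = data[2]
        payload = data[3:3 + length]
        if len(payload) != length:
            return "truncated"
        return "text:%d" % sum(payload)
    if kind == 2:
        flags, count = data[2], data[3]
        entries = data[4:]
        if flags & 0x80:
            total = 0
            for i in range(count):      # BUG: count is never checked against len(entries)
                total += entries[i]     # IndexError here is the Python analogue of an OOB read
            return "packed:%d" % total
        return "raw:%d" % len(entries)
    return "unknown kind"

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary values, as AFL's dictionary would supply

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One AFL-style mutation: bit flip, random byte, small arithmetic,
    interesting value, or insert/delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 4:
        if buf and (len(buf) >= 64 or rng.random() < 0.5):
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        i = rng.randrange(len(buf))
        if op == 0:
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf[i] = rng.randrange(256)
        elif op == 2:
            buf[i] = (buf[i] + rng.choice([-4, -3, -2, -1, 1, 2, 3, 4])) & 0xFF
        else:
            buf[i] = rng.choice(INTERESTING)
    return bytes(buf)

def run_with_coverage(target, data: bytes):
    """Run target(data) under a line tracer. Returns (set of executed line numbers
    inside target, exception or None). Stands in for AFL++'s edge map."""
    covered = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        return covered, None
    except Exception as exc:        # a crash, in the fuzzing sense
        return covered, exc
    finally:
        sys.settrace(None)

@dataclass
class FuzzResult:
    corpus: list = field(default_factory=list)    # inputs that reached new code
    crashes: dict = field(default_factory=dict)   # (exception, line) -> first input that triggered it
    iterations: int = 0

def fuzz(target, seeds, max_iters=20000, seed=1) -> FuzzResult:
    rng = random.Random(seed)       # fixed seed so a run is reproducible
    res, global_cov = FuzzResult(), set()
    for s in seeds:
        cov, _ = run_with_coverage(target, s)
        res.corpus.append(s)
        global_cov |= cov
    for it in range(1, max_iters + 1):
        res.iterations = it
        child = mutate(rng.choice(res.corpus), rng)
        cov, exc = run_with_coverage(target, child)
        if exc is not None:
            tb = exc.__traceback__
            while tb.tb_next:
                tb = tb.tb_next
            res.crashes.setdefault((type(exc).__name__, tb.tb_lineno), child)
            break                   # stop at the first crash; a real fuzzer keeps going
        if not cov <= global_cov:   # new coverage: keep the input as a seed
            res.corpus.append(child)
            global_cov |= cov
    return res

# Constructed seed corpus: one valid packet of each kind.
SEEDS = [bytes([0x7F, 1, 3, 0xAA, 0xBB, 0xCC]), bytes([0x7F, 2, 0x00, 2, 0x11, 0x22])]

if __name__ == "__main__":
    r = fuzz(parse_packet, SEEDS)
    print("iterations:", r.iterations, "corpus size:", len(r.corpus))
    for key, inp in r.crashes.items():
        print("crash", key, "input", inp.hex())
```

The crash input it reports replays as an IndexError. The unchecked count is only reachable through two mutations (set the high flag bit, then raise the count or drop an entry byte), and the intermediate input is kept only because it reached lines no earlier input had; that is the whole argument for coverage feedback over blind random input.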
AI-Assisted Vulnerability Discovery
This is where the threat landscape has shifted most dramatically in recent years.
Large language models trained on code — and increasingly, models trained specifically on security-relevant data — are now capable of:
Identifying patterns associated with known vulnerability classes (buffer overflows, use-after-free, integer overflows, SQL injection, format string bugs) across large codebases faster than human review
Augmenting fuzzers with semantic understanding, generating more targeted inputs that reach deep program states
Analyzing patches to infer the shape of a fixed vulnerability and work backward to find similar unpatched instances in related codebases
Automating exploit development from proof-of-concept to weaponized payload with less human intervention
The democratization concern here is real. Tasks that previously required PhD-level expertise in vulnerability research are becoming more accessible to actors with modest technical skills and access to the right AI tooling. The bar to entry for zero-day discovery is not dropping to zero — but it is dropping.
Supply Chain and Dependency Analysis
Modern software is an archipelago of dependencies. A typical enterprise application may pull in hundreds of third-party libraries, each of which has its own dependency tree. Attackers increasingly look for vulnerabilities not in the target application itself, but in shared components used by thousands of applications simultaneously.
Finding a zero-day in a widely-deployed logging library, compression codec, or cryptographic implementation is vastly more valuable than finding one in a single application — it's a skeleton key, not a single door.
The Exploit Lifecycle: From Discovery to Deployment
A zero-day's journey from discovery to weaponization follows a recognizable arc, though the timeline has compressed significantly.
[Discovery]
│
▼
[Triage & Reproduction] ──── "Is this actually exploitable?"
│
▼
[Exploit Development] ────── Days to months (now often weeks with AI tooling)
│
▼
[Weaponization] ──────────── Packaging into a reliable, deployable payload
│
├──► [Broker Sale] ────── Sold to government/commercial spyware operators
│
├──► [Internal Use] ───── Nation-state actor deploys against priority targets
│
└──► [Criminal Use] ───── Ransomware operators, espionage, financial theft
│
▼
[Discovery by Defender or Researcher] ──── The clock starts NOW for the vendor
│
▼
[Patch Development & Release] ────────── Days to months
│
▼
[Patch Adoption] ─────────────────────── Weeks to years (the real problem)
The gap between Discovery by Defender and Patch Adoption is where most damage occurs. Even after a patch exists, organizations with large, complex infrastructure may take weeks or months to deploy it — and some never do.
Who Is Using Zero-Days in 2026, and Why
The threat actor landscape is more diverse than ever.
Nation-State Actors
Governments remain the most sophisticated zero-day operators. Agencies such as the NSA (US), the SVR and FSB (Russia), the MSS and the contractor groups it works through, tracked as APT41 among others (China), and Unit 8200 (Israel) maintain substantial offensive cyber capabilities that rely on undisclosed vulnerabilities.
Their motivations are strategic: intelligence collection, pre-positioning in critical infrastructure for potential future use, sabotage of adversary capabilities, and — increasingly — economic espionage.
What's notable in 2026 is the willingness of some state actors to deploy zero-days more aggressively and with less concern for operational security than in prior years. The implicit norm of "don't burn your best capabilities on low-priority targets" appears to be eroding.
Commercial Spyware Operators
The Pegasus/Predator ecosystem, despite legal pressure and sanctions against some vendors, has not collapsed. New vendors have emerged to serve the same market of government customers who want to surveil specific individuals without their knowledge.
These operators are now major consumers of the zero-day broker market. A commercial spyware product lives and dies on its ability to silently compromise a target device, which requires zero-click exploits (no user interaction) and zero-days (no patch available, and usually no detection either). When Apple or Google patches the underlying vulnerability and updates detection rules, the product loses capability until new zero-days can be acquired.
This creates a continuous procurement cycle that sustains the commercial zero-day market.
Ransomware and Financially Motivated Actors
Ransomware operators have historically relied on known vulnerabilities and social engineering rather than zero-days — the economics don't favor spending millions on an exploit when phishing works fine.
But the most sophisticated ransomware groups have begun acquiring or developing zero-days, particularly for network appliances (VPN gateways, edge routers, firewalls) where a single exploit gives immediate network access without requiring a user to click anything.
Vulnerabilities in products like Ivanti, Fortinet, Citrix, and Palo Alto Networks appliances have been exploited as zero-days with distressing frequency in recent years. These devices sit at the perimeter, are often poorly monitored, and grant enormous access.
Bug Hunters and Independent Researchers
Not every zero-day discoverer has malicious intent. Independent security researchers find zero-days and face a choice: responsible disclosure to the vendor (often slow, sometimes unrewarded), bug bounty programs (faster, but payouts rarely approach broker prices for critical bugs), or sale to brokers.
The tension between the financial incentives for not disclosing and the ethical imperative to disclose is a structural problem the security industry hasn't solved.
Why Patches Exist But Don't Help (Fast Enough)
The cynical view of software security is that patches are announced faster than they're applied. The data supports this view uncomfortably well.
Consider the lifecycle of a critical vulnerability in enterprise software:
Day 0: Vendor publishes patch and advisory
Day 1–7: Security teams triage — is this software in our environment? What version? Is the mitigating configuration in place?
Day 7–30: Change management process begins — testing the patch in staging, scheduling downtime, coordinating with operations teams
Day 30–90: Patch deployed to most systems (in well-run organizations)
Day 90–365+: Patch deployed to legacy systems, forgotten assets, shadow IT
Never: Some systems are never patched
Attackers know this timeline intimately. The period immediately following public disclosure of a critical vulnerability — even one that now has a patch — is the most dangerous window. Mass exploitation of newly disclosed vulnerabilities often begins within days of patch release, and for internet-facing appliances sometimes within hours, because the patch itself tells attackers where to look.
This means even "known" vulnerabilities function like zero-days for organizations that haven't yet patched. The distinction between a zero-day and an n-day (a vulnerability with an existing patch) is largely theoretical for organizations with slow patch cycles.
The AI Acceleration Problem
The integration of AI into offensive security tooling represents the most significant shift in the zero-day threat landscape in the past two years.
Historically, exploit development was a bottleneck. Finding a vulnerability is one thing; turning it into a reliable, weaponized exploit that works across multiple OS versions, bypasses memory protections like ASLR and DEP/NX, and achieves meaningful post-exploitation capabilities is genuinely hard. It requires deep expertise and significant time.
AI tooling is eroding that bottleneck:
Automated patch diffing: AI systems can analyze before/after code changes in a security patch, infer the vulnerability that was fixed, and generate candidate exploits for similar patterns in unpatched software — sometimes in hours rather than days
Exploit primitive chaining: LLMs trained on exploit development techniques can suggest how to chain multiple smaller primitives (information leak → heap spray → ROP chain) into a complete exploit
Obfuscation and evasion: AI-generated payloads are more varied and harder for signature-based detection to catch than manually-written exploits
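The mechanical core of patch diffing, described in the list above and earlier under AI-Assisted Vulnerability Discovery, can be shown without any model at all. What follows is an added example written for this article, not code from any tool or vendor named here: it diffs the pre- and post-patch versions of a C function, recognises an inserted if guard and the call it now protects, notes which argument of that call the guard constrains, and then scans a second file for calls to the same sink whose equivalent argument was never checked. The C snippets are constructed, and the scanner is a deliberately crude stand-in for the dataflow queries that variant-analysis tooling (or an LLM prompted with the diff) would run; it tracks identifiers by name, not by value.

```python
import difflib
import re

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
CALL = re.compile(r"\b(\w+)\s*\((.*)\)\s*;")    # a call statement: name(args);
C_KEYWORDS = {"if", "else", "for", "while", "return", "sizeof"}

# Constructed pre-/post-patch versions of one function (not from any real project).
BEFORE = """\
int read_record(const uint8_t *buf, size_t buf_len, struct record *out) {
    uint16_t len = get_u16(buf);
    memcpy(out->data, buf + 2, len);
    return 0;
}
"""
AFTER = """\
int read_record(const uint8_t *buf, size_t buf_len, struct record *out) {
    uint16_t len = get_u16(buf);
    if (len > RECORD_MAX || len + 2 > buf_len)
        return -1;
    memcpy(out->data, buf + 2, len);
    return 0;
}
"""
# Constructed second file: one guarded and one unguarded use of the same sink.
OTHER_SOURCE = """\
int copy_name(const uint8_t *buf, size_t buf_len, char *name) {
    uint8_t n = buf[0];
    memcpy(name, buf + 1, n);
    return 0;
}

int copy_tag(const uint8_t *buf, size_t buf_len, char *tag) {
    uint8_t n = buf[0];
    if (n > TAG_MAX || n + 1 > buf_len)
        return -1;
    memcpy(tag, buf + 1, n);
    return 0;
}
"""

def split_args(s: str):
    return [a.strip() for a in s.split(",")]    # naive: ignores nested commas

def patched_sinks(before: str, after: str):
    """Diff two versions of a function. For every inserted block that is an `if` guard
    placed directly before a call present in both versions, return (sink name,
    index of the call argument whose identifiers the guard mentions)."""
    b, a = before.splitlines(), after.splitlines()
    found = []
    for tag, _, _, j1, j2 in difflib.SequenceMatcher(None, b, a).get_opcodes():
        if tag != "insert" or j2 >= len(a):
            continue
        guard = " ".join(a[j1:j2]).strip()
        call = CALL.search(a[j2])           # the first unchanged line after the insertion
        if not guard.startswith("if") or not call:
            continue
        guard_ids = set(IDENT.findall(guard)) - C_KEYWORDS
        for idx, arg in enumerate(split_args(call.group(2))):
            if set(IDENT.findall(arg)) & guard_ids:
                found.append((call.group(1), idx))
    return found

def find_unguarded_calls(source: str, sink: str, arg_index: int):
    """Scan a source file for calls to `sink` whose argument at `arg_index` is not
    mentioned by any earlier `if`/`while` condition in the same function body."""
    hits, checked, depth = [], set(), 0
    for lineno, line in enumerate(source.splitlines(), 1):
        if depth == 0 and "{" in line:
            checked = set()                  # entering a new top-level body
        depth += line.count("{") - line.count("}")
        if re.match(r"\s*(if|while)\s*\(", line):
            checked |= set(IDENT.findall(line)) - C_KEYWORDS
        call = CALL.search(line)
        if call and call.group(1) == sink:
            args = split_args(call.group(2))
            if arg_index < len(args) and not (set(IDENT.findall(args[arg_index])) & checked):
                hits.append((lineno, line.strip()))
    return hits

if __name__ == "__main__":
    for sink, idx in patched_sinks(BEFORE, AFTER):
        print(f"patch added a check on argument {idx} of {sink}()")
        for lineno, text in find_unguarded_calls(OTHER_SOURCE, sink, idx):
            print(f"  candidate variant at line {lineno}: {text}")
```

The point of the exercise is the asymmetry: once a single guard has been identified, every other call site that lacks it becomes a candidate, and that search scales in a way manual review does not.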
The defensive side has AI too — and there's active work on AI-assisted vulnerability discovery and automated patching. But the asymmetry of offense vs. defense means that an attacker only needs to find one way in, while a defender needs to close every hole.
Detection: How Defenders Catch Zero-Days in Flight
Since zero-days have no patch and no prior signature, patch management cannot help against them and signature-based antivirus is blind to the exploit itself. Detection requires a different posture.
Behavioral Detection
Instead of looking for known-bad code (signatures), behavioral detection looks for known-bad actions. An exploit, regardless of what bug it uses, must eventually:
Allocate and execute memory in unusual ways
Make unexpected system calls
Escalate privileges
Write to sensitive filesystem locations
Establish unexpected network connections
EDR (Endpoint Detection and Response) platforms — CrowdStrike, SentinelOne, Microsoft Defender for Endpoint — operate primarily on behavioral signals and can detect zero-day exploitation in progress, even when the specific vulnerability is unknown.
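As an added example (not taken from any EDR product or from the article's author), here is a small detector that applies three of those behavioral rules to a stream of endpoint events: a process that faces untrusted input (browser, mail client, web daemon) spawning a shell, a persistence write by a direct child of such a process, and an RWX memory allocation followed within 30 seconds by an outbound connection from the same process. The JSON telemetry format, the host names, the rule tables and the sample events are all constructed for the illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed rule tables (an EDR ships far larger ones and tunes them per fleet).
FRONT_ENDS = {"chrome.exe", "winword.exe", "outlook.exe", "httpd", "nginx"}   # face untrusted input
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "/bin/sh", "/bin/bash", "/bin/dash"}
SENSITIVE_PREFIXES = ("/etc/cron.d/", "/etc/ld.so.preload", "/etc/rc.local",
                      "C:\\Windows\\System32\\Tasks\\")
RWX_TO_CONNECT_WINDOW = timedelta(seconds=30)

def detect(lines):
    """Apply three behavioral rules to JSON-lines endpoint telemetry (format constructed
    for this example). Returns a list of (rule, host, pid, detail) in event order."""
    procs = {}    # (host, pid) -> {"image": ..., "parent": image of the parent}
    rwx = {}      # (host, pid) -> time of the most recent RWX allocation
    alerts = []
    for line in lines:
        ev = json.loads(line)
        key = (ev["host"], ev["pid"])
        t = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process_create":
            # Parent lookup only works for processes whose creation we observed.
            parent = procs.get((ev["host"], ev["ppid"]), {}).get("image", "<unobserved>")
            procs[key] = {"image": ev["image"], "parent": parent}
            if parent in FRONT_ENDS and ev["image"] in SHELLS:
                alerts.append(("shell_from_front_end", ev["host"], ev["pid"],
                               f"{parent} spawned {ev['image']}"))
        elif ev["event"] == "memory_protect" and ev["protection"] == "RWX":
            rwx[key] = t
        elif ev["event"] == "network_connect":
            last = rwx.get(key)
            if last is not None and t - last <= RWX_TO_CONNECT_WINDOW:
                alerts.append(("rwx_then_connect", ev["host"], ev["pid"],
                               f"RWX at {last.time()} then connect to {ev['dst']}"))
        elif ev["event"] == "file_write":
            parent = procs.get(key, {}).get("parent")
            if ev["path"].startswith(SENSITIVE_PREFIXES) and parent in FRONT_ENDS:
                alerts.append(("persistence_from_front_end", ev["host"], ev["pid"],
                               f"{parent} child wrote {ev['path']}"))
    return alerts

# Constructed sample telemetry: an edge appliance whose web daemon is exploited, and a
# workstation whose browser stages shellcode. 203.0.113.7 is a documentation address.
SAMPLE_TELEMETRY = [
    '{"ts":"2026-03-02T09:00:00","host":"vpn-edge-1","event":"process_create","pid":100,"ppid":1,"image":"httpd"}',
    '{"ts":"2026-03-02T09:00:05","host":"ws-017","event":"process_create","pid":3000,"ppid":900,"image":"chrome.exe"}',
    '{"ts":"2026-03-02T09:00:30","host":"ws-017","event":"file_write","pid":3000,"path":"C:\\\\Users\\\\ann\\\\AppData\\\\Local\\\\cache.bin"}',
    '{"ts":"2026-03-02T09:01:10","host":"vpn-edge-1","event":"process_create","pid":4312,"ppid":100,"image":"/bin/sh","cmdline":"sh -c id"}',
    '{"ts":"2026-03-02T09:01:11","host":"vpn-edge-1","event":"file_write","pid":4312,"path":"/etc/cron.d/update"}',
    '{"ts":"2026-03-02T09:02:00","host":"ws-017","event":"memory_protect","pid":3000,"protection":"RWX","size":65536}',
    '{"ts":"2026-03-02T09:02:07","host":"ws-017","event":"network_connect","pid":3000,"dst":"203.0.113.7:443"}',
    '{"ts":"2026-03-02T09:02:30","host":"ws-017","event":"process_create","pid":3100,"ppid":3000,"image":"chrome.exe"}',
    '{"ts":"2026-03-02T09:10:00","host":"ws-017","event":"memory_protect","pid":3000,"protection":"RWX","size":4096}',
    '{"ts":"2026-03-02T09:15:00","host":"ws-017","event":"network_connect","pid":3000,"dst":"203.0.113.7:443"}',
    '{"ts":"2026-03-02T09:20:00","host":"ws-017","event":"process_create","pid":3200,"ppid":3000,"image":"powershell.exe"}',
]

if __name__ == "__main__":
    for rule, host, pid, detail in detect(SAMPLE_TELEMETRY):
        print(f"{host} pid={pid} {rule}: {detail}")
```

Two caveats a practitioner would add. The parent lookup only works for processes whose creation was observed, so a real agent enumerates running processes at start-up rather than treating an unknown parent as benign. And JIT-heavy processes such as browsers allocate RWX memory legitimately, so the memory rule is a correlation signal that needs per-image tuning, not an alert on its own; note that the second RWX allocation in the sample, five minutes before its connection, correctly produces nothing.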
Memory Safety Technologies
A significant class of zero-day vulnerabilities — buffer overflows, use-after-free, out-of-bounds reads — stem from memory-unsafe code, primarily C and C++. Hardware and software mitigations (ASLR, stack canaries, Control Flow Integrity, Memory Tagging Extension on ARM) raise the cost of exploitation without fixing the underlying bugs.
The industry-wide push toward memory-safe languages (Rust, Go, Swift) is a long-term structural defense. The NSA, CISA, and their international equivalents have all published guidance encouraging migration away from C/C++ for new development. This is generational work — the existing C/C++ codebase will be with us for decades — but its impact on the zero-day attack surface will be significant over time.
Threat Intelligence and Sharing
Zero-days are finite. When one is discovered and reported — whether by a researcher, a vendor's security team, or a forensic investigation following a breach — that information becomes valuable to the defense community.
Organizations like CISA (Cybersecurity and Infrastructure Security Agency), MITRE (CVE/ATT&CK), and threat intelligence vendors maintain and share data on observed exploitation techniques. When a zero-day is burned — used in an attack that gets detected and analyzed — the resulting intelligence benefits defenders globally.
The challenge is that the best zero-days are never burned in ways that allow forensic analysis. They're used against high-value, isolated targets where the attacker is confident there's no telemetry going anywhere useful.
Case Studies: Zero-Days That Defined Recent Years
Ivanti Connect Secure (2024–2025)
Multiple zero-day vulnerabilities in Ivanti's VPN product were exploited by state-linked actors before patches were available. The vulnerabilities allowed unauthenticated remote code execution on a device sitting at the network perimeter — a worst-case scenario. The exploitation was widespread, affecting government agencies, critical infrastructure operators, and enterprises globally before Ivanti issued patches and CISA issued emergency directives.
What made this particularly instructive: the integrity checking tool Ivanti provided to detect compromise was itself circumventable. Detection was harder than it should have been, and many organizations didn't know they were compromised until weeks later.
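The weakness that class of tool can have is easy to show. What follows is an added example written for this article; it is not Ivanti's integrity checker and makes no claim about how that tool was evaded. It models an appliance's filesystem as a dict, hashes it into a manifest, and compares two checkers against a compromised image: one that reads its exclusion list from the device it is checking, and one that carries its baseline and exclusions on trusted media. The paths, file contents, backdoor and webshell are all constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(fs: dict) -> dict:
    """path -> SHA-256 of content. A dict stands in for the appliance filesystem."""
    return {path: sha256(content) for path, content in fs.items()}

def compare(baseline: dict, current: dict, excluded=()) -> dict:
    """Diff two manifests, ignoring paths under any excluded prefix."""
    ex = tuple(excluded)
    base = {p: h for p, h in baseline.items() if not p.startswith(ex)}
    cur = {p: h for p, h in current.items() if not p.startswith(ex)}
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "modified": sorted(p for p in base.keys() & cur.keys() if base[p] != cur[p]),
    }

def is_clean(report: dict) -> bool:
    return not any(report.values())

# Constructed golden image of a small appliance. Note the exclusion list shipped on the device.
GOLDEN = {
    "/opt/app/bin/webd": b"\x7fELF golden web daemon",
    "/opt/app/cgi/login.py": b"def login(u, p):\n    return check(u, p)\n",
    "/opt/app/etc/ict-exclude": b"/var/log/\n/tmp/\n",
    "/var/log/webd.log": b"boot ok\n",
}

# Constructed post-compromise state: backdoored login, dropped webshell, and an exclusion
# list the attacker has extended to hide both (and to hide the edit to the list itself).
COMPROMISED = {
    "/opt/app/bin/webd": GOLDEN["/opt/app/bin/webd"],
    "/opt/app/cgi/login.py": b"def login(u, p):\n    return p == 'x' or check(u, p)\n",
    "/opt/app/cgi/.cache.py": b"import os; os.system(query['c'])\n",
    "/opt/app/etc/ict-exclude": b"/var/log/\n/tmp/\n/opt/app/cgi/\n/opt/app/etc/\n",
    "/var/log/webd.log": b"boot ok\nlogin ok\n",
}

BASELINE = build_manifest(GOLDEN)             # in practice: shipped and signed by the vendor
TRUSTED_EXCLUSIONS = ("/var/log/", "/tmp/")   # baked into the checker, not read from the device

def on_device_check(fs: dict) -> dict:
    """Weak pattern: the checker reads its exclusion list from the filesystem it is checking."""
    excl = fs.get("/opt/app/etc/ict-exclude", b"").decode().split()
    return compare(BASELINE, build_manifest(fs), excluded=excl)

def offline_check(fs: dict) -> dict:
    """Stronger pattern: baseline and exclusions come from media the attacker cannot edit."""
    return compare(BASELINE, build_manifest(fs), excluded=TRUSTED_EXCLUSIONS)

if __name__ == "__main__":
    print("on-device:", on_device_check(COMPROMISED))
    print("offline:  ", offline_check(COMPROMISED))
```

Even the offline variant trusts the hashes it computes on the device, so a kernel-level implant can still lie to it. The version that survives a capable attacker pulls the disk image off the box and hashes it from a known-good system, which is why the usual advice for a suspected-compromised edge device is to rebuild it from a clean image rather than trust any check that ran on the box.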
MOVEit Transfer (2023)
The SQL injection zero-day in Progress Software's MOVEit Transfer product, exploited by the Cl0p ransomware group, affected well over two thousand organizations and tens of millions of individuals, directly or through downstream vendors, before it was patched. The exploitation pattern was mass and automated: attackers swept the internet for exposed MOVEit instances and exfiltrated data from all of them before the vulnerability was public.
This case illustrated how a single zero-day in widely-deployed enterprise software can generate enormous collateral damage in a very short window.
What Organizations Can Do
No defense is perfect against a sophisticated zero-day attack. But reducing exposure and impact is achievable.
Reduce attack surface: Every internet-exposed service is a potential zero-day vector. Services that don't need to be internet-exposed shouldn't be. Legacy systems that can't be patched should be isolated or decommissioned.
Assume breach: Organizations that operate under the assumption that sophisticated attackers may already be inside invest differently in detection, segmentation, and response. Zero trust architecture — where no network location is inherently trusted and every access request is authenticated and authorized — limits what an attacker can do after initial compromise.
Prioritize patch velocity: The window between patch release and exploitation is measured in days. Organizations that can patch critical internet-facing systems within 24–48 hours of a critical advisory are meaningfully safer than those with 30-day patch cycles.
Invest in behavioral detection: EDR platforms, network traffic analysis, and SIEM correlation are the realistic mechanisms for detecting zero-day exploitation in progress. This requires both tooling and the human expertise to tune and respond to alerts.
Threat modeling: Understanding which assets are most likely to be targeted — and by whom — allows prioritization. Not every organization is a target for nation-state zero-day exploitation. Knowing your actual threat model helps allocate defense resources rationally.
The Uncomfortable Equilibrium
There is something structurally broken about the current situation. Software vendors have strong financial incentives to ship features and limited incentives to invest in security — at least until a breach generates headlines. Governments simultaneously defend against zero-days and stockpile them as offensive weapons. The commercial spyware industry provides cover for authoritarian governments to surveil their populations with tools that began as legitimate law enforcement technology.
Reform proposals abound: mandatory vulnerability disclosure timelines, tighter regulation of commercial spyware vendors, government drawdown of zero-day stockpiles, increased investment in memory-safe languages and formally-verified software. Some of these are making slow progress. None are close to resolving the fundamental tension between offense and defense.
What's clear is that zero-days are not an edge case. In 2026, they are a routine instrument of state power, criminal enterprise, and corporate espionage. The organizations that survive them are not those that assume they won't be targeted — they're the ones that have accepted the uncomfortable reality that prevention is insufficient, and built their security postures around rapid detection and resilient recovery.
The clock starts at zero. The question is how fast you can count.