February 28, 2023 By Doug Bonderud 4 min read

Zero-day attacks are on the rise.

Not only was 2021 a record-breaking year for the total number of zero-day attacks, but it also accounted for 40% of the zero-day breaches over the last decade. In part, this race to zero is tied to the sheer number of web, mobile and cloud-based applications being developed and deployed. With so much code created so quickly, it’s not surprising that attackers are finding more digital doors unlocked.

The massive volume of users constantly connected to corporate networks also increases the success rate of zero-day efforts. If attackers can compromise even a single endpoint, they may be able to capture or exfiltrate data that lets them carry out zero-day exploits undetected.

But what exactly is a zero-day attack? What are its common stages, and how can companies protect themselves?

What is a zero-day attack?

No piece of software is perfect. If cyber criminals can compromise application data and pinpoint potential threat vectors that IT teams don’t know about, the resulting attack leaves companies zero days to prepare and respond.

In practice, there are three components to a zero-day compromise: zero-day vulnerabilities, zero-day exploits and zero-day attacks.

Zero-day vulnerabilities are undetected flaws in systems or software that could result in compromise. Zero-day exploits are the methods developed by attackers to take advantage of vulnerabilities. Lastly, zero-day attacks are the actions attackers take to use their exploit and compromise your system.

The biggest risk factor of a zero-day effort is the element of uncertainty. Since companies aren’t aware of flaws in their code until attackers attempt to exploit them, staying protected can be challenging. Instead, enterprises must remain on their toes.

Step by step: The killer connection

Zero-day attacks use what’s known as the “kill chain” — a series of interconnected steps that lead to data compromise.

While every zero-day issue differs depending on the application itself, the type of data stored and the ability of companies to detect these problems ASAP, most attacks follow a similar kill chain pattern. These are the most common steps.

Reconnaissance

Before attackers can create zero-day exploits and compromise critical systems, they need to know what they’re getting into. This is the role of reconnaissance. Depending on the nature of the software — proprietary vs. open-source — reconnaissance will look very different. Open-source code allows attackers to browse at their leisure, but exploits may not generate the same impact given the more cautious use of open-source solutions at scale.

Proprietary programs, meanwhile, typically secure their code using tools such as obfuscation and encryption. As a result, attackers will first look to gain system access via techniques such as social engineering, then conduct code observation.

Weaponization

With vulnerabilities identified, attackers can weaponize these zero-day issues into exploits. First, they write exploit code that allows them to leverage the vulnerability. Then they deploy this code themselves, sell it to the highest bidder or make it public knowledge to drive interest.

Implementation

Implementation comes next. Attackers deploy the exploit on your system or any other systems running your software. They accomplish implementation via malicious email attachments, unprotected form fields or brute-force efforts.

Exfiltration and exploration

Once inside your system, malicious actors may choose to exfiltrate key data or move laterally through your network to explore other data sources.

These steps parallel more familiar attacks, such as ransomware or phishing, but with the additional challenge of unpredictability. Since IT teams aren’t aware of zero-day vulnerabilities, their approach and impact may be unexpected.

Thankfully, problems tied to zero-day attacks often present the same way as their more commonplace counterparts. For example, if IT teams notice a sudden uptick in data transfer volumes or odd slowdowns in specific applications, this could indicate zero-day issues.
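The “sudden uptick in data transfer volumes” signal above can be checked mechanically. This added example (not from the article) sums outbound bytes per host and hour from constructed egress log lines in a hypothetical format, then flags any hour that exceeds a multiple of the host’s own median history:

```python
import statistics
from collections import defaultdict

# Constructed sample egress log lines in a hypothetical format:
# "<timestamp> <source host> <destination> <bytes out>"
SAMPLE_LOG = """\
2023-02-27T09:00:12Z ws-014 cdn.example.net 120433
2023-02-27T10:05:41Z ws-014 mail.example.net 98211
2023-02-27T11:17:03Z ws-014 cdn.example.net 150870
2023-02-27T12:30:55Z ws-014 api.example.net 110042
2023-02-27T13:02:19Z ws-014 203.0.113.7 48130000
2023-02-27T13:44:50Z ws-014 203.0.113.7 61220000
2023-02-27T09:10:00Z ws-022 cdn.example.net 130000
2023-02-27T10:12:00Z ws-022 cdn.example.net 125000
2023-02-27T11:15:00Z ws-022 api.example.net 128000
2023-02-27T12:20:00Z ws-022 mail.example.net 131000
2023-02-27T13:25:00Z ws-022 cdn.example.net 127000
"""

def hourly_egress(log_text):
    """Sum bytes out per host and per hour bucket ("YYYY-MM-DDTHH")."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, host, _dest, nbytes = line.split()
        totals[host][ts[:13]] += int(nbytes)
    return totals

def find_egress_spikes(log_text, factor=10.0, min_baseline_hours=3):
    """Flag hours in which a host sent more than `factor` times the median
    of its own earlier hourly volumes (after at least `min_baseline_hours`
    of history). Returns host -> [(hour, bytes, baseline_median)]."""
    alerts = defaultdict(list)
    for host, by_hour in hourly_egress(log_text).items():
        history = []
        for hour in sorted(by_hour):
            vol = by_hour[hour]
            if len(history) >= min_baseline_hours:
                baseline = statistics.median(history)
                if vol > factor * baseline:
                    alerts[host].append((hour, vol, baseline))
            history.append(vol)
    return dict(alerts)
```

A per-host baseline matters here: ws-014’s 13:00 volume is roughly a thousand times its median, while ws-022’s steady traffic never trips the threshold.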

Zeroing in on effective defense

If zero-day attacks come without warning, what can companies do to bolster protection?

First, it’s worth recognizing that these attacks aren’t entirely without warning. Vulnerabilities in the code exist, whether or not attackers find them. With the right approach, it’s possible for teams to mitigate at least some of the risk tied to zero-day efforts.

Three approaches can help improve zero-day response.

Reliable input validation

Input validation is the process of testing all data inputs to ensure they’re properly formatted. If this process detects improper data formats, it may suggest the presence of a zero-day exploit attempting to gain access.
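One way to turn validation failures into the signal the article describes, as an added example rather than the article’s own code: strict allowlist rules for a hypothetical sign-up form, and a report of which source addresses keep sending malformed input.

```python
import re
from collections import Counter

# Hypothetical allowlist rules for a sign-up form: field -> strict pattern.
FIELD_RULES = {
    "username": re.compile(r"[a-z0-9_]{3,32}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "zip": re.compile(r"\d{5}"),
}
MAX_FIELD_LEN = 256  # reject oversized values before any pattern matching
def validate_request(fields):
    """Return (field, reason) pairs for every field that fails validation;
    an empty list means the request is well-formed."""
    problems = []
    for name, pattern in FIELD_RULES.items():
        value = fields.get(name)
        if value is None:
            problems.append((name, "missing"))
        elif not isinstance(value, str):
            problems.append((name, "wrong type"))
        elif len(value) > MAX_FIELD_LEN:
            problems.append((name, "too long"))
        elif "\x00" in value:
            problems.append((name, "control character"))
        elif not pattern.fullmatch(value):
            problems.append((name, "bad format"))
    for name in fields:  # allowlist: unknown fields are rejected too
        if name not in FIELD_RULES:
            problems.append((name, "unexpected field"))
    return problems

def rejection_report(requests, threshold=3):
    """Count requests that failed validation per source address and return
    the sources at or above `threshold`: repeated malformed input from one
    source looks like probing rather than a typo and is worth an alert."""
    failures = Counter()
    for src, fields in requests:
        if validate_request(fields):
            failures[src] += 1
    return {src: n for src, n in failures.items() if n >= threshold}

# Constructed sample batch of (source address, submitted fields).
SAMPLE_REQUESTS = [
    ("198.51.100.4", {"username": "alice_01", "email": "alice@example.com", "zip": "10001"}),
    ("198.51.100.4", {"username": "alice_01", "email": "alice@example.com", "zip": "1000"}),
    ("203.0.113.9", {"username": "a" * 300, "email": "x@example.com", "zip": "10001"}),
    ("203.0.113.9", {"username": "bob", "email": "bob@example.com", "zip": "10001", "debug": "1"}),
    ("203.0.113.9", {"username": "bob", "email": "bob@example.com\x00", "zip": "10001"}),
]
```

The single bad zip code from the first address is the kind of honest mistake validation should just reject; the three different malformed shapes from the second address are what should reach the IT team.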

Regular vulnerability scans

Vulnerability scans can simulate software attacks. Regularly conducting these scans helps pinpoint potential issues. For example, if you’ve just deployed a new piece of software, vulnerability scanning can help detect possible weak points before attackers find them, in turn allowing IT teams to act.

Robust patch management

Along with scanning and validation, patch management also matters. While it’s true that zero-day exploits are naturally unpatched because they’ve never been detected before, this comes with a caveat, especially if your company is using new software created by a third party.

Here’s why: If you’re using a piece of recently released software but haven’t yet patched the application, it may still be vulnerable to the original zero-day vulnerability. Robust, automated patch management can help reduce this risk.

The race to zero

There are also other efforts to help mitigate the impact of zero-day issues, such as the Zero Day Initiative. This program provides monetary rewards for researchers who choose to report zero-day vulnerabilities rather than making them public or selling them on the black market.

Bottom line? The race to zero is still on as attackers look to leverage unknown vulnerabilities, create new exploits and compromise key software.

While it’s impossible to avoid damage from every zero-day attack, companies can mitigate their risk by validating inputs, regularly scanning for vulnerabilities and keeping patches up-to-date.
