“A zero-day vulnerability gives defenders no time cushion.” It is a software flaw that attackers exploit before a patch is available or before the vendor and defenders have had time to respond effectively. Because the window of exposure opens at the moment of discovery or exploitation, zero-days are among the most prized assets in offensive cyber operations.
Executive Summary
A zero-day vulnerability is a previously unknown or unpatched flaw that can be exploited before defenders are ready. The term matters because zero-days allow attackers to bypass standard security assumptions and hit high-value targets before detection signatures, workarounds, or patches exist. State actors, brokers, and criminal groups all value them, but the strategic implications are greatest when zero-days are used against government systems, critical infrastructure, or widely deployed software. CISA’s Known Exploited Vulnerabilities workflow has made the policy side of zero-days more visible by tying active exploitation to urgent remediation deadlines.
The Strategic Mechanism
- Zero-days create an advantage window between exploitation and effective defense.
- Attackers can use them for initial access, privilege escalation, remote code execution, or stealthy persistence.
- Widely deployed products make the most valuable targets because one flaw can expose thousands of organizations.
- The market for zero-days includes state buyers, private brokers, and offensive security contractors.
- Once disclosed, the advantage quickly erodes as patches, indicators, and public scrutiny spread.
Market & Policy Impact
- Forces organizations to prioritize patching, asset visibility, and vulnerability management.
- Increases scrutiny of software vendors and secure-by-design practices.
- Fuels debate over government stockpiling, disclosure norms, and vulnerability equities processes.
- Creates large downstream costs for incident response, compliance, and software assurance.
- Strengthens demand for managed detection, exploit intelligence, and rapid patch orchestration.
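As an added illustration of the KEV-driven remediation workflow mentioned in the summary (example code, not from the page or from CISA): the script below matches KEV-style catalog entries against a constructed asset inventory and lists exposures that have passed their remediation due date. Field names follow the public KEV JSON feed's "vulnerabilities" entries; the CVE identifiers, vendor, products and hosts are placeholders.

```python
from datetime import date

# Constructed sample in the shape of the KEV catalog's "vulnerabilities" entries.
# CVE identifiers and vendor/product names are placeholders, not real assignments.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleMsg",
     "dateAdded": "2021-09-13", "dueDate": "2021-09-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31", "knownRansomwareCampaignUse": "Known"},
]

# Constructed inventory: which products are deployed on which host, and which
# catalog CVEs have already been remediated there.
INVENTORY = [
    {"host": "phone-01", "vendorProject": "ExampleVendor", "product": "ExampleMsg",
     "patched": {"CVE-0000-00001"}},
    {"host": "vpn-gw-01", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "patched": set()},
]


def triage(kev, inventory, today):
    """Return overdue exposures as (host, cveID, days_overdue, ransomware_linked).

    An exposure is overdue when the deployed product matches a catalog entry,
    the CVE is not marked patched on that host, and today is past dueDate.
    """
    findings = []
    for entry in kev:
        due = date.fromisoformat(entry["dueDate"])
        key = (entry["vendorProject"], entry["product"])
        for asset in inventory:
            if (asset["vendorProject"], asset["product"]) != key:
                continue
            if entry["cveID"] in asset["patched"]:
                continue
            days_overdue = (today - due).days
            if days_overdue > 0:
                ransomware = entry["knownRansomwareCampaignUse"] == "Known"
                findings.append((asset["host"], entry["cveID"], days_overdue, ransomware))
    # Ransomware-linked entries first, then the longest-overdue ones.
    findings.sort(key=lambda f: (not f[3], -f[2]))
    return findings


if __name__ == "__main__":
    for host, cve, days, ransomware in triage(KEV_SAMPLE, INVENTORY, date(2023, 3, 1)):
        print(f"{host}: {cve} overdue by {days} days (ransomware-linked: {ransomware})")
```

In practice the catalog is fetched from CISA and the inventory comes from the organization's asset management system; the matching and deadline logic stay the same.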
Modern Case Study: Pegasus, ForcedEntry, and the Economics of the Unknown Flaw, 2021-2023
In 2021, Citizen Lab and Apple disclosed ForcedEntry, a zero-click iMessage exploit used to deploy NSO Group’s Pegasus spyware against targeted devices. The case showed how a zero-day vulnerability can deliver strategic surveillance value against diplomats, journalists, and officials without requiring user interaction. Apple moved quickly to issue patches, while Citizen Lab and security researchers documented how the exploit chain had operated in practice. The episode also exposed the political economy around zero-days: NSO Group reportedly sold high-end access capabilities to government clients at industrial scale, turning rare software flaws into instruments of state surveillance. Apple executive Ivan Krstic publicly emphasized the sophistication of the attack and the company’s emergency response. The case remains one of the clearest examples of why zero-days matter beyond technical circles: a single undisclosed flaw can reshape diplomacy, privacy, and the market for offensive cyber tools.