Cybersecurity | 6d ago | 3m | medium.com

Zero-Day Vulnerabilities Not as Unstoppable as Industry Claims

Cybersecurity expert Candy Wong challenges the narrative that zero-day vulnerabilities are unpreventable, revealing that genuine zero-day exploitation accounts for only 4-12% of all tracked intrusions. The majority of breaches attributed to zero-days actually involve known vulnerabilities that organizations failed to patch.

Key Takeaways

  1. "There was nothing we could have done," Wong noted as the standard press release formula that follows major breaches.
  2. "Zero-days are treated as acts of god in security — unforeseeable, unstoppable, inevitable. But is that actually true?" Wong wrote in her comprehensive analysis of zero-day defense strategies.

The cybersecurity industry has turned zero-day vulnerabilities into convenient scapegoats for security failures, according to a new analysis that challenges the conventional wisdom about these supposedly unstoppable attacks.

Cybersecurity researcher Candy Wong argues that while zero-day vulnerabilities are real and dangerous, they have become an overused excuse for defensive failures that actually stem from more mundane security lapses.

"Zero-days are treated as acts of god in security — unforeseeable, unstoppable, inevitable. But is that actually true?" Wong wrote in her comprehensive analysis of zero-day defense strategies.

The reality is far different from the typical post-breach narrative that organizations deploy to explain major security incidents.

"The attackers exploited a previously unknown vulnerability. This was a sophisticated, nation-state-level attack. There was nothing we could have done," Wong noted as the standard press release formula that follows major breaches.

However, research from threat intelligence firm Mandiant reveals a striking disconnect between perception and reality. In 2022, Mandiant published analysis showing that in the majority of intrusions attributed to zero-day exploitation, the vulnerability actually had a patch available at the time of the breach.

These incidents represent attacks using known, patched vulnerabilities against organizations that simply hadn't applied the available fixes — not genuine zero-day exploits.

"These are not zero-days. They are N-days exploited against organisations with poor patch hygiene," Wong explained. "Calling them zero-days is inaccurate and, from a defensive standpoint, dangerous — because it suggests the organisation was helpless when it was not."

The numbers paint a clearer picture of the actual threat landscape. Multiple threat intelligence firms estimate that genuine zero-day exploitation — attacks using vulnerabilities truly unknown to vendors at the time of the attack — accounts for only 4% to 12% of all initial access methods in tracked intrusions.

The remaining 88% to 96% of attacks rely on much more pedestrian methods, including supply chain compromises, misconfiguration exploitation, valid credential abuse, phishing and social engineering, and known vulnerabilities that organizations failed to patch.

Wong's analysis distinguishes between true zero-day vulnerabilities and what the industry calls "N-days." A genuine zero-day vulnerability must meet three specific criteria: it's exploited before a fix is available, remains unpatched at the time of exploitation, and is unknown to the software vendor.

The term "zero-day" derives from "zero days since the vendor has known about it." Once a vendor is notified and releases a patch, the vulnerability becomes an N-day, where N represents the number of days since the patch became available.
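As an added illustration (not Wong's or Mandiant's code), the following Python encodes the three criteria above, computes N for patched vulnerabilities, and tallies the share of genuine zero-days across a constructed set of intrusion records. The `Intrusion` fields, the sample dates and placeholder ids, and the `known-unpatched` label for the gap the text does not name (vendor informed, fix not yet shipped) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Intrusion:
    """One tracked intrusion (constructed schema, not Mandiant's data model).
    vendor_aware / patch_released are None if the vendor had not been told /
    had not shipped a fix by the time the attack happened."""
    vuln_id: str
    exploited: date
    vendor_aware: Optional[date]
    patch_released: Optional[date]


def classify(i: Intrusion) -> tuple[str, Optional[int]]:
    """Apply the three criteria from the text. A genuine zero-day is exploited
    before a fix exists, unpatched at exploitation time, and unknown to the
    vendor. Anything with a patch available on the exploitation date is an
    N-day, N = days since that patch shipped. 'known-unpatched' is an assumed
    label for the gap the text does not name: vendor informed, no fix yet."""
    vendor_knew = i.vendor_aware is not None and i.vendor_aware <= i.exploited
    fix_available = i.patch_released is not None and i.patch_released <= i.exploited
    if fix_available:
        return "N-day", (i.exploited - i.patch_released).days
    if vendor_knew:
        return "known-unpatched", None
    return "zero-day", None


def initial_access_shares(intrusions: list[Intrusion]) -> dict[str, float]:
    """Percentage of intrusions per label, the figure the 4-12% claim refers to."""
    counts = Counter(classify(i)[0] for i in intrusions)
    return {k: round(100 * v / len(intrusions), 1) for k, v in counts.items()}


# Constructed sample of ten intrusions; placeholder ids, not real CVEs.
SAMPLE = [
    Intrusion("VULN-A", date(2022, 3, 1), None, None),              # true zero-day
    Intrusion("VULN-B", date(2022, 3, 1), date(2022, 1, 5), None),  # reported, no fix yet
] + [
    Intrusion(f"VULN-{c}", date(2022, 3, 1), date(2021, 6, 1), date(2021, 9, 1))
    for c in "CDEFGHIJ"                                             # patch out for 181 days
]

if __name__ == "__main__":
    for i in SAMPLE:
        print(i.vuln_id, *classify(i))
    print(initial_access_shares(SAMPLE))
```

On the constructed sample only one of ten intrusions is a true zero-day; the eight N-day records are the "poor patch hygiene" cases the text describes, each with a fix available for 181 days before exploitation.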

This definitional precision matters enormously for defensive strategies. Organizations that assume they're helpless against zero-days may neglect basic security hygiene that would actually prevent the vast majority of attacks they face.

Wong's analysis delves into the zero-day lifecycle, explaining how these vulnerabilities are discovered through independent research, differential analysis, and other sophisticated methods before being weaponized.

"Zero-days are real. They are dangerous. Nation-state actors do use them. But the security industry has collectively allowed the term to become a catch-all excuse for defensive failures that had nothing to do with unknown vulnerabilities," Wong wrote.

The research suggests that organizations should focus their defensive efforts on the security fundamentals that prevent the overwhelming majority of attacks, rather than assuming they're powerless against sophisticated zero-day exploits.

The analysis comes as organizations continue to grapple with increasingly sophisticated cyber threats while struggling to implement basic security measures effectively. Wong's findings indicate that the greatest cybersecurity improvements may come from better execution of established defensive practices rather than exotic new technologies designed to counter zero-day attacks.

Security teams and executives should watch for more detailed analysis of defensive measures that actually reduce zero-day impact, as Wong's research continues to challenge long-held assumptions about cybersecurity's most feared attack vector.