In plain English
A zero-day is a security flaw that the software maker doesn't know about yet — so there's no patch available. Attackers who discover or buy zero-days have a window to exploit them freely until the vendor becomes aware and releases a fix. This is why rapid patch deployment (an Essential Eight control) is so critical once patches do become available.
Full definition
Most attacks rely on known vulnerabilities with available patches. Zero-days are different. The vendor doesn't know the flaw exists, so there's nothing to patch. When a zero-day is actively exploited, defenders are working without a net.
They're also genuinely rare in the wild. Nation-state groups and sophisticated criminal organisations trade them because they're hard to find and expensive to burn. The 2021 Microsoft Exchange Server zero-days, known as ProxyLogon, were a sharp illustration: tens of thousands of organisations worldwide were compromised before a patch was available, including Australian government agencies. The issued an emergency advisory within hours of public disclosure.
How you limit the damage
You can't patch what doesn't have a patch yet. What you can control is how much damage an attacker can do if they get through. stops . Least-privilege access limits what an attacker can reach from a compromised account. tools can flag unusual behaviour even when the attack method is new. A zero-day landing in a well-segmented, well-monitored environment causes far less damage than the same exploit hitting a flat network with no visibility.
- Segment your network so a compromised endpoint can't reach your finance systems directly
- Apply least-privilege access so have limited reach
- Deploy EDR across all endpoints to catch abnormal behaviour patterns
- Maintain offline or immutable backups so delivered via a zero-day can't destroy your recovery options
