Founder & CEO, Agentik {OS}
Zero-days sold for $2.5M on broker markets in 2025. How researchers find them, how attackers exploit them, and what your team can do before a patch exists.

TL;DR: Google and Mandiant counted 97 zero-day vulnerabilities exploited in the wild in 2023, up from 62 in 2022 and second only to the 106 seen in 2021. Exploitation often begins within hours of a working exploit existing, while a vendor fix takes days to weeks to ship and longer still to deploy. Before a patch exists, behavioral detection, network segmentation and least privilege are the defenses that actually work.
A zero-day is a software flaw for which no vendor fix exists at the time an attacker exploits it; in the common case the vendor does not yet know the flaw exists. The name refers to the number of days the vendor has had to fix the problem: zero. Once a patch ships, the vulnerability stops being a zero-day and becomes a known vulnerability that defenders can close by patching. Note that a CVE identifier is not what ends zero-day status: CVEs are routinely assigned to flaws that are still being exploited before any fix exists, and that identifier is how vendor advisories and CISA's KEV catalog track them.
The distinction matters because it defines the defensive posture available to you. Against known vulnerabilities, you patch. Against zero-days, patching is not an option. You need detection, containment, and architectural resilience to survive the exposure window.
Google's Threat Analysis Group and Mandiant tracked 97 zero-day vulnerabilities exploited in the wild during 2023, up roughly 56% from 62 in 2022, though still below the 106 recorded in 2021 (Google TAG, 2024). The count fluctuates year to year, but the multi-year trend since Google began publishing these figures in 2019 is upward. The market for zero-day exploits is maturing, and both state-sponsored groups and criminal organizations are investing more resources into finding them.
Zero-day discovery falls into three distinct pipelines, each with different motivations, methods, and outcomes.
Offensive security research. Independent researchers and security firms hunt for vulnerabilities through manual code review, fuzzing, and reverse engineering. Fuzzing, the process of feeding malformed inputs to software and monitoring for crashes, accounts for the majority of memory corruption discoveries. Tools like AFL++, libFuzzer, and Honggfuzz have matured to the point where they can find complex bugs in hours that would take manual reviewers weeks to identify. Google's OSS-Fuzz project has found over 10,000 vulnerabilities across 1,000 critical open source projects since its launch (Google OSS-Fuzz, 2024).
State-sponsored programs. Intelligence agencies in multiple countries maintain dedicated vulnerability research teams. The NSA, GCHQ, Unit 8200, and their counterparts invest significant budgets in finding zero-days in widely deployed software. These discoveries are stockpiled for intelligence operations rather than reported to vendors. The Wassenaar Arrangement added "intrusion software" and related technology to its export-control lists in 2013, but implementation varies by country and the controls address tooling rather than the vulnerabilities themselves.
Commercial exploit brokers. Companies like Zerodium and Crowdfense, along with brokers that do not advertise, purchase zero-day exploits from researchers at prices that often exceed vendor bug bounties by a factor of 10 to 100. Zerodium's published price list tops out at $2.5 million for a full-chain, zero-click mobile exploit with persistence; that top tier is for Android, with the iOS equivalent listed at $2 million (Zerodium, 2025). These brokers state that they sell only to government clients, creating a gray market that operates outside traditional vulnerability disclosure norms.
In our experience running cybersecurity assessments, the most relevant zero-days for most organizations are not the headline-grabbing state-sponsored exploits. They are the ones found by criminal groups targeting widely deployed enterprise software: VPNs, email gateways, file transfer tools, and web application frameworks.
The economics are straightforward. The value of a zero-day exploit is directly proportional to the number of systems it can compromise and the difficulty of finding an alternative attack path. As software vendors improve their overall security posture, the remaining vulnerabilities become harder to find and more valuable when discovered.
Bug bounty programs, while valuable, cannot compete on price with the exploit broker market. Apple Security Bounty now offers up to $2 million for a zero-click exploit chain reaching kernel code execution (the Security Research Device Program is a separate scheme that loans researchers specially configured hardware). Brokers offer the same or more, with no disclosure requirement and no waiting period. For a researcher motivated purely by financial return, the broker market is the rational choice. The Atlantic Council's 2024 report on vulnerability markets estimated that fewer than 15% of high-severity zero-days discovered globally are reported through legitimate disclosure channels (Atlantic Council, 2024).
Demand from government buyers is the primary price driver. Google's analysis of 2023 in-the-wild zero-days attributed the large majority of the exploitation it could attribute to espionage actors, including commercial surveillance vendors that sell to governments, with financially motivated criminal groups accounting for the remainder (Google TAG, 2024). Both buyer categories are growing their budgets year over year.
The supply side is also expanding. AI-assisted vulnerability research is lowering the barrier to discovery. Several academic groups published work in 2025 on LLM-guided fuzzing and crash triage that rediscovered known CVEs faster than conventional fuzzing alone. The gap between AI-assisted discovery and fully autonomous zero-day hunting is closing faster than most defenders expect.
The timeline from zero-day discovery to active exploitation follows a predictable pattern, and understanding it is critical for defensive planning.
Phase 1: Weaponization (hours to days). Once a researcher or attacker identifies a vulnerability, they develop a working exploit. For memory corruption bugs in C/C++ codebases, this typically means turning the bug into a reliable primitive (an arbitrary read or write), bypassing ASLR, DEP and stack canaries, and on hardened targets also CFI or pointer authentication, then testing across target versions and configurations. Experienced exploit developers can sometimes weaponize a heap overflow in 24 to 72 hours; hardened targets take weeks.
Phase 2: Initial exploitation (days to weeks). The exploit is deployed against specific targets. State-sponsored actors tend to use zero-days surgically against a small number of high-value targets to minimize the chance of discovery. Criminal groups often burn zero-days quickly against as many targets as possible before the window closes.
Phase 3: Detection (variable, often weeks to months). Someone notices anomalous behavior, a security vendor captures the exploit in a honeypot, or a targeted organization's incident response team identifies the intrusion. The Mandiant M-Trends 2024 report measured the global median dwell time at 10 days, down from 16 days in 2022 (Mandiant, 2024). For zero-days specifically, dwell times are typically longer because signature-based detection tools have no signatures to match.
Phase 4: Vendor notification and patch development (days to weeks). The vendor receives the vulnerability report, reproduces the issue, develops a fix, tests it across all supported configurations, and coordinates a disclosure date. Google Project Zero's 90-day disclosure deadline has become the industry benchmark, but many patches ship faster, and vendors typically move to an out-of-band release once they confirm a flaw is being exploited rather than waiting for the next scheduled update cycle.
Phase 5: Patch deployment (weeks to months). This is where most organizations fail. The patch exists, but deploying it across a heterogeneous environment takes time. CISA's Binding Operational Directive 22-01 gives federal agencies a fixed remediation deadline for every KEV entry, two weeks for recently assigned CVEs, precisely because exploitation of a newly patched flaw concentrates in the first weeks after the fix ships (CISA KEV, 2024). That window is where the vast majority of mass exploitation occurs.
The exploitation techniques in 2026 cluster around several dominant patterns, and knowing them shapes your defensive architecture.
Zero-click exploits in messaging platforms. The most dangerous category. An attacker sends a specially crafted message, image, or file to a target. The messaging application processes the payload automatically, without the user clicking or interacting. The NSO Group's Pegasus spyware used zero-click iMessage exploits documented by Citizen Lab across multiple campaigns between 2021 and 2024. The exploit chain typically combines an initial memory corruption bug in a media parser with a sandbox escape and a kernel privilege escalation.
Edge device targeting. VPN appliances, firewalls, email security gateways, and load balancers sit at the network perimeter and process untrusted traffic by design. Vulnerabilities in these devices provide direct access to the internal network. Ivanti Connect Secure, Fortinet FortiOS, Citrix NetScaler, and Palo Alto PAN-OS all had zero-days exploited in the wild during 2024. When we run AI-powered security audits for clients, edge device exposure is consistently in the top three findings.
Browser exploitation chains. A browser zero-day typically requires chaining multiple bugs: a renderer bug for initial code execution inside the browser sandbox, a sandbox escape to reach the operating system, and sometimes a kernel bug for full system compromise. Chrome's V8 JavaScript engine and WebAssembly runtime are frequent targets. Google reported 8 Chrome zero-days exploited in the wild in 2024 alone.
Supply chain injection. Rather than exploiting software directly, attackers compromise the build or distribution pipeline. The XZ Utils backdoor (CVE-2024-3094) was the product of a multi-year social engineering operation in which an attacker persona gained maintainer access to a compression library whose liblzma is loaded into sshd on Debian- and Fedora-based systems through their systemd-notification patch. The malicious code hooked RSA public-key verification in sshd to give the holder of a specific private key remote code execution. It was found by Andres Freund, a Microsoft engineer, who investigated because sshd logins on a Debian unstable machine were taking about half a second longer and burning CPU while he was benchmarking PostgreSQL. The tainted 5.6.0 and 5.6.1 releases had already reached Debian unstable, Fedora Rawhide and the Fedora 40 beta, and openSUSE Tumbleweed; a few more weeks and they would have shipped in stable releases of major Linux distributions.
Can zero-day exploitation be detected before a signature exists? Yes, but it requires a fundamentally different detection philosophy than signature-based tools provide. You cannot match against a pattern you have never seen. You can detect the behavioral consequences of exploitation, which look the same whether the entry point was a known CVE or a zero-day.
Behavioral anomaly detection. Exploitation produces observable side effects: unexpected process creation (a web server or document parser spawning a shell), unusual network connections, privilege escalation attempts, and file system modifications in directories that should be static. Endpoint Detection and Response (EDR) tools that baseline normal behavior and alert on deviations catch zero-day exploitation that signature scanners miss entirely, because what the attacker does after landing is largely independent of the bug used to get in.
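The following is an added example, not code from the original article or from any EDR product. It shows the baseline-then-deviate logic in miniature over constructed process-creation events (timestamp, parent image, child image, executable path), with two extra rules a practitioner would add on a web host: an exposed service spawning an interpreter, and anything executing from a world-writable directory. The event data, host role and thresholds are all assumptions made for the example.

```python
"""Behavioral detection over process-creation telemetry.

Added example, not code from the original article. The event dicts are
constructed sample data shaped like the fields an EDR agent or auditd
records for each exec: timestamp, parent image, child image, child path.
"""
from collections import defaultdict

# Interpreters an exploited service is likely to spawn first.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl"}
# World-writable locations where dropped payloads usually land.
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Processes that parse untrusted input and should never spawn a shell.
EXPOSED_SERVICES = {"nginx", "apache2", "httpd", "php-fpm"}


def learn_baseline(events):
    """Build parent -> set(children) from a learning period assumed clean."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["parent"]].add(e["child"])
    return dict(baseline)


def classify(event, baseline):
    """Return the reasons an event is suspicious; an empty list means benign."""
    parent, child, path = event["parent"], event["child"], event["path"]
    reasons = []
    if child not in baseline.get(parent, set()):
        reasons.append(f"unbaselined lineage {parent} -> {child}")
    if parent in EXPOSED_SERVICES and child in INTERPRETERS:
        reasons.append(f"exposed service {parent} spawned interpreter {child}")
    if path.startswith(WRITABLE_DIRS):
        reasons.append(f"executed from writable directory {path}")
    return reasons


def detect(events, baseline):
    """Return (ts, parent, child, reasons) for every suspicious event."""
    alerts = []
    for e in events:
        reasons = classify(e, baseline)
        if reasons:
            alerts.append((e["ts"], e["parent"], e["child"], reasons))
    return alerts


# Constructed learning-period events from a web server host.
LEARNING_EVENTS = [
    {"ts": "09:00:00", "parent": "nginx", "child": "nginx", "path": "/usr/sbin/nginx"},
    {"ts": "09:00:01", "parent": "php-fpm", "child": "php-fpm", "path": "/usr/sbin/php-fpm8.2"},
    {"ts": "09:05:00", "parent": "cron", "child": "logrotate", "path": "/usr/sbin/logrotate"},
    {"ts": "09:30:00", "parent": "sshd", "child": "bash", "path": "/bin/bash"},
]

# Constructed live events: routine activity, then a web-shell style chain.
LIVE_EVENTS = [
    {"ts": "10:00:01", "parent": "nginx", "child": "nginx", "path": "/usr/sbin/nginx"},
    {"ts": "10:05:00", "parent": "cron", "child": "logrotate", "path": "/usr/sbin/logrotate"},
    {"ts": "10:07:13", "parent": "php-fpm", "child": "sh", "path": "/bin/sh"},
    {"ts": "10:07:14", "parent": "sh", "child": "curl", "path": "/usr/bin/curl"},
    {"ts": "10:07:20", "parent": "sh", "child": ".x", "path": "/tmp/.x"},
]

if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, learn_baseline(LEARNING_EVENTS)):
        print(alert)
```

Nothing in the detection depends on which bug let the attacker into php-fpm; the three alerts fire on the lineage and the drop location, which is the point of behavioral detection against a zero-day. In production the baseline is learned per host role over days, not from four events, and a rule such as the interpreter check needs a suppression list for legitimate hooks (a deploy script invoked by the web tier, for example).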
Network traffic analysis. Exploitation of edge devices produces network traffic patterns that differ from legitimate use: unusual destination IPs, connections at unusual times, data exfiltration patterns that do not match normal business flows. Network Detection and Response (NDR) tools like Zeek, Suricata with JA4+ fingerprinting, and commercial platforms can surface these anomalies.
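One concrete pattern an NDR pipeline surfaces is beaconing: an implant on a compromised edge device or workstation checking in to the same destination at near-constant intervals. The block below is an added example, not code from the original article, Zeek or Suricata. It parses a constructed, reduced Zeek conn.log (tab-separated, with Zeek's `#fields` header, keeping only a subset of the real columns) and flags flows whose inter-connection intervals have very low jitter. The log contents, thresholds and the coefficient-of-variation heuristic are assumptions for the example.

```python
"""Beacon detection over Zeek conn.log records.

Added example, not code from the original article. CONN_LOG is a
constructed sample that keeps a subset of the real conn.log columns.
The detection groups connections by (source, destination, port) and
flags groups whose timing is too regular to be human- or browser-driven.
"""
import statistics
from collections import defaultdict

CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
1700000000.10\t10.0.5.12\t49152\t203.0.113.7\t443\ttcp\t0.41\t517\t1033
1700000003.00\t10.0.5.12\t49153\t198.51.100.20\t443\ttcp\t2.10\t4021\t98211
1700000020.00\t10.0.5.12\t49160\t198.51.100.20\t443\ttcp\t0.90\t1204\t15320
1700000060.10\t10.0.5.12\t49171\t203.0.113.7\t443\ttcp\t0.39\t517\t1033
1700000119.60\t10.0.5.12\t49188\t203.0.113.7\t443\ttcp\t0.44\t517\t1033
1700000180.30\t10.0.5.12\t49201\t203.0.113.7\t443\ttcp\t0.40\t517\t1033
1700000240.50\t10.0.5.12\t49219\t203.0.113.7\t443\ttcp\t0.42\t517\t1033
1700000300.00\t10.0.5.12\t49230\t198.51.100.20\t443\ttcp\t3.30\t8890\t402113
1700000300.30\t10.0.5.12\t49231\t203.0.113.7\t443\ttcp\t0.43\t517\t1033
1700000301.50\t10.0.5.12\t49232\t198.51.100.20\t443\ttcp\t0.20\t600\t2200
1700000360.70\t10.0.5.12\t49240\t203.0.113.7\t443\ttcp\t0.41\t517\t1033
1700000420.30\t10.0.5.12\t49255\t203.0.113.7\t443\ttcp\t0.40\t517\t1033
1700000950.00\t10.0.5.12\t49301\t198.51.100.20\t443\ttcp\t1.10\t2200\t30100
1700001700.00\t10.0.5.12\t49377\t198.51.100.20\t443\ttcp\t0.80\t1800\t12000
1700001710.00\t10.0.5.12\t50001\t192.0.2.55\t53\tudp\t0.01\t60\t120
1700001711.00\t10.0.5.12\t50002\t192.0.2.55\t53\tudp\t0.01\t60\t120
"""


def parse_conn_log(text):
    """Parse Zeek's TSV format using the #fields header for column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_beacons(rows, min_conns=5, max_cv=0.10):
    """Flag flows whose inter-connection intervals are suspiciously regular.

    cv = population stdev / mean of the intervals. Interactive traffic has a
    cv well above 0.5; a sleep(60)-style check-in loop has one near zero.
    """
    by_flow = defaultdict(list)
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        by_flow[key].append(float(r["ts"]))
    beacons = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_conns:
            continue  # too few samples to say anything about regularity
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(times), "interval_s": round(mean, 1),
                            "cv": round(cv, 3)})
    return beacons


def run_check():
    return find_beacons(parse_conn_log(CONN_LOG))


if __name__ == "__main__":
    for b in run_check():
        print(b)
```

Real implants add jitter, so in practice the threshold is tuned per environment and combined with other signals from the same log: constant request and response sizes (visible above in orig_bytes and resp_bytes), a destination no other host talks to, or a TLS fingerprint that matches no browser in the fleet.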
Canary tokens and honeypots. Place decoy credentials, files, and services throughout your network. Nothing legitimate should ever touch a decoy, so any access is suspicious by construction and the false positive rate is close to zero (the exceptions, such as a vulnerability scanner or backup job touching a decoy share, are quickly identified and excluded). Tools like Thinkst Canary and canarytokens.org provide simple deployment options. In our security engagements, we consistently find that organizations with internal honeypots detect lateral movement 4x faster than those relying solely on EDR.
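The useful property of a decoy credential is not just that it fires, but that it tells you where the attacker has been. The block below is an added example, not code from the original article or from any canary product: each decoy token is derived with HMAC from a secret and the location it was planted in, so when a token shows up in an authentication log it can be verified and traced to its placement without a lookup table that could itself be stolen. The secret, placement names, token format and log lines are constructed for the example.

```python
"""Location-bound canary credentials.

Added example, not code from the original article. A token is
HMAC(secret, placement) truncated and prefixed; identify() recovers the
placement by recomputing the tag for each known location, and triage()
scans log lines for tokens and reports who used which decoy from where.
"""
import hashlib
import hmac
import re

# Constructed token format; a real deployment would mimic the credential
# type being faked (an API key, a database password) rather than a prefix.
TOKEN_RE = re.compile(r"ck_[0-9a-f]{20}")


def make_canary(secret: bytes, location: str) -> str:
    """Derive a deterministic decoy token for one placement location."""
    tag = hmac.new(secret, location.encode(), hashlib.sha256).hexdigest()[:20]
    return f"ck_{tag}"


def identify(secret: bytes, token: str, locations):
    """Return the placement a token belongs to, or None if it verifies nowhere."""
    for loc in locations:
        if hmac.compare_digest(make_canary(secret, loc), token):
            return loc
    return None


def triage(log_lines, secret: bytes, locations):
    """Emit one alert per canary token seen in the logs."""
    alerts = []
    for line in log_lines:
        for token in TOKEN_RE.findall(line):
            src = re.search(r"src=(\S+)", line)
            alerts.append({
                "line": line,
                "source": src.group(1) if src else "unknown",
                "planted_at": identify(secret, token, locations) or "unrecognized",
            })
    return alerts


SECRET = b"constructed-demo-secret-rotate-me"
LOCATIONS = [
    "web-01:/etc/app/config.yml",
    "fileshare:/finance/vpn-passwords.txt",
    "ci-runner-03:/home/ci/.aws/credentials",
]

# Constructed auth-log lines: a normal login, then the decoy planted on
# web-01 being replayed from another host, then a malformed token.
LOG_LINES = [
    "2026-03-04T10:06:58Z auth OK user=deploy src=10.0.8.4",
    "2026-03-04T10:07:31Z auth FAIL user=svc_backup token="
    + make_canary(SECRET, LOCATIONS[0]) + " src=10.0.5.12",
    "2026-03-04T10:07:40Z auth FAIL user=admin token=ck_00000000000000000000 src=10.0.5.12",
]

if __name__ == "__main__":
    for alert in triage(LOG_LINES, SECRET, LOCATIONS):
        print(alert["source"], "->", alert["planted_at"])
```

The first alert says the attacker has read a config file on web-01 and is now trying credentials from 10.0.5.12, which scopes the incident before any forensics begins. An "unrecognized" hit still deserves a look: it means someone is guessing at the token format.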
Memory forensics. Post-exploitation artifacts live in process memory even when disk artifacts are cleaned up. Volatile memory captures analyzed with tools like Volatility 3 can reveal injected shellcode, hooked system calls, and loaded modules that do not appear on disk.
Accepting that zero-days will be used against your infrastructure is the starting point for a realistic security architecture. The goal is not to prevent all exploitation. The goal is to limit the blast radius and ensure that a single compromised component does not give an attacker access to everything.
Network segmentation with zero-trust principles. Every system should authenticate and authorize every connection, regardless of network location. A compromised edge device should not automatically grant access to internal databases, source code repositories, or administrative interfaces. Micro-segmentation tools enforce policies at the workload level rather than the network perimeter.
Principle of least privilege, enforced mechanically. Service accounts, API tokens, and human users should have the minimum permissions required for their function. Review and prune permissions quarterly. When a zero-day compromises a web server running as root with database admin credentials, you lose everything. When it compromises a web server running as an unprivileged user with read-only database access, you lose the web server. The difference is existential.
Immutable infrastructure. Containers and infrastructure-as-code make it possible to detect unauthorized modifications simply by comparing running systems to their declared state. If a compromised container has files that do not match the image it was built from, you know something happened. Rebuild and redeploy from a known-good image rather than trying to clean a compromised system.
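The comparison described above reduces to hashing the running filesystem and diffing it against what the image build produced, while ignoring paths the workload is allowed to mutate. The block below is an added example, not code from the original article or from Docker: the image tree and the running tree are both constructed in memory so it runs offline, and the mutable prefixes are an assumption. On a real container, `docker diff <container>` reports the same added, changed and deleted paths against the image layers.

```python
"""Drift detection against an immutable image manifest.

Added example, not code from the original article. IMAGE_FILES stands in
for the files an image build produced and RUNNING_FILES for the state of
the container's filesystem later; both are constructed sample data.
"""
import hashlib

# Paths the workload is expected to write; everything else must match the image.
MUTABLE_PREFIXES = ("/var/log/", "/tmp/", "/run/")


def hash_tree(files):
    """Map path -> sha256(content) for an in-memory {path: bytes} tree."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def drift(manifest, running, mutable_prefixes=MUTABLE_PREFIXES):
    """Compare a running tree against the image manifest.

    Returns {"added", "modified", "removed"} lists of paths outside the
    declared mutable prefixes. Any non-empty list means the running system
    no longer matches what was deployed and should be rebuilt, not cleaned.
    """
    def fixed(path):
        return not path.startswith(mutable_prefixes)

    live = hash_tree(running)
    return {
        "added": sorted(p for p in live if p not in manifest and fixed(p)),
        "modified": sorted(p for p in live
                           if p in manifest and live[p] != manifest[p] and fixed(p)),
        "removed": sorted(p for p in manifest if p not in live and fixed(p)),
    }


# Constructed image contents (stand-ins for real binaries and sources).
IMAGE_FILES = {
    "/app/server.py": b"def handler(req):\n    return render(req)\n",
    "/app/requirements.txt": b"flask==3.0.0\n",
    "/usr/bin/curl": b"ELF-curl-binary",
    "/etc/ld.so.preload": b"",
}
MANIFEST = hash_tree(IMAGE_FILES)  # produced at build time, stored with the image

# Constructed post-compromise state: a web shell appended to the app, a
# preload library planted and registered, plus legitimate log growth.
RUNNING_FILES = {
    "/app/server.py": IMAGE_FILES["/app/server.py"] + b"exec(req.args.get('c'))\n",
    "/app/requirements.txt": b"flask==3.0.0\n",
    "/usr/bin/curl": b"ELF-curl-binary",
    "/etc/ld.so.preload": b"/usr/local/lib/libhide.so\n",
    "/usr/local/lib/libhide.so": b"ELF-rootkit",
    "/var/log/app.log": b"GET / 200\nGET /admin 403\n",
}


def run_check():
    return drift(MANIFEST, RUNNING_FILES)


if __name__ == "__main__":
    for kind, paths in run_check().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The report is only as trustworthy as the hashing process: run it from outside the container (from the host or an admission-time job) rather than from inside a process the attacker may already control, and keep the manifest alongside the signed image, not on the node being checked.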
Aggressive patching with staged rollouts. The fastest path from zero-day disclosure to patch deployment wins. Automate patching for everything possible. For critical infrastructure that requires testing, maintain a staged rollout pipeline that can push emergency patches to production within hours, not weeks. CISA's KEV catalog is the priority list: if it appears there, patch within 48 hours.
For teams building AI agent systems or running production AI workloads, the attack surface includes model serving endpoints, inference APIs, and agent communication channels that traditional security architectures may not cover. Our AI cybersecurity service specifically addresses these gaps with monitoring designed for AI-native infrastructure.
The vulnerability disclosure ecosystem is under pressure from multiple directions. Bug bounty programs at major vendors now pay meaningful amounts: Google paid $10 million in bounties in 2023, and Microsoft's program regularly pays six-figure amounts for critical findings. But these programs compete with a broker market that pays more and asks fewer questions.
Google Project Zero's 90-day disclosure policy, where they publish vulnerability details 90 days after reporting to the vendor regardless of patch status, has become the de facto standard for pressuring vendors to ship fixes. Apple, Microsoft, and other major vendors have accelerated their patch timelines in direct response to this pressure.
The tension between offense and defense remains unresolved. Intelligence agencies argue that stockpiling zero-days serves national security. Security researchers argue that disclosure protects everyone. The Vulnerabilities Equities Process (VEP) in the United States is supposed to balance these interests, but its decisions are classified and its effectiveness is debated. What is clear: every zero-day that remains undisclosed is a zero-day that every attacker who independently discovers it can exploit without opposition.
Zero-day protection is not about buying a single product. It is about building an architecture and operational practice that limits damage when, not if, an unknown vulnerability is exploited against your systems.
Start with visibility this week. Deploy EDR on every endpoint if you have not already. Enable behavioral detection rules, not just signature matching. Baseline normal process behavior and network connections so that anomalies surface automatically. You cannot defend what you cannot see.
Audit your edge devices immediately. List every internet-facing appliance: VPNs, firewalls, load balancers, email gateways. Subscribe to the vendor's security advisory feed for each one. When a zero-day is disclosed for any of these, you need to be able to apply mitigations within hours. CISA's KEV catalog should be in your RSS reader or monitoring dashboard today.
Implement network segmentation between critical systems. A compromised web server should not be able to reach your database server, your CI/CD pipeline, or your cloud credentials. This single architectural change reduces the blast radius of any zero-day exploitation from total compromise to contained incident.
Deploy canary tokens across your internal network. Place fake credentials in configuration files, fake documents in file shares, and fake services on internal ports. Any interaction with these canaries triggers an immediate alert, and because nothing legitimate should ever use them, false positives are rare and easy to exclude. This is the highest signal-to-noise detection mechanism available and costs almost nothing to deploy.
Review your patching speed. Measure the time from CISA KEV publication to patch deployment in your environment. If it is measured in weeks, invest in automation to bring it to days. The organizations that survive zero-day campaigns are the ones that can respond fastest once a patch becomes available.
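Measuring KEV-to-patch time, as this step and the 48-hour target earlier in the article call for, is a join between the KEV feed and your asset inventory. The block below is an added example, not code from the original article or from CISA. KEV_JSON is a constructed excerpt in the shape of the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the two CVE IDs and products are real catalog entries but the dates are illustrative sample values, the inventory is constructed, and the reference time is fixed so the result is deterministic.

```python
"""Time-to-patch against CISA's Known Exploited Vulnerabilities catalog.

Added example, not code from the original article. Joins a KEV excerpt
with an asset inventory and reports, per exposed asset, the hours between
the CVE's KEV listing and the patch, flagging breaches of a 48-hour SLA.
"""
import json
import statistics
from datetime import datetime, timezone

# Constructed excerpt following the KEV JSON schema; dates are illustrative.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS",
     "dateAdded": "2024-04-12", "dueDate": "2024-04-19"}
  ]
}"""

# Constructed inventory: which hosts were exposed to which CVE and when patched.
INVENTORY = [
    {"host": "vpn-01", "cve": "CVE-2024-21887", "patched_at": "2024-01-11T09:00:00+00:00"},
    {"host": "vpn-02", "cve": "CVE-2024-21887", "patched_at": "2024-01-18T14:00:00+00:00"},
    {"host": "fw-edge-1", "cve": "CVE-2024-3400", "patched_at": None},
]

# Fixed reference time so the example is reproducible.
NOW = datetime(2024, 4, 20, tzinfo=timezone.utc)
SLA_HOURS = 48


def load_kev(text):
    """Index the KEV feed by CVE ID, parsing dateAdded as midnight UTC."""
    catalog = {}
    for v in json.loads(text)["vulnerabilities"]:
        added = datetime.fromisoformat(v["dateAdded"]).replace(tzinfo=timezone.utc)
        catalog[v["cveID"]] = {**v, "added": added}
    return catalog


def assess(inventory, kev, now, sla_hours=SLA_HOURS):
    """Return one row per KEV-listed exposure with hours from listing to patch."""
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        if entry is None:
            continue  # not known-exploited; outside the scope of this check
        if item["patched_at"]:
            end, status = datetime.fromisoformat(item["patched_at"]), "ok"
        else:
            end, status = now, "unpatched"  # exposure still open
        hours = (end - entry["added"]).total_seconds() / 3600
        if status == "ok" and hours > sla_hours:
            status = "late"
        rows.append({"host": item["host"], "cve": item["cve"],
                     "product": entry["product"],
                     "hours": round(hours, 1), "status": status})
    return rows


def summarize(rows):
    """Roll the per-asset rows up into the numbers worth tracking over time."""
    patched = [r["hours"] for r in rows if r["status"] in ("ok", "late")]
    return {
        "assets": len(rows),
        "within_sla": sum(r["status"] == "ok" for r in rows),
        "late": sum(r["status"] == "late" for r in rows),
        "unpatched": sum(r["status"] == "unpatched" for r in rows),
        "median_hours_to_patch": statistics.median(patched) if patched else None,
    }


def run_check():
    rows = assess(INVENTORY, load_kev(KEV_JSON), NOW)
    return rows, summarize(rows)


if __name__ == "__main__":
    rows, summary = run_check()
    for r in rows:
        print(f"{r['host']:<10} {r['cve']:<16} {r['status']:<9} {r['hours']:>7.1f}h")
    print(summary)
```

Against the real feed, replace KEV_JSON with the downloaded file and INVENTORY with an export from your CMDB or vulnerability scanner keyed on the same CVE IDs; the median and the count of late assets are the numbers to trend month over month. Note that KEV's own dueDate is a floor set for federal agencies, and the 48-hour target the article recommends is deliberately tighter.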
For organizations that need continuous monitoring against both known and unknown threats, our AI-powered security audit combines behavioral analysis, edge device scanning, segmentation testing, and threat intelligence correlation into a single assessment. We find the gaps that zero-day attackers target, including exposure in AI infrastructure and agent communication channels that traditional scanners overlook entirely.
Zero-days are not going away. The market is growing, the techniques are advancing, and the exploitation windows are shrinking. The only viable strategy is to accept that unknown vulnerabilities exist in your stack right now and build the detection, segmentation, and response capabilities that limit their impact when they are inevitably used.
Full-stack developer and AI architect with years of experience shipping production applications across SaaS, mobile, and enterprise. Gareth built Agentik {OS} to prove that one person with the right AI system can outperform an entire traditional development team. He has personally architected and shipped 7+ production applications using AI-first workflows.