DEV Community

Security Cyber
The Zero Day Lie

We use the phrase zero day as if it still meant something. Nobody who mutters it in a boardroom, on a podcast, in a threat report, or during a late-night post-incident Slack thread is talking about the same thing. The wall is cracking, and the industry is papering over it because precision is bad for engagement.

The term once had a clean, engineering meaning. In the early BBS era "0-day" meant software stolen or released before the vendor shipped, counted as "day zero." In vulnerability research it evolved into something tighter: an unknown flaw, no patch in existence, no public disclosure, no CVE. The vendor's clock has not started. That definition appears almost word for word in the places you would expect it: RAND's 2020 work on "zero-day" vulnerability markets, NIST's 2022 guidance on coordinated disclosure, and CISA's Known Exploited Vulnerabilities catalog documentation. Each one treats zero day as a precise, narrow state: exploited or weaponized before awareness and before mitigation.

Then the market and the media got involved. Today, zero day is a marketing tier. It means “expensive.” It means “advanced.” It means “nation-state.” Vendors stamp “zero‑day” on a CVE that has been public for months. Threat intel teams label anything slightly novel as “zero‑day‑like.” Bug bounty programs quietly “buy zero days” that are already patched and disclosed. The moment a flaw is disclosed and a CVE exists, it is no longer a zero day. It is a one‑day. Yet we keep calling it zero day because it sounds hotter and less embarrassing.

The uncomfortable truth is that most incidents are not zero days. The majority of breaches cataloged by Verizon, CrowdStrike, and Mandiant, and most CISA KEV entries, involve known vulnerabilities with patches available. CVE-2021-44228, CVE-2023-44487, CVE-2022-22965. None were zero days when they burned thousands of networks. They were unpatched. Zero day has become a comfortable lie that lets organisations outsource blame to "sophisticated actors" instead of admitting they failed on basic hygiene, patch cadence, architecture, or risk acceptance.

RAND’s research on zero‑day lifespans hinted at this problem years ago: many “zero days” live long enough to become public before they are ever widely exploited. The line between zero‑day and known vulnerability is blurry by design, and the industry exploits that ambiguity. Consulting firms monetise it. Vendors differentiate on it. Media outlets weaponise it for clicks.

Calling everything a zero day erodes the word’s technical value and inflates our collective sense of helplessness. It disguises operational failure as inevitability. It lets boards nod along to “how could we have known” instead of “why did we not patch within days, not years.”

Stop letting the zero-day lie drive your decisions and your language. When you hear zero day in the next incident report, the next vendor pitch, the next threat feed, ask one question: was there truly no patch, no CVE, no disclosure, no chance to act? Or are you just hearing a brand name for failure?
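The question at the end of the post is a timeline check, so here it is written down as code. This is an added example, not part of the original post: it takes the dates a defender can actually verify for a vulnerability (first credible in-the-wild exploitation, public disclosure, patch availability, CVE assignment) and labels it zero-day only when exploitation preceded every public signal, as the definition above requires; otherwise it is an n-day and the function reports how many days defenders had to act before it was used against them. The `VulnTimeline` type, the `classify` and `summarise` functions and the CVE identifiers and dates in the sample records are all constructed for this illustration, not taken from any real advisory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Dict, Tuple


@dataclass
class VulnTimeline:
    """Key dates for one vulnerability. Optional fields model the reality
    that public records are often incomplete (e.g. no CVE yet)."""
    cve_id: str
    first_exploited: date                  # earliest credible in-the-wild exploitation
    disclosed: Optional[date] = None       # public advisory / write-up
    patched: Optional[date] = None         # vendor fix generally available
    cve_assigned: Optional[date] = None    # CVE record published


def classify(v: VulnTimeline) -> Tuple[str, int]:
    """Return (label, exposure_days).

    label is 'zero-day' when exploitation strictly preceded every public
    signal (or no public signal exists at all), i.e. defenders had no patch,
    no CVE and no disclosure to act on. Otherwise it is 'n-day', and
    exposure_days counts the days between the earliest actionable signal and
    the first observed exploitation: the window in which patching was possible.
    """
    signals = [d for d in (v.disclosed, v.patched, v.cve_assigned) if d is not None]
    if not signals:
        return "zero-day", 0
    earliest_signal = min(signals)
    if v.first_exploited < earliest_signal:
        return "zero-day", 0
    return "n-day", (v.first_exploited - earliest_signal).days


def summarise(records: List[VulnTimeline]) -> Dict[str, object]:
    """Aggregate a set of records the way an incident review would:
    how many were genuine zero-days, how many were n-days, and the median
    number of days an n-day sat unpatched before it was exploited."""
    labels = [classify(r) for r in records]
    nday_windows = sorted(days for label, days in labels if label == "n-day")
    median = 0
    if nday_windows:
        mid = len(nday_windows) // 2
        median = (nday_windows[mid] if len(nday_windows) % 2
                  else (nday_windows[mid - 1] + nday_windows[mid]) // 2)
    return {
        "zero_day_count": sum(1 for label, _ in labels if label == "zero-day"),
        "n_day_count": len(nday_windows),
        "median_unpatched_days": median,
    }


# Constructed sample records (identifiers and dates are illustrative only).
SAMPLE: List[VulnTimeline] = [
    # Exploited nine days before any advisory existed: a real zero-day.
    VulnTimeline("CVE-0000-EXAMPLE1", date(2024, 3, 1),
                 disclosed=date(2024, 3, 10), patched=date(2024, 3, 12)),
    # Patched, disclosed and assigned a CVE in January, exploited in June.
    VulnTimeline("CVE-0000-EXAMPLE2", date(2024, 6, 20),
                 disclosed=date(2024, 1, 15), patched=date(2024, 1, 15),
                 cve_assigned=date(2024, 1, 15)),
    # No public signal of any kind: still a zero-day by definition.
    VulnTimeline("CVE-0000-EXAMPLE3", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.cve_id, *classify(rec))
    print(summarise(SAMPLE))
```

Run against real incident data, the interesting output is not the label but `exposure_days`: a large number under the heading "zero-day" in a report is exactly the mislabelling the post describes.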


More at https://securitycyber.uk
Mastodon: https://infosec.exchange/@securitycyber
LinkedIn: https://www.linkedin.com/in/charlie-collins-sec
Bluesky: https://bsky.app/profile/securitycyberuk.bsky.social
Substack: https://securitycyber.substack.com
Discord: https://discord.gg/securitycyber

Recommended resources to go deeper: https://www.hackthebox.com for hands-on practice, https://portswigger.net/web-security for free web security labs, and https://academy.tcm-sec.com for structured courses.

Originally published at https://securitycyber.uk
