A [zero-day exploit](https://en.wikipedia.org/wiki/Zero-day_(computing)) is an attack that weaponizes a software vulnerability before the vendor has issued a patch, leaving defenders with zero days of advance warning.
The underlying flaw is called a "zero-day vulnerability" and the code or technique that abuses it is the "exploit." Because no patch exists at the time of attack, signature-based defenses are ineffective, and the window between initial use and public disclosure is the period of greatest systemic risk. Zero-days are prized by intelligence agencies, criminal operators, and bug-bounty researchers alike, with a mature underground market where individual exploits can sell for seven figures depending on target and reliability.
Key Facts
- Category: Cybersecurity vulnerability / exploit
- Named for: Zero days of vendor warning before attack
- Disclosure types: Responsible (reported to vendor), full (public), commercial (sold to broker or government)
- Market pricing: $10K–$2M+, highest for iOS, Windows kernel, and enterprise identity targets
- Notable examples: Stuxnet (2010), Heartbleed (2014), Log4Shell (2021)
- Primary defenses: Defense-in-depth, runtime protections, rapid patch deployment once disclosed
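The "runtime protections" listed above (PIE/ASLR, a non-executable stack, RELRO) do not fix a zero-day, but they decide how hard a memory-corruption flaw is to weaponize. The following is an added example, not code from this page, that reads the ELF64 program headers of a binary and reports which of those mitigations are present; the two sample images it checks are constructed in the block (headers only, not loadable programs), and the file path in the usage line is a placeholder.

```python
import struct
import sys
from typing import Dict, List, Tuple

# ELF constants as defined in <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64-byte little-endian ELF64 header
PHDR_FMT = "<IIQQQQQQ"          # 56-byte ELF64 program header


def parse_program_headers(data: bytes) -> Tuple[int, List[Dict[str, int]]]:
    """Return (e_type, [{type, flags}, ...]) for a little-endian ELF64 image."""
    (ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, data, 0)
    if ident[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled in this example")
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags})
    return e_type, phdrs


def check_elf_hardening(data: bytes) -> Dict[str, bool]:
    """Report the mitigations visible from the ELF header and program headers."""
    e_type, phdrs = parse_program_headers(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # With no PT_GNU_STACK entry at all, the Linux loader falls back to an
    # executable stack, so a missing header counts as "no NX".
    nx_stack = bool(stack) and not (stack[0]["flags"] & PF_X)
    return {
        "pie": e_type == ET_DYN,                                    # position-independent -> ASLR applies
        "nx_stack": nx_stack,                                      # stack mapped without PF_X
        "relro": any(p["type"] == PT_GNU_RELRO for p in phdrs),    # partial RELRO (full RELRO also needs DT_BIND_NOW)
    }


def build_sample_elf(e_type: int, stack_flags: int, relro: bool) -> bytes:
    """Construct a minimal headers-only ELF64 image for testing (not a runnable binary)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: one built the way a hardened toolchain would emit it,
# one lacking every mitigation.
HARDENED_SAMPLE = build_sample_elf(ET_DYN, PF_R | PF_W, relro=True)
WEAK_SAMPLE = build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X, relro=False)

if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary   (path is a placeholder)
    with open(sys.argv[1], "rb") as fh:
        print(check_elf_hardening(fh.read()))
```

Run it over a fleet's installed binaries and the output becomes an inventory of which programs would give an unknown bug the easiest path to code execution, which is the defense-in-depth information this page's "primary defenses" line refers to.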
How It Works
- Discovery — a researcher, attacker, or automated fuzzer finds a flaw the vendor does not know about
- Weaponization — the flaw is turned into reliable exploit code, often chained with other bugs to achieve privilege escalation or remote code execution
- Deployment — the exploit is used in a targeted attack, sold on an underground market, or reported under a bounty or responsible-disclosure program
- Patch race — once the flaw is disclosed, the vendor ships a patch and defenders race attackers to deploy it before the exploit spreads
- Retirement — after patches are widely deployed the bug becomes an "n-day" vulnerability; still dangerous to unpatched systems but no longer "zero"
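The "patch race" and "retirement" steps are where a defender actually measures risk: from the moment of disclosure, every unpatched host accumulates n-day exposure until its patch lands. As an added example that is not part of the original page, the block below takes a constructed advisory (a hypothetical product and fixed version, not a real CVE) and a constructed asset inventory, classifies each host as pre-disclosure, still exposed, or patched, and computes per-host and fleet-wide exposure windows.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed advisory: hypothetical product, version and disclosure date.
ADVISORY = {
    "product": "examplelib",
    "fixed_in": "2.4.1",
    "disclosed": date(2025, 1, 10),
}

# Constructed inventory: installed version plus the date the host was patched (None = not yet).
INVENTORY = [
    {"host": "web-01",  "product": "examplelib", "version": "2.4.1",  "patched_on": date(2025, 1, 12)},
    {"host": "web-02",  "product": "examplelib", "version": "2.3.9",  "patched_on": None},
    {"host": "db-01",   "product": "examplelib", "version": "2.10.0", "patched_on": date(2025, 1, 20)},
    {"host": "batch-1", "product": "examplelib", "version": "1.9",    "patched_on": None},
    {"host": "cache-1", "product": "otherlib",   "version": "0.1",    "patched_on": None},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically so that 2.10 sorts after 2.4."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def exposure_days(disclosed: date, patched_on: Optional[date], today: date) -> int:
    """Days between public disclosure and the patch (or today if still unpatched)."""
    end = patched_on or today
    return max((end - disclosed).days, 0)


def assess_exposure(advisory: Dict, inventory: List[Dict], today: date) -> List[Dict]:
    results = []
    for asset in inventory:
        if asset["product"] != advisory["product"]:
            continue  # advisory does not apply to this software
        if today < advisory["disclosed"]:
            # Before disclosure there is no patch to deploy: this is the zero-day window.
            status, days = "pre-disclosure", 0
        elif is_vulnerable(asset["version"], advisory["fixed_in"]):
            status, days = "n-day exposed", exposure_days(advisory["disclosed"], None, today)
        else:
            status, days = "patched", exposure_days(advisory["disclosed"], asset["patched_on"], today)
        results.append({"host": asset["host"], "version": asset["version"],
                        "status": status, "exposure_days": days})
    # Worst exposure first so the list doubles as a patching work queue.
    results.sort(key=lambda r: (-r["exposure_days"], r["host"]))
    return results


def summarize(results: List[Dict]) -> Dict[str, float]:
    """Fleet-level view: how many hosts are still open and how long the windows are."""
    windows = [r["exposure_days"] for r in results]
    return {
        "still_exposed": sum(1 for r in results if r["status"] == "n-day exposed"),
        "worst_exposure_days": max(windows) if windows else 0,
        "mean_exposure_days": sum(windows) / len(windows) if windows else 0.0,
    }


if __name__ == "__main__":
    report = assess_exposure(ADVISORY, INVENTORY, date(2025, 2, 9))
    for row in report:
        print(f"{row['host']:8} {row['version']:7} {row['status']:14} {row['exposure_days']:>3} days")
    print(summarize(report))
```

The numeric version comparison matters: a string comparison would mark 2.10.0 as older than 2.4.1 and report a patched host as exposed, which is exactly the false negative that leaves an n-day sitting in a fleet.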
Why It Matters
Zero-days are the sharp edge of the asymmetry between offense and defense in software security. A single undisclosed flaw in widely deployed infrastructure — a browser, kernel, TLS library, or identity provider — can compromise millions of systems before anyone is aware the vulnerability exists. For frontier AI systems, autonomous zero-day capability is a threshold that safety teams track closely; models that can independently discover or weaponize exploits shift the defender's workload in ways traditional patch cycles are not designed to absorb.
FAQ
What is a zero-day exploit in simple terms?
It is an attack that uses a software flaw the vendor does not know about and has not fixed. Because no patch exists, defenders have no time to prepare — hence "zero days."
What is the difference between a zero-day vulnerability and a zero-day exploit?
The vulnerability is the underlying flaw. The exploit is the code or technique that abuses it. A zero-day vulnerability becomes a zero-day exploit only once someone builds working attack code against it.
How long does a zero-day remain a zero-day?
Until it is disclosed, patched, and the patch is deployed. RAND Corporation research found that zero-days used by state actors remained undisclosed for an average of 6.9 years before discovery.
Are zero-days legal to sell?
In most jurisdictions, yes. Governments, defense contractors, and brokers (e.g., Zerodium) legally purchase exploits for intelligence, law enforcement, or offensive cyber operations. Export controls and ethics rules vary by country.
Can AI models discover zero-days?
Increasingly, yes. Frontier AI systems have demonstrated the ability to identify novel vulnerabilities in open-source code. Project Glasswing, the restricted Claude Mythos preview launched April 7, 2026, was scoped to defensive-cybersecurity research in part to study this dynamic under controlled access.
Related
- Project Glasswing — Anthropic's defensive-cybersecurity research preview for Claude Mythos
- Claude Mythos Release Date — the frontier model whose cybersecurity implications triggered the preview
