A [zero-day exploit](https://en.wikipedia.org/wiki/Zero-day_(computing)) is an attack that weaponizes a software vulnerability before the vendor has a patch available; the name refers to the vendor, and therefore defenders, having had zero days to prepare a fix.
The underlying flaw is called a zero-day vulnerability; the code or technique that abuses it is the exploit. Because no patch exists when the attack lands, signature-based defenses keyed to already-catalogued exploits have nothing to match (behavioural detection of the post-exploitation activity can still fire), and the window between first use in the wild and public disclosure is the period of greatest systemic risk. Once the flaw is disclosed and patched it becomes an n-day vulnerability: still dangerous to systems that have not applied the patch, but no longer offering surprise.
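The point about signature-based defenses, as an added example that is not code from the original page: a signature check keyed to a catalogue of known payload hashes sits beside a behavioural check that flags a web or application server spawning a shell. The events, hashes and process names are constructed for the example; the heuristic itself (a server process launching a shell) is a standard detection pattern and is not tied to any particular vulnerability.

```python
"""Signature versus behaviour detection against a zero-day.

Added illustration, not code from the original page. Event data, hashes
and process names are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, as an EDR agent or auditd would record it."""
    parent: str   # image name of the parent process
    child: str    # image name of the spawned process
    sha256: str   # hash of the payload the spawned process executes
    note: str     # constructed label, used only for readability


# Constructed IOC list: hashes of payloads seen in exploits that have
# already been disclosed and analysed. A true zero-day payload is, by
# definition, absent from any such list.
KNOWN_BAD_HASHES = {
    "a1" * 32,  # constructed: payload from a previously disclosed n-day exploit
}

# Processes that serve network requests and should never spawn a shell in
# normal operation; a child shell here is a strong exploitation signal
# regardless of which bug was used to get there.
SERVER_PARENTS = {"nginx", "httpd", "w3wp.exe", "php-fpm", "java"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}


def signature_match(ev: ProcEvent) -> bool:
    """Signature (IOC) check: fires only on a payload already catalogued."""
    return ev.sha256 in KNOWN_BAD_HASHES


def behaviour_match(ev: ProcEvent) -> bool:
    """Behaviour check: server process spawning a shell, payload-agnostic."""
    return ev.parent in SERVER_PARENTS and ev.child in SHELLS


# Constructed sample telemetry.
EVENTS = [
    ProcEvent("nginx", "sh", "a1" * 32, "n-day exploit reusing a known payload"),
    ProcEvent("nginx", "sh", "7f" * 32, "zero-day exploit, never-seen payload"),
    ProcEvent("bash", "ls", "3c" * 32, "benign admin activity"),
    ProcEvent("java", "cmd.exe", "9e" * 32, "zero-day on a Windows app server"),
]


def triage(events):
    """Return, per event, which of the two detections fired."""
    return [
        {
            "note": ev.note,
            "signature": signature_match(ev),
            "behaviour": behaviour_match(ev),
        }
        for ev in events
    ]


def missed_by_signature_only(events):
    """Events the behaviour rule catches but the signature rule does not:
    exactly the zero-day cases, which no IOC list can contain in advance."""
    return [ev.note for ev in events if behaviour_match(ev) and not signature_match(ev)]


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
    print("caught only by behaviour:", missed_by_signature_only(EVENTS))
```

In production the behaviour rule needs tuning (deployment scripts and health checks can legitimately spawn shells from a service account), so it is usually paired with allowlists and enrichment rather than run raw; the point here is that its coverage does not depend on foreknowledge of the bug, which is exactly what the signature rule lacks on day zero.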
Zero-days are prized by intelligence agencies, criminal operators, and bug-bounty researchers, with a mature market in which individual exploits have been offered for anywhere from roughly $10K to over $2M depending on target and reliability. iOS, Windows kernel, and enterprise identity bugs are among those commanding the highest prices. Disclosure paths split into three: responsible or coordinated (reported privately to the vendor and published only after a fix), full (published openly, patch or not), and commercial (sold to a broker or government, typically with no disclosure to the vendor at all). RAND Corporation's 2017 study "Zero Days, Thousands of Nights", which analysed a privately held collection of exploits rather than confirmed state-actor usage, found that the underlying vulnerabilities survived an average of 6.9 years before public discovery, with roughly a quarter dying within 18 months and another quarter lasting more than nine and a half years.
Zero-days sit at the sharp edge of the asymmetry between offense and defense in software security. A single undisclosed flaw in widely deployed infrastructure — a browser, kernel, TLS library, or identity provider — can compromise millions of systems before anyone is aware the vulnerability exists. For frontier AI systems, autonomous zero-day discovery is a capability threshold safety teams track closely; Project Glasswing, the restricted Claude Mythos preview launched April 7, 2026, was scoped to defensive-cybersecurity research in part to study this dynamic under controlled access.
