Key takeaways
- The time between zero-day discovery and disclosure can span years, meaning attackers can exploit them long before defenders know they exist.
- AI models like Claude Mythos Preview and ChatGPT-5.5 have collapsed the time from discovery to weaponization, making manual defense inadequate.
- Traditional vulnerability scanning tools only assess known vulnerabilities, so they offer little protection against zero days.
- AI-assisted exposure management can mitigate the risk of zero-day threats by automatically discovering shadow IT, unmanaged servers, forgotten cloud buckets, and other assets exposed to the public internet that threat actors could probe for zero days.
What is a zero-day vulnerability?
A zero-day vulnerability is a known vulnerability that doesn't yet have a patch to fix it, leaving affected systems exposed to potential attacker exploitation. That means if attackers find the vulnerability before the vendor and no patch is available, security teams have “zero days” to prepare.
While zero-day vulnerabilities have been discovered for decades, the sophisticated vulnerability discovery and exploitation capabilities of frontier AI models like Anthropic’s Claude Mythos Preview and OpenAI ChatGPT-5.5 have brought them into sharper focus. With frontier LLMs, attackers can find and exploit zero-day vulnerabilities faster than ever.
In fact, Anthropic revealed in April that Claude Mythos Preview autonomously discovered in minutes a flaw that had eluded security researchers for nearly three decades. The implication? The window defenders have to respond to these zero-day flaws has never been shorter, and the stakes have never been higher.
Patching still matters, but patches can only be developed for a zero day once security researchers have discovered it. As frontier AI accelerates vulnerability discovery, attackers are more likely to find exploitable flaws before vendors can build patches for them.
As a result, exposure management is more important than ever. It gives your security team the continuous visibility into exposed assets, vulnerable software, weak controls, and likely attack paths they need to preemptively reduce risk, even when no patch is available.
How do zero-day vulnerabilities work?
What makes a vulnerability a “zero-day” is the fact that the vendor who created the software does not yet know about the flaw, so no patch is available.
Zero-day vs n-day vulnerabilities
That lack of vendor awareness distinguishes zero-day vulnerabilities from n-day vulnerabilities. A zero-day is unknown and unpatched, whereas an n-day is known and unpatched.
N-day vulnerabilities are much more common than zero days, and even though vendors develop patches for them, n-day vulnerabilities often linger unpatched inside organizations. According to data that Tenable contributed to the 2026 Verizon DBIR, organizations fully remediated only 26% of critical vulnerabilities (those in the CISA KEV catalog) in 2025, down from 38% the previous year. Meanwhile, the median time to full resolution increased to 43 days, almost two weeks longer than the previous year’s 32 days.
What is the lifecycle of a zero-day exploit?
Zero-day exploitation follows a typical lifecycle:
- Discovery - Cybercriminals identify the vulnerability. At this stage, the vendor is still unaware that the vulnerability exists. As mentioned, attackers are increasingly using AI to accelerate vulnerability discovery.
- Weaponization - Attackers develop code, techniques, or delivery mechanisms that turn the flaw into a usable zero-day exploit they can reliably abuse in real-world environments. In its latest DBIR, Verizon warns that AI-driven exploit development could fundamentally accelerate this stage by increasing the speed and scale of exploit creation.
- Exploitation - Attackers exploit a zero-day vulnerability in a system, a stage also known as a zero-day attack, typically to gain initial access. But attackers have also exploited zero days like EternalBlue to move laterally, Copy Fail (CVE-2026-31431) to elevate their privileges, and MOVEit Transfer (CVE-2023-34362) to deploy ransomware and exfiltrate data.
- Disclosure - Eventually, the vulnerability becomes known to the vendor, either through private reporting, incident response investigations, threat intelligence investigations, or security researchers disclosing it publicly.
- Patching - The vendor develops and releases a fix. Organizations then identify affected systems, test the patch, prioritize deployment, and remediate the vulnerability across their environments.
| Stage | Description |
|---|---|
| Discovery | Attacker identifies the flaw. Vendor is unaware. |
| Weaponization | Flaw is turned into a usable exploit. |
| Exploitation | Exploit is used against a live target. |
| Disclosure | Vulnerability becomes known to the vendor. |
| Patching | Fix is developed, released, and deployed. |
Why does AI make zero days more dangerous than ever?
In early April 2026, Anthropic announced Claude Mythos Preview, an AI cybersecurity tool capable of locating dormant bugs in decades-old code and exploiting them at a speed human researchers – and attackers – cannot manually match.
For example, Mythos Preview identified a 27-year-old Denial-of-Service (DoS) vulnerability in OpenBSD’s TCP SACK implementation, and a 17-year-old flaw in FreeBSD’s NFS implementation. It’s unlikely to be long before other AI models gain the same or similar capabilities — and these capabilities fall into adversarial hands.
When attackers inevitably get hold of frontier AI models (and it’s likely they already do), vulnerability discovery timelines will fall from years and months to minutes. Zero-day vulnerabilities will no longer sit, unknown and unexploited, for decades. Attackers using AI zero-day discovery will find and exploit them alongside misconfigurations and identity weaknesses to breach your data faster than your manual security workflows can detect them.
The speed of AI-assisted cyberattacks will force a change in how security teams find and mitigate zero-day vulnerabilities.
| Item | Pre-AI | Post-AI |
|---|---|---|
| Discovery to weaponization | Months to years | Minutes |
| Decades-old flaws | Dormant and unknown | Discoverable at machine speed |
| Defense model | Scan, patch, repeat | Continuous exposure management |
| Scanning tools' effectiveness | Adequate for known CVEs | Blind to undisclosed zero-days |
How to protect against zero-day vulnerabilities
Knowing how to protect against zero-day vulnerabilities starts with visibility.
Maintain continuous visibility across your full attack surface
Mitigating the risk of zero-day vulnerabilities requires continuous visibility across your organization’s entire attack surface, including cloud, IT, OT, IoT, identity systems, AI-enabled workflows, internet-facing assets, and third-party connections.
Specifically, you need asset discovery capabilities to continuously map every asset exposed to the public internet, and therefore reachable by threat actors. By automatically discovering and shutting down shadow AI and IT, unmanaged servers, and forgotten cloud buckets, you radically reduce the attack surface where a zero day may be lurking and prevent attackers from reaching it.
Map attack paths
While threat actors have exploited zero-day vulnerabilities to move laterally, elevate their privileges, and steal data, they primarily use zero-day exploits to gain initial access. Since you can’t detect a zero day on a publicly exposed edge device if you don’t know the zero day exists (i.e., it hasn’t been publicly discovered and disclosed), you need to work backward from your most critical assets and identify the ways threat actors could reach them, whether through over-permissioned AI agents, an Active Directory misconfiguration, orphaned credentials, exposed secrets, or other means.
Exposure management constantly maps internal attack paths. It identifies the misconfigurations, overly permissive user identities, and other vulnerabilities an attacker could chain together after they exploit the zero day. If you can close those exposures ahead of time, the zero day becomes a dead end.
As part of an exposure management program, attack path analysis is equally important after a critical zero day, like Log4Shell or MOVEit, has been discovered and disclosed. When that happens, security teams begin the stressful, and sometimes chaotic, race to identify whether the zero day is present in their environment and to test and deploy the patch. Exposure management alleviates the stress and chaos by allowing security teams to quickly answer the following questions:
- Scope - Where is the zero day present in our environment?
- Criticality - Which of the systems affected by the zero day are linked to critical assets or data?
- Compensating controls - What secondary defenses, like a web application firewall rule or disabling a specific network port, can we deploy right now to block the exploit while we wait for the vendor’s official patch?
Attack path mapping also gives you a mechanism for prioritizing remediation of the zero day alongside all the other vulnerabilities and misconfigurations needing attention.
Accept that patching is not always immediately possible
The natural reaction to finding a zero day that’s been disclosed is often to patch it immediately (assuming a patch is available). But there are several environments in which patching is not feasible:
- OT and ICS environments
- SCADA and PLC systems
- Healthcare infrastructure
- Manufacturing environments
- Legacy enterprise applications
- Critical infrastructure systems
In these environments, uptime, safety, vendor approval, compatibility testing, and maintenance windows are all constraints to patching. Some systems may even be unsupported or impossible to patch quickly.
As a result, zero-day protection cannot rely solely on swift patching. You’ll want to leverage security controls — such as network segmentation, privileged access restrictions, compensating controls, monitoring, and documented risk acceptance — that reduce exploitability and limit blast radius while patches are unavailable. These controls are the essence of business resilience: they allow you to mitigate some of the risk of unpatched vulnerabilities.
Leverage automation and agentic AI remediation workflows
When zero-day vulnerabilities are immediately patchable, speed is of the essence. Agentic AI and automated vulnerability remediation workflows can give you that speed — isolating vulnerable systems, triggering compensating controls, reconfiguring exposed assets, and deploying fixes.
Even when patching isn’t possible, automated workflows still help reduce exposure. They can flag vulnerable assets, map exploitable attack paths, identify compensating controls, restrict privileged access, and escalate the highest-risk systems for human review.
We’re beginning to see these benefits of automation and agentic AI security show up in real-world enterprise environments. According to the IBM Cost of a Data Breach Report 2025, security teams that used AI and automation extensively shortened their breach times by 80 days and lowered their average breach costs by $1.9 million compared to organizations that didn’t use these solutions.
Agentic AI helps close the gap between exposure, decision, and action.
Apply CTEM principles to continuously reduce exposure
As vulnerability volumes spiral out of control (the number of CVEs may reach as high as 100,000 this year) and AI-enabled attackers find them faster than ever, it’s not possible to treat every exposure equally. That’s where exposure management, also known as Continuous Threat Exposure Management (CTEM), comes in.
CTEM principles focus on continuously assessing, prioritizing, validating, and reducing exploitable exposure across the environment.
It starts with continuous discovery: finding assets, vulnerabilities, misconfigurations, identity weaknesses, exposed services, and shadow infrastructure. From there, security teams prioritize exposures based on severity, exploitability, asset criticality, business context, and potential business impact.
Validation refers to processes for testing identified risks through simulations like penetration testing or red/purple team exercises to confirm vulnerability exploitability and understand potential attack paths. Validation helps refine prioritization and remediation plans.
Finally, mobilization helps organizations act on validated findings by coordinating remediation workflows alongside other compensating controls, such as network segmentation and access restrictions, across teams and security tools.
By applying CTEM principles, you can continuously reduce the conditions that could lead to catastrophic cyber events for your organization.
How Tenable helps you manage zero-day risk
Tenable’s research team is dedicated to identifying and reporting zero-day vulnerabilities. In fact, Tenable’s Zero-Day Research team has disclosed more than 450 zero-day vulnerabilities since 2019 — more than any other vendor in the vulnerability management space.
Vulnerability disclosure and remediation guidance
After the team discovers a vulnerability, Tenable reports it to the affected vendor and adheres to strict responsible disclosure practices for reporting the vulnerability via public outlets. For the most high-profile disclosures, Tenable Research has published detection plugins within 24 hours.
Tenable Vulnerability Watch provides breaking alerts and real-time guidance on zero-day threats and vulnerabilities, straight from Tenable’s Research Special Operations team. Combined with Tenable Emergency Response, teams can track exposures in real time with historical threat context to streamline vulnerability prioritization and remediation efforts.
Automated exposure correlation and asset owner identification
When a zero-day drops, most security teams lose critical hours manually stitching together context to find out which assets are affected and who owns them. Tenable Hexa AI eliminates that bottleneck.
As the agentic engine of the Tenable One Exposure Management Platform (EAP), Tenable Hexa AI automatically correlates CVEs to affected assets, matches them to the right owners, and triggers remediation workflows in seconds.
Tenable Hexa AI understands, for example, that a vulnerability in a web application is critical not just in isolation, but because it's linked to a privileged service account with access to sensitive data. Every action that Tenable Hexa AI takes is governed, auditable, and grounded in the Tenable Exposure Data Fabric, so your AI validates the true state of your environment, not just guesses it.
Attack path analysis
Attack path analysis has traditionally been a forensic tool, used after a breach to trace where an attacker went and how they got there.
Tenable One’s Attack Path Analysis, however, is a preventative tool.
It correlates assets, vulnerabilities, identities, privileges, and permissions across vulnerability management, the AI attack surface, identity exposure, OT, and web app security. It automatically and continuously maps the relationships among assets, identities, and permissions across different attack surfaces visually, so your teams can see how exposures chain together into exploitable paths, even as your environment changes.
That means, rather than waiting for a zero-day to drop and for patch management teams to scramble to fix it, organizations can shut down the points in attack paths ahead of time, preventing attackers from causing real harm even if they do initiate a zero-day attack.
Faster exposure remediation, even at scale
Knowing what to fix first is a crucial part of exposure management.
Tenable One combines static and dynamic variables — including exploit code availability and how frequently attackers are exploiting a vulnerability in the wild — with Asset Criticality Ratings to produce an Asset Exposure Score for every asset.
That gives security teams a clear, continuous view of where the most risk lives in their environment. Teams can also use chokepoint analysis to identify the single fixes that remove the most attack paths to critical assets.
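As an added illustration of the scope, criticality and chokepoint questions discussed above (example code, not Tenable's or the platform's logic), the following Python walks a constructed asset-and-identity graph: it scopes a hypothetical advisory to affected assets, keeps the internet-exposed ones as entry points, enumerates attack paths to critical assets, and ranks the intermediate nodes where a single fix would cut the most paths. All asset names, products, versions, relationships and the CVE id are constructed placeholders.

```python
from collections import Counter

# Constructed inventory (not real assets): name -> (product, version, internet_exposed, is_critical)
INVENTORY = {
    "edge-xfer-01": ("ExampleTransfer", "2.0.3", True, False),
    "edge-xfer-02": ("ExampleTransfer", "2.1.0", True, False),
    "intranet-app": ("ExampleTransfer", "1.9.8", False, False),
    "svc-account":  ("", "", False, False),  # identity node, runs no software
    "ad-dc-01":     ("ExampleAD", "10.0", False, False),
    "finance-db":   ("ExampleDB", "14.2", False, True),
    "hr-fileshare": ("ExampleFS", "3.1", False, True),
}

# Constructed directed relationships an attacker could traverse after initial access.
EDGES = [
    ("edge-xfer-01", "svc-account", "runs_as"),
    ("intranet-app", "svc-account", "runs_as"),
    ("svc-account", "ad-dc-01", "admin_over"),
    ("svc-account", "finance-db", "db_owner"),
    ("ad-dc-01", "hr-fileshare", "domain_admin"),
    ("edge-xfer-02", "hr-fileshare", "smb_reachable"),
]

# Hypothetical disclosure; the CVE id is a placeholder, not a real identifier.
ADVISORY = {"cve": "CVE-0000-00000", "product": "ExampleTransfer", "fixed_in": (2, 1, 0)}


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def affected_assets(advisory=ADVISORY, inventory=INVENTORY):
    """Scope: every asset running a version of the product older than the fix."""
    return sorted(name for name, (prod, ver, _, _) in inventory.items()
                  if prod == advisory["product"] and version_tuple(ver) < advisory["fixed_in"])


def exposed_entry_points(advisory=ADVISORY, inventory=INVENTORY):
    """Affected assets reachable from the internet: the likely initial-access vector."""
    return [a for a in affected_assets(advisory, inventory) if inventory[a][2]]


def attack_paths(entry_points, inventory=INVENTORY, edges=EDGES, max_depth=6):
    """Criticality: enumerate simple paths from each entry point to any critical asset."""
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, []).append(dst)
    paths = []

    def walk(node, path):
        if inventory[node][3] and len(path) > 1:   # reached a critical asset
            paths.append(path)
            return
        if len(path) >= max_depth:
            return
        for nxt in adj.get(node, []):
            if nxt not in path:                     # keep paths simple (no cycles)
                walk(nxt, path + [nxt])

    for entry in entry_points:
        walk(entry, [entry])
    return paths


def chokepoints(paths):
    """Rank intermediate nodes by how many paths one fix or compensating control there would cut."""
    return Counter(node for p in paths for node in p[1:-1]).most_common()
```

In this constructed graph the service account sits on both paths from the exposed server, so restricting its privileges (a compensating control) closes more paths than patching the edge server alone, which is the kind of prioritization the chokepoint question is meant to surface.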
Meanwhile, Tenable Hexa AI automatically matches exposures to asset owners, orchestrates remediation workflows, and routes tickets to the right teams with whatever level of human oversight your organization requires. This allows you to close exposures faster at scale.
Schedule a demo today to see how Tenable can help you find, remediate, and limit the impact of zero-day vulnerabilities — fast.
FAQs about zero-day vulnerabilities
Zero-day vulnerabilities are nothing new. However, with the rise of AI and its impact on both the speed with which attackers can exploit weaknesses and the ways defenders can harden their posture, there are a lot of evolving frequently asked questions. Let's answer some of the age-old ones, as well as emerging ones, here.
What is a zero-day vulnerability?
A zero-day vulnerability is a known vulnerability that doesn't yet have a patch to fix it, leaving systems exposed to potential attacker exploitation.
What's the difference between a zero-day vulnerability and a zero-day exploit?
A vulnerability is the software flaw; an exploit is the code that weaponizes it. A zero-day attack is when an exploit is deployed against a target. The three sit in sequence: first, attackers discover the vulnerability; next, they build the exploit, which they use to launch an attack.
What is the difference between a zero-day and an n-day vulnerability?
A zero-day is unknown to the vendor and unpatched. N-day vulnerabilities are known and patchable, but remain dangerous until organizations apply the fix. The “n” in n-day refers to the number of days since disclosure.
What is the impact of frontier AI models on vulnerability discovery and exploitation?
Frontier AI models like OpenAI ChatGPT 5.5 and Anthropic’s Claude Mythos Preview can find and exploit zero-day vulnerabilities much faster than humans can, even if they’ve been hidden for decades.
What should you do when a zero-day vulnerability is publicly disclosed?
Identify if the zero day is present in your environment, and if so, which assets it affects and whether they’re publicly exposed. Assess the risk the zero day creates for your organization: are threat actors actively exploiting it against organizations in your industry? Is the zero day part of an attack path leading to a critical system or sensitive data? Prioritize remediation based on severity, real-world exploitability, and potential business impact.
How does Tenable detect zero-day vulnerabilities?
Tenable’s Zero-Day Research team aggregates and assesses insights from hundreds of sources daily and conducts formalized reverse engineering efforts to discover zero-day vulnerabilities.
What is the zero-day exploitation lifecycle?
Threat actors discover a vulnerability, weaponize it into an exploit, and use the exploit against a vulnerable system. AI compresses this lifecycle from months, weeks, and days to minutes.
Why is patching alone not enough to protect against zero-day attacks?
Because you can’t patch what hasn’t been disclosed. By definition, zero-days have no patch at the point of discovery. This is why it’s so important for organizations to practice good security hygiene and implement preemptive security strategies, starting with exposure management.
How does exposure management reduce zero-day risk?
Exposure management is a strategic approach to preemptive security designed to reduce cyber risk by continuously identifying, contextualizing, validating, prioritizing, and remediating your organization’s most urgent cyber exposures. Cyber exposures are toxic combinations of preventable cyber risks, such as known vulnerabilities, misconfigurations, and identity weaknesses that can lead to significant operational disruption when exploited.
Exposure management mitigates the risk of a zero-day attack by focusing on preemptively shrinking your attack surface and hardening the surrounding environment. It combines asset discovery and attack path analysis capabilities to show you which assets are exposed to the internet, and which would therefore give attackers an initial access vector if they exploited a zero-day vulnerability on one of them. With attack path analysis, exposure management helps you see other security weaknesses and critical assets in your environment that threat actors could exploit to move from initial access to impact, so that you can proactively address them.