Zero-Day
A vulnerability that is unknown to vendors and has no available patch. Especially dangerous in OT and IoMT environments where even known, patched vulnerabilities often remain unaddressed for years.
What is Zero-Day?
A zero-day vulnerability is a security flaw that is unknown to the software vendor, meaning the vendor has had zero days of advance warning before the vulnerability can be exploited. Zero-days may be discovered by security researchers, bug bounty hunters, or threat actors, and their significance depends on who knows about them and what they do with them. A zero-day in the hands of a nation-state actor can be exploited indefinitely while the vendor remains unaware; a zero-day disclosed responsibly to the vendor leads to a patch before widespread exploitation.
Zero-days represent the most sophisticated end of the threat spectrum: they target vulnerabilities for which no defensive patch exists. Nation-state intelligence agencies maintain inventories of zero-days for use in targeted operations, and criminal organizations acquire zero-days (often through dark web markets) for use in high-impact attacks. The Stuxnet worm famously used four separate Windows zero-days simultaneously, an unprecedented display of technical sophistication.
In IoT and OT environments, zero-days are particularly concerning because even when vendors eventually publish patches, the deployment timeline is so long that these "new" vulnerabilities remain unpatched for years. An OT zero-day that receives a vendor patch 18 months after disclosure is effectively a zero-day for that entire period, and for longer still in operational environments that cannot be updated on short notice.
Key Facts
- The zero-day market is a billion-dollar industry — nation-states and criminal organizations pay millions for high-value zero-days
- Stuxnet used four Windows zero-days simultaneously in its attack on Iranian centrifuge controllers
- Google Project Zero tracks zero-day exploitation in the wild; average time to patch a zero-day is 70 days
- Behavioral detection catches zero-day exploitation effects even before a CVE exists
How ORDR Addresses Zero-Day
ORDR's behavioral detection approach is particularly valuable in zero-day scenarios because it detects the behavioral anomalies caused by exploitation even when no patch or signature exists. When a zero-day is exploited, the resulting device behavior (unexpected connections, unusual protocol activity, data exfiltration patterns) deviates from the device's behavioral baseline and triggers alerts regardless of whether the specific vulnerability is known.
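The baseline-and-deviation idea described above, as an added illustration that is not ORDR's code and makes no claim about how ORDR implements it: a learning window of per-device flow records is turned into a baseline of known peers, known port/protocol pairs and typical outbound volume, and later flows are scored against it. Every device name, address and flow record below is constructed for the example; the three deviation checks (new peer, new service, outbound volume z-score) and the threshold of 3.0 are assumptions chosen here, not values from the page.

```python
"""Behavioral baseline for IoT/OT devices, scored on later flows (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-window flows: (device, peer, port, proto, bytes_out)
BASELINE_FLOWS = [
    ("infusion-pump-07", "10.0.5.10", 443, "tcp", 1200),
    ("infusion-pump-07", "10.0.5.10", 443, "tcp", 1350),
    ("infusion-pump-07", "10.0.5.20", 2575, "tcp", 800),   # HL7 to the integration engine
    ("infusion-pump-07", "10.0.5.20", 2575, "tcp", 900),
    ("plc-line-3", "10.1.2.5", 502, "tcp", 300),           # Modbus/TCP to the HMI
    ("plc-line-3", "10.1.2.5", 502, "tcp", 320),
    ("plc-line-3", "10.1.2.5", 502, "tcp", 310),
]

# Constructed flows seen after the learning window.
OBSERVED_FLOWS = [
    ("infusion-pump-07", "10.0.5.10", 443, "tcp", 1250),            # consistent
    ("infusion-pump-07", "203.0.113.7", 8443, "tcp", 50_000_000),   # new external peer, large upload
    ("plc-line-3", "10.1.2.5", 502, "tcp", 315),                    # consistent
    ("plc-line-3", "10.1.2.99", 445, "tcp", 4000),                  # new peer and new service
]


def build_baseline(flows):
    """Per device: the peers and (port, proto) services seen, plus outbound byte counts."""
    baseline = defaultdict(lambda: {"peers": set(), "services": set(), "bytes": []})
    for device, peer, port, proto, nbytes in flows:
        entry = baseline[device]
        entry["peers"].add(peer)
        entry["services"].add((port, proto))
        entry["bytes"].append(nbytes)
    return baseline


def score_flow(baseline, flow, z_threshold=3.0):
    """Return the list of reasons a flow deviates from its device baseline (empty = consistent).

    No signature or CVE is consulted: only the device's own history matters.
    """
    device, peer, port, proto, nbytes = flow
    if device not in baseline:
        return ["unknown device (no baseline)"]
    entry = baseline[device]
    reasons = []
    if peer not in entry["peers"]:
        reasons.append(f"new peer {peer}")
    if (port, proto) not in entry["services"]:
        reasons.append(f"new service {proto}/{port}")
    # Outbound volume as a z-score against the learning window; a floor on sigma
    # keeps a perfectly regular device from flagging on a one-byte change.
    mu = mean(entry["bytes"])
    sigma = max(pstdev(entry["bytes"]), 1.0)
    z = (nbytes - mu) / sigma
    if z > z_threshold:
        reasons.append(f"outbound volume z={z:.1f} ({nbytes} bytes vs mean {mu:.0f})")
    return reasons


def detect(baseline_flows, observed_flows):
    """Build the baseline, score each observed flow, and return the ones that deviate."""
    baseline = build_baseline(baseline_flows)
    alerts = []
    for flow in observed_flows:
        reasons = score_flow(baseline, flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


if __name__ == "__main__":
    for flow, reasons in detect(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(flow[0], "->", flow[1], "|", "; ".join(reasons))
```

Run as-is, the two consistent flows produce nothing, the pump's upload to an outside address is flagged for both the new peer and the volume spike, and the PLC's SMB connection is flagged on all three checks. The point the passage makes is visible here: nothing in the detection logic depends on which vulnerability, if any, produced the change in behavior.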