The cybersecurity industry's reliance on zero-day vulnerabilities as explanations for major breaches is masking a more uncomfortable truth: most successful cyberattacks exploit basic security failures rather than sophisticated, unstoppable threats, according to new research that challenges the conventional wisdom surrounding these high-profile incidents.
Cybersecurity researcher Candy Wong has published a comprehensive analysis arguing that while zero-day vulnerabilities represent genuine dangers, they have evolved into overused scapegoats that allow organizations to deflect responsibility for preventable security lapses.
"Zero-days are treated as acts of god in security — unforeseeable, unstoppable, inevitable. But is that actually true?" Wong wrote in her analysis, which examines the disconnect between public perception and the reality of modern cyber threats.

The typical post-breach narrative has become predictably formulaic, Wong observed. "The attackers exploited a previously unknown vulnerability. This was a sophisticated, nation-state-level attack. There was nothing we could have done," she wrote, describing the standard press-release template organizations deploy following major security incidents.
However, data from threat intelligence firm Mandiant reveals a striking gap between these public explanations and actual attack methods. In 2022, Mandiant published analysis demonstrating that in the majority of intrusions initially attributed to zero-day exploitation, the exploited vulnerability actually had a patch available at the time of the breach.

These incidents represent attacks using known, patched vulnerabilities against organizations that simply hadn't applied available fixes — not genuine zero-day exploits. The distinction carries profound implications for how organizations approach cybersecurity strategy and resource allocation.
"These are not zero-days. They are N-days exploited against organisations with poor patch hygiene," Wong explained. "Calling them zero-days is inaccurate and, from a defensive standpoint, dangerous — because it suggests the organisation was helpless when it was not."
By the Numbers
The statistical reality of the threat landscape tells a story far different from the zero-day-focused narratives that dominate cybersecurity discourse. Multiple threat intelligence firms estimate that genuine zero-day exploitation — attacks using vulnerabilities truly unknown to vendors at the time of the attack — accounts for only 4% to 12% of all initial access methods in tracked intrusions.
This means the remaining 88% to 96% of attacks rely on far more mundane methods that organizations can actively defend against. These include supply chain compromises, misconfiguration exploitation, valid credential abuse, phishing and social engineering campaigns, and known vulnerabilities that organizations failed to patch in a timely manner.
Wong's analysis emphasizes the importance of definitional precision when discussing cybersecurity threats. A genuine zero-day vulnerability must meet three specific criteria: it's exploited before a fix is available, remains unpatched at the time of exploitation, and is unknown to the software vendor.
The term "zero-day" derives from "zero days since the vendor has known about it." Once a vendor receives notification and releases a patch, the vulnerability transitions into what the industry calls an "N-day," where N represents the number of days since the patch became available.
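To make the definition above mechanical, here is an added example (not from Wong's analysis or any vendor tooling) that applies the three criteria to a set of incident records and reports how many incidents publicly claimed as zero-days were in fact N-days with a patch already available; the incidents and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Incident:
    name: str                          # constructed label, not a real case
    exploited_on: date                 # first observed exploitation
    vendor_aware_on: Optional[date]    # when the vendor learned of the flaw (None = not yet)
    patch_released_on: Optional[date]  # when a fix shipped (None = no fix yet)
    claimed_zero_day: bool             # what the post-breach statement asserted

def classify(inc: Incident) -> str:
    """Apply the three criteria: exploited before a fix exists, unpatched at the
    time, and unknown to the vendor. A flaw with a fix already shipped is an
    N-day, N being the days between patch release and exploitation."""
    if inc.patch_released_on is not None and inc.patch_released_on <= inc.exploited_on:
        n = (inc.exploited_on - inc.patch_released_on).days
        return f"N-day (N={n})"
    if inc.vendor_aware_on is not None and inc.vendor_aware_on <= inc.exploited_on:
        # Vendor knew but had not shipped a fix: fails the "unknown to vendor" test.
        return "disclosed, unpatched"
    return "zero-day"

def reclassify(incidents):
    """Count incidents by their true class and how many claimed zero-days
    were really N-days (the gap Mandiant's 2022 analysis highlighted)."""
    counts = {}
    misattributed = 0
    for inc in incidents:
        label = classify(inc).split(" (")[0]
        counts[label] = counts.get(label, 0) + 1
        if inc.claimed_zero_day and label == "N-day":
            misattributed += 1
    return counts, misattributed

# Constructed sample incidents (dates and names are invented for the example).
SAMPLE = [
    Incident("alpha", date(2023, 3, 10), None, None, True),
    Incident("bravo", date(2023, 5, 2), date(2023, 1, 15), date(2023, 2, 1), True),
    Incident("charlie", date(2023, 6, 20), date(2023, 6, 1), None, True),
    Incident("delta", date(2023, 8, 5), date(2022, 11, 1), date(2022, 12, 1), True),
    Incident("echo", date(2023, 9, 9), date(2023, 9, 5), date(2023, 9, 5), False),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(f"{inc.name:8} claimed zero-day={inc.claimed_zero_day!s:5} -> {classify(inc)}")
    print(reclassify(SAMPLE))
```

Of the four incidents claimed as zero-days in the sample, two had patches available for 90 and 247 days respectively; only one meets all three criteria.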
Wong's research delves into the zero-day lifecycle, explaining how these vulnerabilities are discovered through independent security research, differential analysis of software updates, and other sophisticated methods before being weaponized by threat actors. The process requires significant resources and expertise, making genuine zero-day exploitation the domain of well-funded adversaries rather than opportunistic criminals.
"Zero-days are real. They are dangerous. Nation-state actors do use them. But the security industry has collectively allowed the term to become a catch-all excuse for defensive failures that had nothing to do with unknown vulnerabilities," Wong wrote.
The implications extend beyond academic debate. Organizations that misattribute successful attacks to unstoppable zero-day exploits may miss critical lessons about improving their security posture. Instead of investing in exotic defenses against theoretical threats, Wong's research suggests that organizations should focus their defensive efforts on security fundamentals that prevent the overwhelming majority of attacks.
The analysis arrives as organizations continue wrestling with increasingly sophisticated cyber threats while struggling to implement basic security measures effectively. The research suggests that rather than assuming powerlessness against sophisticated zero-day exploits, organizations would benefit more from addressing the mundane but critical security gaps that enable most successful cyberattacks.
Wong's findings challenge the cybersecurity industry to move beyond convenient narratives and confront the uncomfortable reality that most breaches result from preventable failures rather than unstoppable sophisticated attacks. This shift in perspective could fundamentally change how organizations allocate security resources and measure defensive success.

