What is a zero-day, and how do you defend against something with no patch?
Short answer
A zero-day is a vulnerability the vendor doesn't yet know about (or hasn't patched), so defenders have had 'zero days' to fix it. Since no patch exists, defense relies on layered controls, behavior-based detection, segmentation, least privilege, and fast incident response rather than a signature.
The term sounds dramatic, and interviewers want to see you can define it precisely and reason about defense when the usual answer — "apply the patch" — isn't available.
What "zero-day" means
A zero-day vulnerability is a flaw that the software vendor does not yet know about or has not yet fixed. The name comes from the vendor having had zero days to develop a patch. A zero-day exploit is working attack code for such a flaw, and a zero-day attack is its use in the wild before a fix exists.
Contrast this with an n-day: a vulnerability that is known and patched, but where some systems remain unpatched. Most real-world compromises actually exploit n-days, because organizations are slow to patch.
Why they're dangerous
Signature-based defenses (antivirus, IDS rules) often rely on knowing the threat in advance. A true zero-day has no signature, so these tools may miss it entirely, and there is no patch to deploy.
How you defend without a patch
You shift from "block the known" to resilience and depth:
- Defense in depth so no single bypass leads to full compromise.
- Behavior- and anomaly-based detection (EDR, network analytics) that flags suspicious actions rather than known signatures.
- Least privilege and segmentation to limit blast radius.
- Virtual patching / WAF rules to mitigate exploitation paths temporarily.
- Threat intelligence and fast patching so you deploy the vendor fix the moment it ships.
- A rehearsed incident-response plan for when prevention fails.
Why this matters
Interviewers are checking whether you panic or think in systems. A candidate who defines zero-day correctly, distinguishes it from n-days, and explains layered, behavior-based defense shows they understand that security is about reducing risk, not chasing a perfect block.
Likely follow-ups
- How does a zero-day differ from an n-day or known CVE?
- What detection approaches work when no signature exists?
- What is responsible disclosure?