Skip to content

What is a zero-day, and how do you defend against something with no patch?

Short answer

A zero-day is a vulnerability the vendor doesn't yet know about (or hasn't patched), so defenders have had 'zero days' to fix it. Since no patch exists, defense relies on layered controls, behavior-based detection, segmentation, least privilege, and fast incident response rather than a signature.

The term sounds dramatic, and interviewers want to see you can define it precisely and reason about defense when the usual answer — "apply the patch" — isn't available.

What "zero-day" means

A zero-day vulnerability is a flaw that the software vendor does not yet know about or has not yet fixed. The name comes from the vendor having had zero days to develop a patch. A zero-day exploit is working attack code for such a flaw, and a zero-day attack is its use in the wild before a fix exists.

Contrast this with an n-day: a vulnerability that is known and patched, but where some systems remain unpatched. Most real-world compromises actually exploit n-days, because organizations are slow to patch.

Why they're dangerous

Signature-based defenses (antivirus, IDS rules) often rely on knowing the threat in advance. A true zero-day has no signature, so these tools may miss it entirely, and there is no patch to deploy.

How you defend without a patch

You shift from "block the known" to resilience and depth:

  • Defense in depth so no single bypass leads to full compromise.
  • Behavior- and anomaly-based detection (EDR, network analytics) that flags suspicious actions rather than known signatures.
  • Least privilege and segmentation to limit blast radius.
  • Virtual patching / WAF rules to mitigate exploitation paths temporarily.
  • Threat intelligence and fast patching so you deploy the vendor fix the moment it ships.
  • A rehearsed incident-response plan for when prevention fails.

Why this matters

Interviewers are checking whether you panic or think in systems. A candidate who defines zero-day correctly, distinguishes it from n-days, and explains layered, behavior-based defense shows they understand that security is about reducing risk, not chasing a perfect block.

Likely follow-ups

  • How does a zero-day differ from an n-day or known CVE?
  • What detection approaches work when no signature exists?
  • What is responsible disclosure?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.