Zero-Day Threats & AI Behavioural Analysis: How to Stay Ahead of the Unknown

📅 February 19, 2026 ⏱ 13 min read ✍️ MAIA Security Research Team
A zero-day attack exploits a vulnerability that no one — not the vendor, not the security community, not you — knows exists yet. No patch. No signature. No warning. The only defence is detecting the behaviour of an attack in progress, not its identity. This is where AI changes everything. In this deep-dive, we explore what zero-day threats really are, how they are bought and sold, the anatomy of how they unfold, and exactly how AI behavioural analysis provides the only viable defence against them.

0 days of warning before a zero-day attack strikes — by definition
$4.9M average cost of a data breach involving a zero-day vulnerability (2025)
68% of successful breaches involve zero-day or unknown exploits

What Exactly Is a Zero-Day Threat?

The term "zero-day" refers to the number of days a software vendor has had to fix a newly discovered vulnerability: zero. The moment an attacker finds a flaw before the developer does, they have an open window to exploit it — and no one can stop them with traditional defences.

Zero-day vulnerabilities are the most valuable commodities in the cybercriminal underground. They are bought, sold, and weaponised by nation-state actors, organised crime syndicates, and advanced persistent threat (APT) groups. Once in the wild, a zero-day can affect millions of systems before a patch is ever released.

It is important to distinguish between a zero-day vulnerability and a zero-day exploit. A vulnerability is the underlying flaw in software or hardware. An exploit is the specific code or technique that weaponises that flaw to achieve a malicious objective. Not every vulnerability becomes an active exploit immediately — but for high-value targets, sophisticated actors invest significant resources to develop working exploits within hours of discovering a flaw.

⚠️ Why Traditional Tools Cannot Stop Zero-Day Attacks

Antivirus, intrusion detection systems, and signature-based firewalls all rely on known threat databases. A zero-day, by definition, has no signature, no published CVE, and no rule that can block it. Any tool that depends on "known bad" is structurally blind to zero-day exploits. This is not a configuration problem — it is an architectural limitation.

The Zero-Day Economy: How Exploits Are Bought and Sold

The market for zero-day exploits is a thriving, multi-billion-dollar ecosystem that operates in plain sight alongside shadier underground markets. Understanding this economy is essential to appreciating the scale and sophistication of the threat.

Government and Intelligence Markets

Zero-day brokers — companies that legally purchase and resell vulnerability information — openly advertise to government intelligence agencies, law enforcement, and military organisations. Well-known brokers in this space have publicly offered between $500,000 and $2.5 million for fully working iOS or Android zero-days. These exploits are used for intelligence gathering, offensive cyber operations, and law enforcement purposes. When these tools leak — as happened with the NSA's EternalBlue exploit, later used in WannaCry — the consequences for civilian organisations are catastrophic.

The Cybercriminal Underground

Beyond the grey-market government broker ecosystem, zero-day exploits circulate in cybercriminal forums on the dark web. Ransomware-as-a-service (RaaS) operators pay premium prices for reliable zero-days that allow their affiliates to bypass patch management and gain guaranteed initial access to target networks. A functioning zero-day in a widely deployed VPN or firewall product can sell for hundreds of thousands of dollars — and generate millions in ransomware proceeds.

Nation-State Stockpiling

Multiple nation-states — including Russia, China, North Korea, Iran, and Western intelligence agencies — maintain stockpiles of zero-day exploits for use in offensive cyber operations. These exploits are often held for months or years before deployment, waiting for geopolitical situations that warrant their use. The periodic disclosure of these stockpiled exploits, whether through leaks or responsible disclosure, creates sudden mass-exploitation windows that can affect organisations globally within hours.

$2.5M maximum published price for a single iOS zero-day exploit (2025)
97 zero-day vulnerabilities actively exploited in the wild in 2024
56 days median time between zero-day discovery and public exploitation
increase in zero-day exploitation by commercial spyware vendors since 2021

Notable Zero-Day Incidents: Lessons from the Field

Understanding the real-world impact of zero-day attacks — not just their technical mechanics — is critical for security leaders making investment decisions. The following incidents illustrate the devastating consequences of zero-day exploitation and what might have been done differently.

Case Study 1 — Supply Chain

SolarWinds SUNBURST (2020)

Attackers compromised the build pipeline of SolarWinds' Orion IT management platform, inserting malicious code into a signed software update distributed to approximately 18,000 organisations, including multiple US federal agencies and major enterprises globally. The malware lay dormant for two weeks after installation before activating, remained active for up to 14 months before discovery, and used legitimate Orion network protocols to blend into existing traffic.

What AI behavioural analysis would have caught: The malware's dormant-then-active pattern, unusual DNS lookups to command-and-control infrastructure, and atypical process behaviour post-activation would all have deviated from established baselines — even though the software itself was signed and trusted.

Case Study 2 — Library Vulnerability

Log4Shell / CVE-2021-44228

A critical remote code execution vulnerability in the ubiquitous Log4j Java logging library was publicly disclosed in December 2021. Within 72 hours of disclosure, security researchers observed over 800,000 exploitation attempts globally. Organisations had virtually no time to patch before active exploitation began, and the library was embedded in thousands of enterprise applications, making the attack surface immense and difficult to enumerate quickly.

What AI behavioural analysis would have caught: The exploit triggered unusual outbound LDAP connections from Java application servers — a behaviour that deviates from normal application traffic baselines. Even before patching was possible, anomaly detection could have flagged and blocked exploitation attempts within seconds of the first observed deviation.

Case Study 3 — File Transfer Platform

MOVEit Transfer Zero-Day (2023)

The Cl0p ransomware group exploited a previously unknown SQL injection vulnerability in the MOVEit file transfer platform to exfiltrate data from over 2,700 organisations globally, including government agencies, financial institutions, and healthcare providers. The vulnerability was exploited at scale across hundreds of targets within a narrow window before the patch was released. Many organisations did not know MOVEit was even in their environment.

What AI behavioural analysis would have caught: Unusual database queries, mass file access events, and large outbound data transfers to unfamiliar external hosts — all clearly detectable deviations from normal MOVEit usage patterns, regardless of the underlying exploit mechanism.

The Anatomy of a Zero-Day Attack

Understanding how zero-day attacks unfold is critical to understanding why behavioural detection is the only viable response.

Phase 1 — Discovery

Vulnerability Found

A researcher or attacker discovers a previously unknown flaw in software, firmware, or a protocol. The vendor has no knowledge of it at this point. Nation-state actors and well-funded criminal groups may invest months in reverse engineering complex software to find exploitable flaws before vendors discover them independently.

Phase 2 — Weaponisation

Exploit Developed

The attacker builds a working exploit — code that reliably triggers the vulnerability to achieve a specific malicious outcome (remote code execution, privilege escalation, authentication bypass, data theft). Quality exploits are engineered to be stealthy, reliable across target configurations, and resistant to analysis.

Phase 3 — Deployment

Attack Launched

The exploit is deployed against target systems — via email, web application, VPN gateway, or supply chain compromise. No security signature exists. Traditional tools see nothing abnormal at the file or network packet level. The attacker has full code execution on the target before any defender is aware.

Phase 4 — Persistence & Lateral Movement

Attacker Establishes Foothold

Having gained initial access, attackers move laterally through the network — escalating privileges, harvesting credentials, mapping the environment, and establishing persistent backdoors. This phase can last days, weeks, or months. During this time, attackers operate carefully to avoid detection, often using legitimate tools and credentials.

Phase 5 — Objective Achieved

Data Exfiltration or Damage

The attacker achieves their goal — sensitive data exfiltration, ransomware deployment, intellectual property theft, infrastructure disruption, or establishing long-term persistent access for future exploitation. By this phase, the attacker may have been inside the network for months, and the cost of remediation is exponentially higher than early detection would have been.

"The most dangerous attacker is one already inside your network. The question is not whether they'll breach your perimeter — it's whether you'll notice them moving through your systems before it's too late."

Why Behavioural AI Catches What Threat Intelligence Feeds Miss

Many organisations subscribe to threat intelligence feeds — curated lists of known malicious IP addresses, domains, file hashes, and indicators of compromise (IOCs). These feeds are valuable, but they share a fundamental limitation with signature-based antivirus: they rely on knowledge of threats that have already been observed and catalogued.

A sophisticated attacker using a zero-day exploit will rotate their infrastructure specifically to avoid known-bad lists. They will use freshly registered domains, clean IP addresses, and novel malware that has no hash match in any feed. By the time a threat intelligence feed includes their infrastructure, the attacker has already moved on.

Behavioural AI has no such dependency. It does not need to know whether a destination IP is on a blocklist — it detects that a particular process is initiating outbound connections it has never made before. It does not need to recognise a malware hash — it detects that a process is accessing memory regions, spawning child processes, or communicating with a cadence that deviates from established norms. The attacker's novelty is irrelevant; their behaviour still stands out.
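An added example, not code from MAIA or from the original article, of the baseline-and-deviation logic this paragraph describes. It assumes a simple event-tuple telemetry format and uses constructed training and live windows; the deviating live events mirror the Log4Shell case study above (a Java application server making its first outbound LDAP connection) and the web-application scenario later in the article (a server process spawning a shell):

```python
"""Per-process behavioural baseline: learn which child processes and outbound
destinations each process on a host normally uses, then score later events by
how far they fall outside that baseline. Added example; telemetry is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe"}

@dataclass
class ProcessBaseline:
    children: set = field(default_factory=set)      # child process names ever spawned
    destinations: set = field(default_factory=set)  # remote hosts ever contacted
    ports: set = field(default_factory=set)         # remote ports ever used

# Constructed training-window telemetry: (ts, host, process, event kind, value).
# kind "spawn" carries the child process name; kind "connect" carries "dst_host:dst_port".
TRAINING_EVENTS = [
    (1, "web01", "java", "connect", "api.payments.internal:443"),
    (2, "web01", "java", "connect", "db01.internal:5432"),
    (3, "web01", "java", "spawn", "jspawnhelper"),
    (4, "web01", "nginx", "spawn", "nginx"),
    (5, "web01", "nginx", "connect", "127.0.0.1:8080"),
    (6, "web01", "java", "connect", "api.payments.internal:443"),
]
# Constructed live-window telemetry to score against the learned baseline.
LIVE_EVENTS = [
    (100, "web01", "java", "connect", "api.payments.internal:443"),  # within baseline
    (101, "web01", "java", "connect", "203.0.113.44:1389"),          # LDAP to a host never contacted
    (102, "web01", "java", "spawn", "sh"),                           # application server spawns a shell
    (103, "web01", "nginx", "connect", "127.0.0.1:8080"),            # within baseline
    (104, "web01", "curl", "connect", "203.0.113.44:443"),           # process never seen on this host
]

def learn_baselines(events):
    """Build one ProcessBaseline per (host, process) from a training window."""
    baselines = defaultdict(ProcessBaseline)
    for _ts, host, proc, kind, value in events:
        b = baselines[(host, proc)]
        if kind == "spawn":
            b.children.add(value)
        elif kind == "connect":
            dst_host, port = value.rsplit(":", 1)
            b.destinations.add(dst_host)
            b.ports.add(port)
    return dict(baselines)

def score_event(baselines, event):
    """Return (score in 0..1, reasons). 0.0 means the event is inside the baseline."""
    _ts, host, proc, kind, value = event
    b = baselines.get((host, proc))
    if b is None:
        return 0.9, [f"process {proc!r} has no baseline on {host}"]
    score, reasons = 0.0, []
    if kind == "spawn" and value not in b.children:
        score += 0.6
        reasons.append(f"new child process {value!r}")
        if value in SHELLS:
            score += 0.3
            reasons.append("child is a shell")
    elif kind == "connect":
        dst_host, port = value.rsplit(":", 1)
        if dst_host not in b.destinations:
            score += 0.4
            reasons.append(f"first connection to {dst_host}")
        if port not in b.ports:
            score += 0.3
            reasons.append(f"first use of destination port {port}")
    return min(score, 1.0), reasons

def detect(baselines, events, threshold=0.5):
    """Events scoring at or above threshold, as (event, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(baselines, ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits

if __name__ == "__main__":
    for ev, score, reasons in detect(learn_baselines(TRAINING_EVENTS), LIVE_EVENTS):
        print(f"ts={ev[0]} {ev[2]} {ev[3]} {ev[4]} score={score:.2f}: {'; '.join(reasons)}")
```

Note that the destination host and process names never appear in any blocklist; the events stand out purely because this process on this host has never done these things before.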

💡 Behaviour Is Harder to Change Than Identity

Attackers can change their malware hashes trivially. They can rotate their infrastructure in minutes. But they cannot easily change the fundamental behaviour their attack requires — accessing credentials, moving laterally, staging data, or communicating with external infrastructure. Behavioural AI locks onto these invariant attack patterns, making evasion significantly harder for even the most sophisticated adversaries.

How AI Behavioural Analysis Detects Zero-Day Attacks

Since zero-day exploits have no known signatures, the only detection strategy that works is analysing what systems and users are doing rather than what they have. AI behavioural analysis establishes precise baselines of normal activity and flags deviations — regardless of whether the cause is a known threat or a novel exploit.

MAIA's AI Cyber Security Agent takes this approach to its logical conclusion, orchestrating over 350 specialised agents that continuously monitor and correlate activity across every system, user, and process in your organisation.

🔍 User Behaviour Baselines

Every user gets an individual behavioural profile built from months of observed activity. Unusual login times, unfamiliar file access patterns, abnormal data transfer volumes, or access to resources outside their normal scope trigger immediate investigation — even if no malicious file is involved.

⚙️ Process & System Anomalies

Exploits typically cause processes to behave in unexpected ways — spawning unusual child processes, accessing sensitive memory regions, communicating on atypical ports, or loading DLLs they have never previously loaded. AI catches these process-level deviations instantly, regardless of the underlying exploit mechanism.

🌐 Network Behaviour Analysis

Even when attackers use legitimate protocols to blend into normal traffic, their communication patterns deviate from established norms — timing, volume, destination, sequence, and frequency. AI identifies these micro-deviations that human analysts and rule-based tools will consistently miss.

🔗 Cross-System Correlation

A single anomaly on one system might be noise. The same anomaly appearing simultaneously across multiple systems, or a chain of low-confidence signals that individually appear innocuous but collectively indicate an attack, is detected by cross-system correlation in milliseconds — something no human team can achieve at scale.

📁 File Integrity & Forensics

AI monitors file system changes with forensic precision — detecting unexpected modifications, new persistence mechanisms, privilege changes, or access patterns that indicate an active exploit or backdoor installation. Every file operation is logged with full context for post-incident forensic review.

🧠 Continuous Learning

Unlike static rule sets, AI models improve continuously as your environment evolves. New applications, users, and infrastructure are incorporated into updated baselines automatically. As new attack techniques emerge, the system's detection capabilities adapt — without manual tuning, signature updates, or vendor intervention.

🔐 Identity & Access Anomalies

Compromised credentials are used in nearly every advanced attack chain. AI detects impossible-travel events, privilege escalation patterns, access to sensitive resources outside normal job function, and unusual authentication sequences — catching identity-based attacks that bypass perimeter controls entirely.

☁️ Cloud and SaaS Monitoring

Modern attack surfaces extend far beyond the traditional network perimeter. AI behavioural analysis extends to cloud infrastructure, SaaS applications, and hybrid environments — providing the same baseline-and-deviate detection across AWS, Azure, Microsoft 365, and other platforms where modern organisations are most exposed.

The MAIA Approach: Neurosymbolic AI for Zero-Day Defence

Most AI security tools use pure machine learning — statistical models that identify patterns. While powerful, these models can be brittle: they may miss novel attack techniques that fall outside their training distribution, generate false positives when legitimate behaviour changes, or be gradually manipulated by patient adversaries who slowly shift their behaviour to blend into updated baselines.

MAIA's AI Cyber Security Agent takes a more sophisticated approach using neurosymbolic AI — a combination of machine learning (to detect subtle statistical anomalies) and symbolic reasoning (to apply logical rules and institutional knowledge). This hybrid produces both the sensitivity to catch novel threats and the precision to avoid overwhelming security teams with false alarms.

Why Neurosymbolic AI Outperforms Pure ML in Zero-Day Detection

Pure ML weakness: Statistical models can be fooled by attackers who gradually shift behaviour to blend into updated baselines — a technique called "slow burn" infiltration. As the model adapts to slightly unusual behaviour over weeks, it gradually normalises the attacker's presence.

Neurosymbolic advantage: Logical rules anchor detection to hard constraints that cannot be gradually normalised away. Even if an attacker slowly shifts statistical patterns, logical rules catch violations that are inherently suspicious regardless of frequency — for example, a process accessing LSASS memory is flagged regardless of how gradually it approaches that action.

The result: MAIA maintains detection accuracy even against sophisticated, patient adversaries — the kind that are most likely to use zero-day exploits and invest time in evading detection.
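An added example, not MAIA's model or code, that makes the slow-burn argument concrete: an adaptive statistical baseline (exponentially weighted mean and variance) is fed a constructed campaign in which daily outbound volume rises by 0.5% per day for 300 days, and a hard rule on LSASS memory access is evaluated alongside it. All volumes, process names and the allowlist are constructed assumptions:

```python
"""Slow-burn drift against an adaptive z-score baseline versus a hard symbolic rule.
Added example with constructed numbers; not MAIA's detection model."""

# Constructed warm-up: ten days of normal outbound volume (MB/day) for one host.
WARMUP_MB = [100, 104, 97, 102, 99, 101, 103, 96, 100, 98]
# Constructed slow burn: the attacker raises exfiltration by 0.5% per day for 300 days.
SLOW_BURN_MB = [100 * 1.005 ** day for day in range(1, 301)]
# Placeholder allowlist of processes expected to read LSASS memory (deployment-specific).
LSASS_ALLOWED_READERS = {"edr_agent.exe"}

def adaptive_zscore_monitor(warmup, series, alpha=0.2, z_threshold=3.0):
    """Pure-ML style monitor: an exponentially weighted mean/variance that keeps
    re-learning 'normal'. Returns a list of (index, value, z, flagged)."""
    mean = sum(warmup) / len(warmup)
    var = sum((x - mean) ** 2 for x in warmup) / len(warmup)
    results = []
    for i, x in enumerate(series):
        sd = max(var ** 0.5, 1e-6)
        residual = x - mean
        z = residual / sd
        flagged = abs(z) > z_threshold
        results.append((i, x, z, flagged))
        if not flagged:
            # Every accepted sample moves the baseline toward the attacker's new normal.
            mean += alpha * residual
            var = (1 - alpha) * var + alpha * residual ** 2
    return results

def evaluate_hard_rules(events):
    """Symbolic layer: a constraint that fires on first occurrence, no matter how
    gradually the statistical picture has shifted. Returns (event, rule_name) pairs."""
    hits = []
    for ev in events:
        if (ev["kind"] == "process_access" and ev["target"].lower() == "lsass.exe"
                and ev["source"].lower() not in LSASS_ALLOWED_READERS):
            hits.append((ev, "lsass_memory_access"))
    return hits

def slow_burn_report(warmup=WARMUP_MB, series=SLOW_BURN_MB, events=None):
    """Run both layers over the constructed campaign and summarise the outcome."""
    if events is None:
        events = [  # constructed: one credential-access attempt late in the campaign
            {"day": 120, "kind": "process_access", "source": "svchost.exe", "target": "services.exe"},
            {"day": 290, "kind": "process_access", "source": "updater.exe", "target": "lsass.exe"},
        ]
    stats = adaptive_zscore_monitor(warmup, series)
    return {
        "statistical_flags": sum(1 for _, _, _, flagged in stats if flagged),
        "max_z": max(abs(z) for _, _, z, _ in stats),
        "final_volume_ratio": series[-1] / (sum(warmup) / len(warmup)),
        "hard_rule_hits": [rule for _, rule in evaluate_hard_rules(events)],
    }

if __name__ == "__main__":
    report = slow_burn_report()
    print(f"slow burn: {report['statistical_flags']} statistical flags, max |z| "
          f"{report['max_z']:.2f}, volume now {report['final_volume_ratio']:.1f}x baseline")
    print(f"hard rules fired: {report['hard_rule_hits']}")
    # The same final volume arriving in one step is caught at once.
    sudden = adaptive_zscore_monitor(WARMUP_MB, [SLOW_BURN_MB[-1]])
    print(f"sudden jump flagged: {sudden[0][3]} (z={sudden[0][2]:.0f})")
```

The statistical layer ends up accepting roughly 4.5 times the original daily volume without a single flag, while the same jump applied in one step is flagged immediately and the LSASS rule fires on its first violation regardless of the drift.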

The Detection-to-Containment Pipeline

Detecting a zero-day attack is only half the challenge. The speed and quality of the response determines whether an anomaly becomes a contained incident or a full-scale breach. Here is how MAIA's detection-to-containment pipeline operates:

  1. Anomaly Detection: AI models across the entire environment continuously evaluate telemetry — process events, network flows, authentication events, file operations — against established baselines. Deviations are scored by severity, confidence, and blast-radius risk within milliseconds.
  2. Cross-Environment Correlation: Individual anomaly signals are correlated across all monitored systems. A low-confidence anomaly on one endpoint combined with a network anomaly and an unusual authentication event may collectively constitute a high-confidence attack indicator — identified automatically without human analysis.
  3. Attack Chain Reconstruction: MAIA maps correlated signals onto known attack chain frameworks (MITRE ATT&CK, Cyber Kill Chain) to determine where in an attack sequence the activity falls. This provides analysts with immediate tactical context: are we at initial access, or has the attacker already achieved lateral movement?
  4. Risk-Weighted Alert Generation: Rather than generating a separate alert for every anomaly, MAIA generates a single, contextually rich incident record with full forensic detail, supporting evidence, and a recommended response action. Analysts receive far fewer alerts — each one actionable and prioritised.
  5. Autonomous Containment (Configurable): For high-confidence, high-severity incidents, MAIA can execute pre-configured autonomous response actions — isolating an affected endpoint, suspending a compromised account, blocking a network connection, or triggering a step-up authentication challenge — without waiting for human approval. Every action is fully logged and auditable.
  6. Analyst Notification and Forensic Package: Security analysts receive a complete forensic package: timeline of the attack chain, affected systems and users, evidence supporting each detection, containment actions already taken, and recommended remediation steps. Investigation time is reduced from hours to minutes.
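An added example, not MAIA's pipeline, of steps 2 to 4 above and of the cross-system correlation point made earlier: low-confidence signals from different sensors are grouped per host within a time window, combined into a single confidence score (noisy-OR), mapped onto the furthest MITRE ATT&CK tactic reached, and turned into one risk-weighted incident record. The signals are constructed and follow the compromised-web-application scenario in the next section; hosts, timestamps and thresholds are assumptions:

```python
"""Correlate weak anomaly signals into one risk-weighted incident per host.
Added example with constructed signals; not MAIA's correlation engine."""
from dataclasses import dataclass

# ATT&CK enterprise tactics in kill-chain order; the index says how far an attack has progressed.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

@dataclass(frozen=True)
class Signal:
    ts: int            # epoch seconds
    host: str          # entity the signal is attached to
    sensor: str        # endpoint | network | identity | file
    tactic: str        # ATT&CK tactic the individual detector mapped the behaviour to
    summary: str
    confidence: float  # the individual detector's confidence, 0..1

# Constructed sample: three weak signals on web01 within two minutes, one stray
# low-confidence Discovery signal on a laptop, and one web01 signal three hours later.
SAMPLE_SIGNALS = [
    Signal(1_700_000_000, "web01", "endpoint", "Execution", "httpd spawned /bin/sh", 0.40),
    Signal(1_700_000_030, "web01", "network", "Command and Control",
           "httpd connected to 203.0.113.44:4444, a destination never seen before", 0.45),
    Signal(1_700_000_090, "web01", "file", "Credential Access", "httpd read /etc/shadow", 0.50),
    Signal(1_700_000_200, "hr-laptop-7", "endpoint", "Discovery", "net view executed", 0.30),
    Signal(1_700_011_000, "web01", "identity", "Persistence", "new cron entry for www-data", 0.35),
]

def combined_confidence(signals):
    """Noisy-OR: independent weak signals compound into one strong one."""
    p_none = 1.0
    for s in signals:
        p_none *= 1.0 - s.confidence
    return round(1.0 - p_none, 3)

def recommend(confidence, stage, alert_at=0.8):
    """Risk-weighted decision: how sure we are, weighted by how far along the chain the attacker is."""
    if confidence < alert_at:
        return "record only"
    if TACTICS.index(stage) >= TACTICS.index("Credential Access"):
        return "isolate host, suspend exposed credentials, escalate to SOC"
    return "escalate to SOC"

def build_incident(host, cluster):
    """One contextually rich record for a cluster of signals instead of one alert per signal."""
    furthest = max(cluster, key=lambda s: TACTICS.index(s.tactic))
    conf = combined_confidence(cluster)
    return {
        "host": host,
        "start": cluster[0].ts,
        "signals": [s.summary for s in cluster],
        "sensors": sorted({s.sensor for s in cluster}),
        "confidence": conf,
        "stage": furthest.tactic,
        "action": recommend(conf, furthest.tactic),
    }

def correlate(signals, window_s=600):
    """Group signals per host; a signal within window_s of its cluster's first signal
    joins that cluster, otherwise it opens a new one. Returns a list of incidents."""
    by_host = {}
    for s in sorted(signals, key=lambda s: (s.host, s.ts)):
        by_host.setdefault(s.host, []).append(s)
    incidents = []
    for host, sigs in by_host.items():
        cluster = [sigs[0]]
        for s in sigs[1:]:
            if s.ts - cluster[0].ts <= window_s:
                cluster.append(s)
            else:
                incidents.append(build_incident(host, cluster))
                cluster = [s]
        incidents.append(build_incident(host, cluster))
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_SIGNALS):
        print(f"{inc['host']}: confidence={inc['confidence']} stage={inc['stage']} -> {inc['action']}")
```

Three signals that are each too weak to alert on (0.40, 0.45, 0.50) combine to 0.835 on web01, while the lone laptop signal and the later cron entry stay below the alert threshold and are recorded without paging anyone.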

Real-World Zero-Day Scenarios: What Behavioural AI Catches

Scenario 1: Compromised Web Application

An attacker exploits an unknown vulnerability in a web application to gain shell access on a server. No signature exists. But the web server process suddenly spawns a new shell process, attempts an outbound connection to an unfamiliar IP, and accesses system credential files. MAIA flags all three anomalies simultaneously and triggers an automated containment response — network isolation of the affected server and immediate escalation to the SOC with a complete forensic package.

Scenario 2: Supply Chain Attack via Trusted Software

A trusted software vendor's update mechanism is compromised, delivering malicious code to thousands of organisations. The code is signed and trusted by traditional tools. But it begins making unusual API calls, creating registry keys it never created before, and communicating with new external hosts. Behavioural baselines catch the deviation immediately — even though the software is "trusted" — and containment begins before any data is exfiltrated.

Scenario 3: Privileged Credential Abuse

A zero-day in an authentication service allows an attacker to generate valid session tokens without credentials. Technically, the login appears legitimate. But the behaviour does not match the user's established profile — wrong location, wrong time, wrong applications accessed, unusual privilege escalation sequence. MAIA's AI agent detects the anomaly and triggers a step-up authentication request before any data is touched.

Scenario 4: Ransomware Pre-Deployment Detection

An attacker who has maintained persistent access to a network for several weeks begins the pre-deployment phase of a ransomware attack: enumerating backup systems, mapping file shares, and staging the ransomware binary in a temporary directory. Each individual action might appear marginal in isolation. But MAIA correlates the enumeration of backup infrastructure, unusual access to file share metadata across the network, and the creation of a new executable in a temporary folder into a high-confidence ransomware pre-deployment indicator — triggering containment and analyst escalation before a single file is encrypted.

Measuring Zero-Day Resilience: Key Security Metrics

Security leaders need quantifiable metrics to assess their organisation's zero-day resilience and make the business case for AI-based detection investments. The following are the most meaningful indicators:

Mean Time to Detect (MTTD)

The average time between an attacker gaining initial access and the organisation detecting the breach. Industry average without AI: 287 days. Organisations using AI behavioural detection: typically under 24 hours. Reducing MTTD is the single most impactful lever for limiting breach costs.

Mean Time to Respond (MTTR)

The average time between detection and full containment. AI-driven autonomous response dramatically compresses MTTR — from days or weeks to hours or minutes — by enabling containment actions at machine speed without waiting for analyst availability.

False Positive Rate

The percentage of alerts that turn out to be benign activity. High false positive rates destroy analyst efficiency and mask genuine threats. AI-based detection with mature behavioural baselines achieves false positive rates 60–80% lower than comparable rule-based systems.

Coverage Breadth

The percentage of your environment — endpoints, servers, cloud infrastructure, SaaS applications, network flows — under active behavioural monitoring. Gaps in coverage create blind spots that sophisticated attackers will identify and exploit. Comprehensive coverage is non-negotiable.

The Human-AI Partnership in Zero-Day Response

A common misconception about AI-based security is that it aims to replace human security analysts. The reality is the opposite: AI dramatically amplifies analyst effectiveness by handling the tasks that machines do better — continuous monitoring at scale, sub-millisecond pattern analysis, cross-system correlation, and routine containment responses — freeing analysts to focus on the tasks that require human judgment.

In a zero-day incident, an experienced analyst brings something no model can replicate: contextual understanding of the organisation's business environment, intuition about attacker intent based on target selection, and the ability to make judgment calls in ambiguous situations. When MAIA detects an anomaly and automatically contains an affected system, the analyst's job is not to triage the alert — it's to conduct the higher-order investigation: who is the attacker, what was their objective, was anything exfiltrated before containment, and what does this tell us about our exposure to similar future attacks?

Organisations that deploy MAIA's AI Cyber Security Agent consistently report that their analysts spend significantly less time on alert triage and significantly more time on threat hunting, proactive security improvement, and strategic incident analysis — the work that actually builds long-term security posture.

Building a Zero-Day Resilient Security Architecture

Zero-day resilience requires a layered approach. Behavioural AI is the most critical layer, but it performs best within a broader architecture:

Frequently Asked Questions

How quickly can AI behavioural analysis detect a zero-day exploit in progress?

Behavioural AI can flag anomalous activity within seconds to minutes of an exploit executing — far faster than any human analyst can respond to an alert. The exact timing depends on the nature of the behaviour, the quality of the established baselines, and the configuration of the detection platform. Systems like MAIA's AI Cyber Security Agent with mature baselines and autonomous containment can detect and contain an exploit's initial foothold in under five minutes in many scenarios.

Can AI detection generate too many false alarms, causing alert fatigue?

Early-generation behavioural AI tools did suffer from high false positive rates, which created alert fatigue similar to legacy rule-based systems. Modern platforms using mature behavioural modelling and neurosymbolic AI achieve dramatically lower false positive rates — typically 60–80% lower than rule-based alternatives. The key is the depth and quality of the behavioural baselines: systems that model individual users, processes, and devices rather than relying on static rules generate far more precise, actionable alerts.

Does zero-day defence require replacing our existing security tools?

No. Platforms like MAIA's AI Cyber Security Agent are designed to integrate with and enhance existing security infrastructure — SIEM, EDR, firewalls, identity providers — rather than replace them. They act as an intelligent correlation and detection layer that makes existing investments more effective while adding the zero-day and novel threat detection capabilities that legacy tools structurally cannot provide.

How does AI behavioural analysis handle legitimate changes in user behaviour?

All behavioural AI platforms must handle the reality that users' behaviour legitimately changes — new job responsibilities, new applications, organisational changes. Good platforms handle this through adaptive baseline management: models continuously update to incorporate genuine behaviour changes while remaining sensitive to the rate of change (sudden, large shifts remain suspicious even if they could theoretically be legitimate). Analysts can also manually update or confirm behavioural context when they know a change is legitimate, preventing false alerts.

What is the difference between zero-day protection and patch management?

Patch management addresses known vulnerabilities after a vendor has released a fix. It is essential hygiene but provides no protection against zero-day exploits, which by definition occur before a patch exists. Zero-day protection through behavioural AI provides detection capability during the exposure window before a patch is available — and in many cases catches the behavioural indicators of exploitation even after patching reveals that a compromise may have already occurred. The two practices are complementary, not alternatives.

Stop Zero-Day Attacks Before They Become Breaches

MAIA's AI Cyber Security Agent uses behavioural analysis and neurosymbolic AI to detect threats that no signature-based tool can see — including zero-day exploits, insider threats, supply chain attacks, and ransomware pre-deployment indicators.
