ThinkableWhat is this?

Cybersecurity & Digital Warfare

The Weapon That Only Works Once

Somewhere right now, a government or criminal syndicate is sitting on a flaw in your software that the people who built it don't know exists — and they're deciding whether today is the day to use it.

The Idea

A zero-day exploit is a cyberattack that targets a vulnerability unknown to the software's developer. The name comes from the defender's perspective: they have had zero days to prepare a patch, zero days of warning. The moment that flaw is discovered and weaponised, the clock starts — and until a fix is issued, every system running that software is exposed. What makes zero-days so unsettling isn't just their technical power. It's their economics. A working zero-day for a widely used operating system or browser can be worth enormous sums on grey and black markets — bought by intelligence agencies, sold by brokers, and hoarded like ammunition. The paradox is that the moment you use one, you risk burning it: a sophisticated enough target might detect the intrusion, reverse-engineer the attack, and hand the vulnerability to the developer. So possessing a zero-day creates a strange strategic tension. Use it too early or too carelessly, and you lose it forever. This is why serious state-level actors stockpile zero-days rather than deploying them constantly. They are less like rifles and more like precision munitions — reserved for targets where the intelligence value justifies expending the weapon. The result is a shadow marketplace and a hidden arms race, playing out entirely beneath the surface of the software billions of people use every day.

In the World

The most consequential zero-day deployment in recorded history was Stuxnet, discovered in 2010. The malware — widely attributed to a joint US-Israeli operation — targeted Iranian nuclear centrifuges at the Natanz enrichment facility. What made security researchers' jaws drop wasn't just the ambition of the target. It was that Stuxnet exploited not one but four separate zero-day vulnerabilities in Windows, simultaneously. Using four unknown flaws in a single weapon was practically unheard of; most sophisticated attacks might leverage one. Stuxnet was designed to spread quietly through infected USB drives, seek out specific industrial control systems made by Siemens, and then subtly manipulate the spin speed of centrifuges — causing physical damage while reporting normal readings to operators. For months, Iranian engineers watched their centrifuges fail without understanding why. The machines were lying to the people running them. When Stuxnet was eventually isolated and analysed by researchers at Kaspersky Lab and others, it reshaped how the world understood cyberwarfare. This wasn't espionage. It was sabotage — code that reached out of the digital world and broke physical infrastructure. The zero-days at its core weren't just technical tools; they were the keys to a door that, once opened, could never quite be closed again. Every nation with a serious intelligence capability took note.

Why It Matters

Most of us will never be targeted by a state-level zero-day operation. But the ecosystem these weapons create has direct consequences for everyone who uses software — which is everyone. When intelligence agencies discover vulnerabilities and stockpile them rather than disclosing them, they are making a calculated bet: that their ability to exploit the flaw is worth more than the risk of that same flaw being found and used by someone else. That bet doesn't always pay off. In 2017, a cache of NSA hacking tools — including zero-days — was leaked by a group calling itself the Shadow Brokers. One of those tools became the engine behind WannaCry, a ransomware attack that crippled hospitals, shipping companies, and telecoms across dozens of countries. The deeper question zero-days force is about who bears responsibility for digital infrastructure security, and whose interests are being protected when vulnerabilities are treated as assets rather than hazards. The next time you hear about a software update that patches a 'critical security flaw', there's a reasonable chance that flaw was already known to someone — just not to the people whose job it was to fix it.

A Question to Ponder

If a government discovers a flaw that lets it spy on its adversaries but leaves its own citizens equally vulnerable, how should it weigh those two interests — and who, if anyone, should get to make that call?

Get a new one of these every morning.

Start learning with Thinkable
One topic like this, every day.Start free