Zero-day vs N-day: what is the difference?

Last reviewed June 2, 2026

A zero-day is a vulnerability that is exploited before the vendor has released a patch, often before the vendor even knows it exists. An N-day (also called a one-day) is a vulnerability that is already known and patched, but still exploited against systems that have not applied the fix. The core difference is whether a patch exists at the time of exploitation: a zero-day has none, while an N-day does but remains unpatched in the wild.

The core difference

The distinction comes down to one question: at the moment of exploitation, does a patch exist? A zero-day is exploited when no fix is available, so defenders have had zero days to prepare a patch. An N-day is exploited after a fix has been published, so the flaw is known and patchable but some systems remain vulnerable because the update has not been applied.

Both describe the same underlying flaw at different points in its lifecycle. A vulnerability often begins as a zero-day and becomes an N-day once the vendor releases a patch and the details become public.

Side-by-side comparison

Zero-day compared with N-day

| Attribute | Zero-day | N-day (one-day) |
|---|---|---|
| Patch available | No, not at the time of exploitation | Yes, a fix has been released |
| Known to vendor | Often unknown when first exploited | Yes, publicly disclosed |
| Defender preparation time | Zero days | Days to months, depending on patch lag |
| Primary risk driver | No fix exists to apply | Fix exists but is not applied |
| Typical defense | Detection, mitigation, defense in depth | Prompt patching and update management |
| Cost to attacker | High; discovery or purchase of unknown flaw | Low; details and exploits are often public |
| Example lifecycle stage | Before disclosure and patch | After disclosure and patch |

The vulnerability timeline

A single vulnerability moves through phases, and the same flaw is labeled differently depending on the phase in which it is attacked. Understanding the timeline clarifies why the same word is not used at every stage.

  • Discovery: someone finds the flaw; if an attacker finds it first and uses it, it is a zero-day.
  • Disclosure: the vendor is informed or the flaw becomes public.
  • Patch release: the vendor publishes a fix; exploitation after this point targets an N-day.
  • Patch adoption: as systems update, the window for N-day attacks narrows but rarely closes completely.

Risk and defense

Zero-days carry high impact because no patch is available, but they are comparatively rare and costly for attackers to find or purchase. Defense relies less on patching and more on layered controls: behavioral detection, network segmentation, least privilege, and rapid mitigation guidance from the vendor when it arrives.

N-days are far more common in real-world attacks. Once a patch and technical details are public, attackers can reverse-engineer the fix and target organizations that have not yet updated. The defense is straightforward in principle and difficult in practice: patch quickly. The CISA Known Exploited Vulnerabilities (KEV) catalog is a key resource here, because it lists vulnerabilities confirmed to be exploited and helps teams prioritize the N-days that matter most.
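
As an added illustration (not part of the original page), the Python sketch below applies the page's "does a patch exist?" test to a scanner inventory and joins it against an excerpt in the shape of the KEV JSON feed, so KEV-listed N-days sort to the top of the patch queue. The host names, placeholder CVE IDs, dates and function names are constructed assumptions for the example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner findings: (host, CVE, vendor patch release date or None).
FINDINGS = [
    ("web-01", "CVE-0000-0002", date(2026, 1, 20)),
    ("db-01", "CVE-0000-0001", date(2025, 12, 15)),
    ("app-01", "CVE-0000-0003", date(2025, 11, 1)),
    ("vpn-01", "CVE-0000-0004", None),  # no fix published yet
]

def stage_if_exploited(patch_released, today):
    """Label exploitation happening today: zero-day if no patch exists yet, else N-day."""
    if patch_released is None or patch_released > today:
        return "zero-day"
    return "n-day"

def prioritize(findings, kev_json, today):
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for host, cve, patched_on in findings:
        stage = stage_if_exploited(patched_on, today)
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "host": host, "cve": cve, "stage": stage,
            "in_kev": entry is not None,
            "overdue": due is not None and today > due,  # past the KEV due date
            "ransomware": entry is not None and entry["knownRansomwareCampaignUse"] == "Known",
            "patch_lag_days": (today - patched_on).days if stage == "n-day" else None,
            "action": "patch" if stage == "n-day" else "detect and mitigate",
            "_due": due,
        })
    # KEV-listed first, then earliest KEV due date, then longest patch lag.
    rows.sort(key=lambda r: (not r["in_kev"], r["_due"] or date.max, -(r["patch_lag_days"] or 0)))
    return rows

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_JSON, date(2026, 2, 10)):
        print(r["host"], r["cve"], r["stage"], r["action"], "KEV" if r["in_kev"] else "-", r["patch_lag_days"])
```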

Frequently asked questions

Does a zero-day become an N-day?
Generally yes. Once the vendor releases a patch and the vulnerability becomes publicly known, continued exploitation against unpatched systems is described as an N-day attack. The flaw is the same; only its lifecycle stage has changed.

Which is more dangerous, a zero-day or an N-day?
It depends on context. A zero-day has higher per-incident impact because no patch exists, but N-days cause more breaches overall because many organizations are slow to apply available fixes. Both warrant attention.

Why are N-days still exploited if a patch exists?
Patching takes time. Organizations may face testing requirements, downtime constraints, or simply lack visibility into what needs updating. Attackers exploit this gap, often within days of a patch becoming public.

How does the CISA KEV catalog help with N-days?
The KEV catalog lists vulnerabilities confirmed to be actively exploited, so teams can prioritize patching the known flaws that attackers are using rather than treating every advisory equally.