
Zero-day threats explained

The confusion

Zero-day is one of those security terms that appears in both serious research and in antivirus marketing copy. Products advertise 'zero-day protection' as a premium feature. Security researchers discuss zero-days as events that can compromise any machine regardless of its protection. These descriptions refer to the same term but different threat scenarios.

Antivirus comparison tests publish 'zero-day detection rates' — percentages like 99.1% and 97.4% that imply some products catch almost all zero-days and some don't. But zero-day in those test methodologies means something more specific than 'a brand new threat no one has seen before.' The terminology is used inconsistently and the difference matters when evaluating what protection you actually have.

The gap between 'zero-day' as used in AV test scores and 'zero-day' as used in nation-state cyberattack reporting is significant — and understanding it clarifies what AV products can and can't claim to protect against.

What most people assume

Most people assume a zero-day is any new malware that hasn't been seen before. More precisely, a zero-day is an attack that exploits a previously unknown vulnerability — a flaw in software that the vendor hasn't patched because they don't know it exists yet. The name refers to the vendor having had 'zero days' to fix the flaw before it was exploited. This is distinct from new malware that uses known techniques but hasn't been added to signature databases yet. Both are 'new' — only one is a zero-day.

Most people assume when AV tests report 'zero-day detection rates,' they're measuring protection against true zero-day exploits. In practice, AV test methodology uses 'zero-day' to describe malware samples collected in the days or weeks before the test starts — before most antivirus databases have been updated to include them. This is a real and meaningful measurement of early-detection capability, but it's not measuring protection against exploits of unknown vulnerabilities. The distinction matters when the marketing claims meet the test methodology.

Most people assume better antivirus protects against nation-state zero-days — the vulnerabilities used in high-profile government or infrastructure attacks. True zero-day exploits of unpatched vulnerabilities are usually not caught by antivirus at the moment of exploitation. They may be caught in subsequent stages — when the payload is delivered, when malicious processes start behaving suspiciously — but the initial exploitation of an unknown vulnerability is largely outside what consumer antivirus is designed to stop.

What's actually true

For home users, the practical protection gap that AV test zero-day scores measure — early detection of new malware before databases are updated — is real and worth considering. A product that catches 99% of new threats in their first week of circulation versus one that catches 97% is a meaningful difference in exposure window, especially for malware that spreads rapidly in its first days of deployment.

True zero-day exploits of unpatched software vulnerabilities are a different category. For home users, keeping operating system and application software updated is a more direct defense against this threat category than antivirus product selection. Zero-days that target unpatched Windows vulnerabilities are largely mitigated by Windows Update. Zero-days in browsers are mitigated by browser auto-updates. The antivirus layer is a secondary defense in this scenario, not the primary one.

Where you might be

If you're choosing between antivirus products and zero-day detection scores are part of your comparison, keep in mind that the scores in AV-TEST and AV-Comparatives reflect early-campaign detection, which is the realistic threat scenario for home users. Bitdefender and ESET consistently score at the top of this metric.


If your machines run software that isn't being updated — legacy applications, end-of-life operating systems, or software where auto-updates are disabled — that's the specific configuration where unpatched vulnerability exposure is highest. Antivirus is a partial compensating control, not a substitute for patches.


If you're trying to understand what level of threat 'zero-day protection' in a product actually addresses — versus the nation-state attack scenario — the distinction is relevant for calibrating what your setup does and doesn't cover.


What no tool solves

No consumer antivirus product reliably stops a true zero-day exploit of an unpatched vulnerability at the moment of exploitation. The exploit itself happens in legitimate software — a browser, a PDF reader, an OS component — before any malicious payload is delivered. What antivirus can catch is the behavior that follows.

The 'zero-day detection rate' metric in independent tests measures something real — early-campaign malware detection — but it doesn't measure protection against targeted attacks using previously unknown vulnerabilities. These are different threat categories and the scores shouldn't be read as addressing both.

Behavioral detection improves zero-day coverage meaningfully, but only in the execution phase — after the exploit has already run. The window between initial exploitation and behavioral detection firing is where damage can occur. Keeping software updated closes the vulnerability window before the exploit can run at all, which is a different layer of the defense entirely.
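An added example, not from this guide or from any antivirus vendor, of the behavioral layer described above: a small parent/child process rule run over constructed endpoint telemetry. The log format, file paths and the process lists are assumptions for illustration only. At the moment a PDF reader or browser is exploited, a file scanner sees nothing; what a behavioral layer can see is that reader or browser later spawning a shell. The example flags that spawn and also measures the gap between the parent's launch and the alert, which is the window this section describes.

```python
"""Parent/child process heuristic over constructed endpoint telemetry.

Illustrative only: the log format, paths and process names below are
assumptions made for this example, not output of any real AV or EDR product.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed telemetry in an assumed "timestamp|parent|child|command line" form.
SAMPLE_LOG = """\
2024-05-01T10:00:00|C:\\Windows\\explorer.exe|C:\\Program Files\\Adobe\\AcroRd32.exe|AcroRd32.exe invoice.pdf
2024-05-01T10:00:04|C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\chrome.exe|chrome.exe
2024-05-01T10:00:37|C:\\Program Files\\Adobe\\AcroRd32.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden
2024-05-01T10:01:02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2024-05-01T10:02:15|C:\\Program Files\\Google\\Chrome\\chrome.exe|C:\\Program Files\\Google\\Chrome\\chrome.exe|chrome.exe --type=renderer
"""

# Processes that render untrusted content and should not be launching shells.
DOCUMENT_PARENTS = {"acrord32.exe", "winword.exe", "excel.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}
# Interpreters and script hosts whose launch from a content renderer is anomalous.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    parent: str    # image basename, lower-cased
    child: str     # image basename, lower-cased
    cmdline: str


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the assumed pipe-delimited format into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child, cmdline = line.split("|", 3)
        events.append(ProcessEvent(
            ts=datetime.fromisoformat(ts),
            parent=PureWindowsPath(parent).name.lower(),
            child=PureWindowsPath(child).name.lower(),
            cmdline=cmdline,
        ))
    return events


def is_suspicious_spawn(ev: ProcessEvent) -> bool:
    """A document viewer or browser should render content, not start a shell."""
    return ev.parent in DOCUMENT_PARENTS and ev.child in SHELL_CHILDREN


def find_alerts(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """The exploit itself is invisible here; the post-exploitation spawn is not."""
    return [ev for ev in events if is_suspicious_spawn(ev)]


def exposure_window(events: list[ProcessEvent], alert: ProcessEvent) -> float | None:
    """Seconds from the most recent launch of the alert's parent process to the alert.

    The exploit ran somewhere inside this window; behavioral detection only
    fires at its end, which is the gap the text above describes.
    """
    launches = [ev.ts for ev in events
                if ev.child == alert.parent and ev.ts <= alert.ts]
    if not launches:
        return None
    return (alert.ts - max(launches)).total_seconds()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_alerts(evs):
        gap = exposure_window(evs, alert)
        print(f"ALERT {alert.ts.isoformat()} {alert.parent} -> {alert.child} "
              f"(cmd: {alert.cmdline}); window since parent launch: {gap}s")
```

Running the block flags only the reader-spawns-PowerShell event; the normal launches (explorer starting applications, cmd running ipconfig, a browser spawning its own renderer) pass. The reported window of 37 seconds is the interval in which the exploit already ran and nothing on the host had yet objected, which is why patching the reader is the primary control and this rule the secondary one.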
