
Zero-Day

A vulnerability that is being exploited in the wild before a patch is available: the worst-case shape of a security incident.

Definition

A zero-day (or 0-day) is a security vulnerability that attackers are actively exploiting before the vendor has released a patch. Defenders have zero days of advance notice, hence the name. Zero-days range from privately discovered bugs sold on grey markets to publicly disclosed flaws that take weeks for vendors to patch. Mitigations during the window include WAF rules, network-level allowlisting, feature flags that disable affected code paths, and increased monitoring on related signals.

Why it matters

Most security operations are tuned for known vulnerabilities (CVE patching, scan-and-remediate). Zero-days break that workflow because the patch doesn't exist yet. Maturity here is measured by how fast a team can ship a virtual patch (a WAF rule, a config change, a feature flag) within hours of disclosure, before the vendor's actual patch lands. Pair this with intel feeds and runbooks specifically for zero-day response.
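The sketch below is an added example, not code from Nova or from this glossary entry. It shows one way the three virtual-patch forms named above (a WAF-style input rule, a config change, a feature flag) can share a single request filter that also logs every hit for monitoring. The rule ids, endpoint paths, parameter name and the expiry field are hypothetical placeholders.

```python
import json
import logging
import posixpath
import re
from datetime import datetime, timezone
from urllib.parse import unquote

log = logging.getLogger("virtual_patch")

# Constructed rules; ids, paths and patterns are placeholders, not real advisories.
# Kept as data so a rule ships as a config change instead of a code deploy.
RULES = json.loads("""[
  {"id": "VP-EXAMPLE-1", "action": "block", "path": "^/api/export(/|$)",
   "param": "template", "pattern": "[{}$]", "expires": "2099-01-01T00:00:00+00:00"},
  {"id": "VP-EXAMPLE-2", "action": "disable", "path": "^/api/preview(/|$)",
   "expires": "2099-01-01T00:00:00+00:00"}
]""")


def normalize(path):
    """Decode and collapse a path so encoded or padded variants hit the same rule."""
    return posixpath.normpath("/" + unquote(path).lstrip("/")).lower()


def evaluate(path, params, rules=RULES, now=None):
    """Return (status, rule_id): 200 pass, 403 input blocked, 503 code path disabled."""
    now = now or datetime.now(timezone.utc)
    path = normalize(path)
    for rule in rules:
        if datetime.fromisoformat(rule["expires"]) <= now:
            continue  # rule retired, e.g. after the vendor patch is deployed
        if not re.search(rule["path"], path):
            continue
        if rule["action"] == "disable":
            status = 503  # feature flag: affected code path is off for everyone
        elif re.search(rule["pattern"], params.get(rule["param"], "")):
            status = 403  # WAF-style rule: only the suspicious input is rejected
        else:
            continue
        # Every hit is logged so the monitoring side sees attempts during the window.
        log.warning("virtual patch %s returned %d for %s", rule["id"], status, path)
        return status, rule["id"]
    return 200, None
```

Matching on the normalized path matters: a rule that compares raw request paths is bypassed by case changes, doubled slashes or percent-encoding, which leaves the virtual patch in place but ineffective.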
