Why Most Cyber Attacks Don’t Need Zero-Days
A practical breakdown of how real-world breaches happen using misconfigurations, weak credentials, and exposed services.
Why Most Cyber Attacks Don't Need Zero-Days
Here's something that surprised me when I started studying cybersecurity: the scary stuff — zero-day exploits, custom malware, nation-state APTs — accounts for a tiny fraction of actual breaches.
The vast majority of successful attacks? They use stuff that's been known and documented for months, sometimes years. The CVE is public. The patch exists. Nobody applied it.
That's the real story of cybersecurity, and it's way less glamorous than the movies make it look.
The "Advanced Hacker" Myth
Zero-days are real, but they're expensive. We're talking hundreds of thousands of dollars on the exploit market. They're used for targeted ops — espionage, surveillance, military operations. Your average attacker isn't burning a zero-day on a random startup's web server.
What they are doing:
- Scanning for exposed admin panels on Shodan
- Trying default credentials (admin/admin still works more often than you'd think)
- Looking for known CVEs that haven't been patched
- Credential stuffing with leaked password databases
None of this requires genius. It requires patience and a search engine.
How Breaches Actually Happen
Exposed Services
I've seen MongoDB instances with no auth sitting on public IPs. Redis servers wide open. Dev environments accidentally deployed to production with debug mode on. A simple nmap scan is often the only "exploit" needed.
This is not theoretical — Shodan indexes thousands of these every day.
Credential Reuse
This one is so simple it's almost embarrassing. People reuse passwords. Data breaches leak credentials. Attackers try those credentials on other services. If your users use the same password for their email and your app, one breach compromises both.
You don't need an exploit for this. You need a Python script and a leaked database.
Cloud Misconfigurations
This is the modern goldmine for attackers:
- S3 buckets set to public (this has caused some of the biggest breaches in history)
- IAM roles with wildcard permissions
- API keys committed to public GitHub repos
- Secrets sitting in environment variables that get logged
I once found an API key in a public repo just by searching GitHub for AKIA (the prefix for AWS access keys). Took about 30 seconds.
Why This Keeps Happening
Because security is treated as an afterthought. It's the thing you do after launch, after the sprint, after someone asks about it. The security review gets pushed to "next quarter." The dependency update gets marked as "low priority."
Attackers know this. They're not looking for the hardest way in — they're looking for the easiest. And the easiest way in is almost always something that someone already knew about and didn't fix.
What Actually Helps
Forget advanced threat hunting for a minute. Before any of that matters, you need the basics locked down:
- Patch what you know is broken. Sounds obvious. Most orgs don't do it consistently.
- Enforce least privilege. If a service only needs read access, don't give it write.
- Know what's running. You can't secure assets you don't know exist.
- Audit regularly. Not annually — continuously!
The Uncomfortable Truth
If you're defending against APTs but you haven't rotated your default credentials or patched last month's critical CVE, you're defending the wrong perimeter.
The attackers will walk through the front door you left open while you were busy installing a laser grid in the basement. Start with the obvious stuff. It's less exciting, but it's where 90% of breaches actually happen.
Found this useful?
Share it with your network.