A zero-day exploit refers to an undetected or unaddressed security vulnerability in hardware or software. In contrast, a zero-day event describes any cyber attack that uses the exploit before developers can patch the vulnerability. The term "zero-day" comes from the fact that the people responsible for the software's security had no time to fix the problem before cybercriminals exploited it.
In other words, the entity responsible for security only discovered the exploit after an event already happened. Thus, they had zero days to patch the issue before an event occurred. Sometimes, security professionals or even users uncover potential events before they occur. In the worst examples, these exploits and even events may remain undetected for weeks or months.
To better understand how much damage an undetected, zero-day exploit can do, look at some high-profile examples:
If potential exploits can threaten tech companies as large as Google and Microsoft, they're obviously hard to detect. By definition, they're unknown vulnerabilities, so common security software won't have them in its databases yet. Still, even small businesses and individuals can take some steps to protect themselves.
Threat Hunting and Detection
Tools such as Sophos’ Intercept-X may be able to detect a zero-day. However, if an Advanced Persistent Threat (APT) were to target your business and deploy a zero-day, it would most likely go unnoticed until defensive tools found the malicious anomalies.
Naturally, computer users should make it their policy to apply patches and new releases right away. This measure cannot eliminate risks completely, but it can reduce them by cutting down the entry points from which an attack can be launched.
On the positive side, some organizations have created zero-day initiatives. These reward people for reporting vulnerabilities, which reduces the financial incentive to sell this kind of information on the black market. Some companies, such as Zerodium, will reward ethical research with millions of dollars, which would hopefully reduce the likelihood of the vulnerabilities being used maliciously.