How to respond to a zero-day in 24 hours
Incident response · 7-min read · updated June 2026
When a critical bug drops, panic is the enemy. A runbook turns a chaotic morning into five ordered moves — confirm, scope, mitigate, patch, verify — so you reduce real risk instead of thrashing.
The five-move runbook
1. Confirm: Identify the CVE, the affected products and versions, and whether exploitation is confirmed (CISA KEV) or theoretical. Work from the advisory, not the headline.
2. Scope: Do you run an affected version? Check your inventory / SBOM. "Are we affected?" is the first question leadership will ask — have the answer fast.
3. Mitigate: If a patch is not ready, apply interim mitigations from the advisory — disable the feature, restrict access, add a WAF rule, or take it offline. Reduce blast radius first.
4. Patch: Apply the vendor fix to affected systems, highest-exposure first. Track which systems are done so nothing is missed.
5. Verify: Confirm the fix landed, watch for exploitation attempts, and tell stakeholders what happened and what you did. Record it for the post-incident review and any reporting duty.
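The scope, patch-ordering and verify moves above, and the "Are we affected?" question in the FAQ below, carried out in code. This is an added example, not IsItPatched's code or tooling: the advisory (CVE id, product name, version range), the per-host inventory, and the post-patch scan are all constructed placeholders, and the inventory shape is a simplified stand-in for whatever your asset inventory or SBOM export actually produces. It compares versions numerically (a string comparison would rank 2.4.10 below 2.4.9), orders affected hosts internet-facing first, and, for the verify step, flags hosts the tracker says are done but that a fresh scan still shows on a vulnerable version.

```python
import json
import re

# Constructed placeholder advisory: the CVE id, product and version range
# are made up for this example, not a real vulnerability.
ADVISORY = {
    "cve": "CVE-YYYY-NNNNN",
    "product": "examplelib",
    "affected_from": "2.0.0",   # first affected version (inclusive)
    "fixed_in": "2.4.10",       # first version carrying the fix (exclusive bound)
    "on_kev": True,             # exploitation confirmed (would come from CISA KEV)
}

# Constructed inventory: one component list per host, a simplified stand-in
# for an asset inventory or SBOM export.
INVENTORY_JSON = """
{"hosts": [
  {"name": "web-01", "internet_facing": true,
   "components": [{"name": "examplelib", "version": "2.4.9"},
                  {"name": "otherlib", "version": "1.0.0"}]},
  {"name": "web-02", "internet_facing": true,
   "components": [{"name": "examplelib", "version": "2.4.10"}]},
  {"name": "db-01", "internet_facing": false,
   "components": [{"name": "examplelib", "version": "2.3.1"}]},
  {"name": "batch-01", "internet_facing": false,
   "components": [{"name": "examplelib", "version": "1.9.5"}]},
  {"name": "api-01", "internet_facing": true,
   "components": [{"name": "otherlib", "version": "3.2.0"}]}
]}
"""
INVENTORY = json.loads(INVENTORY_JSON)

# Constructed post-patch scan: web-01 was upgraded; db-01 was marked done in
# the tracker, but the scan still shows the old version.
POST_PATCH_JSON = """
{"hosts": [
  {"name": "web-01", "internet_facing": true,
   "components": [{"name": "examplelib", "version": "2.4.10"}]},
  {"name": "web-02", "internet_facing": true,
   "components": [{"name": "examplelib", "version": "2.4.10"}]},
  {"name": "db-01", "internet_facing": false,
   "components": [{"name": "examplelib", "version": "2.3.1"}]},
  {"name": "batch-01", "internet_facing": false,
   "components": [{"name": "examplelib", "version": "1.9.5"}]},
  {"name": "api-01", "internet_facing": true,
   "components": [{"name": "otherlib", "version": "3.2.0"}]}
]}
"""
POST_PATCH_INVENTORY = json.loads(POST_PATCH_JSON)


def parse_version(v: str) -> tuple:
    """Split '2.4.10' into (2, 4, 10). Comparing version strings lexically
    would rank '2.4.10' below '2.4.9'; numeric tuples compare correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(advisory: dict, component: dict) -> bool:
    """True if the component is the advisory's product and its version lies
    in the half-open range [affected_from, fixed_in)."""
    if component["name"] != advisory["product"]:
        return False
    v = parse_version(component["version"])
    return (parse_version(advisory["affected_from"]) <= v
            < parse_version(advisory["fixed_in"]))


def scope(advisory: dict, inventory: dict) -> list:
    """Scope move: list affected hosts, internet-facing ones first, so the
    patch order follows exposure."""
    hits = []
    for host in inventory["hosts"]:
        vuln = [c["version"] for c in host["components"] if is_affected(advisory, c)]
        if vuln:
            hits.append({"name": host["name"],
                         "internet_facing": host["internet_facing"],
                         "versions": vuln})
    hits.sort(key=lambda h: (not h["internet_facing"], h["name"]))
    return hits


def verify(advisory: dict, post_patch_inventory: dict, marked_done: set) -> dict:
    """Verify move: re-scope against a fresh scan and flag hosts the tracker
    says are done but that still show a vulnerable version."""
    still = {h["name"] for h in scope(advisory, post_patch_inventory)}
    return {"still_vulnerable": sorted(still),
            "marked_done_but_vulnerable": sorted(still & marked_done)}


if __name__ == "__main__":
    hits = scope(ADVISORY, INVENTORY)
    print(f"{ADVISORY['cve']} (on KEV: {ADVISORY['on_kev']}) affects {len(hits)} host(s):")
    for h in hits:
        print(f"  {h['name']:9} internet-facing={h['internet_facing']} versions={h['versions']}")
    print(verify(ADVISORY, POST_PATCH_INVENTORY, marked_done={"web-01", "db-01"}))
```

The verify step deliberately does not trust the tracker: it re-reads a fresh scan and reports any host that was ticked off but still runs a vulnerable version, which is exactly the case "confirm the fix landed" is meant to catch. Hosts on a version older than the affected range (batch-01 here) are excluded only because the advisory's range says so; if the advisory gives no lower bound, drop the `affected_from` check and treat everything below `fixed_in` as affected.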
The clock: what to do in the first hours
| Window | Focus |
|---|---|
| First hour | Confirm CVE + affected versions; check if it is on CISA KEV |
| Hours 1–4 | Scope exposure across inventory/SBOM; apply interim mitigations |
| Hours 4–24 | Patch highest-exposure systems; monitor for exploitation |
| After | Verify, communicate, record, and check any reporting duty (e.g. CRA) |
Frequently asked questions
What counts as a zero-day?
A vulnerability being exploited before (or as) a fix becomes available — so defenders have "zero days" to prepare. The priority is reducing exposure fast, even before a patch exists.
First question to answer?
"Are we affected?" Scope it against your inventory or SBOM. You cannot triage urgency until you know whether you run a vulnerable version.
No patch yet — what do I do?
Apply the advisory’s interim mitigations: disable the affected feature, restrict network access, add detection, or isolate the system. Mitigate first, patch when available.
Where do I watch for active exploitation?
The IsItPatched exploitation radar tracks CISA KEV, and security feeds push new exploited CVEs to your reader, Slack or SIEM.
This guide is vendor-neutral and informational, grounded in publicly available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.