Proactive cyber defence: Managing the growing risk of zero-day vulnerabilities

Business continuity planning should include simulations for zero-day incidents — not just ransomware or known malware

Gulf Business
Ezzeldin Hussein, Regional Senior Director, Solution Engineering – META, SentinelOne on Managing the growing risk of zero-day vulnerabilities

In today’s digitally driven world, the race between cyber attackers and defenders is more intense than ever. Every enterprise, regardless of industry, relies on a vast web of interconnected systems, cloud services, on-prem applications, and hybrid collaboration tools.

This interconnectedness, while essential for agility and growth, introduces a critical risk: the exploitation of zero-day vulnerabilities.

The recent discovery of a critical zero-day vulnerability in on-premises Microsoft SharePoint servers, referred to in industry circles as “ToolShell” (CVE-2025-53770), is yet another reminder of the evolving and unpredictable threat landscape.

The flaw allows unauthenticated remote code execution and was actively exploited in the wild before any formal patch was released. Patching alone was also not enough to close the incident: Microsoft’s guidance called for rotating the servers’ ASP.NET machine keys after the update, because keys lifted from a compromised server let an attacker keep forging valid requests to it even once the code fix is in place.

It’s a textbook case of how attackers continue to innovate and why organisations must rethink how they manage cyber risk, especially for unknown and unpatched threats.

Zero-day realities: not “if” but “when”

Zero-days are by nature invisible, until they’re not. They represent flaws in software or systems that developers and defenders aren’t yet aware of, but attackers may have already discovered and weaponised. This asymmetry creates a dangerous window of opportunity for malicious actors. In ToolShell’s case, attackers were able to execute arbitrary code remotely, potentially gaining full control of affected systems.

While this particular case is notable, it is by no means unique. Whether targeting collaboration platforms, email servers, web frameworks, or even security tools themselves, zero-day vulnerabilities are becoming a standard tactic in the modern attacker’s playbook. This brings forth a pressing question: how can organisations prepare for threats they cannot see?

Building cyber resilience: From reactive to proactive

Effective cybersecurity in the face of zero-day threats requires a multi-layered and forward-looking strategy. Here are five key focus areas every organisation should adopt:

Assume breach and minimise blast radius

The first shift in mindset must be this: assume a breach is inevitable. This isn’t pessimism; it’s realism. By adopting an “assume breach” posture, companies can invest in segmentation, access controls, and identity protections that limit how far an attacker can move once inside. A zero-day on a web-facing server then yields one compromised host rather than a foothold into the whole estate.

Privileged access should be limited to what each role and service account actually needs, lateral movement should be monitored, and sensitive data must be isolated.

Adopt extended detection and response (XDR)

Endpoint-only detection is no longer enough; organisations need tools that correlate behaviour across endpoints, identities, cloud workloads, and networks. XDR platforms provide that visibility, enabling faster detection of anomalies and coordinated response across environments.

When a zero-day is exploited, the ability to see the full kill chain and isolate affected systems becomes mission-critical.

Invest in threat intelligence and real-time updates

Staying ahead means being informed. Enterprises should subscribe to threat intelligence feeds and work with cybersecurity partners who offer real-time updates, including Indicators of Compromise (IOCs) and hunting queries, even before public advisories are issued. Early detection and context-rich threat intel can dramatically reduce dwell time and response lag.

Integrate vulnerability management with active monitoring

Traditional vulnerability management often runs on a monthly cadence, too slow for today’s environment. Modern organisations need continuous vulnerability exposure assessments that integrate with their detection tools. If a system is found to be vulnerable, real-time flags should trigger proactive isolation or prioritisation in patch pipelines; for a zero-day, that usually means isolating or restricting internet-exposed instances while the patch is still pending.

Foster cross-team collaboration and executive visibility

Cyber risk is a business risk. IT, security, and executive leadership must collaborate closely to ensure that the organisation’s risk tolerance, response protocols, and communication plans are well understood and exercised.

Business continuity planning should include simulations for zero-day incidents — not just ransomware or known malware.

From defence to anticipation

While patching known vulnerabilities remains essential, organisations can no longer rely solely on post-exploit remediation. The key lies in anticipating threats through behavioural analysis, automated response, and architectural resilience.

Emerging technologies, including AI-powered security platforms, are helping analysts detect suspicious patterns even without a known signature.

This level of proactive defence is increasingly becoming the gold standard. It’s also critical to eliminate blind spots. Tools should be able to detect unexpected process executions (for example, the IIS worker process w3wp.exe spawning a command shell), unusual SharePoint or IIS behaviours, and anomalous command-line arguments such as encoded PowerShell, signs that something like ToolShell may be at play even before an indicator for it exists.
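The two detection styles the article contrasts, indicator matching from a threat-intelligence feed (the IOCs and hunting queries mentioned under threat intelligence) and signature-free behavioural rules (the process, IIS and command-line signals mentioned here), can sit in the same pipeline. The script below is an added example and not SentinelOne’s or the article’s code: it runs three rules over constructed process-creation events. The field names (host, parent_image, image, command_line, sha256), the sample events and the placeholder IOC hashes are assumptions for the example; w3wp.exe being the IIS worker process that hosts SharePoint, and csc.exe being a routine child of it (ASP.NET page compilation), are not.

```python
import ntpath
import re
from dataclasses import dataclass

# w3wp.exe is the IIS worker process that hosts SharePoint; a shell under it
# is the behavioural signal the article points at. Assumption for this example:
# events carry the field names used below (host, parent_image, image,
# command_line, sha256), roughly what Sysmon Event ID 1 or an EDR exposes.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Children w3wp.exe starts routinely (ASP.NET compiles pages with csc.exe),
# allow-listed so the rule stays quiet on normal IIS activity.
EXPECTED_WEB_CHILDREN = {"csc.exe", "conhost.exe"}
# Stand-in for a threat-intel feed: constructed placeholder hashes, not real IOCs.
IOC_SHA256 = {"ab" * 32}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; a long base64 run after
# one of them is the anomalous-argument pattern worth surfacing.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list[Alert]:
    """Run every rule against one process-creation event; return the alerts raised."""
    host = event.get("host", "?")
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    alerts: list[Alert] = []

    # Behavioural rule, no signature needed: the web worker should not be
    # launching anything beyond its allow-listed children, least of all a shell.
    if parent in WEB_WORKERS and image not in EXPECTED_WEB_CHILDREN:
        severity = "high" if image in SHELLS else "medium"
        alerts.append(Alert(host, "web-worker-spawned-process", severity, f"{parent} -> {image}"))

    # Anomalous command line: encoded PowerShell. Noisy on its own (admins use it
    # too), so it is medium and gains weight when it co-occurs with the rule above.
    if ENCODED_PS.search(cmdline):
        alerts.append(Alert(host, "encoded-powershell", "medium", cmdline[:60]))

    # Indicator match from the intel feed: only as good as the feed is current.
    if event.get("sha256", "").lower() in IOC_SHA256:
        alerts.append(Alert(host, "ioc-hash-match", "high", event["sha256"]))

    return alerts


def detect(events: list[dict]) -> list[Alert]:
    """Evaluate a batch of events and return all alerts in event order."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry (not real logs). The base64 blobs are filler.
SAMPLE_EVENTS = [
    # 1. IIS worker spawning cmd.exe that runs encoded PowerShell: the pattern the text describes.
    {"host": "sp-wfe01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell.exe -nop -w hidden -enc " + "QUFB" * 12,
     "sha256": "cc" * 32},
    # 2. Routine ASP.NET page compilation from the same worker: must stay silent.
    {"host": "sp-wfe01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\page.cmdline"',
     "sha256": "dd" * 32},
    # 3. Encoded PowerShell from an interactive session: flagged, but only at medium.
    {"host": "ws-042",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand " + "QUFB" * 12,
     "sha256": "ee" * 32},
    # 4. Unknown binary whose hash is on the (placeholder) IOC list.
    {"host": "sp-app02",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Temp\update.exe",
     "command_line": "update.exe",
     "sha256": "ab" * 32},
    # 5. Ordinary user activity: no alert.
    {"host": "ws-042",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt",
     "sha256": "ff" * 32},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.host}: {alert.rule} ({alert.detail})")
```

The first event raises both a high-severity behavioural alert and a medium encoded-command alert, which is the co-occurrence an analyst would triage first; the csc.exe event raises nothing because the allow-list captures what the worker process legitimately does. The IOC rule only fires on the fourth event, which illustrates the article’s point about feeds: it catches exactly what is already known, while the w3wp.exe rule would have fired on the first event with an empty IOC list.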

Staying one step ahead

Zero-days will continue to surface. Some may grab headlines; many will fly under the radar. But the organisations that thrive in this reality are those that don’t wait for the news to act. They invest in proactive visibility, rapid containment, and flexible response strategies.

The ToolShell vulnerability may fade from news cycles in weeks, but the lesson it carries must remain: in cybersecurity, speed and preparedness make all the difference. The winners are those who treat zero-day defence not as a one-time effort, but as a core capability woven into the fabric of their technology, their processes, and their culture.

The writer is senior director, solutions engineer at SentinelOne, a global leader in AI-powered cybersecurity.

