Zero day

In AP Cybersecurity, a zero day is a previously undocumented software vulnerability that the vendor has not yet patched. In the CED's framing, discovering a zero day is a capability attributed to high-skilled adversaries, which makes it a hallmark of advanced attackers in Unit 1.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is zero day?

A zero day is a flaw in software that nobody on the defense side knows about yet. The vendor hasn't documented it, hasn't patched it, and probably has no idea it exists. The name comes from the idea that the vendor and defenders have had "zero days" since learning of the flaw to fix it.

In the CED, zero days come up under EK 1.3.A.1 when classifying adversaries by skill. Low-skilled adversaries just buy or download tools that exploit known vulnerabilities. High-skilled adversaries are different. They have the capacity to discover undocumented vulnerabilities, known as zero days, and to build custom tools to exploit them. So a zero day isn't just "a bug." It's specifically a bug the good guys don't yet know about, which is what makes it so dangerous and why it signals a sophisticated attacker.

Why zero day matters in AP Cybersecurity

Zero days live in Unit 1: Introduction to Security, under topic 1.3 Best Practices for Public Networks. The directly tied objective is AP Cybersecurity 1.3.A, which asks you to identify the type of adversary conducting a cyberattack. Zero days are the giveaway for a high-skilled adversary. If an attacker is exploiting something nobody has documented, you're not dealing with a script kiddie running purchased tools. You're dealing with someone capable of original research. Pinning down adversary skill level early sets up the rest of the unit, since the defenses you'd recommend depend on who you're up against.


How zero day connects across the course

High-Skilled Adversary (Unit 1)

Zero days and high-skilled adversaries are basically two sides of the same EK. Discovering a zero day is the defining capability that separates a high-skilled adversary from a low-skilled one who only reuses known exploits.

Adversary Classification by Skill (Unit 1)

The whole point of EK 1.3.A.1 is sorting attackers into low-skilled versus high-skilled. The presence of a zero day is your fastest clue that you're looking at the high-skilled end of that scale.

Evil Twin and Jamming Attacks (Unit 1)

These are named wireless attacks in topic 1.3, but they use well-documented techniques that anyone with the right tool can run. Contrast that with a zero day, which exploits something no defender even knows about yet. The contrast is one of sophistication, not just of method.

Is zero day on the AP Cybersecurity exam?

Zero days show up most on multiple-choice questions that test adversary classification. A typical stem describes someone who "discovers a previously unknown vulnerability the vendor has not documented or patched" and asks what that vulnerability is called (answer: a zero day) or what kind of adversary found it (answer: high-skilled). Another common stem describes building custom malware to exploit an undocumented flaw and asks you to identify the attacker. Your job is to recognize the keywords "undocumented," "previously unknown," "not yet patched," and connect them to zero day and high-skilled adversary. No released FRQ has used this term verbatim, but the concept supports any scenario where you have to assess an attacker's skill level and recommend defenses accordingly.

Zero day vs known vulnerability

A known vulnerability has already been documented, and usually there's a patch available, so low-skilled adversaries can exploit it on unpatched targets with purchased or downloaded tools. A zero day is the opposite: it's undocumented and unpatched, so there is no off-the-shelf tool for it and someone had to find it through original research, which is exactly the capability EK 1.3.A.1 attributes to a high-skilled adversary. The difference is entirely about whether defenders know it exists, not about how the exploit itself works.
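The distinction above is really a question of timeline: how many days the vendor has had between learning of a flaw and the attacker using it. The following is an added example, not part of the original study guide, that applies that definition to a handful of constructed vulnerability records (the names, dates and field layout are assumptions made for illustration, not real CVEs). It classifies each record as zero-day, known-but-unpatched, or known-and-patched, and computes the "days to prepare" that gives the term its name, including the edge case where exploitation is observed before the vendor ever heard of the flaw.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VulnRecord:
    """One vulnerability timeline. All dates are constructed sample data."""
    name: str
    vendor_aware: Optional[date]      # day the vendor learned of the flaw; None = still undocumented
    patch_released: Optional[date]    # day a fix shipped; None = still unpatched
    first_exploited: Optional[date]   # first observed exploitation; None = none seen yet


def days_to_prepare(rec: VulnRecord, as_of: date) -> int:
    """Days defenders had between vendor awareness and the first exploitation
    (or today, if no exploitation has been observed). Zero for a true zero day."""
    if rec.vendor_aware is None:
        return 0
    end = rec.first_exploited or as_of
    return max((end - rec.vendor_aware).days, 0)


def classify(rec: VulnRecord, as_of: date) -> str:
    """Apply the study guide's definition: undocumented + unpatched = zero day."""
    if rec.vendor_aware is None or rec.vendor_aware > as_of:
        return "zero-day (undocumented)"
    if rec.first_exploited is not None and rec.first_exploited < rec.vendor_aware:
        # Exploited in the wild before the vendor knew: a zero day at the time of attack,
        # even if a patch exists now.
        return "zero-day (exploited before vendor awareness)"
    if rec.patch_released is None or rec.patch_released > as_of:
        return "known, unpatched"
    return "known, patched (n-day)"


def triage(records: list, as_of: date) -> dict:
    """Return {name: (classification, days_to_prepare)} for every record."""
    return {r.name: (classify(r, as_of), days_to_prepare(r, as_of)) for r in records}


# Constructed sample records (hypothetical, not real vulnerabilities).
AS_OF = date(2026, 6, 1)
SAMPLE_RECORDS = [
    VulnRecord("flaw-A", None, None, date(2026, 5, 20)),
    VulnRecord("flaw-B", date(2026, 5, 10), date(2026, 5, 25), date(2026, 5, 1)),
    VulnRecord("flaw-C", date(2026, 1, 1), date(2026, 2, 1), date(2026, 3, 1)),
    VulnRecord("flaw-D", date(2026, 5, 1), None, None),
]

if __name__ == "__main__":
    for name, (label, days) in triage(SAMPLE_RECORDS, AS_OF).items():
        print(f"{name}: {label}, defenders had {days} day(s) to prepare")
```

In exam terms, the two "zero-day" labels are the ones that point to a high-skilled adversary; "known, patched" is the case a low-skilled adversary can hit with someone else's tool. The "known, unpatched" case sits in between: the vendor knows, so it is no longer a zero day by the study guide's definition, but defenders still have no fix to deploy.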

Key things to remember about zero day

  • A zero day is an undocumented, unpatched software vulnerability that defenders don't yet know about.

  • Discovering a zero day is a capability of high-skilled adversaries, per EK 1.3.A.1.

  • Low-skilled adversaries exploit known vulnerabilities with tools made by others; discovering a zero day is beyond their capability, per EK 1.3.A.1.

  • On MCQs, keywords like 'previously unknown,' 'undocumented,' and 'not yet patched' point to a zero day.

  • Zero days live in Unit 1, topic 1.3, and support the objective of identifying the adversary (AP Cybersecurity 1.3.A).

Frequently asked questions about zero day

What is a zero day in AP Cybersecurity?

A zero day is a previously undocumented software vulnerability that the vendor hasn't patched. In the CED (EK 1.3.A.1), only high-skilled adversaries have the capacity to discover them.

Does a low-skilled adversary use zero days?

Not in the CED's model. Low-skilled adversaries rely on tools created by others that exploit already-known vulnerabilities. Discovering an undocumented zero day requires the original-research capability of a high-skilled adversary.

How is a zero day different from a regular known vulnerability?

A known vulnerability has been documented and usually patched, so exploit tools for it are widely available to anyone who runs them against unpatched targets. A zero day is still undocumented and unpatched, which is exactly why it signals a sophisticated, high-skilled attacker.

Why is a zero day so dangerous?

Because no one on the defense side knows it exists yet, there's no vendor patch and no detection signature written for that specific flaw. Defenders have had 'zero days' to prepare, hence the name. Only general defenses that don't depend on knowing the flaw (least privilege, segmentation, monitoring for unusual behavior) stand in the way, which is why identifying the adversary feeds into the defenses you'd recommend.

How do I spot a zero day on the AP exam?

Look for words like 'previously unknown,' 'undocumented,' or 'the vendor has not yet patched.' Those phrases mean a zero day, and they tell you the adversary is high-skilled.
