Previously unknown “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But they’re even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild before anyone else knows about them. As researchers have expanded their focus to detect and study more of this exploitation, they’re seeing it more often. Two reports this week from the threat intelligence firm Mandiant and Google’s bug hunting team, Project Zero, aim to give insight into the question of exactly how much zero-day exploitation has grown in recent years.

Mandiant and Project Zero each have a different scope for the types of zero-days they track. Project Zero, for example, doesn’t currently focus on analyzing flaws in internet-of-things devices that are exploited in the wild. As a result, the absolute numbers in the two reports aren’t directly comparable, but both teams tracked a record high number of exploited zero-days in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero tracked 58 in 2021 compared to 25 the year before. The key question for both teams, though, is how to contextualize their findings, given that no one can see the full scale of this clandestine activity.

“We started seeing a spike early in 2021,and a lot of the questions I was getting all through the year were, ‘What the heck is going on?!’” says Maddie Stone, a security researcher at Project Zero. “My first reaction was, ‘Oh my goodness, there’s so much.’ But when I took a step back and looked at it in the context of previous years, to see such a big jump, that growth actually more likely is due to increased detection, transparency, and public knowledge about zero-days.”

Before a software vulnerability is publicly disclosed, it’s called a “zero-day,” because there have been zero days in which the software maker could have developed and released a patch and zero days for defenders to start monitoring the vulnerability. In turn, the hacking tools that attackers use to take advantage of such vulnerabilities are known as zero-day exploits. Once a bug is publicly known, a fix may not be released immediately (or ever), but attackers are on notice that their activity could be detected or the hole could be plugged at any time. As a result, zero-days are highly coveted, and they are big business for both criminals and, particularly, government-backed hackers who want to conduct both mass campaigns and tailored, individual targeting.

Zero-day vulnerabilities and exploits are typically thought of as uncommon and rarified hacking tools, but governments have been repeatedly shown to stockpile zero-days, and increased detection has revealed just how often attackers deploy them. Over the past three years, tech giants like Microsoft, Google, and Apple have started to normalize the practice of noting when they’re disclosing and fixing a vulnerability that was exploited before the patch release. 

While awareness and detection efforts have increased, James Sadowski, a researcher at Mandiant, emphasizes that he does see evidence of a shift in the landscape.