Earlier this year, Anthropic released a blog post discussing Claude Mythos Preview, their general-purpose language model that has been finding vulnerabilities in a plethora of software. The results are impressive and I’m not even going to debate those. After all, I’ve seen what Gemini has been able to do for me across small code bases, so with unlimited credits, I’d imagine the sky is the limit. If you’ve read the article, you’ll know that they spent “under $20,000” to find an OpenBSD denial of service and $10,000 to find several vulnerabilities in FFmpeg. Expensive, but still an impressive feat.
I don’t really want to talk about that. Instead, I want to talk about something that Anthropic did that tech journalists have been guilty of for several years: the misuse of the term ‘zero-day.’ I’m not going to say this is a capital offense, but it is a serious misstep that has plagued our industry for quite some time and something that I’ve heard complaints about across multiple groups and organizations.
I’ve sat in on several meetings, both internal and external, where the discussion of the use of the word zero-day has come up. Most of these conversations happen after Patch Tuesday when various publications, depending on the writer, mention differing numbers of zero-day vulnerabilities involved in the Patch Drop. Let’s take a look at January 2026:
[Table: publications grouped by the number of zero-days they reported for January 2026, with columns 1 Zero-day | 2 Zero-days | 3 Zero-days. Only the entry “SC World *” survived extraction; the other publication names are missing.]
*SC World used the terms “actively exploited zero-day” and “publicly disclosed zero-day” but the sum of these two terms was 3 vulnerabilities.
So, what is the actual answer? If you pull data from the Microsoft API for January, you get the following list of vulnerabilities that were tagged as either actively exploited or publicly disclosed:
| CVE | Severity | Publicly Disclosed | Exploited | Customer Action Required | Exploitability |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-21265 | Important | Yes | No | Yes | Exploitation Less Likely |
| CVE-2026-20805 | Important | No | Yes | Yes | Exploitation Detected |
| CVE-2023-31096 | Important | Yes | No | Yes | Exploitation More Likely |
| CVE-2026-21509 | Important | No | Yes | Yes | Exploitation Detected |
| CVE-2026-0902 | None | No | Yes | Yes | Exploitation Detected |
Both CVE-2026-21509 (Microsoft Office Security Feature Bypass) and CVE-2026-0902 (Chromium Vulnerability) came out after the January Patch Tuesday, leaving us with 3 items that were either exploited or publicly disclosed.
| CVE | Severity | Publicly Disclosed | Exploited | Customer Action Required | Exploitability |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-21265 | Important | Yes | No | Yes | Exploitation Less Likely |
| CVE-2026-20805 | Important | No | Yes | Yes | Exploitation Detected |
| CVE-2023-31096 | Important | Yes | No | Yes | Exploitation More Likely |
It’s easy to see how everyone arrived at the conclusion they did. There is one vulnerability with exploitation detected and three overall. The exception is Tenable with two; however, they note on their post that they excluded the MITRE-assigned CVE-2023-31096 from their counts.
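The counting described above, from pulling the flagged items through the Patch Tuesday cut-off, as an added example that is not part of the original post. The five advisories are a constructed sample built from the post’s own table; the release dates are placeholders chosen so that the last two fall after Patch Tuesday, as the post states. The semicolon-separated “Exploit Status” string format and the `Advisory` field names are assumptions about how the Microsoft data is shaped, not something the post documents.

```python
"""Reproduce the post's Patch Tuesday count: keep advisories flagged as
exploited or publicly disclosed, then drop anything released after the
Patch Tuesday date itself, and report the total under both readings the
post contrasts (exploitation detected vs. exploited-or-disclosed)."""
from dataclasses import dataclass
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's monthly release day."""
    first = date(year, month, 1)
    # weekday(): Monday == 0, Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def parse_exploit_status(text: str) -> dict:
    """Split a 'Key:Value;Key:Value' exploit-status string into a dict.
    The layout is an assumption about the MSRC data, not taken from the post."""
    fields = {}
    for part in text.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


@dataclass
class Advisory:
    cve: str
    severity: str
    exploit_status: str  # assumed MSRC-style status string
    released: date       # date the advisory first appeared (constructed below)


# Constructed sample: the five CVEs from the post's table. Dates are
# placeholders; the post only says the last two came out after Patch Tuesday.
SAMPLE = [
    Advisory("CVE-2026-21265", "Important",
             "Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation Less Likely",
             date(2026, 1, 13)),
    Advisory("CVE-2026-20805", "Important",
             "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected",
             date(2026, 1, 13)),
    Advisory("CVE-2023-31096", "Important",
             "Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation More Likely",
             date(2026, 1, 13)),
    Advisory("CVE-2026-21509", "Important",
             "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected",
             date(2026, 1, 26)),
    Advisory("CVE-2026-0902", "None",
             "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected",
             date(2026, 1, 28)),
]


def flagged(advisories):
    """First filter: items tagged as exploited or publicly disclosed."""
    keep = []
    for adv in advisories:
        status = parse_exploit_status(adv.exploit_status)
        if status.get("Exploited") == "Yes" or status.get("Publicly Disclosed") == "Yes":
            keep.append(adv)
    return keep


def released_by_patch_tuesday(advisories, year: int, month: int):
    """Second filter: drop anything published after that month's Patch Tuesday."""
    cutoff = patch_tuesday(year, month)
    return [adv for adv in advisories if adv.released <= cutoff]


def count_by_reading(advisories, year: int, month: int) -> dict:
    """Totals under the strict reading (exploitation detected) and the
    broader one (exploited or publicly disclosed), plus the CVEs in scope."""
    in_scope = released_by_patch_tuesday(flagged(advisories), year, month)
    exploited = [adv for adv in in_scope
                 if parse_exploit_status(adv.exploit_status).get("Exploited") == "Yes"]
    return {
        "exploited": len(exploited),
        "exploited_or_disclosed": len(in_scope),
        "cves": [adv.cve for adv in in_scope],
    }


if __name__ == "__main__":
    print(patch_tuesday(2026, 1))              # 2026-01-13
    print(count_by_reading(SAMPLE, 2026, 1))   # exploited: 1, exploited_or_disclosed: 3
```

Swapping `SAMPLE` for the real monthly feed is the only change needed to rerun this against a live Patch Tuesday; the two numbers it returns are exactly the “one” and “three” the publications above disagreed about.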
It used to be that a zero-day had a very specific meaning, a meaning that a lot of us still expect to see. That meaning: “An exploit for a previously unknown vulnerability.” You can see that definition referenced as being on Wikipedia back in 2013 via this blog. Unfortunately, Wikipedia has removed the page Zero-Day Attack and now it redirects you to Zero-Day Vulnerability.
Then the phrase shifted and zero-day suddenly referred to any vulnerability disclosed without a patch. This greatly shifted the expectation associated with the phrase zero-day because an entire generation of sys admins and security folks had been trained that a zero-day was a worst-case scenario, but that was no longer the case. A vulnerability without an exploit isn’t nearly the same risk as a vulnerability with an exploit. Many would argue that a vulnerability without an exploit presents no risk.
The phrase then shifted again, and this is the shift that pains me the most. Zero-day now means any vulnerability without a patch, even if it hasn’t been disclosed. This is the definition that we see Anthropic using in their blog post and this is the language that Wikipedia has been updated to include. Interestingly, someone was really interested in a couple of publications from a small group of authors and updated that Wikipedia page with roughly 30 references to 3 or 4 books.
The problem with this most recent definition is that it has no meaning and no value. If everything is a zero-day, then nothing is. The term zero-day should be an alarm bell that notifies us that something is wrong and that there’s something that we need to care about. We don’t need to care about every vulnerability, and we really don’t need the alarm bell rung for every vulnerability. So, let’s agree to stop over-sensationalizing vulnerabilities. Let’s go back to zero-day having meaning.
While my preference would be to return to the original definition, because that’s when the alarm bell really needs to ring loudly, I’d accept if we met in the middle with disclosed vulnerabilities. I want to say kudos to those vendors and publications that said there was only one zero-day in the January Patch Tuesday; they provided the most useful reporting. And shame on vendors like Anthropic who abuse the term to try and get more attention.