Zero-Day Panic? Here’s How to Decide If You Must Escalate Immediately

Imagine a fire alarm that goes off at the slightest hint of smoke. Eventually, people stop paying attention. The same principle applies to cybersecurity. 

If you escalate every vulnerability like it’s a five-alarm fire—especially when dealing with high-profile issues like zero-days—stakeholders will start tuning out. But the consequences can be major if you fail to sound the alarm when it truly matters.

Raf Borges, Director of Security Operations at Axonius, has worked with multiple organizations navigating this challenge. He’s seen firsthand why many teams struggle to prioritize vulnerabilities and how they can break free from ineffective processes.

In this guide, we’ll share his insights and dig into how modern security teams escalate critical vulnerabilities—so you know exactly when to sound the alarm.

The Fire Alarm Model for Vulnerability Escalation

Your security team has to be ready to act quickly when a vulnerability is disclosed. Should you raise the alarm and rush to implement a patch, or can it wait until the next scheduled update? Follow Raf’s fire alarm model to fine-tune your response strategy.

1. Assess the Technical Impact 

Consider: Blast radius, affected systems

The first step is to understand the blast radius: which systems, assets, and environments are affected? If a vulnerability impacts mission-critical infrastructure, the stakes are higher, and immediate remediation may be necessary.

Raf emphasizes key considerations when evaluating impact:

"Are we impacted by the CVE? And if we are, what's the exposure of this impact?” said Raf. “A vulnerability on an internal server that has no access to anything important is not as critical as one that is on a public-facing web server that has sensitive data. The other thing that we consider: Is this something that is currently being exploited?”

2. Understand the Business Impact 

Consider: Revenue impact, compliance risk

Teams need to assess whether the vulnerability impacts revenue-generating systems, sensitive customer data, or compliance requirements. If a quick patch leads to downtime, security teams must consider whether the risks associated with the fix outweigh those posed by the vulnerability itself.

3. Determine if It's Being Actively Exploited

Consider: Threat intelligence, industry reports

One of the biggest challenges in vulnerability management is determining if an exploit is currently being used. Vendors may not always provide clear information, so security teams often depend on real-time threat intelligence, industry reports, and collaboration with other organizations to assess whether attackers are already exploiting the vulnerability.

4. Coordinate the Response

Consider: Cross-team response, runbook creation

When escalation is necessary, response efforts need to be rapid and coordinated. IT, cloud, network, and security teams need to work in sync, while leadership must be kept informed of the strategy. A well-defined incident response plan ensures teams act efficiently and avoid last-minute chaos.

Consider creating a runbook for critical vulnerability triage and escalation that outlines the communication channels (e.g., Slack, Teams) and systems of record (e.g., Jira, ServiceNow) for documenting decisions.

5. Document Lessons Learned

Consider: Process refinement, future preparedness

Every vulnerability response presents an opportunity for growth. Documenting what worked—and what didn’t—helps refine security processes, improve asset visibility, and strengthen future response efforts. Security teams should use these lessons to enhance preparedness for the next critical vulnerability.

How to Approach Zero-Day Vulnerabilities

While zero-days require prompt evaluation, not all of them necessitate immediate escalation. Others can be managed without pulling the fire alarm. Check out Raf’s key questions to consider when assessing real-time risk.

1. Is this being actively exploited?

• Have attackers already weaponized it?

• Do threat intel reports confirm real-world exploitation?

1. How easy is it to exploit?

• Does the vulnerability require specialized knowledge and resources, or can it be exploited using publicly available tools?

• Can it be exploited remotely, or does it need local access?

2. What’s the blast radius?

• Does it impact business-critical systems, regulated data, or production environments?

• Could it cause operational downtime, financial loss, or reputational damage?

• Do you have mitigating controls?

Criteria to Determine If a Zero-Day Can Wait

Your team should adopt a structured approach to determine whether an urgent response is needed or if temporary mitigations can be implemented until a patch is released. Here’s how to determine if a zero-day can wait:

• It’s mitigated by existing security controls. (Network segmentation, Web Application Firewall, or Intrusion Prevention System rule protecting against that specific threat)

• It’s already scheduled in an upcoming patch cycle. (No need for emergency intervention)

• There’s no evidence of exploitation in the wild. (High severity ≠ active attack)

• The impact is isolated. (A low-risk internal system vs. a public-facing customer database)

Making the Right Call at the Right Time in Vulnerability Management

The journey to more comprehensive, risk-based vulnerability management begins with adopting a structured, intelligence-driven approach. This means prioritizing risks based on factors like impact, exploitability, exposure, and mitigation—rather than relying on headlines or gut feelings. 

To learn how high-performing security teams scale vulnerability management, join us for our webinar, 7 Best Practices for Vulnerability Management in a World of Noise.

We’ll explore:

• Why security is facing a scalability crisis

• The 7 best practices to handle vulnerability management

• Resources and an action plan to apply the best practices in your environment

Register for the webinar today.