The annual release of the Google Threat Intelligence Group (GTIG) report, "Look What You Made Us Patch: 2025 Zero-Days in Review," serves as more than a post-mortem of security failures. It is a leading indicator of how adversary resource allocation is evolving. In 2025, we witnessed a definitive structural shift: the "Industrialization of Zero-Days." Attackers have moved past opportunistic consumer-grade exploits toward the high-value, systemic compromise of enterprise infrastructure.
The New Normal: 90 Zero-Days and the Enterprise Pivot
According to the GTIG, 90 zero-day vulnerabilities were tracked in 2025, a significant volume that confirms exploitation is no longer a rare event but a persistent operational reality. For the first time, enterprise-specific technologies—networking gear, VPNs, and security appliances—accounted for 48% of all zero-day exploitations. This represents a measurable shift in attacker targeting behaviour, with enterprise infrastructure now a primary focus rather than a secondary concern.
This shift suggests that the hardening of consumer platforms, such as browsers and mobile operating systems, is working. However, it has displaced the risk to the enterprise perimeter. As organisations adopt multi-cloud and hybrid environments, the "blind spots" in edge devices have become the primary entry points for sophisticated actors.
The Rise of Commercial Surveillance and State-Sponsored Convergence
A critical insight from the 2025 data is the dominance of Commercial Surveillance Vendors (CSVs). These entities, often operating in a "gray market," were credited with 15 zero-day exploitations, surpassing the 12 attributed to traditional state-sponsored espionage groups. This democratisation of high-end cyber weaponry means that mid-market organisations now face the same level of sophistication previously reserved for national governments.
Why This Matters to Your Business: Risk and Budget Decisions
The 2025 data tells a simple story: attackers are now targeting the unglamorous infrastructure that runs your business—the routers, firewalls, and VPNs that connect your offices and data centres. This is not abstract security risk. It is a budget and vendor management problem.
Your Vendors May Not Be Ready. When attackers exploit vulnerabilities in networking equipment or security appliances, the vendor's ability to respond matters as much as your defences. A small vendor with limited engineering resources cannot patch flaws as quickly as Google can patch Chrome. Yet you may have no alternative—you have already committed to their products. This means your procurement decisions are now risk decisions. When you buy a router or firewall, you are implicitly accepting the vendor's response speed and security culture as part of your risk profile.
Before your next major infrastructure purchase, ask your vendor: How long does it take you to patch a critical flaw? What is your process when a zero-day is discovered in the wild? Can you tell us publicly how quickly you respond? Vendors who cannot answer these questions clearly are asking you to absorb risk they should be managing.
Budget Shift: From Walls to Response. For decades, security budgets focused on prevention—building walls higher, adding more locks. The 2025 data shows this approach no longer works. Attackers will find vulnerabilities. Your money is better spent on speed of response: Can you detect an intrusion quickly? Can you isolate the affected system without shutting down the whole business? Can you restore operations fast?
This means your CFO should expect a budget conversation about resilience, not prevention. Instead of asking "How do we stop attacks?" the better question is "When we are attacked, how fast can we recover?" Organisations that answer this question well will survive breaches with minimal damage. Those that do not will face months of downtime and recovery costs.
What Your Organisation Should Do
The Google report points to two practical steps:
- Know What You Own: You cannot protect systems you do not know exist. Many organisations no longer have a complete record of their routers, firewalls, and edge devices, especially in hybrid and multi-cloud environments. Your first task is to inventory every internet-facing device. This sounds basic, but most organisations fail at it.
- Assume You Will Be Breached: Instead of spending endlessly on prevention, build your systems so that a breach in one part does not shut down everything. If a router is compromised, can attackers reach your data? Or is it isolated behind additional layers? This is called segmentation, and it is your best defence against the inevitable.
Building Resilience Into Your Strategy
The core lesson from the Google report: your organisation's ability to recover matters more than your ability to prevent attacks. Here is what that means in practice:
- Inventory Everything: You cannot protect what you cannot see. Keep a complete, up-to-date list of all systems connected to the internet. When a new vulnerability is announced, you need to know within hours whether you are affected.
- Demand Accountability From Vendors: When you buy infrastructure software or equipment, make vendor response time a contract requirement. If a critical flaw is found, how long until a patch? This should be in writing before you sign the deal.
- Plan for Recovery, Not Just Prevention: Build your systems assuming they will be compromised at some point. Can you isolate the problem? Can you switch to a backup system? Can you restore operations without losing everything? This is better risk management than hoping an attack never happens.
The Executive Take: Five-Year Budget and Risk Strategy
For boards and executive leadership, the 2025 zero-day trend signals one clear message: assume breaches will happen. This should change how you budget and build your systems.
Instead of asking security teams "How do we stop attacks?" start asking "When we are attacked, how quickly can we recover?" The organisations spending smart money over the next five years are those that shift budgets from prevention (which is increasingly futile) toward resilience (which actually saves money when things go wrong).
Concretely, this means: invest in systems that isolate problems, invest in vendors who respond fast to flaws, and invest in teams that can restore operations quickly. The companies that do this well will pay far less for breach recovery than those that do not. It is straightforward business risk management.
Works Cited
Google Cloud Blog. "Look What You Made Us Patch: 2025 Zero-Days in Review." 5 Mar. 2026. https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review
Infosecurity Magazine. "Zero-Day Attacks on Enterprise Software Reach Record High, Google Warns." 6 Mar. 2026. https://www.infosecurity-magazine.com/news/zero-day-enterprise-record-high/
SecurityWeek. "Google: Half of 2025's 90 Exploited Zero-Days Aimed at Enterprises." 5 Mar. 2026. https://www.securityweek.com/google-half-of-2025s-90-exploited-zero-days-aimed-at-enterprises/
