Racing the Patch: N-day Exploitation Patterns in Nation-State Cyber Operations (2024-2025)
Abstract:
Conventional narratives position zero-day exploits as the hallmark of Advanced Persistent Threat (APT) sophistication, shaping defensive resource allocation toward exotic threat detection. This study challenges that assumption through empirical analysis of 60 verified APT campaigns (January 2024-July 2025). Social engineering dominates initial access at 40%, while zero-day exploitation accounts for only 8.3%. N-day vulnerabilities exceed zero-days at 13.3%, suggesting time-to-patch matters more than exploit novelty. Dwell-time analysis reveals a detection paradox: living-off-the-land techniques persist longest (156 days), while zero-days are detected fastest (42 days). Defenders should prioritise identity-centric controls and accelerated patch-window closure over zero-day detection capabilities.
AUTHORS
Norwegian University of Science and Technology (NTNU)
Trondheim, Norway
Raymond Andre Hagen is a Senior Cyber Security Advisor at the Norwegian Digitalisation Agency (Digdir), where he works on national cybersecurity policy and strategy. He is concurrently completing an Industrial PhD at the Norwegian University of Science and Technology (NTNU), focusing on APT defence frameworks for resource-constrained organisations. With over 25 years of experience in information security, he serves on multiple international standardisation committees, has been CISSP certified since 2008, and is a liaison member of FIRST.org.
Published In
Journal of Information Warfare
The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.
Quick Links
Archive
