The Zero-Day Exploit Economy in 2028: Underground Markets, Nation-State Stockpiles, and the $10 Million Vulnerability

An in-depth analysis of the zero-day exploit market as it approaches 2028 — examining broker pricing, government acquisition programs, the ethics of vulnerability stockpiling, and the growing tension between offensive and defensive cybersecurity.

The zero-day exploit market has undergone a transformation so profound over the past decade that its 2028 incarnation bears almost no resemblance to the shadowy forums of the early 2010s. What was once a niche ecosystem of freelance researchers selling vulnerability chains to a handful of government contractors has metastasized into a multi-billion-dollar industry with institutional buyers, tiered pricing models, and a geopolitical significance that now rivals conventional arms markets. Understanding how this market operates — and where it is heading — is essential for anyone responsible for defending networks, shaping policy, or assessing national security risk.

The Price of Silence: How Zero-Days Are Valued in 2028

The economics of zero-day exploits are governed by a deceptively simple principle: a vulnerability is worth what the most motivated buyer will pay, and the most motivated buyers are governments. In 2025, Zerodium’s publicly listed acquisition prices topped $2.5 million for a full-chain iOS remote code execution exploit with persistence. By early 2026, private broker transactions have reportedly crossed the $10 million threshold for certain Android and iOS zero-click exploit chains — prices that reflect both the increasing difficulty of finding such vulnerabilities and the strategic value governments place on mobile surveillance capabilities.

The pricing stratification has become remarkably sophisticated. Tier-one exploits — zero-click, remote, full-chain compromises of major mobile operating systems — command the highest premiums. These are the crown jewels of offensive cyber operations, enabling intelligence agencies to compromise targets without any user interaction. A single such chain can provide access to the communications, location data, and stored credentials of any individual carrying a targeted device.

Tier-two exploits target enterprise software: Microsoft Exchange, Citrix ADC, VMware ESXi, Fortinet FortiOS, and other widely deployed infrastructure platforms. These vulnerabilities are priced lower than mobile chains — typically in the $500,000 to $2 million range — but their strategic value is immense because they provide access to corporate networks, government systems, and critical infrastructure.

Tier-three exploits target less common software or require user interaction (such as opening a malicious document). These trade in the $50,000 to $500,000 range and constitute the bulk of the market by volume.

The Broker Ecosystem: From Zerodium to Sovereign Funds

The zero-day broker landscape in 2028 is dominated by a handful of key players operating in a legal grey zone that varies by jurisdiction. Zerodium, founded by Chaouki Bekrar in 2015, remains the most publicly visible acquisition platform, though its dominance has eroded as competitors have emerged and governments have developed in-house acquisition capabilities.

The most significant development has been the emergence of what intelligence analysts call “sovereign exploit funds” — government-backed entities that operate dedicated vulnerability acquisition programs with annual budgets exceeding $100 million. The United States, through a combination of NSA’s Tailored Access Operations, CIA’s Center for Cyber Intelligence, and U.S. Cyber Command, maintains the largest known acquisition program. But China’s Ministry of State Security, Russia’s GRU and FSB, Israel’s Unit 8200, and at least a dozen other nations now operate sophisticated programs of their own.

The 2023 Chinese regulation requiring all vulnerability disclosures to be reported to the government within 48 hours effectively nationalized China’s zero-day pipeline. Chinese security researchers — among the most skilled in the world, as demonstrated by their dominant performance at Pwn2Own competitions — now feed their discoveries into a state-controlled ecosystem. Western intelligence officials assess that this regulation alone has provided China with a strategic advantage in exploit availability that will take years to counterbalance.

Private-sector exploit brokers have also diversified their business models. Companies like NSO Group, which was placed on the U.S. Commerce Department’s Entity List in 2021, have been joined by Intellexa, Candiru, QuaDream, Paragon, and numerous less visible firms that develop and sell turnkey surveillance solutions built on zero-day exploit chains. The market for “access-as-a-service” — where the buyer pays for the capability to compromise a target without receiving the underlying exploit code — has grown rapidly.

Vulnerability Stockpiling: The Arms Control Debate Nobody Is Having

The fundamental tension at the heart of the zero-day market is the conflict between offensive and defensive equities. When a government discovers or acquires a zero-day vulnerability, it faces a choice: disclose the vulnerability to the vendor so it can be patched (benefiting everyone who uses the software), or keep it secret for use in intelligence operations and cyberattacks (benefiting national security but leaving millions of systems vulnerable).

The United States formalized this decision-making process through the Vulnerabilities Equities Process (VEP), first established under the Obama administration and updated under Trump and Biden. The VEP creates an interagency review board that evaluates each discovered vulnerability against criteria including the severity of the exploit, the prevalence of the affected software, the intelligence value of maintaining the capability, and the risk of independent discovery by adversaries.

In practice, the VEP has released a significant majority of vulnerabilities for patching. But critics argue that the process is opaque, that intelligence agencies have structural incentives to retain capabilities, and that the government’s track record includes catastrophic failures — most notably the NSA’s loss of the EternalBlue exploit, which was stolen by the Shadow Brokers group and subsequently used in the WannaCry ransomware attack that caused an estimated $8 billion in damages worldwide.

As of 2026, no international framework exists for governing the stockpiling of cyber weapons. The Wassenaar Arrangement includes “intrusion software” in its dual-use technology controls, but enforcement is inconsistent and the definitions are poorly calibrated to the realities of the exploit market. Multiple proposals for “cyber arms control” treaties have been floated in academic and diplomatic circles, but none has gained meaningful traction.

The problem is structural. Unlike nuclear weapons, which require rare materials and massive industrial capacity, zero-day exploits can be discovered by a talented individual with a laptop. Unlike chemical or biological weapons, cyber weapons leave no physical trace and attribution is inherently uncertain. And unlike conventional arms, cyber weapons are often single-use — once an exploit is used and detected, it can be patched, rendering the entire investment worthless.

The AI Factor: Machine-Discovered Vulnerabilities

The most significant development reshaping the zero-day landscape is the application of artificial intelligence to vulnerability discovery. Google’s Project Zero and DeepMind teams demonstrated in 2024 that large language models could identify previously unknown vulnerabilities in open-source software. By 2025, multiple companies — including Trail of Bits, Semgrep, and several startups — were offering AI-powered vulnerability discovery tools.

The implications are profound. If AI systems can discover vulnerabilities at scale, the historical scarcity that underpinned the zero-day market’s economics could be disrupted. A world in which thousands of zero-day vulnerabilities are discovered monthly — rather than dozens — would fundamentally alter the balance between offense and defense.

On the offensive side, nation-states with advanced AI capabilities could discover vulnerabilities faster than vendors can patch them, creating a permanent advantage for attackers. On the defensive side, the same AI tools could be used for proactive discovery and patching, potentially closing vulnerabilities before they are exploited. The outcome depends on whether the AI advantage accrues more to attackers or defenders — a question that remains genuinely uncertain.

What is clear is that the barrier to entry for zero-day discovery is falling. The combination of fuzzing automation, AI-assisted source code analysis, and binary analysis tools means that mid-tier nation-states and well-resourced criminal organizations can now discover zero-day vulnerabilities that were previously accessible only to the most sophisticated intelligence agencies.

Looking Toward 2028: The Converging Storm

Several trends are converging to make the zero-day landscape in 2028 significantly more dangerous than it is today. The attack surface continues to expand as IoT devices, autonomous vehicles, medical implants, and industrial control systems proliferate. Each new category of connected device introduces new classes of vulnerabilities.

The geopolitical environment is deteriorating. U.S.-China technological competition, the Russia-Ukraine conflict, Middle East instability, and rising tensions in the Indo-Pacific all create incentives for governments to invest in offensive cyber capabilities. The 2028 U.S. presidential election cycle will create additional demand for surveillance and information operations capabilities.

Memory-safe languages like Rust are gradually reducing the incidence of certain vulnerability classes (buffer overflows, use-after-free), but the transition is measured in decades, not years. Legacy C and C++ codebases will remain in production — and remain vulnerable — through 2028 and far beyond.
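To make the two vulnerability classes named above concrete, the following C snippet is an added example and not code from the original article. It places the legacy unchecked copy into a fixed-size buffer (the shape of a buffer overflow) beside a bounded copy that rejects oversized input instead of silently truncating, and adds a release helper that clears the caller's pointer in the same step as the free, so a later use faults on NULL rather than reading freed memory (the dangling-pointer form of use-after-free). The buffer size, function names, record type and sample strings are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the demonstration */

/* Legacy pattern: strcpy copies until the source's NUL byte and never
   consults the destination's capacity, so any source of NAME_LEN or more
   bytes writes past the end of `dst`. Shown only for contrast; nothing in
   this file calls it. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: measure the source against the destination capacity and
   refuse (rather than truncate) when it does not fit, terminator included.
   Returns true on success, false if the input was rejected. */
bool copy_name_checked(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0) {
        return false;
    }
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') {   /* never scans past dst_len */
        n++;
    }
    if (n >= dst_len) {
        dst[0] = '\0';                        /* leave a valid empty string */
        return false;
    }
    memcpy(dst, src, n + 1);                  /* n bytes plus the terminator */
    return true;
}

/* Use-after-free side: a heap record whose owner releases it through a
   helper that also clears the caller's pointer. */
struct record {
    char name[NAME_LEN];
    int id;
};

struct record *record_new(int id, const char *name) {
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL) {
        return NULL;
    }
    r->id = id;
    if (!copy_name_checked(r->name, sizeof r->name, name)) {
        free(r);                              /* reject oversized names */
        return NULL;
    }
    return r;
}

/* Takes the address of the caller's pointer so the dangling reference is
   removed at the moment the memory is freed. */
void record_release(struct record **rp) {
    if (rp == NULL || *rp == NULL) {
        return;
    }
    free(*rp);
    *rp = NULL;
}

/* Small self-checks that return results instead of only printing them. */
bool demo_accepts_short(void) {
    char buf[NAME_LEN];
    return copy_name_checked(buf, sizeof buf, "analyst") &&
           strcmp(buf, "analyst") == 0;
}

bool demo_rejects_long(void) {
    char buf[NAME_LEN];
    const char *too_long = "this-string-is-too-long-for-the-buffer";
    bool copy_refused = !copy_name_checked(buf, sizeof buf, too_long);
    bool alloc_refused = record_new(1, too_long) == NULL;
    return copy_refused && buf[0] == '\0' && alloc_refused;
}

bool demo_pointer_cleared(void) {
    struct record *r = record_new(7, "ops");
    if (r == NULL) {
        return false;
    }
    record_release(&r);
    record_release(&r);       /* second release is a harmless no-op */
    return r == NULL;
}

int main(void) {
    printf("short input accepted:    %d\n", demo_accepts_short());
    printf("oversized input rejected: %d\n", demo_rejects_long());
    printf("pointer cleared on free:  %d\n", demo_pointer_cleared());
    return 0;
}
```

The bounded copy deliberately fails closed: a name that does not fit is rejected and the caller learns about it, whereas a truncating `strncpy` would hide the condition and can leave the buffer unterminated. The release helper is the C-level discipline a Rust borrow checker enforces automatically; it does not catch every use-after-free (a second copy of the pointer elsewhere still dangles), which is the article's point about why the language transition, not just coding discipline, matters.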

The zero-day market is not going away. It is professionalizing, expanding, and becoming more deeply integrated into the machinery of national security. Whether the world develops governance frameworks adequate to manage this reality — or simply allows the exploit market to operate as a de facto unregulated arms bazaar — may be one of the defining cybersecurity questions of the next decade.
