The challenge is in the name: Zero-day attacks don’t wait for a convenient moment. They arrive before there’s a known fix, before teams fully understand the blast radius and often before leaders have a clear answer to the most basic question: “What exactly is happening?” In that moment, an incident response plan becomes more than a document. It becomes a stress test of how well an organization can coordinate a solution and make critical decisions with limited information and zero warning.
That kind of pressure can expose system and human weaknesses that routine drills miss. With exploited zero-day vulnerabilities affecting enterprise technologies reaching an all-time high in 2025, leaders must act now to strengthen weak links in the response chain: slow-moving approval protocols, communication channels that break down, and assumptions about staff, systems and partner readiness that don’t hold true. The risk isn’t limited to technical disruption: A poorly handled response can affect operations, customer trust, regulatory exposure and reputation all at once.
While zero-day attacks strike without warning, it doesn’t mean organizations can’t prepare. Members of the Senior Executive Cybersecurity Think Tank bring deep expertise in enterprise cybersecurity strategies, data breach prevention, risk management and modern security leadership. Below, three of them share what zero-day incidents reveal about incident response readiness and how organizations can build teams capable of withstanding the pressure.
Build Human Capability, Not Technical Perfection
David Etue, Chief Strategy Officer at Cyberbit, sees zero-day incidents as a test of far more than technical tooling. In the highest-pressure moments, human capabilities—learning, communicating and adapting—are critical.
“In a zero-day incident, technical skills and telemetry are the cost of admission,” Etue says. “These events are a ‘human systems’ shock, but you can prepare.”
That preparation has to extend beyond knowing which tools to use or which steps appear in the plan. In a zero-day incident, time is of the essence, so muscle memory is essential. To build high-performing teams, Etue recommends regular practice and learning, including cyber range events, tabletop exercises and post-event retrospectives. And since events may move faster than formal structures can handle, he stresses that employees can’t always wait for permission before taking action.
“Role and goal clarity matters. Rigid hierarchies collapse under stress,” Etue says. “Playbooks are critical, but when they are incomplete, you need the frontline to be empowered versus waiting for a board meeting.”
The superpower organizations need for effective zero-day response? Etue says it’s soft skills.
“Great communication and collaboration increases speed,” he says. “Too often, traditional systems are slow and may even be compromised. Teams that self-assemble and share information well outperform their counterparts.”
For Etue, zero-day resilience depends on investing in people as much as processes or platforms.
“Focus on human capability, not technical perfection, to shine in the most challenging incidents.”
Train Teams to Make Decisions Without Perfect Information
Boyd Clewis, CEO of Genesis Security and Compliance, says leaders who expect a zero-day incident to play out like the scenarios already written into their response plans are in for a rude awakening.
“The assumption that fails first is that your runbook will hold,” Clewis says. “Zero days don’t follow your playbook because your playbook was built around known threats.”
That doesn’t mean planning has no value. Instead, it means incident response teams need to train for the parts of a crisis that can’t be fully scripted: incomplete data, fast-moving risk and decisions that can’t wait for perfect consensus.
“What survives is the team’s ability to triage in real time, communicate cleanly across functions and make irreversible decisions without perfect information,” Clewis says. “Train for that, not for the runbook.”
He explains that this kind of readiness requires practice and permissions that reflect the uncertainty of a real attack. He suggests running unannounced exercises where the scenario isn’t in any document, along with empowering the IR lead to make containment calls without waiting for a committee. Further, he emphasizes that cross-functional relationships need to be established before an emergency strikes.
“Structure the team so engineering, legal, comms and leadership are already in the same room before the incident, because you don’t build those relationships at 3 a.m. with the network on fire.”
Strengthen Governance Before a Crisis
Bhavya Bhandari, Cybersecurity Risk Management Leader, Financial Services at Ernst & Young US LLP, says zero-day incidents quickly test whether an organization’s normal processes are built for real pressure.
“Several assumptions tend to fail under zero-day attack norms—especially the standard approval and communication processes,” he says.
That failure can have consequences far beyond the security function. A zero-day event may begin as a technical issue, but if teams haven’t been properly trained to respond, risk and impact spread rapidly.
“Zero-day events can quickly translate into enterprisewide issues, disrupting business operations and impacting reputation and trust,” Bhandari says.
He highlights the importance of strong response structures to help ensure an organization isn’t improvising its leadership model in the middle of an event.
“Organizations that establish and maintain governance and oversight across incident response appear to be more resilient.”
Strengthen the Human Side of Zero-Day Response
- Train for uncertainty, not just procedure. Zero-day attacks rarely follow the exact path documented in a runbook, so response teams need practice making decisions with incomplete information.
- Make role clarity a priority before pressure hits. Teams move faster when they already understand who owns containment, communication, escalation and business decisions.
- Empower frontline responders to act when waiting creates more risk. During a fast-moving incident, rigid hierarchies and slow approval chains can undermine response and containment.
- Treat communication as a core response capability. Promptly sharing clear information across security, engineering, legal, communications and leadership teams strengthens coordination when systems are unstable or compromised.
- Build governance before the crisis begins. Strong oversight, defined processes and cross-functional alignment make it less likely that leaders will have to invent a response model during an enterprisewide disruption.
- Use exercises to expose the assumptions most likely to fail. Cyber range events, tabletop exercises, unannounced scenarios and post-event retrospectives can reveal gaps in permissions, relationships and decision-making before an actual zero-day incident does.
Resilience Depends on Readiness
Zero-day incidents put organizations under immediate pressure because they remove the familiarity of known threats, tested fixes and complete information. Technical skills matter, but teams also need practiced judgment, clear roles, trusted relationships, strong governance and the authority to act quickly.
As zero-day exploitation continues to challenge enterprise defenses, incident response readiness will become a larger measure of overall business resilience. Organizations that prepare people, processes and leadership structures before a crisis will be better positioned to contain disruption, protect trust and make sound decisions when there’s no perfect answer.
