
Zero-Day Discovery

Finding novel vulnerabilities before they are publicly disclosed.

What is zero-day discovery?

A zero-day is a vulnerability that has not yet been publicly disclosed or assigned a CVE. Zero-day discovery is the practice of proactively finding these issues in the open-source code your applications depend on — before an adversary does, and before the maintainer publishes an advisory.

It is fundamentally different from traditional software composition analysis (SCA). SCA matches your dependency versions against a database of disclosed CVEs. Zero-day discovery assumes no such database entry exists yet — the analyzer has to reason about the code directly and decide whether a pattern of behaviour is exploitable.

How it works

Safeguard pairs a deterministic program-analysis engine with an LLM reasoning layer. The pipeline runs in three stages:

  1. Structural scan. The engine builds call graphs and taint flows across every package in scope and isolates suspicious patterns — unvalidated deserialization, untrusted input reaching eval-like APIs, path traversal shapes, prototype pollution vectors.
  2. LLM hypothesis. Each structural candidate is handed to Griffin AI with the surrounding code context. The model hypothesises exploit conditions, drafts a proof-of-concept input, and scores confidence. Pure pattern scanners cannot do this — they have no way to read intent.
  3. Validation and disclosure. High-confidence hypotheses are validated against the code and, where appropriate, coordinated with the upstream maintainer under responsible disclosure. Customers get visibility into reachable zero-days in their own dependency graph before anyone files a CVE.
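A toy version of the structural-scan stage, added here as an illustration (it is not Safeguard's engine or Griffin AI's code): an intra-procedural taint pass over Python source that treats function parameters and request accessors as untrusted and reports where they reach eval-like, shell or deserialization sinks, which is the kind of candidate the pipeline then hands to the reasoning layer. The source, sink and sanitizer sets are assumptions chosen for the demo, and `SAMPLE` is constructed dependency code.

```python
import ast

# Added example, not Safeguard's engine: a minimal intra-procedural taint pass
# that flags untrusted data reaching eval-like or deserialization sinks.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"eval", "exec", "os.system", "pickle.loads", "yaml.load"}
SANITIZERS = {"int", "float"}  # casts whose result cannot carry code or shell syntax

class TaintScan(ast.NodeVisitor):
    # Walks one function in source order; its parameters start out untrusted.
    def __init__(self, func):
        self.tainted = {a.arg for a in func.args.args}
        self.findings = []
        self.visit(func)

    def is_tainted(self, expr):
        return any((isinstance(n, ast.Name) and n.id in self.tainted)
                   or (isinstance(n, ast.Call) and ast.unparse(n.func) in SOURCES)
                   for n in ast.walk(expr))

    def visit_Assign(self, node):
        self.visit(node.value)  # sinks on the right-hand side are checked first
        names = {t.id for t in node.targets if isinstance(t, ast.Name)}
        v = node.value
        clean = isinstance(v, ast.Call) and ast.unparse(v.func) in SANITIZERS
        if self.is_tainted(v) and not clean:
            self.tainted |= names
        else:
            self.tainted -= names  # overwritten with a clean value: taint cleared

    def visit_Call(self, node):
        sink = ast.unparse(node.func)
        if sink in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((sink, node.lineno))
        self.generic_visit(node)  # nested calls, e.g. eval(input())

def find_tainted_sinks(source_code):
    # Return [(sink, line)] over every top-level function in the module.
    return [hit for f in ast.parse(source_code).body
            if isinstance(f, ast.FunctionDef) for hit in TaintScan(f).findings]

# Constructed sample dependency code: two of the three sinks are reachable.
SAMPLE = '''import os, pickle
def load(blob):
    return pickle.loads(blob)      # caller-controlled blob: flagged
def run(n):
    n = int(n)
    os.system("sleep %d" % n)      # sanitised by int(): not flagged
def shell(request):
    user = request.args.get("q")
    os.system(user)                # flagged
'''
```

Running `find_tainted_sinks(SAMPLE)` yields `[("pickle.loads", 3), ("os.system", 9)]`; a real engine would add inter-procedural call-graph propagation and branch merging, which this straight-line walk deliberately omits.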

Why it matters

The CVE database is a lagging indicator. By the time a vulnerability shows up in NVD, it has often been in the code for months or years — and sophisticated attackers have had that same window to find it. Any program that only defends against disclosed CVEs is, by definition, always behind.

Zero-day discovery compresses that window. For enterprises running critical workloads on open-source software, it shifts the question from "are we patched on the latest advisories?" to "are there exploitable bugs in our stack that nobody has named yet?" — which is the question that actually correlates with breach risk.

What value it adds

  • Catches what CVE-matching cannot

    Pattern scanners and SCA tools are blind to anything without an advisory. Zero-day discovery finds the unknown unknowns.

  • Compresses the attacker head-start

    If your analyzer finds the bug before disclosure, you patch before the exploit window opens — rather than racing the rest of the industry afterwards.

  • Produces evidence, not speculation

    Each finding comes with call-graph context and a drafted PoC. Engineering can reproduce it in hours instead of debating severity for weeks.

  • Builds leverage with upstream maintainers

    Coordinated disclosures turn your security program into a net contributor to the ecosystems you depend on — an increasingly tangible compliance asset.

  • Hardens tier-0 systems

    Pre-disclosure visibility is the only defensible story for regulators and customers asking "what about the vulns nobody knows about yet?"

How Safeguard uses it

Zero-day discovery is a first-class product surface in Safeguard. It builds directly on reachability and taint analysis, and is driven by Griffin AI's reasoning layer. See the full use-case page for examples and engine detail.

Find zero-days in your stack.

Point Safeguard at a repo. Get back reachable, pre-disclosure vulnerabilities with drafted PoCs.