90 Zero-Day Exploits and Counting: Why Cybersecurity Is Now an SEO Problem

Most digital marketers don’t think about cybersecurity until something goes wrong. A website gets defaced. A client’s domain starts redirecting to a pharmacy spam page. A Google Search Console account lights up with manual action warnings for “hacked content.” By that point, the damage to organic visibility is already done, and the recovery timeline is measured in months, not days.

Cybersecurity and SEO have always been connected, but the scale of what’s happening right now makes it impossible to treat them as separate disciplines. Google’s Threat Intelligence Group published its annual zero-day review in March 2026, and the numbers paint a picture that anyone investing in organic search, link building, or content marketing needs to understand.

What Is a Zero-Day Exploit and Why Should You Care

Before getting into the data, it helps to understand what a zero-day actually is, because the term gets thrown around a lot without much explanation.

A zero-day vulnerability is a security flaw in software that the software maker doesn’t know about yet. No patch exists. No fix has been issued. The name comes from the fact that developers have had “zero days” to address the problem. A zero-day exploit is what happens when an attacker discovers one of these unknown flaws and uses it to break into a system before anyone on the defensive side even knows the door is open.

What makes zero-days particularly dangerous is the asymmetry. The attacker knows about the vulnerability. The software vendor doesn’t. The security team doesn’t. The users don’t. Until someone detects the intrusion or the flaw gets publicly reported, the attacker has unrestricted access through a hole that nobody is watching.

For website owners, this matters because every piece of software in your stack is a potential target. Your CMS, your hosting platform, your SSL VPN, your email server, the plugins running on your blog, the security appliance sitting at your network perimeter. If any of those have an undiscovered vulnerability, and someone finds it before the vendor does, your entire digital presence is at risk.

90 Zero-Days in a Single Year: What Google Found

Google Threat Intelligence Group (GTIG) published its annual zero-day review in March 2026, covering exploitation activity through the end of last year. The report tracked 90 zero-day vulnerabilities that were exploited in the wild during that period. To be clear about what “exploited in the wild” means: these aren’t theoretical vulnerabilities found in a lab. These are flaws that real attackers used against real targets in real attacks, before patches were available.

The 90 figure is higher than 2024’s count of 78, though lower than the record of 100 set in 2023. What stands out isn’t any single year’s number but the sustained elevation. Over the past five years, annual zero-day counts have fluctuated between 60 and 100, a range that would have been unthinkable a decade ago when the numbers sat in the low 30s. The floor has permanently risen, and that baseline isn’t coming back down.

Enterprise Software Is Now the Primary Target

The most consequential finding in the latest data is the continued shift toward enterprise targets. Nearly half of all zero-days exploited last year, 43 out of 90, targeted enterprise software and infrastructure. Both the raw number and the proportion (48%) reached all-time highs.

What does “enterprise software” mean in practice? Security appliances like firewalls and intrusion detection systems. Networking equipment like routers and switches. VPN products from vendors like Ivanti and SonicWall. Virtualization platforms like VMware. Email servers. Business applications. The entire category of software that organizations depend on to operate, including the infrastructure that websites run on top of.

Microsoft products alone accounted for 25 of the 90 zero-days. Google had 11. Cisco and Fortinet had 4 each. Ivanti and VMware had 3 each. Twenty other vendors were each hit with at least one zero-day.

The reason enterprise targets are so valuable to attackers is what comes after the initial breach. A compromised consumer device affects one person. A compromised enterprise appliance, a VPN concentrator, a firewall, an email gateway, gives attackers privileged access across entire networks. One vulnerability in one device can open the door to everything behind it. For organizations running web properties, that “everything” includes the servers, databases, and content management systems that power their online presence.

Edge devices are especially attractive because most of them don’t run endpoint detection and response (EDR) tools. Routers, switches, and security appliances sit at the perimeter of an organization’s network, but they’re often blind spots for security monitoring. An attacker who compromises an edge device can operate undetected for far longer than one who lands on a monitored endpoint. GTIG noted that 14 zero-days last year targeted edge devices, and that the true number is likely higher because the lack of monitoring means many compromises simply aren’t discovered.

Browsers Got Harder to Crack, So Attackers Went Around Them

Browser-based zero-days dropped to less than 10% of the total last year, a sharp decline from the browser-heavy years of 2021 and 2022. Chrome, Safari, and Firefox have invested heavily in sandboxing, memory safety improvements, and exploit mitigations over the past several years, and those investments are paying off. Exploiting a modern browser is significantly harder than it used to be.

But attackers don’t stop when one path closes. They adapt. The decline in browser exploits coincided with a rise in operating system vulnerabilities, which accounted for 44% of all zero-days last year. Mobile OS exploitation jumped from 9 zero-days in 2024 to 15. Desktop OS exploitation fluctuated between 16 and 23 annually.

The pattern matters because it shows how the threat landscape responds to defensive improvements. Browser hardening didn’t reduce the total number of zero-days. It redirected them. Attackers moved to operating systems, server infrastructure, and the enterprise tools that sit upstream from the browser. For website owners, that upstream infrastructure is exactly where your digital presence lives.

Who Is Doing the Exploiting and Why It Matters

GTIG was able to attribute 42 of the 90 zero-days to specific threat actors. The breakdown challenges some common assumptions about who is behind these attacks.

Commercial surveillance vendors (CSVs) accounted for the largest share, roughly 35% of attributed exploits. These are private companies that develop and sell hacking tools, often to government clients. For the first time since Google began tracking zero-day exploitation, CSVs surpassed traditional state-sponsored espionage groups. The surveillance industry is growing, its tools are proliferating to a wider customer base, and its capabilities are expanding. The exploits these vendors develop target the same consumer devices and enterprise platforms that everyone uses.

State-sponsored cyber espionage groups linked to China remained the most active single-country actor, responsible for at least 10 zero-days. These groups focused heavily on security appliances and edge networking devices, aiming to maintain persistent, difficult-to-detect access to strategic targets.

Financially motivated cybercriminals, including ransomware operators, were tied to 9 zero-days. Groups affiliated with the CL0P extortion brand targeted Oracle E-Business Suite customers. A Russian-linked group used a zero-day to distribute malware. The financially motivated category represents a higher proportion of total attributed exploits than in previous years, and these are the threat actors most likely to target businesses indiscriminately, including businesses whose primary asset is their web presence.

What Google’s CEO Said About AI and Zero-Days

The timing of the GTIG report coincided with some unusually candid public comments from Google CEO Sundar Pichai that put the zero-day problem in a broader context.

Speaking on the Cheeky Pint podcast with Stripe CEO Patrick Collison, Pichai framed cybersecurity as one of the hidden constraints on AI deployment, alongside memory supply and energy infrastructure. He wasn’t talking about it as a future concern. He described it as something that may already be happening, saying that AI models are going to break most existing software and that the breaking may have already started without anyone fully realizing it.

The conversation got more specific when someone mentioned that black-market prices for zero-day exploits might be falling, the theory being that AI is increasing the supply of discoverable vulnerabilities. If AI tools can scan codebases and identify flaws faster than human researchers, the supply of exploitable bugs goes up, and market dynamics push prices down. Pichai said he wasn’t surprised by that possibility.

What makes Pichai’s comments significant isn’t just the content but the source. Google operates one of the largest vulnerability research programs in the world through Project Zero and GTIG. When the CEO of that company says publicly that AI is going to break most existing software, and that it might already be happening, he’s speaking from an informed position.

Pichai also made a point about the coordination gap. He said the situation requires more coordination between companies, governments, and security researchers, coordination that isn’t happening today. He predicted a potential “sharp moment” ahead where the consequences of that coordination gap become impossible to ignore.

Google’s own threat intelligence team echoed this in the GTIG report’s 2026 forecast section. The report stated that AI will accelerate the race between attackers and defenders. On the offensive side, adversaries will use AI to speed up reconnaissance, vulnerability discovery, and exploit development. On the defensive side, AI-powered tools and agentic security systems will help detect and patch vulnerabilities before exploitation. The question isn’t whether AI reshapes cybersecurity. The question is which side benefits more, and how fast the shift happens.

For anyone running a website or managing digital assets, the implications are concrete. The volume of discoverable vulnerabilities in the software you depend on is likely to increase. The speed at which those vulnerabilities get exploited is likely to increase. The window between a flaw being discovered and a patch being available, which is already the defining characteristic of zero-day exploitation, could shrink even further on the attacker’s side while growing on the defender’s side.

Why This Is an SEO Problem

Everything above might read like a cybersecurity story that doesn’t belong on a digital marketing blog. But the consequences of these trends land directly on organic search performance, and they do so in ways that are difficult to reverse.

When a website gets compromised, the most immediate SEO impact comes from Google’s Safe Browsing system. Once Google detects malware, phishing, or unwanted software on a domain, it can flag the site with interstitial warnings. The red screen that says “The site ahead contains harmful programs” appears between your domain and every visitor trying to reach it through Chrome, which holds roughly 65% of global browser market share. Organic click-through rates don’t gradually decline when that warning appears. They effectively drop to zero.

But the Safe Browsing warning is just the most visible consequence. Compromised sites frequently get injected with spam content, hidden links, or redirects that serve different content to Googlebot than to regular users (a practice called cloaking). Google’s algorithms are designed to detect and penalize cloaking. A hacked site that’s been injected with pharmaceutical spam or casino links can trigger algorithmic suppression or manual actions that take weeks to resolve even after the hack itself is cleaned up.

Then there’s the backlink damage. If your domain gets flagged, publishers who link to you will start noticing. Sites that earned you coverage through digital PR campaigns or placed contextual links through link insertion may remove those links or add nofollow attributes to protect their own domain authority. Backlinks that took months to build through guest posting relationships can evaporate in days once a partner site’s editorial team sees the Safe Browsing flag. And those links don’t automatically come back when the warning gets lifted. You have to rebuild the trust, and in many cases, rebuild the links from scratch.

The recovery timeline is punishing. Google doesn’t immediately recrawl and re-evaluate a site that’s been cleaned up. Recrawl rates can slow down for flagged domains. Manual action reviews take time. And even after the technical all-clear, rankings that took quarters to build can take just as long to recover, assuming competitors haven’t filled the gap in the meantime.

What Marketing Teams Can Actually Do

Most marketing teams don’t have direct control over their organization’s security posture. They can’t manage patch cycles, configure firewalls, or audit VPN appliances. But they can take steps that reduce their exposure and speed up recovery if something does go wrong.

Understanding what software your web presence depends on is a starting point. Which CMS are you running, and is it current? What plugins are active, and when were they last updated? Is your hosting provider transparent about their patching practices? These aren’t questions that require a security engineering background to ask. They require the same operational awareness that any marketing team applies to their analytics stack or their ad platform accounts.

Google Search Console’s security issues report is a tool that many marketers have access to but rarely check proactively. Setting up alerts for security issues, manual actions, and unusual indexing spikes can give you early warning if something goes wrong.

Having a response plan matters too. Knowing who to contact, what steps to take, and how to request a Google review after a cleanup isn’t something you want to figure out for the first time during a crisis. Document it in advance. Include your hosting provider’s security contact, your developer’s escalation process, and the steps required to submit a reconsideration request.

The Bigger Picture

The latest zero-day data doesn’t exist in isolation. It sits alongside Pichai’s public warning about AI breaking software, alongside the GTIG forecast about accelerating offensive capabilities, and alongside a sustained multi-year trend of elevated exploitation. The threat environment isn’t going back to where it was in 2019 when the annual zero-day count was 32.

For digital marketers, this means cybersecurity awareness isn’t optional background knowledge. It’s operationally relevant. The sites that maintain their organic visibility over the long term won’t just be the ones with the strongest content, the best backlink profiles, or the most consistent publishing cadence. They’ll be the ones that didn’t get breached while doing all of those things.