It accounts for the number of days the cybersecurity professional is aware of the vulnerability, which is zero. The attack will be considered a Zero-Day attack until the vulnerability gets patched. Once reported, these attacks will be added to the Common Vulnerabilities and Exposures (CVE) list under zero-day attacks.