
Cyberattacks: what is a zero-day vulnerability, and why should you care?

iD4Connect

In 2026, the cybersecurity landscape is shifting. According to Google’s annual threat report, nearly half of the zero-day flaws exploited in 2025 targeted enterprise software, and not just any software: the very firewalls, VPNs, and security platforms that companies deploy to protect themselves. For regulated businesses, this raises a fundamental question: if your defenses can become the entry point, what really protects your data?

A zero-day vulnerability is a security flaw that no vendor has yet discovered and for which no patch exists. By definition, no antivirus, no firewall, and no detection rule can intercept it. The attacker knows about it. You don’t.

In 2025, Google identified 90 such flaws actively exploited in the wild, a 15% increase from 2024 (source: Google GTIG). But the most striking figure lies elsewhere: nearly half of these flaws targeted enterprise software (source: TechCrunch). Firewalls, VPNs, virtualization platforms: the tools companies buy specifically to protect themselves.

For businesses in regulated sectors (finance, healthcare, energy, public sector), this changes the equation. If the defense tools themselves become attack vectors, the question is no longer just “how do we protect ourselves better?” but “what would an attacker find if they got through anyway?”

The software protecting you is being targeted first

This is the central finding of Google’s annual threat report, published in March 2026. Cisco, Fortinet, Ivanti, and VMware are among the most targeted vendors. All have confirmed that attackers exploited their products on customer networks (source: TechCrunch).

Why these tools specifically? Because they tick every box from an attacker’s perspective. They are deployed everywhere. They have elevated access rights on the network. And most importantly, most edge devices (routers, switches, security appliances) are not covered by standard detection solutions (source: Google GTIG). In practice, this means an attacker can get in without triggering a single alert.

The exploited flaws are not even particularly sophisticated. Google points to problems known for years: forms that don’t properly validate input, incomplete authorization processes (source: Google GTIG). Basic errors, but present in critical software used by thousands of organizations.

It’s not the entry that causes the damage. It’s what’s found inside.

Against a zero-day flaw, no protection can guarantee that an attacker will never get in. The real question then becomes: once inside, what can they access?

In most organizations, the answer is: a lot. Data is grouped in centralized warehouses, copied into test databases, replicated for BI, duplicated in application caches. Each copy is an additional target. Each storage layer is another prize within reach.

A telling example? In 2025, the Clop group exploited flaws in Oracle E-Business Suite to extract sensitive HR data from dozens of organizations, including Harvard and the Washington Post (source: TechCrunch). The attack was nothing extraordinary from a technical standpoint. It was the volume of accessible data that made the incident so severe.

For a company subject to GDPR, NIS2, DORA, or HDS requirements, the consequence is direct: the scale of a breach is measured by what was stored, copied, and duplicated. The less you store, the less you expose.

What the numbers say

90 zero-day flaws exploited in 2025, up from 78 in 2024. An attacker only needs one. (Google GTIG)

48% targeted enterprise software, a historic record. And half of those specifically targeted security and network appliances. (Google GTIG / TechCrunch)

10% of ANSSI interventions in 2025 involved the healthcare sector, the 3rd most targeted in France. (ANSSI, Panorama 2025)

128 ransomware compromises reported to ANSSI over the year, primarily affecting SMEs, local authorities, and hospitals. (ANSSI)

Add more protections, or rethink the architecture?

The usual reflex when facing this kind of report is to invest in new tools. A new firewall. A more powerful EDR. An additional detection layer. This isn’t useless, but it amounts to adding locks on a door without asking what’s inside the room.

Google itself recommends designing architectures with native segmentation and minimal access built in from the start (source: Google GTIG). In other words: rather than trying to block every intrusion (which is impossible against a zero-day), design systems where an intrusion leads nowhere.

This is exactly iD4Connect’s approach. Data is never stored or duplicated. It is processed during transit through autonomous DataCells, then released. The DataGraph orchestrates flows in real time. Nothing persists, nothing accumulates.

Imagine a burglar who picks a lock and walks into an empty house. That’s the principle. Not that the data doesn’t exist: it flows, it’s analyzed, it produces results. But it’s never sitting somewhere waiting to be taken.

This approach doesn’t replace your SIEM, your EDR, or your firewall. Your cybersecurity tools keep doing their job. But instead of protecting a vault full of data, they protect a perimeter where there is structurally nothing to steal.

Three questions to ask your CTO

1. How many copies of our data exist right now? Production databases, replicas, BI exports, test environments, application caches. Each copy is a target. Each copy widens the scope of a breach. And in many organizations, nobody has the exact number.

2. What would happen if an attacker got past our defenses today? Not “could they get in” (the answer is always yes, sooner or later), but “what would they find?” If the answer is “months or years of centralized data in a single location,” the risk is maximal.

3. Would our regulatory compliance survive a change of provider? Compliance that relies on a third party’s proper configuration is fragile. Compliance built into the architecture depends on no one. GDPR, NIS2, DORA, HDS: all covered by design, from day one.