We describe a method used to analyze zero-day attacks from data obtained on 11 million hosts. We identify 18 such vulnerabilities of which 11 were not previously known to be zero-day attacks. We show that a typical zero-day attack lasts 312 days on average and that, once disclosed, the volume of attacks exploiting them increases dramatically. Lessons learned from this exercise are discussed.