ATLANTA -- When the sensors feeding into Internet Security Systems' Global Threat Operations Center detected a new XML HTTP vulnerability early last November, attacks exploiting that vulnerability already were occurring across the Internet.

That's when members of the X-Force, ISS' 200-person R&D team, knew they had a "level zero" on their hands. Zero, as in zero day, means there is no gap between the public discovery of a vulnerability by security researchers and the launch by hackers of an exploit based on that vulnerability.

In years past, professionals at ISS and other security companies discovered potential vulnerabilities and turned that information over to the appropriate vendors, who then had weeks to send out fixes before the hackers could turn that information into a real threat. That window has been closing fast.

In 2005, 10% of attacks came within 48 hours of a vulnerability being discovered. In 2006, there were about 1.5 zero-day attacks a month, says Lamar Bailey, X-Force COO. Increasingly, zero days are being sold on the black market and used by cybercriminals to make a quick buck, X-Force researchers say.

Level zeroes are just one of many new threats pushing vulnerability research labs such as X-Force to their limits, says Gunter Ollmann, X-Force director. For example, using polymorphism techniques, attacks now can change on command to defeat signature detections. Also on the rise is fuzzing, which tests data fields for vulnerabilities by generating and filling them in with a barrage of bizarre text strings until they break.

These new threats are enough to keep members of the X-Force up nights -- literally.

"It's always about 2 a.m., when the bad guys come knocking at your door," says Chris Schueler, who hails from a security operations center background in the Army and who directs ISS' global Security Operations Center (SOC). "The number of calls that bump up in priority that are more severe are increasing so much that I'm worried we might be getting these types of calls all the time."

Click to see: Chris Schueler (background), director, ISS' global Security Operations Center

Schueler was one of the first people to jump into action when the HTML exploit was captured by X-Force sensors. Those sensors were running a combination of protocol analyses and assessment and virus-protection engines, and feeding the information into the X-Force Global Threat Operations Center (GTOC).