ZERO-DAY
A Dark Comedy Series
PILOT: “REFLECTED ATTACKS”
FADE IN:
COLD OPEN
INT. MERIDIAN FEDERAL CREDIT UNION — SERVER ROOM — 2:47 AM
Humming. The beautiful, indifferent humming of rack-mounted servers. Blue LED status lights pulse like sleeping heartbeats. Everything is fine. Everything is always fine at 2:47 AM.
SUPER: “The average time it takes an organization to detect a data breach: 197 days.”
SUPER: “The average time it takes Karen in Accounting to forward a phishing email: 4 seconds.”
A door SLAMS open. Fluorescent lights stutter on.
PRIYA OKONKWO-SHAH (32, South Asian-Nigerian, wearing a hoodie that reads “I VOID WARRANTIES,” hair in a chaotic bun secured with what appears to be a USB drive) sprints in holding a laptop and a gas station burrito.
She drops into a rolling chair. Opens the laptop. Stares.
PRIYA (to no one) No. No no no no no. Absolutely not. Not tonight. I have a thing tonight.
She takes a massive bite of the burrito. Types furiously.
PRIYA (CONT’D) (mouth full) You little— you beautiful little— that’s a reflected XSS. That is a TEXTBOOK reflected XSS. Who does that? Who leaves that open in 2024?
She pulls up a terminal. Green text cascades. She chews thoughtfully.
PRIYA (CONT’D) (to the servers) You know what you are? You’re a bait link in a phishing email. You’re the URL that looks trustworthy. You’re the “click here to confirm your account” that Grandma clicks every single time.
A BEAT. She looks at the burrito.
PRIYA (CONT’D) You’re also cold. Both of you. Cold and full of vulnerabilities.
Her phone BUZZES. She glances at it.
TEXT ON SCREEN: “MARCUS: where are you, the movie started, I got your popcorn, it’s getting stale, I’m eating your popcorn, it’s gone, where are you”
She types a response with one thumb without looking away from the terminal.
PRIYA (CONT’D) (typing on phone, narrating) “Server. Emergency. Don’t wait up. Yes again.”
She hits send. Her laptop DINGS. She looks at the screen.
Her face changes. The casual competence drains away.
PRIYA (CONT’D) (very quietly) Oh. Oh that’s not good.
She leans closer to the screen. Her burrito falls on the floor. She doesn’t notice.
PRIYA (CONT’D) That’s not a credit union problem.
She picks up her work phone. Dials. It rings. Rings. Rings.
VOICEMAIL (V.O.) You’ve reached the Security Operations Center of Meridian Federal. Please leave—
She hangs up. Dials again.
VOICEMAIL (V.O.) You’ve reached—
She hangs up. Dials a different number.
It rings once.
DEREK (V.O.) (instantly awake, which is somehow more alarming than groggy) Talk to me.
PRIYA Derek. The credit union job. It’s a pivot point.
DEREK (V.O.) To what?
PRIYA I don’t know yet. But whoever built this injection vector? They weren’t after the credit union.
Silence.
DEREK (V.O.) How long have we got?
Priya looks at the screen. Types something. Stares at the result.
PRIYA 197 days, give or take.
DEREK (V.O.) What?
PRIYA Joke. We have about six hours before East Coast business traffic starts and this thing wakes up and starts doing whatever it was built to do.
DEREK (V.O.) I’ll make calls.
PRIYA Derek—
DEREK (V.O.) Yeah?
PRIYA Make quiet calls.
A pause.
DEREK (V.O.) (and this is the most unsettling thing he’s said) I always do.
He hangs up. Priya stares at her phone. Looks at the servers. Looks at her burrito on the floor. Picks it up. Takes a bite.
PRIYA (to the servers) Six hours. Let’s dance.
SMASH CUT TO TITLE CARD:
ZERO-DAY
Title appears in clean white terminal font, then flickers, corrupts, resolves.
ACT ONE
INT. MERIDIAN FEDERAL CREDIT UNION — OPEN OFFICE — 8:14 AM
The kind of office that tried to be Google in 2019 and gave up by 2021. There’s a foosball table no one touches. A “COLLABORATION CORNER” with beanbags that have slowly deflated into sad, fabric puddles. Motivational posters that someone has, over time, subtly defaced. One reads “THERE IS NO ‘I’ IN TEAM” and someone has added “BUT THERE IS A ‘ME’ IF YOU’RE DYSLEXIC.”
DEREK VOSS (45, the kind of white guy who looks like a retired Navy SEAL but is actually a retired Navy SEAL, which makes it worse, wearing a button-down that costs $400 and looks like it costs $40) stands at the head of a conference table, coffee in hand, looking at four people like they are a mildly disappointing chess problem.
Priya sits at the table, having clearly not slept. Next to her:
FELIX TAMBOLI (27, Filipinx-American, the energy of someone who has had too much coffee and also is somehow coffee, wearing a shirt with a cartoon skull that reads “ETHICAL HACKER” which everyone finds both accurate and annoying). He’s spinning a pen. He’s always spinning something.
CASSANDRA “CASS” WHITMORE (38, Black woman, the dangerous stillness of someone who has seen every possible human disaster and has opinions about all of them, impeccably dressed in a way that suggests she’s the only adult in any room she enters). She has a legal pad. She is the only person with a legal pad. She is always the only person with a legal pad.
NEIL BRANNAGH (52, Irish-American, looks like a golden retriever that learned to do taxes, Senior Director of Client Services, NOT a security person, very much in the wrong meeting). He has a muffin.
DEREK Okay. Here’s where we are. Priya found a reflected cross-site scripting vulnerability in Meridian’s customer portal at approximately 2:50 this morning.
NEIL (muffin raised) Is that bad?
DEREK It’s a delivery mechanism, Neil.
NEIL For what?
DEREK That’s the question.
FELIX (not looking up from his laptop) Okay so I’ve been in the code for three hours and whoever built this is good. Like, annoyingly good. The injection point is in the search field of the member portal — totally standard, totally boring, the kind of thing that gets missed in every pentest because it’s so vanilla.
CASS But?
FELIX But it’s not just pulling data. It’s using the member portal as a mirror. The script bounces off the trusted domain, picks up a session token from anyone who clicks the right link, and then—
He pauses. Spins his pen.
FELIX (CONT’D) I lose it after that. The exfiltration endpoint is masked. Beautifully masked.
PRIYA It’s not going to the credit union. The credit union is just the bow on the package.
NEIL What package?
Everyone looks at him.
NEIL (CONT’D) I’m just— I’m asking because I’m on this calendar invite and I feel like I should contribute.
DEREK Neil, you’re here because Meridian is your client and I need you to not call them for the next forty-eight hours.
NEIL (offended) I call my clients every—
DEREK Neil.
NEIL (beat) Forty-eight hours. Got it.
DEREK (to the group) The payload is designed to activate when a specific type of user authenticates through the portal. Not just any member. The script has conditional logic — Priya?
PRIYA (pulling up her laptop) Yeah, so — okay. Here. The injection checks for session attributes before it does anything. Specifically it’s looking for users who have linked accounts. Not just a savings account. Linked accounts. The kind of linking you do when you’re moving money between institutions.
CASS (writing) What kind of institutions?
PRIYA That’s what I spent six hours on. I found three that the script is specifically fingerprinting for. A brokerage. A payroll processor. And—
She looks at Derek. Something passes between them.
DEREK Tell them.
PRIYA A government benefits disbursement service.
Silence.
FELIX (pen stops spinning) Which one?
PRIYA The federal one.
More silence.
NEIL (eating his muffin) Is that the bad one?
CASS Neil, they’re all bad. That one is catastrophically bad.
NEIL (still eating) Okay.
DEREK Here’s what we know. Someone built a very elegant, very patient attack. They planted it in a community credit union — the kind of institution that has forty thousand members, a two-person IT department, and a security audit budget of roughly “whatever’s left after the holiday party.” They’re using it as a reflected attack vector to harvest credentials from people who use federal benefits systems.
CASS Who are, by definition—
DEREK Vulnerable people. Yes.
CASS (writing faster) And we found this how?
PRIYA Routine pentest. Meridian hired us last month to do a vulnerability assessment. Standard stuff. I was doing the web app portion at 2 AM because—
FELIX Because you do everything at 2 AM.
PRIYA Because I work best at 2 AM, yes, and I found the injection point and I pulled the thread and the thread went somewhere unexpected.
DEREK The question before us is: what do we do with this thread?
CASS We report it. Immediately. To Meridian and to the relevant federal agencies.
DEREK (a beat too long) Yes. Obviously.
CASS Derek.
DEREK We will absolutely report it.
CASS Derek, what did you do?
DEREK I made some calls this morning.
CASS You said you’d make quiet calls.
PRIYA (to Felix) He always says that.
DEREK I reached out to a contact at the Cybersecurity and Infrastructure Security Agency—
CASS Good.
DEREK —and to a contact at a firm that does contract work for the current administration’s digital transition infrastructure.
CASS (pen down) Which administration?
Derek straightens his already straight collar.
DEREK The new one.
CASS There isn’t a new one yet.
DEREK There’s always a new one, Cass. Someone’s always transitioning into power. It’s the nature of—
CASS Derek. Which. Administration.
DEREK The Hargrove administration. The incoming one. They’re doing their digital onboarding — all the institutional accounts, the communications infrastructure, the benefits system handoffs—
FELIX (standing up slowly) Wait.
DEREK —and someone reached out to me six weeks ago about a security concern they couldn’t take through official channels—
FELIX WAIT.
Everyone looks at Felix.
FELIX (CONT’D) The incoming administration is doing their digital transition. They’re migrating all the federal accounts. All the institutional handoffs. And someone planted a reflected XSS in a credit union that fingerprints for federal benefits disbursement credentials—
He looks at Priya.
FELIX (CONT’D) Priya. The conditional logic. The session attributes it’s checking for. Is it looking for user credentials or administrator credentials?
A beat.
Priya’s face goes very still.
PRIYA I assumed user.
FELIX Did you confirm user?
She’s already opening her laptop.
DEREK (quietly) Felix—
FELIX Because if it’s fingerprinting for administrative credentials on the federal disbursement system during a transition period when every password is being reset and every account is being handed off—
PRIYA (staring at her screen) Oh.
FELIX Yeah?
PRIYA Oh no.
FELIX Yeah.
PRIYA It’s not looking for users.
She turns her laptop around. Everyone leans in. Neil leans in too, mostly for the social experience of leaning in.
PRIYA (CONT’D) It’s looking for whoever’s doing the handoff.
HARD CUT TO:
INT. A VERY NICE HOTEL BAR — DAY
A man sits alone. SENATOR ALAN GREER (62, the face of a man who has never once doubted himself, which is the most dangerous face there is, expensive suit, the kind of American flag pin that costs more than most people’s rent). He’s nursing a scotch. It’s 9 AM.
His phone buzzes. He looks at it. His expression doesn’t change, which is itself an expression.
He puts the phone face-down on the bar.
He takes a sip of scotch.
He almost smiles.
SMASH CUT BACK TO:
INT. MERIDIAN FEDERAL CREDIT UNION — CONFERENCE ROOM — CONTINUOUS
CASS I need everyone to understand that what I’m about to say is the correct answer and also that no one in this room is going to like it.
DEREK Cass—
CASS We shut it down. Right now. We patch the vulnerability, we notify Meridian, we file the appropriate disclosure reports, we document everything, and we let the relevant agencies handle what’s on the other end of that exfiltration endpoint.
FELIX But we don’t know what’s on the other end.
CASS That’s not our problem.
FELIX It kind of is though? Like, professionally?
CASS Our professional obligation is to our client. Meridian Federal Credit Union. They hired us to find vulnerabilities. We found one. We report it. Full stop.
PRIYA Cass, if we patch it now, whoever built this knows within hours. They go dark. We lose the thread.
CASS Then federal investigators follow the thread.
PRIYA Federal investigators who are currently in the middle of a transition and whose own administrative accounts might be the target?
A beat.
CASS (writing) This is a terrible situation.
PRIYA Yeah.
CASS I want that noted.
PRIYA Noted.
NEIL (who has finished his muffin) Can I ask a question?
Everyone looks at him with the specific exhaustion of people who have been asked this by Neil before.
NEIL (CONT’D) The people whose credentials this thing is stealing. The administrators doing the handoff. Are their accounts already compromised? Like, has it already happened?
Priya checks her screen.
PRIYA The script hasn’t fully activated yet. It’s in a dormant state. Waiting.
NEIL Waiting for what?
PRIYA (reading) For… a specific date.
She looks up.
PRIYA (CONT’D) Inauguration Day.
The room goes very quiet.
FELIX (slowly) The moment the new administration takes over the accounts. The moment every password gets reset and handed to a new owner. The moment the most powerful federal accounts in the country are at their most vulnerable—
DEREK (very quietly) Someone wants to be in the room when the keys get handed over.
NEIL (picking up his phone) I’m going to call Meridian.
DEREK Neil, do not—
NEIL I’m calling to reschedule our quarterly check-in. I’m not a monster, Derek.
He walks out. Everyone watches him go.
CASS (to Derek) The contact you called this morning. The one at the transition firm.
DEREK Yeah.
CASS Did they call you back?
Derek’s jaw tightens, almost imperceptibly.
DEREK Not yet.
CASS (making a note) That’s interesting.
DEREK It’s only been a few hours.
CASS (still writing) Still interesting.
END OF ACT ONE
ACT TWO
INT. PRIYA’S CAR — MOVING — DAY
Priya drives. Felix is in the passenger seat, laptop open, seat reclined at an angle that should be illegal. He’s eating chips. He’s always eating something.
FELIX Okay, so I’ve been mapping the exfiltration endpoint through three proxy layers and I keep hitting the same dead end. Whoever routed this is using a chain of compromised residential IPs — normal people’s home routers — as a relay network.
PRIYA How many nodes?
FELIX Seventeen that I can see. Probably more that I can’t.
PRIYA Seventeen compromised home routers as a relay chain. That’s not a teenager in a basement.
FELIX No. That’s time, resources, and a very specific kind of patience.
PRIYA Nation-state?
FELIX (mouth full) Or someone who wants it to look nation-state.
Priya glances at him.
PRIYA That’s a sophisticated distinction.
FELIX I contain multitudes. Also I found something.
PRIYA Tell me.
FELIX The injection script has a comment in it. In the code. Like, an actual human-readable comment. Which is either incredibly sloppy or—
PRIYA —incredibly intentional.
FELIX Right. And the comment is just a string of numbers. Twelve digits.
PRIYA Coordinates?
FELIX That’s what I thought. But they don’t resolve to any real location. They’re not coordinates. They’re not a date. They’re not a phone number. I ran them through everything.
PRIYA What are they?
FELIX I don’t know yet. But they were put there by a human who wanted them to be found. Maybe by the right person.
PRIYA Or as a trap for the wrong person.
Felix eats a chip thoughtfully.
FELIX You’re really fun to work with, you know that?
INT. MERIDIAN FEDERAL CREDIT UNION — CASS’S TEMPORARY OFFICE — DAY
Cass is on the phone. The door is closed. She’s using her own personal cell phone, not the work one.
CASS (into phone) I know what the protocol says, Marcus. I wrote half the protocol. I’m telling you this is different.
She listens.
CASS (CONT’D) Because Derek made calls before I knew about the situation. Because I don’t know what he said or who he said it to. Because in twelve years of working with Derek Voss I have learned that when Derek makes quiet calls at 4 AM, the quiet calls are never about what he says they’re about.
She listens.
CASS (CONT’D) I’m not accusing him of anything. I’m asking you to open a parallel track. Quietly. From your end.
She listens.
CASS (CONT’D) (dryly) Yes, I know everyone keeps saying quietly. It’s a recurring theme today.
She listens. Her expression shifts — just slightly. A flicker of something.
CASS (CONT’D) What do you mean you already know about the credit union?
She listens.
CASS (CONT’D) How long?
She listens.
CASS (CONT’D) (standing up) Marcus, how long have you known about the credit union?
She listens. Her face is doing the thing where it’s very carefully not doing anything.
CASS (CONT’D) Okay. Okay. Don’t do anything until I call you back.
She hangs up. Stands very still for a moment. Then she picks up her legal pad and writes something. Underlines it twice. Then she tears the page out, folds it, and puts it in her jacket pocket.
She opens the door. Derek is standing in the hallway, coffee in hand, looking at his phone.
CASS Derek.
DEREK (not looking up) Mm.
CASS The contact you reached out to this morning at the transition firm.
DEREK Yeah.
CASS What’s their name?
DEREK (still not looking up) Hawkins. Tom Hawkins. Why?
CASS No reason.
She walks past him. He watches her go. He looks at his phone.
He types a text: “She’s asking.”
He deletes it. Types again: “She knows.”
He deletes that too. Puts his phone in his pocket. Drinks his coffee.
INT. MERIDIAN FEDERAL CREDIT UNION — SERVER ROOM — DAY
Priya and Felix are back. Felix has set up what appears to be a secondary workstation using components he’s produced from a backpack that is somehow larger on the inside than the outside.
FELIX Okay. I’m going to do something that Derek would call “operationally inadvisable.”
PRIYA You’re going to poke it.
FELIX I’m going to poke it.
PRIYA We could just patch it.
FELIX We could just patch it.
A beat.
PRIYA Poke it.
FELIX (cracking his knuckles) Okay. I’m going to create a synthetic session. Fake credentials. Make it look like an administrative account from the disbursement system just authenticated through the portal. If the script responds—
PRIYA We see where it sends the data.
FELIX We see where it sends the data. One layer further down the chain. Maybe we jump a node.
PRIYA And if the script is smarter than we think and it detects the synthetic session?
FELIX Then we’ve told whoever’s watching that someone’s watching.
PRIYA And the script goes dark.
FELIX And we’ve lost the thread.
PRIYA So no pressure.
FELIX None at all.
He starts typing. Priya watches over his shoulder. The server room hums.
FELIX (CONT’D) (typing, not looking up) Can I ask you something?
PRIYA Now?
FELIX Quick question. Derek. You’ve worked with him for what, six years?
PRIYA Seven.
FELIX Do you trust him?
Priya doesn’t answer immediately. That’s an answer.
PRIYA I trust his competence.
FELIX That’s a very careful sentence.
PRIYA I’m a very careful person.
FELIX You do everything at 2 AM and you poke active malware for fun.
PRIYA Carefully.
Felix laughs despite himself. His fingers keep moving.
FELIX Okay. Synthetic session is… live.
They both watch the screen.
Nothing.
Nothing.
Nothing.
PRIYA It’s not—
FELIX Shh.
Nothing.
Then: a FLICKER. A single line of output.
Felix leans in so fast his nose almost touches the screen.
FELIX (CONT’D) (whispering) There you are.
PRIYA (whispering) What is it?
FELIX (tracing the line) It responded. It’s sending. And it didn’t go to the relay chain.
PRIYA Where did it go?
Felix types rapidly. The output cascades. He stops. Stares.
FELIX It went to a staging server. And the staging server is registered to a shell company. And the shell company—
He keeps typing.
FELIX (CONT’D) —is registered to another shell company. And that one—
More typing.
FELIX (CONT’D) (very quietly) Priya.
PRIYA Yeah.
FELIX That one is registered to a lobbying firm. A real one. With a real address. In Washington, D.C.
PRIYA What’s the firm?
Felix reads from the screen. His pen, for once, is completely still.
FELIX Greer Strategic Solutions.
A beat.
PRIYA Greer. Like—
FELIX Like Senator Alan Greer. Who is, as of last month, no longer a senator, because he lost his primary in the most spectacular fashion since—
PRIYA I know who he is.
FELIX And who is now, apparently, running a lobbying firm.
PRIYA And apparently building very patient, very elegant cyberattacks against federal transition infrastructure.
They look at each other.
FELIX Derek’s contact. The one at the transition firm.
PRIYA Tom Hawkins.
FELIX Do we know who Tom Hawkins is?
Priya is already on her phone, searching.
She finds something. Her face does the thing it did at 2:47 AM. The stillness.
PRIYA (showing him the screen) Tom Hawkins. Former chief of staff.
FELIX For who?
PRIYA For Senator Alan Greer.
The server room hums. The blue lights pulse. Everything was fine. Everything is very much not fine.
INT. MERIDIAN FEDERAL CREDIT UNION — HALLWAY — CONTINUOUS
Derek is on his phone. Walking. He turns a corner and nearly collides with Cass.
They both stop. They look at each other with the specific expression of two people who have just realized they’ve been playing the same game from opposite sides.
DEREK Cass.
CASS Derek.
DEREK Where are Priya and Felix?
CASS Server room.
DEREK What are they doing?
CASS (a beat) Their jobs. What are you doing?
DEREK My job.
CASS Which is?
DEREK (studying her) Protecting this firm.
CASS From what?
DEREK From the consequences of finding things we weren’t supposed to find.
CASS Whose consequences?
Derek looks down at his phone. Then back at Cass.
DEREK How much do you know?
CASS (patting her jacket pocket, where the folded paper is) Enough.
DEREK (long pause) I was approached eight weeks ago. Someone who knew about the transition vulnerabilities. They wanted us to— they framed it as a consulting arrangement. Advising on security gaps in the federal handoff process.
CASS Advising on how to exploit them.
DEREK They said patch them. Advise on how to patch them.
CASS And you believed that.
DEREK (and this is the most honest thing he’ll say all episode) I believed the check.
Cass looks at him for a long moment.
CASS Did you know about the credit union?
DEREK No. I found out this morning, same as you.
CASS But you called Hawkins before you told us what you found. Before you briefed your own team.
DEREK I was trying to—
CASS You were warning him.
DEREK I was trying to understand the situation.
CASS Derek. You warned him.
Derek doesn’t answer. That’s an answer.
Cass reaches into her pocket. Takes out the folded paper. Holds it but doesn’t give it to him.
CASS (CONT’D) My contact at CISA. He already knew about the credit union. Someone reported it six weeks ago. An anonymous tip. Very detailed. Specific enough to know exactly what to look for and where.
DEREK (slowly) Someone reported it.
CASS Someone who wanted CISA to know it existed. But not to patch it. Not yet.
DEREK (understanding dawning) Someone who wanted it monitored.
CASS Someone who’s been watching this thing from the other end for six weeks. Waiting for it to activate. Waiting to follow it back to whoever built it.
She hands him the paper. He unfolds it. Reads it.
His expression changes. Not dramatically. Just a subtle recalibration. The chess problem has new pieces.
DEREK (reading) This is—
CASS I know.
DEREK This changes—
CASS I know.
DEREK We’ve been—
CASS Running toward a fire that someone lit specifically so we’d run toward it. Yes.
A beat.
DEREK Reflected attack.
CASS (nodding slowly) We’re not the security team. We’re the payload.
The SOUND of running footsteps. Priya and Felix round the corner. They stop when they see Derek and Cass standing in the hallway, clearly mid-revelation.
FELIX (out of breath) Greer Strategic Solutions.
DEREK (still holding the paper) I know.
PRIYA Tom Hawkins.
DEREK I know.
FELIX You know?
DEREK I know now.
PRIYA (looking between Derek and Cass) What’s on the paper?
Cass and Derek exchange a look.
DEREK The script. The twelve-digit comment Felix found in the code—
FELIX How do you know about that?
DEREK Because CISA found it six weeks ago and they’ve been trying to decode it. And Cass’s contact just told her what it is.
Everyone looks at Cass.
CASS (measured) It’s a case number. An FBI case number. Specifically, it’s the case number for an ongoing investigation into Alan Greer’s financial activities. An investigation that Greer apparently knows about.
PRIYA He knows he’s being investigated.
CASS And he embedded the case number in his own malware. In the code. As a message.
FELIX A message to who?
CASS To whoever was watching. To the investigators. To say—
PRIYA (completing it) “I know you’re here.”
Silence.
FELIX (slowly) So the malware isn’t just about stealing credentials during the transition.
CASS No.
FELIX It’s about demonstrating capability. Showing that he can get inside federal systems. That he can compromise the transition process. Not to destroy it—
PRIYA As leverage.
CASS If you can access the accounts, you can corrupt them. Redirect funds. Disrupt the handoff. Make an entire incoming administration look incompetent on day one.
DEREK Or you can threaten to do that. And never have to actually do it.
PRIYA What does he want?
A beat. Then Neil appears at the end of the hallway. He’s holding his phone. He looks, for the first time, not like a golden retriever.
NEIL Hey. Sorry. I know I’m not supposed to be part of the—
(beat)
I just got a call from Meridian’s CEO. She says there’s a man in her office. He says he’s from the FBI. He’s asking about us.
Everyone looks at Neil.
NEIL (CONT’D) (looking at his phone) And he’s been there since 7 AM. Before Priya called Derek. Before any of this.
The weight of that lands.
PRIYA (very quietly) We weren’t the first ones here.
HARD CUT TO:
INT. MERIDIAN FEDERAL CREDIT UNION — CEO’S OFFICE — MOMENTS LATER
The team files in. Sitting across from MERIDIAN CEO LINDA PARK (55, the energy of someone who has survived seventeen audits and two recessions and has the reading glasses to prove it) is a man.
SPECIAL AGENT DARA OSEI (40, Ghanaian-American, the specific calm of someone who is never the most stressed person in any room because they have decided, on a philosophical level, not to be). He’s in a suit. He has a badge. He has a coffee from the lobby that he hasn’t touched.
He looks at the team as they enter. His expression doesn’t change.
OSEI (pleasantly) Priya Okonkwo-Shah, Derek Voss, Cassandra Whitmore, Felix Tamboli.
(beat)
Neil Brannagh. Senior Director of Client Services.
NEIL (reflexively) That’s me.
OSEI I know. Sit down, please.
They sit. All of them. Even Derek, which is notable.
OSEI (CONT’D) You found something last night.
PRIYA We found something last night.
OSEI Good. We’ve been waiting for someone to find it.
PRIYA You planted it.
A beat. Osei picks up his coffee. Takes a sip. Puts it down.
OSEI We didn’t plant it. But we found it before you did and we made a decision not to patch it.
CASS Because you wanted to use it.
OSEI We wanted to follow it. There’s a distinction.
DEREK (carefully) And you needed a private firm to find it independently so that—
OSEI So that when this goes to court, no one can argue entrapment or illegal surveillance. Yes. We needed a legitimate security assessment to surface the vulnerability organically.
FELIX (slowly putting it together) You knew Meridian would eventually hire someone for a pentest.
OSEI Meridian has a pentest every eighteen months. Like clockwork. We’ve been on a clock.
PRIYA And you needed us to follow the thread.
OSEI We needed someone good enough to follow the thread.
PRIYA (a beat) How did you know we’d be good enough?
OSEI (the closest he’ll come to a compliment) We didn’t know about Felix and Derek. We were counting on you.
Priya blinks. Felix looks at her. She very carefully doesn’t react.
OSEI (CONT’D) Here’s where we are. Greer knows we’re watching. He embedded the case number as a taunt — he thinks he’s untouchable. He thinks the leverage he’s built into this system protects him. He’s going to activate the script on Inauguration Day unless we give him what he wants.
DEREK Which is?
OSEI The investigation dropped. And two seats on the incoming administration’s infrastructure advisory board.
CASS (writing) He wants to be in the room.
OSEI He’s always wanted to be in the room. He just finally built a door.
NEIL (who has been very quiet) Can I ask something?
Everyone looks at him. Even Osei.
NEIL (CONT’D) The people this thing would hurt. If it activated. The people using federal benefits. The ones whose accounts would get compromised.
OSEI Yes.
NEIL How many?
OSEI (a beat) Potentially? Several hundred thousand.
Neil nods slowly. He puts his phone in his pocket.
NEIL Okay. What do you need us to do?
Everyone looks at Neil.
DEREK Neil—
NEIL I’m the one he doesn’t know about, right? You said you were counting on Priya. Greer’s people know about Priya and Derek and probably Cass. Do they know about me?
OSEI (studying Neil with new interest) No.
NEIL I call my clients every week. I’ve been calling Linda—
(nod to CEO LINDA)
—for four years. I know her assistant’s kids’ names. I know her preferred lunch order. I have a relationship.
(beat)
You need someone inside this building who looks like they belong here. Who doesn’t look like security. Who can move around without anyone thinking twice.
A long pause.
OSEI (to the room) Who is this guy?
DEREK (quietly, and it sounds like respect) Client Services.
SMASH CUT TO:
INT. SENATOR GREER’S HOTEL BAR — SAME TIME
Greer is still at the bar. Different scotch. His phone buzzes. He looks at it.
A text: “They found it.”
He almost smiles again. This time he lets it complete.
He picks up his scotch. Raises it slightly, to no one.
GREER (to his drink) Good.
HARD CUT TO BLACK.
END OF ACT TWO
TAG
INT. MERIDIAN FEDERAL CREDIT UNION — SERVER ROOM — LATER
The lights are lower. The team has dispersed. Priya is alone with the servers. She’s been here all day and she’ll be here all night and she knows it and doesn’t mind.
She’s eating a new burrito. She learned nothing.
Her laptop is open. The script is still there. Still dormant. Still waiting.
She types something. A message. Not into any system — just into a text file on her local machine. The kind of thing you write when you need to think out loud.
She types: “Reflected attack. The payload bounces off a trusted source to reach the target. The trusted source doesn’t know it’s being used. The target doesn’t know where the attack is really coming from.”
She stops. Thinks. Types more.
“We thought we were the security team. We were the payload. Osei thought he was running us. Greer thinks he’s running Osei. Everyone thinks they’re the trusted source. Nobody knows where the attack is really coming from.”
She stops again. Stares at the screen.
Types one more line.
“Twelve-digit case number. Greer embedded it as a taunt. But what if it’s not a taunt?”
She leans back. Eats her burrito. Looks at the ceiling.
PRIYA (to herself) What if it’s a warning?
She sits up. Starts typing. Fast.
Her phone buzzes. She ignores it. It buzzes again. She glances at it.
TEXT ON SCREEN: “MARCUS: I’m outside. I brought a different burrito. Let me in.”
She almost smiles. Types a response. Then stops.
Looks at her laptop.
Looks at her phone.
Types into her laptop instead: “The case number isn’t Greer’s case. Look up the case number.”
She opens a browser. Types in the twelve digits. Hits enter.
The result loads.
Her face goes through three distinct expressions in two seconds.
She picks up her phone. Not to text Marcus. Different contact.
It rings once.
OSEI (V.O.) I told you to get some sleep.
PRIYA The case number.
OSEI (V.O.) We know what it is.
PRIYA Do you know whose case it is?
A pause.
OSEI (V.O.) It’s Greer’s case.
PRIYA It’s not Greer’s case. I just looked it up. That case number belongs to an investigation opened eighteen months ago. Before Greer lost his primary. Before any of this.
OSEI (V.O.) (carefully) What investigation?
PRIYA The subject of the investigation is listed as a cybersecurity firm. Private sector. Mid-Atlantic region.
Silence.
PRIYA (CONT’D) Agent Osei. How long has your office been investigating Greer Strategic Solutions?
OSEI (V.O.) (very carefully) Six weeks.
PRIYA And how long has someone been investigating us?
A long pause.
OSEI (V.O.) Send me what you’re looking at.
PRIYA Already sent.
She hangs up. Sits in the server room. Blue lights pulse. Servers hum.
She looks at the script on her screen. Still dormant. Still waiting.
PRIYA (CONT’D) (to the servers) Who built you?
She takes a bite of her burrito. Chews.
PRIYA (CONT’D) And why do they want us to find out?
FADE TO BLACK.
TITLE CARD:
“ZERO-DAY”
In security, a zero-day vulnerability is a flaw that is known to the attacker but unknown to the defender.
The most dangerous zero-days are the ones where you don’t know which one you are.
FADE OUT.
END OF PILOT
ZERO-DAY was created by [CREATOR]. Produced by [PRODUCTION COMPANY]. All characters and events depicted are fictional. Any resemblance to actual cybersecurity incidents, governmental transitions, or lobbying firms with suspiciously elegant malware is entirely coincidental and also please don’t look too closely.
SERIES SETUP FOR SEASON ONE:
- WHO is investigating the firm, and why, and since when?
- What does Greer actually want — and is he the top of the chain?
- Neil Brannagh, it turns out, is more than Client Services. (He always was.)
- Derek’s “quiet calls.” How quiet? How many?
- The twelve-digit number leads somewhere else. It always leads somewhere else.
- Priya’s contact saved as “MARCUS” in her phone is not who she said he was.
FADE OUT.