Everything starts with a single exploit discovery, like a null-byte exception, buffer overflow, or unsanitized inputs. Then, you look for more. Once you have enough to formulate a full-blown attack, you can either wait, sell the information, or develop attacks based on those vulnerabilities. Once they get good enough, they’ll already have attacks ready for most common vulnerabilities allowing them to quickly cripple or download all information from the compromised systems.