I mostly agree with your post, except using a zero day on a small (especially self-hosted) server is very rarely blowing it. In fact I would bet the majority of self-hosted or small-time servers wouldn't have the first clue about how to figure out how you got in, let alone parsing logs to figure out the exploit. Assuming they even log sufficiently, hiring a forensics expert is almost certainly out of the question financially.