Summary

With the development of Internet of Things (IoT) technology, various attacks and threats have emerged. The advanced persistent threat (APT) is a class of advanced multi-step attacks among these diverse attack activities, and it poses a severe threat to IoT systems owing to its pertinence, concealment, and permeability. However, existing technologies and methods fail to recognize APT attack activities (especially zero-day exploits) in a timely manner and across a comprehensive scope. To address this problem, we propose a novel method of cyber situation perception for IoT systems, which is based on zero-day attack activity recognition within APT (CSPAPTM). We also design an edge computing framework for applying CSPAPTM to typical IoT systems. Specifically, we first provide a cyber situation perception ontology construction module for describing APT attack activities. Then, a malicious C&C DNS mining method (MCCDRM) is proposed to control the trigger of the APT malicious activity correlation analysis, which effectively decreases the computing overhead. Finally, we propose a zero-day attack activity recognition method within APT (ZDAARA), which acts on system call instances to recognize malicious activities that cannot be detected by an IDS. A relatively mature access control mechanism, PO-SAAC, is also applied in our method. By combining these methods, CSPAPTM can accomplish cyber situation perception effectively through zero-day attack activity recognition in IoT systems. The exhaustive experimental results demonstrate that the two core modules of CSPAPTM, that is, MCCDRM and ZDAARA, achieve both a higher F1 score and an acceptable false positive rate.