Summary
- Zscaler's real product is not a single gateway, agent or dashboard. It is a policy-enforcement fabric around the Zero Trust Exchange, including Zscaler Internet Access, Zscaler Private Access, Zscaler Digital Experience, data protection, browser isolation, CASB controls, cloud enforcement nodes, private access connectors and logs. The platform can shrink network exposure and centralize enforcement, but it also turns identity hygiene, device posture, TLS inspection choices, application segmentation and exception handling into daily production dependencies.
- The strongest evidence supports a bounded claim: Zscaler has a serious, scaled commercial platform and a broad public operating surface. Its Q3 fiscal 2026 materials reported $850.5 million in quarterly revenue, $3.525 billion in annual recurring revenue, 4,003 customers with more than $100,000 in ARR and 748 customers with more than $1 million in ARR (Zscaler Q3 fiscal 2026 results). Zscaler's public Trust and configuration endpoints also show separate status and routing surfaces for ZIA, ZPA and ZDX. Those facts prove scale and operational transparency, not that a customer's policies are correct, complete or reversible.
- The right buyer test is operational, not rhetorical. A security team should ask how quickly it can isolate a bad block, prove a missed exposure, bypass a broken SaaS flow without opening the whole network, fail over private access connectors, understand whether an outage is identity, endpoint, ISP, Zscaler, SaaS or customer policy, and roll back a change while preserving audit evidence. If reduced VPN, firewall and appliance work does not exceed the new cost of policy design, connector upkeep, certificate management, exception queues, logging integrations, user friction and vendor dependence, zero trust becomes a cleaner architecture diagram rather than a better operating model.
The Zero Trust Decision Is Only Valuable If It Can Be Undone
Zero trust is usually sold as a correction to an obvious weakness: traditional networks trust too much once a user or device is inside a perimeter. Zscaler's version is direct. Its platform page says the Zero Trust Exchange uses identity, destination, risk and policy to decide whether to grant, block, isolate or otherwise handle a session, and it describes one-to-one connections based on identity, context and business policies rather than broad network access (Zscaler Zero Trust Exchange). That is a coherent response to lateral movement, exposed private applications and the operational mess of backhauling cloud traffic through older network stacks.
The problem is that zero trust does not abolish trust. It moves trust into a decision system. A user is trusted because an identity provider says the account belongs to the right person, a group membership says the role is correct, a device posture result says the endpoint is healthy enough, a destination classifier says the app is known, a data rule says the content is or is not sensitive, and a policy says the combined context permits the action. Each input can be stale, incomplete or wrong. Each decision can block legitimate work or allow activity that should have been stopped.
That is why reversibility is the center of the Zscaler question. A product can enforce a policy quickly and still be operationally brittle if a bad policy takes too long to diagnose or reverse. A private app can disappear from the internet and still fail a business test if authorized users cannot reach it after a connector, identity or device posture problem. A data loss prevention rule can look precise and still generate a queue of false positives that teaches users to route around it. A TLS inspection program can reveal encrypted threats and still break pinned applications, privacy-sensitive services or unmanaged-device workflows.
The useful version of Zscaler is not "trust nothing." It is "make smaller decisions, collect enough evidence to know when a decision is wrong, and keep a bounded way back." That operating discipline is harder than buying the platform. It requires canary groups, exception design, test identities, clean ownership for application segments, preapproved bypass paths, transparent help-desk triage and logs that security, network and endpoint teams can all understand. Without those practices, zero trust can become a centralized source of user pain.
NIST's zero trust architecture model helps frame the issue. NIST SP 800-207 describes access decisions as policy decisions informed by multiple enterprise and external data sources, including identity, device state, threat intelligence and policy rules (NIST SP 800-207). That means a Zscaler deployment is not just a vendor service. It is a dependency graph. Zscaler can enforce, observe and broker, but the customer still supplies identity truth, device management, application inventory, acceptable-use policy, data classification and change management.
What Zscaler Owns, And What It Does Not
Zscaler owns a cloud security platform and the services it sells through it. The product boundary matters because the buyer's failure modes often sit outside Zscaler's direct control. Zscaler Internet Access is positioned as cloud-native secure web gateway and security service edge for internet and SaaS traffic, including TLS inspection, threat protection, cloud firewall, DLP and CASB-style controls (Zscaler Internet Access). Zscaler Private Access is positioned as zero trust network access for private apps, brokering direct one-to-one access between authorized users and specific applications without giving users network access (Zscaler Private Access). Zscaler Digital Experience is positioned as monitoring for user, device, network and application experience (Zscaler Digital Experience).
Those pieces are complementary, but they do not make Zscaler owner of the whole working day. The identity provider may be Microsoft Entra ID, Okta or another system. Device posture may depend on endpoint management, EDR, disk encryption, certificates, OS version and local agent health. ZPA private applications still run in the customer's data center, cloud VPC, SaaS tenancy or partner environment. ZIA still depends on the user's local network, ISP path, DNS behavior, browser, certificate store and the external application being visited.
ZDX can help isolate a performance problem, but it is not proof that Zscaler caused or solved that problem.
Zscaler's own 10-Q disclosure emphasizes the commercial side of that dependency. As of April 30, 2026, the company reported $6.4593 billion of remaining performance obligations and typical subscription and support terms of one to three years, with most contracts noncancelable during the term but terminable for cause if the company fails to perform (Zscaler April 30, 2026 Form 10-Q). This is not a casual tool purchase. Once a large enterprise commits, the operational burden shifts from choosing a gateway to living inside a multi-year policy and routing model.
Zscaler's scale is also clear. Its investor page reported more than $3.5 billion in Q3 fiscal 2026 annual recurring revenue, around $6.5 billion in RPO, 4,003 customers above $100,000 ARR, 748 customers above $1 million ARR, roughly 40 percent of the Global 2000 and more than 45 percent of the Fortune 500 (Zscaler investor relations). Scale is relevant because a security platform with this many large customers has real operating evidence behind it. It is also a reason to be precise. At that scale, the product is not judged by whether the architecture is modern. It is judged by whether policy mistakes, service changes, regional degradations and customer-specific exceptions can be handled without turning into broad outages.
The line between product ownership and customer ownership should be explicit in every deployment. Zscaler can provide the policy engine, enforcement points, client connector, cloud service edges, app connectors, logs, dashboards and integrations. The customer owns the policy intent: who should reach which app, from which device state, under what data conditions, with what fallback if a rule is wrong. A company that cannot define that intent should not expect a gateway vendor to infer it correctly.
Identity And Device Posture Are Inputs, Not Magic
Zscaler's zero trust approach begins with identity and context. Its platform page says identity verification relies on integrations with third-party identity providers, and it lists device posture, destination, content and threat intelligence among the risk factors used for access decisions (Zero Trust Exchange approach). That is the right shape for modern access control, but it puts heavy weight on data quality.
Identity is often messy. Groups are copied from old file-share permissions. Contractor accounts live longer than the contract. Emergency access is granted and never removed. Mergers create overlapping directories. Business units define roles differently. A clean Zscaler policy can still enforce dirty identity data. If a user's group membership is too broad, the policy can grant too much. If a user's group membership is stale or the SAML assertion is missing a needed attribute, the policy can block legitimate work. The enforcement layer is only as correct as the identity model feeding it.
Device posture has the same problem. Zscaler Help content describes device posture profiles as criteria evaluated on users' devices and says Client Connector evaluates posture profiles on a recurring basis, with new connections established based on updated postures (Zscaler device posture profile documentation). That cadence is useful, but it creates edge cases. A device may be compliant at the beginning of a session and noncompliant later. A posture signal may fail because the endpoint agent is unhealthy rather than because the device is risky. A strict rule can lock out a user during an OS update or EDR fault. A loose rule can let unmanaged or degraded devices keep reaching sensitive services.
The operating test is not whether the posture feature exists. It is whether the organization has a clear taxonomy of posture states and a non-punitive path for recovery. "Block all noncompliant devices" is simple only on slides. In production, security teams need graded responses: warn, isolate, require step-up authentication, restrict to browser access, deny high-risk apps, allow low-risk SaaS, open a remediation ticket, or grant a time-limited exception. If every posture mismatch becomes a hard denial, the system will generate pressure for bypasses. If every exception is manual and permanent, the system will decay.
This is where the company's core automation task becomes difficult. Zscaler can replace broad network trust with identity-, device- and app-aware access decisions. But the rightness of those decisions depends on customer-controlled identity lifecycle, endpoint hygiene, data classification and application ownership. A disciplined buyer should therefore test failure states before migration, not after. Remove a user's group. Break posture. Deactivate an identity provider test account. Expire a certificate. Change an app segment.
Watch what the user sees, what the help desk sees, what the security team sees and what rollback actually takes.
Private Access Reduces Blast Radius But Adds Connector Discipline
ZPA's pitch is strong because it attacks a real VPN weakness. The product page says ZPA brokers one-to-one connections between authorized users and specific apps, so users do not receive access to the corporate network and private apps are not exposed to the public internet (Zscaler Private Access). That design can reduce lateral movement and internet-facing attack surface. It also changes what must be operated.
Private access now depends on application segments, server groups, access policies, client forwarding behavior, app connectors and service edges. Independent integration documentation reinforces that operating surface: Axonius describes a ZPA adapter that reads app connectors, private service edges, applications, access policies, global policies and group data through ZPA APIs (Axonius ZPA adapter). That architecture avoids broad inbound exposure, but it makes connector availability, placement and inventory accuracy critical.
The customer still owns the app. If the database is slow, ZPA does not make it fast. If DNS inside the data center is inconsistent, ZPA can expose the inconsistency. If an application expects source IP trust, hardcoded legacy routes or broad subnet access, ZPA forces a redesign. If an application owner cannot say which ports, hostnames and user groups are legitimate, a ZPA policy either becomes overbroad or breaks work.
ZPA also requires operational redundancy. Connectors need outbound reachability, privileges, software maintenance and monitoring. Zscaler's public Private Access allowlist at config.zscaler.com exposes the practical shape of this dependency: connectors, private service edges and Client Connector need outbound TCP/UDP 443 access to Zscaler domains and published IP ranges (ZPA firewall allowlist). That is not exotic, but it is still infrastructure. Firewalls, proxies, routing, cloud security groups and regional egress controls can all break it.
A buyer should ask three connector questions before moving a sensitive app. First, can one connector fail without user-visible interruption? Second, can the organization prove which users and apps are affected when a connector group is unhealthy? Third, can app owners and network teams distinguish a ZPA failure from an application, DNS, certificate, identity or ISP failure within minutes? If the answer is no, replacing VPN may improve security while shifting outage diagnosis into a less familiar layer.
Private access also changes rollback. With a VPN, rollback might mean restoring a route, firewall rule or concentrator policy. With ZPA, rollback may mean changing an access policy, segment definition, connector group, forwarding profile or identity group. That can be better because it is narrower. It can also be harder if only a small team understands the ZPA policy graph. The best deployments treat rollback as a designed workflow, not a heroic admin action.
TLS Inspection Is Security Value And Compatibility Risk
ZIA's value proposition depends heavily on inspecting traffic that older perimeter appliances may miss. The ZIA product page says a cloud-native secure web gateway should inspect TLS/SSL-encrypted traffic and secure users without backhauling through legacy hardware (Zscaler Internet Access). Zscaler's SSL inspection leading-practices documentation recommends granular exemptions only as necessary and a default inspect posture for remaining traffic (ZIA SSL inspection leading practices).
That is a legitimate security argument. Malware delivery, phishing, command-and-control and data exfiltration often ride inside encrypted sessions. A security platform that cannot see enough traffic cannot enforce enough policy. But TLS inspection is not just a switch. It requires certificate deployment, browser and application trust, privacy boundaries, legal review, exception handling, performance testing and careful segmentation of traffic that should not be inspected.
The obvious failure mode is broken applications. Some software uses certificate pinning or unusual TLS behavior. Some financial, healthcare or personal services may be exempted for privacy or compliance reasons. Some developer tools, mobile apps or thick clients can behave differently from browsers. A policy that maximizes inspection can generate help-desk noise; a policy that exempts too much traffic can create blind spots. The economics of ZIA therefore depend on the organization's ability to maintain a living exemption register. Every exemption should have an owner, rationale, expiry date and compensating control.
TLS inspection also changes trust relationships. The enterprise root certificate becomes part of the security architecture. If the certificate is not deployed correctly, users see errors. If unmanaged or BYOD devices cannot receive the certificate, the organization needs a separate browser isolation, limited access or agentless plan. If a region or device class has partial certificate coverage, policy consistency falls apart. This is not a reason to reject TLS inspection. It is a reason to treat it as infrastructure, not a feature checkbox.
Zscaler's browser isolation and cloud browser products are partly a response to these edge cases. The browser isolation page says it integrates with ZPA, ZIA and inline data protection, and supports secure file-based productivity in isolated sessions (Zscaler Browser Isolation). Isolation can reduce risk for unmanaged devices or risky sites, but it has its own user-experience boundary. If isolation makes ordinary work awkward, users will seek unmonitored paths. If it is used only for high-risk workflows, policy must correctly identify those workflows.
The procurement test should include both positive and negative cases. Can ZIA block a known test category without blocking approved business sites? Can it inspect traffic from managed browsers without breaking critical SaaS? Can it exempt a certificate-pinned application without opening an entire user group? Can data loss policy detect a realistic sensitive record while avoiding common false positives? Can a support analyst see whether the block came from URL filtering, cloud app control, DLP, malware protection, TLS failure or another layer? These are mundane tests, but mundane tests are where a zero trust architecture earns its name.
Data Protection Is A Policy Quality Problem
Zscaler's data protection story spans inline DLP, CASB, endpoint controls and browser isolation. The DLP product page says the company aims to secure data across internet, email, endpoint, IaaS, private apps and risk posture in one platform (Zscaler Data Loss Prevention). The CASB page describes inline real-time controls and out-of-band API integrations for SaaS and cloud data at rest (Zscaler CASB). The private access page also places web DLP, endpoint DLP and browser isolation inside the ZPA product story (Zscaler Private Access data security).
The advantage is obvious: one policy system can see more channels than point tools. The risk is also obvious: data protection rules can be noisy, culturally sensitive and politically hard. A blocked file upload may be a successful leak prevention event. It may also be a salesperson trying to send an approved contract, a developer pushing logs without customer data, a lawyer using a sanctioned data room, or a user whose document matches a generic pattern. The system's value depends on how well the organization can separate those cases.
Zscaler's glossary for Exact Data Match says EDM looks for specific data values rather than general patterns, with the goal of improving accuracy and reducing false positives (Zscaler Exact Data Match). That is a useful technique, but it introduces data preparation work. Someone must choose the indexed data, protect it, refresh it, validate it and ensure it represents the regulated records that matter. Bad reference data creates bad enforcement.
Out-of-band CASB scanning has a different lag. API scanning can find risky file shares and data at rest after the fact. Inline controls can stop movement in real time. Both are useful, but they answer different questions. A buyer should not collapse them into a single "data protection" claim. Inline inspection is a traffic control. API scanning is a discovery and remediation control. Endpoint DLP is a device control. Browser isolation is an interaction control. Each has different blind spots, different evidence and different rollback paths.
The commercial promise is simplification: fewer point tools, fewer inconsistent policies and fewer blind channels. The operational price is centralization. A broad Zscaler DLP policy can affect web, SaaS, private app and endpoint behavior at once. That is powerful only if rule change is governed carefully. The best signal of maturity is not how many DLP rules exist. It is how many rules have owners, examples, approved exceptions, severity levels, measured false-positive rates and a documented business process for appeal.
Experience Monitoring Is A Tripwire, Not A Verdict
ZDX is important because zero trust can make the old network mental model less useful. If a user cannot reach a SaaS app, the cause may be device health, local Wi-Fi, ISP routing, DNS, identity, Zscaler policy, Zscaler service status, SaaS status, private app connector state, browser isolation or endpoint security software. ZDX is meant to give IT teams end-to-end visibility from devices across networks to applications, combining telemetry from device health, network path, synthetic and real user journeys (Zscaler Digital Experience).
That is valuable, but monitoring should not be mistaken for causality. A high user experience score does not prove that policy is correct. A poor score does not prove that Zscaler is the cause. ZDX can narrow the search space, but the organization still needs cross-team incident habits. Network teams, endpoint teams, identity teams, security teams and app owners must agree on what evidence decides a handoff.
Zscaler's public Trust surface illustrates why the distinction matters. The Trust site exposes separate clouds and products, including zscaler.net for ZIA, private.zscaler.com for ZPA and zdxcloud.net for ZDX through its public cloud catalog (Zscaler Trust global catalog). Its public status endpoint for zdxcloud.net showed a Call Quality Monitoring issue in early July 2026 while still stating that customers could access the ZDX portal. That is a narrow degradation, not a global outage. The lesson is that service status is component-specific. A monitoring feature can degrade while enforcement remains available; a customer app can fail while Zscaler status is green; a ZIA API incident can affect admin automation without stopping all user traffic.
This component view is exactly how buyers should think. A zero trust platform is a set of control planes, data planes, connectors, agents, policy stores, logs and user-facing services. They fail differently. A mature incident process does not ask, "Is Zscaler down?" It asks, "Which function, in which cloud, for which cohort, through which path, with which policy, changed at what time?" That question is slower to ask but faster to resolve.
The same is true for service desks. Users experience Zscaler as access allowed, access denied, app slow, browser isolated, file blocked or certificate error. They do not experience product names. Good deployment therefore includes user-facing reason messages, help-desk runbooks, policy-owner routing and escalation paths. If the help desk can only say "security blocked it," users will bypass the system whenever they can.
Logs And SIEM Integrations Decide Whether The Control Is Auditable
Zscaler's enforcement model produces value only if the resulting evidence is usable. The Help Portal describes Nanolog Streaming Service as a way to stream Zscaler Nanolog data to a customer's SIEM (Zscaler Nanolog Streaming Service). Google Security Operations documentation describes ingesting Zscaler NSS feeds for alert logs and notes that NSS can deliver web, firewall and DLP events through Cloud NSS or an NSS VM (Google SecOps Zscaler NSS feeds). IBM QRadar, Panther, Cribl and Axonius all publish Zscaler integration documentation or adapter guidance, which is a useful market signal that customers expect to operationalize Zscaler data outside the Zscaler portal.
The important word is "operationalize." A log feed is not automatically an investigation. Teams must preserve fields, normalize identities, map policy names, retain enough history, handle feed outages, correlate endpoint and identity events, and decide which alerts are worth waking someone. A Zscaler block without context may be noisy. A Zscaler allow event without identity quality may be weak. A DLP event without document ownership may be hard to adjudicate.
Integrator documentation also reveals the work. Google SecOps lists prerequisites such as privileged access to the ZIA admin portal, a configured NSS server or Cloud NSS feed, network connectivity and agent configuration. Axonius documentation for ZPA describes fetching application segments, access policies, global policies, app connectors, private service edges and group data through APIs, with OAuth client credentials and required permissions (Axonius ZPA adapter). That is useful, but it is not automatic. Someone must provision credentials, rotate them, scope permissions and monitor collection health.
Auditability should be part of the purchase case. If a risky session is blocked, can the security team prove which rule blocked it and why? If a legitimate session is blocked, can operations prove whether the rule, group, posture, connector, data classifier or service status caused the problem? If a private app was exposed outside ZPA because it was never segmented, can asset owners detect that gap? If logs are delayed, can incident response trust the timeline?
The logging question also affects rollback. A rollback without evidence is just a panic change. A good rollback changes the smallest policy component needed, records why, keeps the exception temporary and preserves the investigation trail. Zscaler can provide the policy surface and logs, but customers must design the evidence discipline.
Service Status Is A Dependency Surface
Public Zscaler Trust pages are valuable because they force a realistic view of the platform. Zscaler says its Trust site provides transparency around service availability and changes (Zscaler Trust). The public cloud catalog lists multiple commercial clouds and product domains, including ZIA clouds such as zscaler.net and ZPA, ZDX and other acquired or adjacent services. That separation matters. A single customer may depend on more than one cloud domain and more than one product plane.
The configuration site adds another angle. The public api.config.zscaler.com endpoint for zscaler.net returns machine-readable cloud enforcement node ranges with cities, IP ranges, hostnames, VPN and GRE fields in some records (Zscaler CENR JSON). The ZPA allowlist endpoint returns domains, ports, sources and IP ranges for connectors, private service edges and Client Connector (ZPA allowlist JSON). This is useful transparency, but it also shows how many external routing and allowlist details can enter a deployment.
Cloud service dependency is not unique to Zscaler. Every cloud security provider asks the customer to trust an external control plane and data plane. Zscaler's case is sharper because the product can sit directly in the path of everyday work. If the platform misclassifies traffic, if a region degrades, if an admin API fails, if a connector loses egress, if a certificate deployment breaks, if an ISP path to a service edge is poor, users feel it immediately.
The right response is not to avoid cloud security. It is to define blast radius. A mature customer knows which users use which Zscaler cloud, which critical apps require ZPA, which SaaS apps route through ZIA, which workflows rely on browser isolation, which policy changes affect executives, call centers or production operations, and which bypasses are approved for continuity. The wrong response is to design one global policy, enforce it everywhere and discover the edge cases during a business incident.
Status evidence should also be read carefully. Public pages often provide high-level signals, while detailed customer-specific status may live in the support portal. A public green status does not prove that a tenant-specific policy, connector group, user route or local ISP path is healthy. A public incident does not prove that every customer is affected. The operational discipline is to combine public status, tenant diagnostics, ZDX, logs, endpoint health and application telemetry into a single incident timeline.
The Economics Are About Work Displaced, Not Acronyms Purchased
Zscaler's commercial momentum is real. The company reported strong Q3 fiscal 2026 results, with quarterly revenue of $850.5 million, ARR of $3.525 billion and 25 percent year-over-year revenue and ARR growth (Q3 fiscal 2026 results). It also reported high gross margin metrics and large-customer growth on its investor page. Those numbers show willingness to pay and broad enterprise adoption. They do not prove a customer's return on investment.
The ROI question is specific. Zscaler can displace or reduce VPN concentrators, secure web gateway appliances, firewall backhaul, proxy stacks, remote browser isolation point tools, CASB point tools, DLP point tools, some monitoring tools and some network-security operations. It can also reduce breach exposure by hiding private apps, narrowing access, inspecting traffic and stopping data movement. Those benefits are valuable if they actually retire work.
The new cost stack is just as real. Customers must design access policies, migrate users, deploy Client Connector, manage certificates, maintain app connectors, classify data, tune DLP, build exceptions, integrate logs, train help desks, update identity groups, run incident playbooks, negotiate privacy review and maintain vendor-specific expertise. Some of that work replaces old work. Some adds work because the organization now has finer controls and therefore more decisions.
Pricing pages and data sheets show that Zscaler is packaged into platform bundles and add-ons rather than a single flat product (Zscaler pricing and plans). That is normal for enterprise security, but it makes line-item comparison weak. A buyer should compare operating models, not only subscription SKUs. A cheap VPN is expensive if it preserves lateral movement and complex firewall exceptions. A premium zero trust platform is expensive if the organization still keeps the old VPN, old proxy, old DLP and old CASB because migration never finishes.
Vendor dependence is part of the economic model. Once Zscaler sits in the access path, switching costs include policy translation, agent replacement, certificate changes, connector migration, logs, training, support relationships and user muscle memory. Open standards and broad integrations reduce some of that burden, but they do not erase it. The question is whether the dependency buys enough simplification and risk reduction to justify the loss of optionality.
The best procurement evidence comes from the buyer's own environment. Before full migration, measure current VPN incidents, firewall change volume, proxy exceptions, SaaS data events, help-desk tickets, endpoint posture coverage, identity group quality, remote-work latency and incident response timelines. Then run a Zscaler pilot against those denominators. If the pilot cannot show which old work disappears, it may only show that a new product can be configured.
Regulatory And Government Signals Are Useful, But Narrow
Zscaler has public evidence of regulated-market acceptance. The FedRAMP Marketplace lists "Zscaler Internet Access - Government (Secure Web Gateway - vTIC)" as FedRAMP Certified, Class C Moderate, with an as-of date of December 14, 2018 and multiple authorizations and reuses (FedRAMP Marketplace). That is meaningful. It shows that a government-oriented ZIA offering has passed a federal authorization process. It does not mean every Zscaler product, commercial tenant, customer policy or deployment pattern inherits the same assurance.
This distinction matters for regulated buyers. A FedRAMP listing is not a substitute for architecture review. A bank, hospital, government contractor or telecom operator still needs to know where logs go, which data is inspected, how certificates are handled, whether privileged access is in scope, which tenant and cloud are used, what service commitments apply, how incident notification works and whether local data residency or sovereign requirements change the deployment.
Zscaler's 10-K risk disclosures also remind investors that security and cloud-service companies face intense competition, renewal dependence, service disruption risk and the need to maintain trust (Zscaler fiscal 2025 Form 10-K). Those are standard public-company disclosures, not unique warnings. They are still useful because they frame the buyer's dependence in financial terms. A platform whose value depends on customer renewal, brand trust and service reliability must keep both product capability and operational credibility.
Independent analyst signals should be bounded in the same way. Zscaler announced that Gartner placed it as a Leader in the 2025 Magic Quadrant for Security Service Edge, and the company separately points to customer-review recognition in the SSE market (Zscaler Gartner SSE announcement). This is useful market validation, but it should not become outcome evidence for a specific enterprise. Analyst recognition does not answer whether a given company has clean identity data, resilient connectors, useful logs or a reversible policy process.
The regulatory and market story should therefore be read as "credible enough to evaluate seriously," not "safe enough to skip diligence." The diligence burden remains local.
How Buyers Should Test Bad Blocks, Missed Exposure And Recovery
A serious Zscaler evaluation should begin with failure, not features. Feature demonstrations naturally show the platform under controlled conditions. Enterprises need to know what happens when policy and reality diverge.
The first test is a bad block. Create a legitimate user, legitimate device and legitimate app. Then introduce one policy error at a time: remove a group, change a posture rule, over-tighten a DLP rule, misclassify a URL, alter a client forwarding profile or narrow an application segment. The pass condition is not merely that the block occurs. The pass condition is that the user receives a useful message, the help desk can identify the rule, the policy owner can validate the intent, and rollback can be scoped to the affected group without weakening the whole environment.
The second test is missed exposure. Pick an application that should be reachable only through ZPA. Verify whether any direct route, legacy VPN, firewall exception, public DNS record or cloud security group still exposes it. ZPA can hide applications that are placed behind it. It cannot automatically erase every older path. The migration is incomplete if users can bypass the zero trust path and still reach the app.
The third test is continuity. Disable one app connector in a lab group. Break outbound 443 from a test connector. Simulate an identity provider issue for a pilot cohort. Expire a test certificate. Route a group through a different forwarding profile. The pass condition is controlled degradation: the affected cohort is known, monitoring fires, logs explain the path, and a documented alternative exists for critical work.
The fourth test is observability. Send ZIA, ZPA and DLP events into the SIEM. Confirm that fields survive normalization: user, device, app, rule, action, location, connector, cloud, category, reason, timestamp and policy owner. Then ask an analyst to reconstruct a block without portal screenshots. If the evidence cannot be used outside the vendor console, incident response will be slower than the architecture suggests.
The fifth test is cost displacement. During the pilot, count which VPN groups can be retired, which firewall rules can be removed, which proxy exceptions disappear, which DLP tool overlaps are reduced and which help-desk tickets move. If old infrastructure remains because exceptions are too hard, Zscaler becomes another layer rather than a replacement. That may still be justified for security reasons, but it should not be sold as simplification.
The Decision
Zscaler is strongest when it is evaluated as a policy operating system for access, not as a magic replacement for network security. Its architecture is credible: use a cloud exchange, inspect traffic, broker private access, hide applications, enforce per-session policy, collect logs and monitor experience. Its commercial scale is substantial. Its public configuration and Trust surfaces show a mature service footprint. Its integrations show that enterprises can connect it to broader security operations.
The doubts are also substantial. Zero trust does not eliminate misconfiguration. It raises the importance of accurate identity, device posture, application inventory and data classification. Zscaler does not own the customer's SaaS apps, private applications, endpoint hygiene, identity governance, local networks, ISP paths, app connector placement or help-desk behavior. A buyer that ignores those dependencies can create a centralized control plane that is hard to diagnose and politically hard to change.
The company should therefore be judged by the reversibility of its controls. Can bad decisions be detected? Can policy be narrowed rather than globally bypassed? Can users keep working during regional or component degradation? Can logs support investigation without guesswork? Can DLP and TLS inspection be tuned without hollowing out the control? Can old network-security work actually be retired?
If the answer is yes, Zscaler can reduce attack surface, simplify access and make cloud-first work more governable. If the answer is no, the enterprise may still buy a powerful platform, but it will have moved trust from the network into a policy machine it does not fully understand. The difference between those outcomes is not the number of protected users. It is the organization's ability to make, observe and reverse access decisions during an ordinary workday.

