Security Posture & Intelligence

Score, Compare, Prove Progress


The Posture Tax

For most Zscaler admins, “are we in good shape?” is the hardest question to answer. Smart Analysis surfaces hundreds of findings. Pending Changes shows what has been touched. Reports show what is configured. None of them give you a single answer.

CISOs and security leaders ask, “show me a number.” They want a metric they can take to the board, watch over a quarter, and report against. Until recently, that number did not exist.

Security Posture & Intelligence is the category that quantifies your Zscaler configuration and Client Connector deployment into measurable, trackable scores, and gives you the tools to compare across profiles, platforms, and time.

A measurable security posture is the metric most Zscaler programs were missing. Now it ships, on day one.

From Findings to a Score

Two surfaces, one outcome

ZHERO covers posture across all three dimensions of a Zscaler estate.

Security Posture Dashboard

Limited Availability across ZIA and ZPA

Universal across ZIA and ZPA configuration. The score you take to leadership: a single number and a sunburst that tells you where the work is needed most.

ZCC Fleet Health

On Experience Center

A holistic view of how your Zscaler Client Connector deployment scores, profile by profile, device by device. 4-vertical scoring, A to E fleet grade, virtualized drill-down into your enrolled device fleet.

Without ZHERO vs With ZHERO

When leadership asks “how secure is our Zscaler configuration?”

Without ZHERO

  • The admin compiles a manual report, pulls findings from the console, exports to Excel, builds a deck. Hours of work.
  • The deck shows symptoms, not a score. Comparison over time is impossible because each report is its own snapshot.
  • ZCC profile drift goes unnoticed: no console view shows which app profiles are missing zTunnel 2.0, which PAC files have legacy macros, which enrolled devices are stuck on old client versions.
  • Audits become archaeology, not telemetry.

With ZHERO

  • Security Posture Dashboard shows a single number, the trend, and the contributors.
  • ZCC Fleet Health shows the heatmap of every check across every app profile, sortable, drillable, exportable. Comparison between two profiles is a single click. Raw JSON diff is a single click. Drilling into your enrolled device fleet is instant.
  • The board gets a chart, not a story.
  • Audits become “open the dashboard, take the screenshot, attach to the report.”

Security Posture Dashboard: Capabilities

Limited Availability on ZIA + ZPA tenants. The universal posture score across both products.

Logarithmic Score Across ZIA and ZPA

A single metric, both products

  • Aggregates hundreds of Smart Analysis findings into one score
  • Logarithmic decay penalty model: sustained improvement beats short bursts
  • 2-decimal precision for granular tracking
  • Score applies to both ZIA and ZPA configuration in one number

Zoomable Sunburst

From the score back to the contributors

  • Category-level breakdown of what is driving the score
  • Click a slice to drill into the underlying findings
  • Visual proof of where the work is needed most

Findings Explorer

Drill from the score to the rule

  • See every finding contributing to the score
  • Filter by severity, category, entity type
  • One click to the entity, one click to the staged remediation

ZCC Fleet Health: Capabilities

On Experience Center, with the zhero-for-one feature flag.

4-Vertical Scoring

Each ZCC app profile scored 0 to 100

  • Security: machine token enforcement, SSL pinning, App Bypass scope, fail-open behavior, Loopback Restriction
  • Resilience: tunnel mode (zTunnel 1.0 vs 2.0), Redirect Web Traffic, LWF driver, recovery behavior
  • Deployment Quality: client version distribution, OS coverage, machine token nonce validity
  • Service Health: device state distribution, failed registrations, stale device detection

Composite fleet score with A to E grade so you can sort and remediate worst-first.

Executive Summary

At-a-glance fleet KPIs

  • Composite score and grade
  • Worst-offender profiles
  • Headline counters: devices, profiles, PAC files, machine tokens

One screen, one CISO answer.

Fleet Telemetry

Distribution charts

  • Client versions across the fleet
  • Tunnel modes (zTunnel 1.0 vs 2.0 split)
  • Device states (active, stale, failed)
  • OS breakdown

Profile Analysis Tables

Full-fidelity tables with ZCC enrichment

  • App Profiles, Forwarding Profiles, PAC Files
  • Device reach per profile
  • Security flags, tunnel modes, machine token status
  • Search and column customization built in

Profile & PAC Compare (3 modes)

High-Level, Side-by-Side, Raw JSON

  • High-Level Compare: interactive heatmap of security checks across profiles, broken down by platform
  • Compare App Profiles: side-by-side pivot of 2 or more profiles, sticky header, copy-to-clipboard, raw JSON diff (unified or inline) with a “Download both as JSON” option
  • Compare PAC: same pivot mechanics for PAC files, with built-in pattern recognition (subcloud-aware, static gateway, broad bypass, O365 bypass, legacy macro, single proxy)

Device Drill-Down

Drill into your enrolled device fleet

  • 9 drill-down kinds (by profile, OS, version, state, and more)
  • Virtualized list, instant filter
  • Column presets persisted locally
  • Dedicated ZCC Telemetry tab on the device drawer

Admin Check Overrides

For tenant-specific exceptions

  • Override any check verdict per tenant
  • Per-entry validation
  • Audit metadata (who changed what and when)
  • Dismiss-confirm guard on unsaved changes

Real-World Scenarios

Pre-Migration Audit

An organization is planning a zTunnel 2.0 rollout to its enrolled device fleet.

  • Open ZCC Fleet Health and switch to Compare App Profiles.
  • Pivot the app profiles against the zTunnel 2.0 readiness checks: the heatmap reveals profiles still on the minimum client version and profiles missing Redirect Web Traffic.
  • Filter the device drill-down to the affected profiles and export the device list.
  • Hand the list to the endpoint team.

Outcome: Weeks of manual cross-referencing become a 20-minute audit.

M&A Configuration Review

After acquiring a smaller company, the security team needs to compare the acquired ZCC configuration with their own before merging tenants.

  • Open Compare App Profiles and select profiles from each tenant.
  • Read the heatmap of all security checks side by side.
  • Open the raw JSON diff to expose configuration drift on machine token enforcement, App Bypass scope, and forwarding behavior.

Outcome: The merge plan emerges directly from the comparison, with no spreadsheet archaeology.

Quarterly Compliance Audit

The CISO needs to demonstrate that all production app profiles have specific security checks enabled (Disable Loopback Restriction, machine token nonce validation, fail-open behavior).

  • Open the High-Level Compare heatmap.
  • Filter the columns to those 3 checks.
  • Sort the profiles by composite score and export the matrix to PDF.

Outcome: Audit evidence in 5 minutes, not days.

Quarterly Posture Report for Leadership

A CISO needs material for the quarterly board update on Zscaler configuration health.

  • Open the Security Posture Dashboard for the current composite score.
  • Use the zoomable sunburst to point to the categories driving the score.
  • Open the Findings Explorer to enumerate the top contributors and the staged remediations.
  • Screenshot the dashboard and attach to the board deck.

Outcome: The board gets a single number and a clear path forward, in one screen.

Why It Matters

For the CISO

A board-readable metric you can take to leadership. Continuous tracking, not one-off audits. Proof of progress over time.

For the Security Operations Lead

Worst-offender list every week. Fleet-wide visibility on ZCC. Drill from the score to the entity to the staged fix in three clicks.

For the Zscaler Admin

The first time the question “is my ZCC deployment OK?” has an answer. The heatmap, the comparison, the device drill-down: tools that previously required Python scripts and weeks of manual analysis, now built into the console.

For Audit and Compliance

Tenant-isolated trail. Comparison and diff give M&A and migration audits a deterministic, repeatable output, exportable to Excel.

Ready to put a number on your Zscaler posture?
