Your Zscaler tenant now has a score your board can read
ZHERO scores your Zscaler tenant like a board report: ZIA, ZPA and ZCC each get their own score, and every point is explained by a specific finding.
Since v3, ZHERO gives every Zscaler tenant a posture score that reads like a board report: ZIA, ZPA and ZCC scored separately, one global grade for the tenant, and every single point explained by a specific finding you can act on. No black box, and no more guessing where you stand.
Most teams cannot answer “how safe is our Zscaler?”#
After years of assessments on production Zscaler tenants, the pattern is consistent: most teams are not aware of how weak their configuration actually is. Not because they are careless, but because the platform is huge, the console does not volunteer this information, and some of the checks that matter most are rare, tedious and easy to get wrong by hand.
The result is a quiet gap between perceived and actual posture. The deployment works, traffic flows, tickets get closed. Meanwhile the configuration accumulates weaknesses that nobody is measuring, so nobody is fixing them. These are the ones we find over and over during a first assessment:
- No resilience on the ZPA side. App Connectors without redundancy, single points of failure that only surface the day something goes down.
- SSL inspection coverage far lower than anyone assumed. The policy exists, but exceptions and scoping quietly exclude most of the traffic that should be decrypted.
- Client Connector profiles nobody designed for resilience or security. App profiles and forwarding profiles set up to “make it work” quietly leave part of the traffic outside inspection, DNS traffic being the classic example, and open blind spots, up to users who can disable the client on their own without the company ever noticing.
- Fundamental best practices missing. Blocking QUIC so traffic does not bypass inspection is a classic: well documented, quick to check, and absent surprisingly often.
- Obsolete configurations and outdated clients still deployed across the fleet, carrying behaviors and vulnerabilities that current versions fixed long ago.
None of these shows up as an incident until it does. That is the hidden cost: you pay it later, at the worst possible moment, or you pay it every day in risk you cannot see.
What “bad” actually looks like#
This is a real production tenant, a real customer, assessed with ZHERO:

44.53/100, Grade F. 495 active findings, 149 of them critical, on a tenant that was considered fine by everyone using it.
The team running this tenant is not incompetent. They simply had no instrument telling them where they stood. The finding wall below is what the score is made of: every tile is a check that failed somewhere in the configuration, sized by how many entities it affects and colored by severity.

Zombie App Connectors that are enabled but disconnected. SSL inspection policies still allowing legacy TLS versions. Catch-all policies hiding overly broad access. Application segments at risk. Each of these is a concrete, named issue on a concrete entity, and each one explains a precise share of the missing score points.
Why one number would lie to you#
A single “security score” for a Zscaler deployment sounds appealing, and at board level a global number is genuinely useful. But if that is all you have, the number lies by averaging. In the tenant above, ZIA sits at 65.63 while ZPA is at 36.74: one product is mediocre, the other is in serious trouble, and a blended score would tell you neither.
That is why ZHERO’s Security Posture dashboard scores the layers separately:
- ZIA and ZPA are different products with different policies, different failure modes and usually different owners. Each gets its own score.
- Zscaler Client Connector is configuration shared by both, deployed on every endpoint, so it gets a dedicated score instead of disappearing into either product.
- The global score sits on top, for the one conversation where a single number is the right level of abstraction: reporting upward.
You get the executive number and the operational truth behind it, without one pretending to be the other.
From a number to a plan#
A score you cannot explain is a liability in front of a board, and an insult in front of an engineer. So the scoring engine is transparent by construction: every point lost maps to a finding, every finding names the affected entities and proposes the change that recovers those points. The score history tracks how the number moves and attributes every change, so “why did we drop three points last Tuesday” has an answer.
This is the loop v3 is built around, from findings to fixes: read the score, open the findings that drag it down, turn them into shared to-do items your team tracks next to the entities themselves, and watch the recovered points show up in the trend. On the ZPA side, v3 also brings an infrastructure view that exposes connector health and single points of failure, the exact class of problem that never gets checked by hand.
The board conversation changes#
“How safe is our Zscaler?” used to get one of two answers: an honest “hard to say” or a confident number nobody could defend. A posture score with per-finding attribution and history gives you a third option: a grade that survives scrutiny, a trend that shows the work, and a drill-down for anyone who asks why.
The tenant above started at Grade F. The uncomfortable part is not the F: it is that before the assessment, nobody knew. If you run Zscaler and cannot put a number on your posture today, that is exactly the conversation we should have. Bring your tenant, and we will read your score together.
Frequently asked questions
How is the ZHERO posture score calculated?
ZHERO runs your configuration through a transparent scoring engine built on assessment templates. Each finding carries a defined impact on the score, so every point lost is attributable to a specific issue on a specific entity. There is no black box: you can always trace the number back to its causes.
Why are ZIA, ZPA and ZCC scored separately?
Because they are different layers of your deployment. ZIA and ZPA are two different products, each deserving its own score, while Zscaler Client Connector is configuration shared by both, so it gets a score of its own. A global tenant score sits on top for high-level, board-facing reporting.
Does ZHERO send my configuration anywhere?
No. ZHERO is a browser extension that reads your Zscaler configuration locally, on your machine, using your existing admin session. The assessment runs on-device and your configuration data never leaves your computer. The only thing that does is the score history: how the scores moved and which entities and users caused each change, with no configuration data attached.
How long does it take to see my first score?
Minutes. Once the extension is connected to your tenant, ZHERO evaluates the configuration against its full template library and produces the scores immediately. The score history then builds day by day, so trends and attribution get richer the longer it runs.