NewSecurity Posture is GA: a score your board can readRead the post
Feature · Security Posture

Security Posture Score, compare, and prove your Zscaler posture is improving.

For most Zscaler teams, "are we in good shape?" is the hardest question to answer. Security Posture & Intelligence turns hundreds of configuration findings into trackable scores: one dashboard for ZIA and ZPA configuration, one for your Client Connector fleet. A number your team can improve, and your board can read with confidence.

ZHERO posture scores for a real Zscaler tenant: four ring gauges showing Global 44.53 out of 100 (Grade F), ZIA 65.63, ZPA 36.74 and ZCC 42.50, over 495 active findings

One posture score across ZIA, ZPA and ZCC, built from 1000+ checks.

Why it matters

Two surfaces, one outcome

Feature
Security Posture Dashboard
Benefit
A single score across your ZIA and ZPA configuration, with a zoomable sunburst showing exactly what drives it
Outcome
One number for leadership, tracked over weeks, months and quarters, instead of one-off audit decks
Feature
Score trend with delta annotations
Benefit
Every score shift is annotated with the change that caused it, and the history lives in the audit log
Outcome
The board gets a chart with a clear trajectory, not a story reconstructed from snapshots
Feature
ZCC Fleet Health
Benefit
Every Client Connector app profile scored 0 to 100 across Security, Resilience, Deployment Quality and Service Health, rolled up to an A to E fleet grade
Outcome
The first real answer to "is my ZCC deployment OK?", sorted worst-first so your team knows where to act
Feature
Profile & PAC comparison
Benefit
Interactive heatmap of security checks across profiles, side-by-side pivots, raw JSON diff, and PAC pattern recognition
Outcome
Migration readiness, M&A reviews and compliance checks become minutes of comparison, not weeks of spreadsheets
Feature
Device drill-down at scale
Benefit
Drill from any profile or check into the affected devices, with 9 drill-down views that scale to 50,000+ devices
Outcome
From a fleet-wide grade to the exact device list your endpoint team needs, in a few clicks

Security Posture & Intelligence removes the posture tax: instead of reconstructing “are we in good shape?” from hundreds of findings and manual reports, your team tracks one measurable score for ZIA and ZPA configuration and an A to E grade for the Client Connector fleet. The result is confidence you can show, not just claim: a metric the board can read, with the audit trail to back it.

ZCC Fleet Health

Score and remediate your Client Connector fleet

App Profile, Forwarding Profile and PAC file define how every device connects, and each lives on a different console screen you can't even keep open side by side. ZCC Fleet Health scores every profile combination against best practice and reports two numbers: Equal weight, the quality of your profiles in the abstract, and Weighted by devices, the posture your users are actually exposed to.

  • Fleet telemetry surfaces the blind spots: devices with ZIA, ZPA or ZDX inactive, ghost devices and registration anomalies.
  • A coverage heatmap ranks every best-practice check across every profile, worst-first, so gaps like missing fail-close or legacy PAC macros show at a glance.
  • A remediation plan orders the fixes by impact, with a Score Recovery Waterfall projecting the grade you reach once they are applied.
ZHERO ZCC Fleet Health executive summary with two gauges, Equal weight and Weighted by devices, each with a four-vertical radar across Security, Resilience, Deployment Quality and Service Health
How it works

From findings to a score in four steps

Step 1

Surface

The Smart Analysis engine runs 1000+ checks across ZIA and ZPA continuously, attaching severity, category and entity metadata to every finding.

Step 2

Quantify

The Security Posture Dashboard aggregates those findings into a single score for both clouds. ZCC Fleet Health does the same for your Client Connector deployment, profile by profile.

Step 3

Improve

When your team fixes a finding, the score moves. Drill from the score to the contributing findings, and from each finding to the entity that needs attention.

Step 4

Prove

Score history is recorded in the audit log with actor and timestamp, exportable to Excel. A one-off audit becomes continuous, quarter-over-quarter evidence.

Without ZHERO vs With ZHERO

Without ZHERO
With ZHERO
Answering "how secure is our configuration?"
No clear method for a complete assessment, then hours compiling scattered findings into a manual deck that shows symptoms, not a score
A single number with its trend and contributors, on one dashboard
Progress over time
Each report is its own snapshot; comparison is impossible
Score history with annotated deltas, logged and exportable
ZCC profile drift
No console view shows which profiles miss zTunnel 2.0 or carry legacy PAC macros
A heatmap of every check across every app profile, sortable and drillable
Comparing profiles or PAC files
Manual exports cross-referenced in spreadsheets
Side-by-side pivot and raw JSON diff in one click
Audit evidence
Archaeology across consoles, exports and old decks
Open the dashboard, export the matrix, attach it to the report
FAQ

Questions, answered

Does my configuration data leave the browser?
No. Posture scoring is 100% client-side: the analysis runs in your browser and your configuration never leaves it. ZCC Fleet Health fetches data via API directly from your Zscaler tenant and aggregates it browser-side. Score history sync is opt-in and stored in ZHERO's tenant-isolated collaboration store.
Is Security Posture & Intelligence fully released?
Yes. ZCC Fleet Health shipped in v2.5.0 for Zscaler Experience Center tenants, and the Security Posture Dashboard is shipped for ZIA and ZPA configuration.
How is the posture score calculated?
The score aggregates Smart Analysis findings across ZIA and ZPA with 2-decimal precision, weighting each by severity, category and impact. The model rewards sustained improvement over short bursts, so the trend reflects real configuration hygiene.
Does it work at enterprise fleet scale?
Yes. The device drill-down is built for fleets of 50,000+ devices, with 9 drill-down views, locally persisted column presets, and one-click comparison across app profiles and PAC files.
What if a check does not apply to my environment?
Admin Check Overrides let you override any check verdict for tenant-specific exceptions. Every override is validated, tenant-isolated, and audited with who changed what and when.

Security Posture in action

Watch a 4-minute demo.

Ready to see Security Posture in your tenant?

Start Your Transformation!

Install in two minutes. No servers, no migration, no training.