CISOs Take Note: Zscaler Outpaces Rivals to Top CyberRatings / NSS Labs SSE Test

In a cybersecurity landscape increasingly dominated by sophisticated, stealthy attacks, organizations are under pressure to adopt robust Security Service Edge (SSE) solutions. For CISOs, it’s crucial to rely on independent, objective testing to make informed decisions to select a SSE vendor. CyberRatings.org ("CyberRatings"), with NSS Labs as its Official Testing Partner, conducts impartial and transparent evaluations of cybersecurity solutions, employing consistent methodologies across all products within a category, and delivers objective and reliable assessments to guide decision-makers.

And the NSS Labs SSE Threat Protection Comparative Test Report published by CyberRatings illuminates the vast performance disparities among SSE vendors, revealing just how critical it is to choose a solution capable of delivering consistent, comprehensive protection. Among a crowded field of seven solutions put to the test, only the Zscaler Zero Trust Exchange^TM platform scored 100% Security Effectiveness, leaving its competitors trailing in critical areas. This blog analyzes Zscaler’s performance, and what lessons CISOs and security practitioners can take from Zscaler’s industry-leading performance.

Uneven SSE Protection Across Vendors

According to the CyberRatings / NSS Labs report, Zscaler is the highest performer, with an overall 100% security efficacy rating in the test. While Zscaler, Versa, Fortinet, and Palo Alto Networks attained a “Recommended” rating, three vendors – Cisco, Cloudflare, and Skyhigh – earned “Caution” ratings due to below-average scores in security efficacy and false positive accuracy. The test lab results underscore a stark reality: security effectiveness among SSE solutions ranged from as low as 2.95% to a perfect 100%. Not all SSE products are equal: even among established brands, performance varied dramatically depending on the threat type. NSS Labs noted that while most vendors managed to handle basic threat scenarios like known malware and exploits, several fell short when confronted with evasion techniques, leaving organizations dangerously exposed.

High Performing Security Capabilities of the Zscaler Zero Trust Exchange

Comprehensive TLS/SSL Inspection at 100% Efficacy

Encryption is both a safeguard and a challenge in cybersecurity: it ensures data confidentiality but complicates the inspection of most traffic. Notably, Let’s Encrypt reported in December 2024 that over 80% of web traffic was HTTPS-encrypted, while Google’s Transparency Report revealed 95% of websites utilized HTTPS. This underscores the necessity of TLS/SSL inspection to counter threats exploiting encrypted channels for infiltration and data theft.

The CyberRatings / NSS Labs Report confirmed the Zscaler Zero Trust Exchange’s ability to inspect and process encrypted traffic at scale without compromising performance, earning a flawless 100% score in the test. By employing a cloud-native, zero trust architecture and operating across over 160+ global edge locations, Zscaler works to deliver seamless performance with minimal network latency.

100% Malware Detection and Blocking

Malware – ranging from traditional threats like viruses and Trojan horses to advanced forms like ransomware and spyware – remains one of the most pervasive and damaging threats. To address this, organizations require sophisticated solutions capable of identifying and neutralizing threats across all malware types.

During NSS Labs testing, the Zscaler Zero Trust Exchange prevented all 6,184 malware samples. Zscaler’s success is attributed to its zero trust architecture, large-scale TLS/SSL inspection, and its continuously evolving suite of malware detection engines tailored to combat the ever-expanding malware landscape.  Its Single-Scan, Multi-Action (SSMA) engine analyzes TLS/SSL packets in a single pass, ensuring efficient and rapid traffic inspection, ensuring there is no adverse impact on user experience.

Complete Exploit Prevention

Exploits targeting vulnerabilities listed in MITRE CVE and NIST NVD databases are a growing cyber risk. These attacks leverage weaknesses in both protocols and applications to breach systems.

In rigorous testing using the NSS Labs exploit repository that included a collection of internal, third-party, in-the-wild, and public exploits, the NSS Labs results show that the Zscaler Zero Trust Exchange blocked all 205 exploit attempts across vulnerabilities ranked critical, high, medium, and low. In order to defend against a full range of exploits, Zscaler employs a comprehensive, defense-in-depth strategy that encompasses large-scale TLS/SSL traffic inspection, Advanced Threat Protection, Intrusion Prevention System (IPS) functionality, and additional cutting-edge security measures to deliver enhanced protection. 

Defense Against Evasion Techniques at 100% Success

Threat actors increasingly rely on evasion tactics to bypass standard security barriers by disguising malicious payloads or exploiting weaknesses in delivery mechanisms. Malware-related evasions, such as packers, compressors, and HTML/HTTP obfuscation, are designed to obscure file-based payloads and evade detection tools reliant on signatures or hashes. Exploit evasions, on the other hand, manipulate real-time traffic delivery using techniques like HTTP chunked encoding, header manipulation, and layered JavaScript obfuscation to slip past defenses like intrusion prevention systems (IPS) and web application firewalls (WAFs). Just one unchecked evasion tactic can open the door for attackers to infiltrate systems undetected, making comprehensive evasion resistance a non-negotiable feature of any robust SSE solution.

In its rigorous evaluation, NSS Labs tested the Zscaler Zero Trust Exchange against 1,154 unique evasion techniques across 37 categories, covering 672 exploit-based attempts and 482 malware scenarios – including multi-layered, complex combinations designed to replicate real-world attack sophistication. 

Remarkably, where some SSE vendors struggled, the NSS Labs results showed that Zscaler successfully blocked 100% of these attempts, including evasions that other solutions often struggle to detect. By effectively neutralizing obfuscation layers and accurately identifying the original attack, Zscaler showcased its ability to combat even the most advanced tactics, delivering next-level protection for enterprises against today’s ever-evolving threat landscape.

False Positive Accuracy at 99.87%

False positives exacerbate “alert fatigue,” which can cause security teams to inadvertently disable critical defenses, leaving systems vulnerable. Zscaler mitigates this risk with superior precision.

NSS Labs tested the Zscaler Zero Trust Exchange against 1,514 false positive files distributed across a variety of system formats and against approximately 100,000 enterprise-specific samples. The platform delivered an impressive false positive accuracy of 99.87%, ensuring security teams and organizations can remain focused on genuine threats without being overwhelmed by inaccurate alerts.

By combining advanced security measures, global scalability, and industry-leading accuracy, the Zscaler Zero Trust Exchange continues to set the benchmark for effective, scalable, and high-performance cybersecurity solutions. Whether facing encryption challenges, malware, exploits, evasions, or false positives, Zscaler consistently delivers proven results, empowering enterprises to navigate the ever-evolving threat landscape with unmatched confidence.

The Competitive Breakdown: Why Zscaler Stands Out

The findings unveiled by CyberRatings and NSS Labs offer valuable insights to CISOs driving data-backed decision-making in an increasingly complex threat landscape. This CyberRatings / NSS Labs test was conducted free of charge, with neither CyberRatings nor NSS Labs receiving any compensation in return for participation, ensuring an impartial testing methodology for all vendors. And even a few percentage point fluctuations in the test results among vendors goes a long way in representing the efficacy of the different SSE offerings. Also, as noted in the CyberRatings / NSS Labs report, an SSE vendor’s refusal to participate in independent testing should be thoroughly investigated.

Zscaler emerged a leader in the latest SSE evaluation, earning a “Recommended” rating alongside Fortinet, Palo Alto Networks, and Versa Networks. As the only vendor to achieve a 100% security effectiveness score in the NSS Labs test, it is clear Zscaler outperformed other SSE vendors. 

Meanwhile, according to the report, Cisco, Cloudflare, and Skyhigh received “Caution” rankings due to critical test failures. Cato Networks and Netskope weren't included in this report – Netskope's high licensing costs and lack of responsiveness made testing impossible according to CyberRatings and NSS Labs. And Cato was explicit in their refusal to participate in the testing or allow CyberRatings to procure any license for any form of third-party validation, as noted in the report.

Zscaler pulled ahead by aligning its Zero Trust Exchange platform with cutting-edge innovations:

• Cloud-Native, Zero Trust Architecture: Designed for scalability and resilience, delivering consistent results without bottlenecks.
• Single-Pass Inspection: Zscaler’s SSMA engine reduces latency while simultaneously analyzing traffic layers and enforcing access policies.
• Global Edge Network: Over 150 edge locations ensure low-latency inspection and direct peering with SaaS services and providers.
• Continuous Security Updates: Zscaler's defense-in-depth architecture stays ahead of threats by leveraging live threat intelligence.

Conclusion

In a world where cyberthreats evolve faster than defenses, diligence in evaluating security solutions becomes paramount. Zscaler continues to prove its leadership with consistent performance validated by independent testing from organizations such as CyberRatings and NSS Labs. 

Additionally, Zscaler was also named a Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE) for the fourth consecutive year and achieved the highest placement for Ability to Execute.  

With over 1,000 reviews on Gartner Peer Insights™ and an impressive score of 4.65 out of 5 (as of May 2025), the Zscaler Zero Trust Exchange further proves its unmatched efficacy, processing over 500 billion daily transactions within its cloud-native, multitenant, proxy-based architecture.

At Zscaler, innovation drives our mission to deliver a cutting-edge SSE-based Zero Trust platform. We continuously enhance the Zero Trust Exchange to secure workforces, cloud workloads communications, IoT/OT access, and B2B connections, ensuring our customers are ready for future challenges.

Discover why Zscaler stands out in the 2025 CyberRatings and NSS Labs SSE Threat Protection Comparative Test Report – download the report here. 

Join our exclusive webinar for a deep dive into the CyberRatings SSE test results. Register now!

This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.