Zscaler Blog


Products & Solutions

Future-Proof Your Security with the First Quantum-Ready Security Service Edge (SSE)

BRENDON MACARAEG, SATISH MADIRAJU, ISMEET SINGH
February 17, 2026 - 6 min read

Zscaler has already made significant investment in providing customers with post-quantum cryptography (PQC) visibility and logging capabilities, and now we’re building upon that foundation to ensure our customers can realize true crypto-agility. That's why today, we are thrilled to announce that the leading Security Service Edge (SSE) is now quantum-ready: Zscaler Internet Access inline inspection now supports hybrid PQC key exchange.

This first-to-market capability allows your organization to decrypt and inspect quantum-encrypted traffic at scale, enforce your security policies, and defend against the emerging quantum threat landscape. With Zscaler’s proxy architecture, our new PQC key exchange capability also provides customers protection from “harvest now, decrypt later” (HNDL) attacks, even at the last mile if an application server does not support PQC yet.

Additionally, with this launch we can now secure customers’ IPsec VPN tunnels with post-quantum pre-shared keys (PPKs), which securely connect our customers’ PPK-ready endpoints to Zscaler. A PPK is an additional secret that both peers already share, and mixing it into the IKE key derivation results in IPsec keys that remain secure even if the ephemeral Diffie-Hellman (DHE/ECDHE) exchange is later broken by a quantum computer. In other words, it’s a post-quantum risk-mitigation mode for IPsec without requiring full PQC algorithms in the key exchange.

Why Hybrid PQC Key Exchange Matters

During the period of transition from classical to quantum-resilient encryption, hybrid PQC key exchange will act as a vital safety net. By combining a proven classical algorithm with a new quantum-resistant one, hybrid key exchange ensures that encrypted traffic remains secure even if one of the algorithms is compromised. This dual-layered approach provides robust protection against both current threats and the future risk of a quantum computer breaking today's standard encryption.

Hybrid PQC key exchange is also foundational to helping address several core customer challenges in a quantum world:

  • Defending Against Quantum Threats: With HNDL attacks already a viable threat, protecting data in transit is paramount. Our new capabilities that utilize hybrid key exchange mitigate the HNDL threat by making it extremely difficult for attackers to later decrypt harvested data.
  • Meeting Compliance Mandates: Governments are mandating PQC adoption to protect critical infrastructure and data. Zscaler enables you to get ahead of these requirements and prove compliance with detailed reporting on quantum cipher usage across your environment.
  • Bolstering Business Continuity: The crypto-transition is a predictable, high-impact event. A proactive strategy with Zscaler’s approach leveraging hybrid key exchange prevents the disruption, loss of trust, and compliance failures that a reactive approach would cause.

Zscaler now provides real-time, deep inspection of PQC traffic, leveraging the NIST-standardized ML-KEM (FIPS 203) for post-quantum key exchange. Just as we do for classical encryption, Zscaler unlocks complete visibility and protection for PQC sessions, all without impacting performance. Our implementation of hybrid PQC key exchange is compliant with the draft-ietf-tls-ecdhe-mlkem proposed standard and is fully compatible with Chrome, Firefox, Safari and other widely deployed clients as well as servers.

The Zscaler Zero Trust Exchange sits inline, and our cloud-native inspection engine seamlessly decrypts, scans and enforces security policy, and re-encrypts traffic before sending it onto its destination. Here’s how our quantum-ready inspection process works:

  • Zscaler checks the TLS ClientHello message from the client: If the client indicates TLS 1.3 support and includes a hybrid PQC key exchange in its proposal, Zscaler Internet Access uses TLS 1.3 with a supported hybrid PQC key exchange group. This process is independent of server capabilities and allows PQC usage between the client and ZIA even if the server does not support it. The supported TLS version and selected key exchange group are always logged, so administrators get valuable information about PQC support on the client side. Those same insights can help security and IT teams prioritize upgrading software that is not PQC-ready.
  • Zscaler sends a TLS ClientHello to the server on behalf of the client: In the ClientHello message, it indicates support for TLS 1.3 and includes all standard hybrid PQC key exchange methods in the offer. In the TLS protocol, it is up to the server to choose from the list of supported key exchange algorithms. Zscaler Internet Access logs the selected TLS version and cryptographic parameters for each session, which allows administrators to understand the security posture and work with service providers to use PQC capabilities.
  • Zscaler performs traffic inspection and applies security policies: All threat prevention, DLP and access control policies are applied transparently for the client and server without any configuration changes to current policies. This means Zscaler provides the same industry-leading threat detection and prevention to PQC sessions that Zscaler has applied to non-PQC traffic for years.
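The ClientHello check in the first step can be reproduced on captured traffic to inventory which clients already offer a hybrid group. The following Python sketch is an added example, not Zscaler's code: it parses one ClientHello record and reports TLS 1.3 support and any hybrid groups from draft-ietf-tls-ecdhe-mlkem listed in `supported_groups`. The function names and the sample hello are constructed for illustration.

```python
import struct

# Hybrid groups from draft-ietf-tls-ecdhe-mlkem (IANA "TLS Supported Groups").
HYBRID_PQC_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                     0x11ED: "SecP384r1MLKEM1024"}
EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS = 0x000A, 0x002B

def _u16_list(data):
    return [struct.unpack_from("!H", data, i)[0] for i in range(0, len(data) - 1, 2)]

def classify_client_hello(record):
    """Return (offers_tls13, [hybrid group names]) for one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                         # legacy_version, random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    pos += 2
    tls13, hybrids = False, []
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS and ext:
            tls13 = 0x0304 in _u16_list(ext[1:1 + ext[0]])
        elif ext_type == EXT_SUPPORTED_GROUPS and len(ext) >= 2:
            groups = _u16_list(ext[2:2 + int.from_bytes(ext[:2], "big")])
            hybrids = [HYBRID_PQC_GROUPS[g] for g in groups if g in HYBRID_PQC_GROUPS]
    return tls13, hybrids

def build_sample_hello(groups, versions):
    """Constructed ClientHello (demo input only; key_share and SNI omitted)."""
    def ext(ext_type, payload):
        return struct.pack("!HH", ext_type, len(payload)) + payload
    g = b"".join(struct.pack("!H", x) for x in groups)
    v = b"".join(struct.pack("!H", x) for x in versions)
    exts = ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(g)) + g)
    exts += ext(EXT_SUPPORTED_VERSIONS, bytes([len(v)]) + v)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that returns `(True, [])` speaks TLS 1.3 but offers only classical groups, which is the population to prioritize for upgrades.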

New Capabilities to Secure Your Quantum Journey

This launch delivers two major innovations for the Zscaler platform:

SSL/TLS Inspection with ML-KEM: Perform full decryption and deep content inspection on traffic flows that were established using hybrid PQC key exchange. We automatically detect and negotiate TLS groups, applying all your existing security policies without any changes to configurations or impact on user experience. 

PQC inline inspection from client to server

IPsec with Post-quantum Pre-shared Keys (PPK): Secure your branch office and data center connections with future-proof VPN forwarding to Zscaler. By mixing a pre-shared key into the IKE key derivation, the resulting IPsec keys remain secure even if the Diffie-Hellman exchange is later broken by a quantum computer. This provides a practical, quantum-resistant upgrade for IPsec that can be deployed today.

PPKs are used to establish IPsec VPN tunnels to Zscaler from PPK-ready endpoints on customer premises.
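To make the key mixing concrete, here is an added Python example (not Zscaler's implementation) of the standard IKEv2 PPK construction from RFC 8784, which is assumed to be the mechanism described above. It assumes HMAC-SHA-256 as the negotiated PRF and a fixed 32-byte size for every key; all handshake values are constructed.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumption: every SK_* key is 32 bytes; real sizes follow the negotiated algorithms

def prf(key, data):
    """PRF_HMAC_SHA2_256 (assumed negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    """IKEv2 prf+ (RFC 7296, section 2.13): T1 | T2 | ..., truncated to length."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def ike_sa_keys(ni, nr, dh_secret, spi_i, spi_r, ppk=None):
    """Derive the IKE SA keys; with a PPK, remix SK_d, SK_pi and SK_pr (RFC 8784)."""
    skeyseed = prf(ni + nr, dh_secret)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(names))
    keys = {n: stream[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}
    if ppk is not None:
        for name in ("SK_d", "SK_pi", "SK_pr"):
            keys[name] = prf_plus(ppk, keys[name], KEY_LEN)
    return keys

def child_sa_keymat(keys, ni, nr, length=64):
    """IPsec (Child SA) keying material: KEYMAT = prf+(SK_d, Ni | Nr)."""
    return prf_plus(keys["SK_d"], ni + nr, length)

# Constructed handshake values; DH_SECRET stands for the (EC)DH shared secret g^ir.
NI, NR = bytes(range(32)), bytes(range(32, 64))
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8
DH_SECRET = b"\x33" * 32
PPK = b"constructed-example-ppk-32-bytes"

classic = ike_sa_keys(NI, NR, DH_SECRET, SPI_I, SPI_R)
with_ppk = ike_sa_keys(NI, NR, DH_SECRET, SPI_I, SPI_R, ppk=PPK)
# Same nonces and DH secret, different IPsec keys: the PPK is now a required input.
print(child_sa_keymat(classic, NI, NR) != child_sa_keymat(with_ppk, NI, NR))
# SK_ei/SK_er are not remixed, so the first IKE SA itself gains no PPK protection.
print(classic["SK_ei"] == with_ppk["SK_ei"])
```

Because only SK_d and the authentication keys are remixed, the protection applies to the IPsec (Child SA) keys and to any later rekeyed IKE SA, and it is only as strong as the entropy and handling of the PPK itself.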

Begin the PQC Transition Journey Now

The shift to post-quantum cryptography is perhaps one of the defining security challenges of our time. With Zscaler, you can move from a reactive posture to a proactive one. Gain the visibility you need to stop threats hiding in PQC traffic, fortify your defenses against future decryption attacks, and meet emerging compliance mandates head-on.

The members of our partner ecosystem will also play an important role in helping customers along their journey to quantum-readiness. Zscaler will work with members of our partner ecosystem, including Ernst & Young and HCLTech, to do just that:

"We are thrilled to announce a strategic expansion of our partnership with EY, focused on delivering advanced Post-Quantum Cryptography (PQC) visibility through real-time crypto inventory capabilities. By leveraging Zscaler as the primary data source for cryptographic discovery, EY clients can now gain the comprehensive insights necessary to drive informed PQC migration and future-proof decision-making. This critical data allows EY’s expert consultants to help organizations develop robust, long-term security strategies tailored to their unique risk profiles. Together, we are simplifying the complex path to quantum safety and ensuring our clients remain resilient against emerging threats."
— Adam Berman, Global Alliances Director, Zscaler

“Post-Quantum Cryptography is becoming a strategic priority for enterprises committed to digital trust and total resilience. Through our collaboration with Zscaler, HCLTech is helping organizations accelerate crypto discovery, strengthen crypto-agility and secure communications against emerging quantum threats. Together, we are enabling ZIA customers to transition confidently to a quantum-safe future while meeting evolving compliance and regulatory expectations.”
— Prikshit Goel, VP and Global Practice Head, Cybersecurity, HCLTech

Ready to future-proof your security? Learn more about preparing for the quantum future: watch our launch event webinar where our product experts will walk you through our PQC inline inspection capabilities and how we can help your organization prepare for the quantum era.
