Zscaler Fuels Zero Trust & AI Innovation While Acting as a Testbed for Emerging Products

Zscaler’s own IT department serves as customer zero to ensure delivery of superior technology to customers

Approximately 8,000 enterprises and government entities, including Global 2000 and Fortune 500 companies, rely on Zscaler for cloud-based services to secure their digital transformation journeys. As a pioneer in the zero trust security space, Zscaler continues to rapidly innovate and grow the capabilities of its unified platform. 

Zscaler’s internal IT and security team, Zscaler on Zscaler (Z on Z), plays a dual role. The group oversees and manages the company’s IT/security infrastructure, and it also collaborates closely with product teams and engineers to test new products and features as well as provide valuable insights into operational and value improvements.

“As Zscaler's own ‘customer zero,’ an important part of our mission is to leverage our platform to enhance operational excellence, ensure robust security, and innovate through continuous adoption of our solutions to demonstrate to our customers the real-world value and transformation enabled by Zscaler,” said Corey Burks, Director, Zscaler on Zscaler.

The building blocks of a solid zero trust security infrastructure

For many years, the foundation of Zscaler’s security infrastructure has been the Zscaler Zero Trust Exchange platform. An integral part of the platform, Zscaler Internet Access (ZIA) provides 9,000 employees and more than 5,000 contractors with direct, identity- and role-based zero trust access to the internet and 284 sanctioned SaaS apps (Salesforce, Workday, Okta, Microsoft 365, ServiceNow, G Suite, and more) and a risk-based approach to thousands of unsanctioned apps. Users have secure access to these resources from anywhere, anytime, and on any device—at home, on the road, or at any of Zscaler’s 10 offices. Zscaler Zero Trust Firewall provides 100% traffic inspection across all ports and protocols for all users at every location, while Zscaler Cloud Sandbox scans and quarantines suspicious files to protect against zero-day threats and unknown malware strains.

Zscaler Private Access (ZPA) delivers robust secure connectivity to approximately 3,794 private apps, primarily hosted in the AWS and Microsoft Azure cloud environments. Business-critical apps include Jira, Confluence, and other tools used in product development. 

The Zscaler corporate environment consists of a variety of IT devices—macOS, Windows, Linux, laptops, Android and iOS mobile phones, and a limited set of IoT devices, from water dispensers and espresso machines to printers, environmental sensors, TVs, and more. The Z on Z team uses agentless Zscaler Zero Trust Device Segmentation to isolate IoT devices into a network of one, automatically enforcing policies.

“By virtue of our implementation, Zscaler has no attack surface, as no public IPs are exposed to the internet. At the office level, we’ve completely eliminated the possibility of lateral movement of threats,” said Buckley Tole, Senior Director of Global Infrastructure.

Zscaler Digital Experience (ZDX) is another tool used daily by the help desk to gain visibility into connectivity and network issues and proactively troubleshoot and mitigate them before users are impacted. As Tole noted, Zscaler users stay productive and enjoy a consistently superior digital experience.

Robust, fine-grained data security—from endpoints to AI apps

Over the past few years, building out a robust data security strategy was a key initiative for the Z on Z team. The two most important goals were to protect Zscaler’s crown jewels—its intellectual property and other sensitive data—and monitor AI app usage.

The core infrastructure already provides always-on TLS/SSL traffic monitoring to prevent data exfiltration while blocking hidden malware and other encrypted threats. In addition, Zscaler Zero Trust Browser isolates web content in a safe environment to not only ensure that malware and other potentially malicious files never reach the user’s device, but also prevent data exfiltration and stop risky actions.

The team began by implementing stronger policies around business-critical data, such as source code, confidential documents, and other sensitive data. They tuned the rules over time and then deployed them in waves—first to small test groups and, later, department by department. Once that was completed, they built out exceptions for teams with valid use cases.

To further amplify data protection, the team deployed Zscaler Data Security to gain instant visibility into structured and unstructured data across 15 key SaaS apps. More recently, they rolled out Zscaler Endpoint DLP to extend consistent policies across all endpoints, including printers, removable storage, network shares, and personal cloud storage like Dropbox.

In addition, they implemented Zscaler Data Security Posture Management (DSPM), which provides deep visibility into sensitive data that lives within the cloud environment, along with a view into account misconfigurations and vulnerabilities. Zscaler DSPM automatically discovers, classifies, and inventories sensitive data and tracks exposure. This helps the team prioritize and remediate risks faster and with greater accuracy through actionable insights and event correlation.

These data security controls also help curb potential data loss and risky exposure from AI tools. For example, Zscaler DSPM’s AI-powered classification helps ensure precise AI training data and excludes sensitive data, preventing oversharing or data poisoning. Initially, the team took an aggressive stance on blocking AI usage, limiting users to authorized apps like ZChat, Zscaler’s proprietary in-house generative AI tool, and Google Gemini, but that practice has evolved.

“The biggest data security challenge we were facing was around the AI explosion,” said Jake Schuldt, IT Security Manager. “With strong, well-defined data usage rules in place, along with tools like Zscaler DSPM, we’re confident about our data security controls. Now we can make exceptions for research and security teams that can benefit from responsible use of public AI tools.”

Modernizing branch connectivity with a zero trust café-like experience

When Zscaler’s apps resided in the data center, its 10 branch offices relied on dual firewalls and redundant WAN switches for securing the network perimeter. But as Zscaler shifted to a cloud-first strategy, adopting SaaS apps and switching to a hybrid work model, it quickly became apparent that the legacy infrastructure would hinder agility and growth. Zscaler Zero Trust Branch was an important step toward implementing a modern, café-like model.

The process was methodical, starting with architectural reviews to foster full team alignment, moving on to successful pilots at selected sites, and, finally, an accelerated global rollout across all 10 sites that resulted in decommissioning 20 firewalls. 

The network team was pleased to see that Zero Trust Branch, unlike firewalls, could be deployed in hours, not days and with minimal disruption to users. Moreover, agentless zero trust segmentation was successfully implemented across IoT devices, with no interoperability or app challenges.

Today, with all traffic flowing through the Zero Trust Exchange platform, branch offices and remote workers benefit from direct zero trust access to apps from anywhere and on any device—no more backhauling or costly, complex appliances to manage and maintain. With access enforced at the app level rather than the network level, lateral threat movement has been eliminated and the attack surface significantly reduced. 

“With the Zero Trust Branch, it’s as if the user is a network of one—they only have access to authorized private apps and anything sitting on the internet. This was a significant uplift for us, as we were able to shrink our security footprint 99.9%,” said Tole. “The changeover to Zero Trust Branch also positively impacted Zscaler’s bottom line. Once we implemented Zero Trust Branch and phased out our firewalls, we realized cost savings of up to 43%.”

Burks added that this deployment reinforced the idea that the future of branch connectivity lies in less hardware, more cloud intelligence, and a zero trust approach that enables agility, security, and innovation. “For CIOs and CISOs, the lesson is clear: Zero Trust Branch is not just a technical upgrade—it’s a strategic shift that unlocks business value and resilience,” he added.

Securing developer workloads and data in the multicloud

Just like any other growing enterprise on a digital transformation path, Zscaler faced common security challenges as its multicloud environment grew exponentially. Due to the fluid, distributed nature of cloud workloads, the legacy approach lacked visibility into security gaps, anomalous behavior, and misconfigurations. Additionally, data flowing between clouds and workloads needed consistent policies enforceable at scale.

The IT team deployed Zscaler Zero Trust Cloud to secure ingress/egress workload traffic and workload-to-workload communication, segment mission-critical apps, and provide visibility into sensitive data and misconfigurations through real-time monitoring.

“By using Zero Trust Cloud in conjunction with DSPM, ZPA, and other zero trust technologies, we have significantly accelerated business innovation,” said Burks. “We successfully transformed our security infrastructure to be simpler, more efficient, and fully grounded in zero trust principles.”

The future is now: Innovations in secure use of AI

Along with continually fine-tuning the platform, the Z on Z team is deploying the latest innovations to expand the organization’s zero trust footprint. This includes Zscaler AI Guard, which acts as a proxy to inspect prompts and responses within AI models and large language models (LLMs) to prevent sensitive data loss, block prompt injection attacks, ensure trustworthy results, and adhere to compliance regulations.

“Now that we have launched AI Guard, we can begin to do better filtering on what's going in and out of different LLMs so we can ensure that we're not potentially leaking company data sets if we're using a publicly sourced LLM,” said Schuldt.

Expediting M&A integration fosters accelerated innovation

In addition to cost savings, operational efficiencies, improved security resilience, and a better user experience, the expansion of the Zscaler platform has also accelerated M&A integration for faster time-to-value. 

To expand its integrated security platform, Zscaler completed 12 acquisitions over a five-year time span. To add AI-powered managed detection and response (MDR) service to its security operations offerings, Zscaler acquired Red Canary. The Z on Z team worked closely with Red Canary’s team to identify business-critical apps and ensure they would work seamlessly with the Zero Trust Exchange. After only one month of rigorous testing, network integration was seamless and users were 100% operational on day one post-acquisition—a process that normally takes six months or longer.

Most recently, Zscaler acquired SPLX so that enterprises can secure their AI investments from development through deployment. Burks and Schuldt got involved five days prior to the deal close, quickly deploying ZIA and applying all DLP policies so SPLX users could transition easily and without disruption.

The power of Z on Z: A resilient and proven foundation for excellence

Z on Z is uniquely positioned to advance Zscaler’s business goals and provide value to its customers. On one hand, Zscaler’s zero trust infrastructure enables research, engineering, and product teams to build, deploy, and scale new apps and products for customers. On the other hand, the team has an opportunity to stress-test the latest Zscaler products in a real-world production environment before they are released to the customer base. This rigorous internal validation ensures product maturity and reliability.

Recent expansion of the internal zero trust platform has contributed to more efficient and secure internal operations and a more robust product portfolio for Zscaler customers. The IT and security team is making the most of nearly every Zscaler tool and feature in the current setup. Based on an assessment by an internal tool, utilization of the current Zscaler setup is at 93% for the 15 out of 16 products deployed.

Every new product is under close scrutiny to ensure issues are dealt with and necessary refinements are incorporated. Product leads, managers, and executives leverage the program to get feedback from the team on what improvements should be made from a day-to-day operational perspective, such as enhancements to the user interface and expanding the feature set. 

As a case in point, Schuldt explains his deep involvement in testing Zscaler Risk360. His input ultimately contributed to a more robust product: “A big part of my feedback early on was on how to enrich Risk360 reporting. For example, I suggested assessing and quantifying the business impact of resolving issues before actually doing the work. I also provided general feedback around enhancing metrics so we could track the value of long-term cybersecurity posture improvements resulting from our fixes.” 

With this approach, Zscaler demonstrates leadership by example and fine-tunes its emerging innovations.

“At Zscaler, we all experience firsthand the security, agility, and user experience promised to customers,” said Burks. “This transparency strengthens trust when we engage with CIOs and CISOs—we are not only advocates, but practitioners. In every sense, we are ‘drinking our own champagne’ every day.”