Zscaler Blog
ZIA Innovation Launch [Part-1] - Where Packets Meet Policies: Unifying SecOps and NetOps

The most expensive friction in enterprise IT isn’t explosive—it’s the quiet kind that clogs progress, blurs accountability, and turns teamwork into turf wars.
Take NetOps and SecOps for instance. While networking teams crave agility and uptime, security teams demand precision, control, and zero trust discipline. The inherent conflict between these two goals leads to inefficiencies, security risks, and constant negotiations.
It’s not that NetOps and SecOps don’t want to collaborate — they just lack an optimal way to do so without breaking each other’s stuff.
That brings me to the latest Zscaler Internet Access (ZIA) Innovation Launch, which is a series of upgrades greater than the sum of its parts—representing a strategic shift designed to eliminate operational drag, dissolve silos, and align velocity with control across the board.
Because fewer escalations, fewer surprise outages, and fewer 2AM war room calls? That’s something everyone can get behind.
Now, let’s unpack the features behind the promise.
1. Full-Packet Visibility: Deep Forensics, Now Built for the Cloud Age
Imagine switching from your regular iPhone camera to a 4K, high-frame-rate, night-vision-enabled lens—one that not only captures what happened but how, when, where, and why.
That’s exactly what Zscaler’s Full-Packet Visibility brings to the table.
Many Zscaler admins already know ZIA logs over 200 fields of rich metadata. This includes granular details such as what the user traffic looks like, who the user is, where the traffic is coming from, the location, where exactly the traffic is going, the destination URL, and which server was hit.

We took things several steps further last year.
Zscaler introduced Event-Based Packet Capture (PCAP), which has now been available for over a year, enabling organizations to capture the raw packets behind an alert. Whether it’s a suspicious DNS request, an anomalous IPS hit, or a misfired firewall rule, ZIA can trigger an automatic PCAP tied directly to that incident, giving analysts the raw data they need for deep investigation, retrospective analysis, and high-fidelity threat hunting.

Additionally, it’s cloud-native and privacy-friendly. All packet captures are stored in your own AWS S3 bucket, giving you control over both access and retention. For industries like finance, healthcare, and the public sector, this ticks critical compliance boxes.
And, we’re not stopping at event-driven PCAPs.
We’re expanding to offer User-Based Capture. Now you can trigger captures for:
- Specific users (e.g. high-risk or privileged accounts)
- Specific traffic types (e.g. risky destinations or SaaS categories)
- Specific policy actions — with full granularity at each control layer
This lets you build targeted forensic coverage, without the noise or overhead of continuous capture — and without relying on legacy hardware appliances.

But wait, it gets even more compelling.
With the upcoming launch of packet capture with Vectra AI, you will be able to stream captured packets to the NDR platform recently positioned as the overall leader in the 2025 Gartner® Magic Quadrant™ for NDR.
Here’s how it works:
- Captures are streamed directly from ZIA to your S3 bucket
- Vectra sensors replay that traffic for deeper detection capabilities and analysis
- You get correlation across both north-south and east-west traffic — including ZIA (internet-bound) and ZPA (private app) flows
So yes, you can now correlate threats across your cloud apps, private apps, hybrid workloads, and remote users — in one motion.
This isn’t just enhanced visibility. It’s complete traffic intelligence across your enterprise that’s:
- Policy-aware
- Cloud-delivered
- User-targeted
- And integrated into the rest of your detection stack
2. HTTP Header Controls: Small Fields, Big Power
ZIA has long offered deep access controls — bandwidth shaping, firewall enforcement, DNS/URL filtering — all amplified by SSL inspection at scale. But with our latest update, we’re handing you surgical control over HTTP headers — giving security and IT teams unprecedented policy precision.
So what does this unlock?

a. User-Agent Control
With support for User-Agent as a header profile, security teams finally get a way to gate browser behavior without slowing down the business.
With User-Agent-Based Policies, you can:
- Allow only specific browser versions for select users (e.g., Chrome v135 for your QA team).
- Block outdated or vulnerable versions across the org.
- Run controlled test rollouts for newer browser versions before wider adoption.
b. Tenant-Based SaaS Controls
Modern enterprises live inside tools like Google Workspace and Microsoft 365. But there's a big difference between logging into your corporate OneDrive and syncing your personal Dropbox.
Now, with Custom Header Insertion, you can:
- Enforce tenant-specific access policies.
- Allow access to corporate SaaS tenants while blocking personal accounts.
- Prevent data leakage by ensuring confidential content never leaves the managed instance.
This is tenant enforcement without middleware. Native. Inline. Invisible to the user.
c. Referrer-Based Policies
For educational institutions, media houses, and content platforms, embedded content is both a feature and a risk. Now, you can apply Referrer-Aware Policies to control exactly how and where users engage with content.
Use cases include but are not limited to:
- Allowing YouTube only when launched via your official LMS
- Blocking access to direct YouTube links outside sanctioned learning flows
- Managing embedded content from unknown or unsanctioned sources
This means better controls for dev teams, educators, finance teams, and anyone dealing with SaaS sprawl.
All of this is built on a simple construct: define HTTP header profiles (User-Agent, Origin, Referrer), reuse them across policies, and apply controls where it matters most. Early beta customers are already seeing significant gains in policy efficiency and control.
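The header-profile construct described above can be modelled in a few lines. This is an added example, not Zscaler's code or configuration syntax: the profile names, the rule layout, the `lms.example.edu` host, the `qa` group and the version threshold of 130 are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

CHROME_RE = re.compile(r"\bChrome/(\d+)\.")

def chrome_major(ua):
    """Chrome major version from a User-Agent string, else None."""
    # Edge and Opera also send a Chrome/ token, so rule them out first.
    if not ua or "Edg/" in ua or "OPR/" in ua:
        return None
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None

def referer_host(h):
    """Host part of the Referer header (spelled with one 'r' on the wire)."""
    return (urlsplit(h.get("referer", "")).hostname or "").lower()

# Reusable header profiles (hypothetical names; thresholds are assumptions).
PROFILES = {
    "chrome_135": lambda h: chrome_major(h.get("user-agent")) == 135,
    "chrome_below_130": lambda h: (chrome_major(h.get("user-agent")) or 999) < 130,
    "via_lms": lambda h: referer_host(h) == "lms.example.edu",
}

# (user group or None, destination suffix or None, profile or None, action)
# First matching rule wins; None means "any".
RULES = [
    (None, "youtube.com", "via_lms", "ALLOW"),
    (None, "youtube.com", None, "BLOCK"),
    ("qa", None, "chrome_135", "ALLOW"),
    ("qa", None, None, "BLOCK"),
    (None, None, "chrome_below_130", "BLOCK"),
]

def decide(group, dest_host, headers, default="ALLOW"):
    """Evaluate the ordered rules against one request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    for rule_group, suffix, profile, action in RULES:
        if rule_group and rule_group != group:
            continue
        if suffix and dest_host != suffix and not dest_host.endswith("." + suffix):
            continue
        if profile is None or PROFILES[profile](h):
            return action
    return default
```

User-Agent and Referer are set by the client and the Referer is often stripped by browser referrer policies, so rules like these work as hygiene and steering controls rather than as authentication; the model above blocks YouTube when the Referer is missing.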

3. Role Based Access Control 2.0: Delegation Without Compromise
In large enterprises, security isn’t one monolithic team—it’s a coordinated mesh of specialists: SOC analysts, threat hunters, data protection teams, NetOps engineers, IR teams, and more. But historically, access control hasn’t reflected that complexity.
With the latest updates to RBAC in ZIA, you can now define not just who gets access—but what they can see and do—based on their function, location, or organizational role.
We are talking fine-grained control at a feature level. Whether it’s IPS, sandboxing, DLP, or reporting—you now have surgical precision over every toggle, every permission.
- Grant full access to IPS configuration for your Threat Detection team
- Allow read-only sandbox visibility to your IR function
- Delegate SaaS DLP controls to your data protection team
- Separate endpoint DLP and inline DLP management across sub-teams
What used to be one generic “security” permission can now be broken down into dozens of tailored roles—each mapped to the team’s actual job.
And this isn’t theoretical—early beta customers are already deploying this globally. One multinational enterprise now:
- Assigns a global admin to oversee all ZIA operations
- Delegates regional control (e.g., APAC, EMEA) to location-based admins
- Further breaks access down by business unit, with team-specific read/write or view-only access

Even these delegated admins can grant tiered permissions within their scope—enabling operational scale without losing oversight.

4. Endpoint Context: Bringing Application Intelligence to Access Policies
This release also introduces Application-Level Visibility at the endpoint, powered by Zscaler Client Connector and our Zero Trust Exchange platform—already deployed across 50M+ endpoints.
Here's how it works:
- We capture every application running on both Windows and macOS
- For each app, we gather:
  - Name, version, execution path, hash (MD5, SHA256)
  - Code-signing status (signed vs. unsigned)
  - Known/unknown/custom classification
  - Risk level (benign, suspicious, malicious)

This lets you:
- Detect unknown C2 frameworks like Cobalt Strike variants, even if heavily obfuscated, with version-level insight and execution path visibility that enable enforcement even for customized payloads used in targeted attacks
- Flag anomalies like chrome.exe running from non-standard paths (e.g., Desktop instead of Program Files)
- Spot fake binaries exhibiting suspicious CPU/memory usage
- Enforce inline IPS policies based on app identity and behavior—in real time
All of this intelligence feeds into your NSS logs, dashboards, and SIEM, arming SOC teams and threat hunters with unprecedented visibility into what’s running, where, and why.
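Once application records like these reach a SIEM, the chrome.exe path anomaly mentioned above can be triaged with logic along these lines. This is an added example, not Zscaler's code: the record field names (`host`, `path`, `signed`, `classification`) are assumptions and not the NSS log schema, and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Expected install directories per process name (lower-case regexes).
# Per-user Chrome installs under AppData\Local are legitimate and included.
EXPECTED_DIRS = {
    "chrome.exe": [
        r"c:\\program files( \(x86\))?\\google\\chrome\\application",
        r"c:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\application",
    ],
}

def findings(rec):
    """Return the reasons one app-inventory record looks anomalous."""
    out = []
    p = PureWindowsPath(rec["path"])
    name, folder = p.name.lower(), str(p.parent).lower()
    patterns = EXPECTED_DIRS.get(name)
    if patterns and not any(re.fullmatch(pat, folder) for pat in patterns):
        out.append("unexpected_path")
    if not rec.get("signed", False):
        out.append("unsigned")
    if rec.get("classification") == "unknown":
        out.append("unknown_app")
    return out

def triage(records):
    """Map host -> [(path, reasons)] for a well-known binary name in an
    unexpected path, or any record with two or more reasons."""
    hits = {}
    for r in records:
        why = findings(r)
        if "unexpected_path" in why or len(why) >= 2:
            hits.setdefault(r["host"], []).append((r["path"], why))
    return hits

# Constructed sample records (assumed field names).
SAMPLE = [
    {"host": "wks-01", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True, "classification": "known"},
    {"host": "wks-02", "path": r"C:\Users\alice\Desktop\chrome.exe", "signed": False, "classification": "unknown"},
    {"host": "wks-03", "path": r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe", "signed": True, "classification": "known"},
    {"host": "wks-03", "path": r"C:\Apps\inhouse\billing.exe", "signed": False, "classification": "custom"},
    {"host": "wks-04", "path": r"C:\ProgramData\tools\updater.exe", "signed": False, "classification": "unknown"},
]

if __name__ == "__main__":
    for host, items in triage(SAMPLE).items():
        print(host, items)
```

Requiring two independent reasons for binaries without a path baseline keeps unsigned in-house tools, such as the `billing.exe` record, from flooding the queue.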
5. Custom Cloud IPS Signatures: Detection, Your Way
Organizations often build their own apps—or deal with compliance mandates that demand Custom IPS Signatures.
Zscaler now lets you bring those custom signatures directly into ZIA’s cloud enforcement stack—so they apply inline to all traffic, for all users and workloads.
Key capabilities:
- Write and deploy custom IPS rules using Snort syntax
- Automatically apply signatures across internet-bound traffic
- Validate with integrated packet capture and replay to ensure signature quality
- Apply detection instantly at scale—without needing private infrastructure or hardware appliances
Combined with full-packet visibility, you now have an end-to-end loop for:
- Capturing anomalous traffic
- Investigating and creating custom signatures
- Validating via packet replay
- Enforcing policies at wire speed across your global footprint

All this intelligence flows back into your Zero Trust Exchange — reinforcing detection, access control, and response in one loop.
The Takeaway: Integration Was Yesterday. This Is Unification.
Security and networking teams have spent years working in parallel—occasionally aligned, often at odds, and consistently under pressure to deliver more with less.
With this latest wave of innovation, Zscaler isn’t just giving them more tools. It’s giving them shared context, shared intelligence, shared accountability, and shared momentum—all from a unified cloud-native platform.
So whether you're inspecting packets, tightening SaaS controls, enforcing least privilege access controls, or chasing anomalies on a rogue endpoint—ZIA lets you act faster, smarter, and more precisely. No silos. No swivel-chairing. No compromises.
The innovation engine’s still running, and the sequel’s got even more muscle. Watch this space as we unpack a fresh batch of features next week. Stay tuned for Part 2.
If you seek further information, do watch our webinar to get up to speed on all the features we launched this summer.
Have specific questions or want to explore how these innovations fit your environment? Connect with an expert.
And don’t miss our upcoming webinar series for a deeper, hands-on look at each new capability. Reserve your spot today.
Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided "as is" without any guarantee of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any action taken on the basis of the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you accept these terms and acknowledge that it is your responsibility to verify and use the information according to your needs.



