Zscaler Blog

Leveraging Zero Trust for More Accurate Exposure Prioritization

CHRIS MCMANUS
February 23, 2026 - 6 min read

Vulnerability management is often compared to “searching for needles in a haystack” because a small group of findings creates the greatest risk as potential gateways for attackers.

It’s no secret that the haystack keeps getting larger–it’s now more like a hundred-acre field. There were nearly 50,000 CVEs published last year, and Recorded Future reports that 42% of CVEs disclosed in the first half of 2025 had a public proof-of-concept exploit. Enterprise security teams invest in upwards of 45 different tools to monitor risk across an increasingly complex attack surface, often producing hundreds of thousands of findings. 

The good news? Attackers can do no significant harm with the vast majority of those findings. The bad news? Finding the handful that matter gets harder every day.

Organizations use lots of tactics to identify what’s “risky,” including threat intelligence feeds, asset criticality, adversary behavior tracking, and applying unique business context to influence prioritization. Your teams can (and should) apply as many risk signals as are available.

An equally effective prioritization factor – or deprioritization if you will – is to account for compensating controls that are already in place. That's exactly what Zscaler does by integrating context from our Zero Trust Exchange – our research identifies which vulnerabilities are mitigated by your zero trust policies, and we apply that context so you know where to focus instead. Let’s take a look at how Zscaler can help focus your efforts.

Deprioritize CVEs Mitigated by ZIA and ZPA

One of the most effective policy engines for mitigating vulnerabilities is your zero trust program. Very few security teams automatically apply these mitigations to prioritization scoring. In other words, despite the absence of a pathway for an individual vulnerability to be exploited, security teams spend valuable cross-functional resources deploying patches or system upgrades that are actually unnecessary, simply in response to a “critical” finding from a vulnerability scanner. It’s a textbook example of a “false critical” – teams simply have too many real issues to fix and too little time to waste resources on remediations that don’t impact risk.

Zscaler Exposure Management customers often see up to 80% reduction in “false critical” findings by applying context from any data source in their environment. One such source is ThreatLabz–a research organization within Zscaler that focuses on identifying and analyzing emerging threats, vulnerabilities, and attack techniques. The ThreatLabz team maintains a database of CVEs with information on how they're mitigated by different Zscaler products, including Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA).

Many Zscaler customers see a significant reduction in findings truly deemed critical because of the vulnerabilities proactively mitigated by zero trust policies. Let’s look at an example.

Focus on what’s risky in YOUR environment

Just because a vulnerability is known to be exploited in the wild doesn’t always mean it poses a critical risk in your environment. Consider the following example of CVE-2021-44228, a CISA KEV entry most commonly known as Log4Shell. ZIA’s Intrusion Prevention System (IPS) mitigates this particular vulnerability, as detailed in the ThreatLabz Threat Library.

Figure: ThreatLabz library listing of CVE-2021-44228, mitigated by ZIA controls.

Most vulnerability assessment tools would score this finding as critical, and with good reason: exploitation can result in Remote Code Execution. But Zscaler Unified Vulnerability Management (UVM) has automatically reduced the severity to a “medium” 4.7, recognizing the presence of a mitigating control in the form of ZIA.

Figure: This finding is grouped into a ticket where UVM has identified multiple findings that can be remediated by patching a Linux server. By opening the Score Explanation, you can see why it receives a lower risk score.

UVM has logged the original CVSS score of 10 and the “original severity score” from the scanning tool, also a 10. But UVM goes on to create a contextual, risk-adjusted score – let’s drill deeper into the explanation of that score:

Figure: UVM allows customers to define risk scoring logic, and each “ticket” (a grouping of work to be done to address a vulnerability) provides a breakdown of risk factors and mitigating controls that contribute to the severity score.

All the tools in the environment report the finding as critical, but the vulnerability is fully mitigated by ZIA, taking it off the critical list entirely. 

Figure: All five findings associated with this ticket have been automatically adjusted for mitigating controls applied through ZIA and ZPA.

As a matter of fact, the integrated ThreatLabz data has determined that all five findings associated with this ticket are mitigated by ZIA or ZPA policies, so the severity score has been automatically adjusted from 10 down to 4.7.

Most exposure management programs would fail to recognize the presence of mitigating controls. The ticket would be prioritized as a critical, and organizations would spend security and IT resources fixing a problem that poses no significant risk. By adjusting the severity score automatically, UVM keeps teams focused on the work that matters, the fixes that actually reduce risk.
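
The adjustment described above can be sketched as follows. This is an added example, not Zscaler's scoring logic or code from the original post: the mitigation table, the asset inventory, the placeholder CVE id and the 0.47 factor are all assumptions, the factor being chosen only to reproduce the 10 to 4.7 example. It also shows the check a practitioner would want: a finding is downgraded only when the mitigating control actually covers the affected asset.

```python
from dataclasses import dataclass

# Constructed stand-in for the CVE-to-mitigating-product context the article
# attributes to ThreatLabz. CVE-0000-0001 is a placeholder id, not a real CVE.
MITIGATIONS = {"CVE-2021-44228": {"ZIA"}, "CVE-0000-0001": {"ZPA"}}

# Assumption: share of the base score kept once a control covers the asset.
# 0.47 is chosen only so that 10 maps to the article's 4.7.
MITIGATED_FACTOR = 0.47

@dataclass
class Finding:
    cve: str
    asset: str
    base_score: float  # score as reported by the scanner

def score_finding(finding, asset_controls):
    """Return (adjusted score, explanation); the base score stays in the explanation."""
    covering = MITIGATIONS.get(finding.cve, set()) & asset_controls.get(finding.asset, set())
    if not covering:
        return finding.base_score, (f"{finding.cve}: {finding.base_score} kept, "
                                    f"no mitigating control covers {finding.asset}")
    adjusted = round(finding.base_score * MITIGATED_FACTOR, 1)
    return adjusted, (f"{finding.cve}: {finding.base_score} -> {adjusted}, "
                      f"mitigated by {', '.join(sorted(covering))}")

def score_ticket(findings, asset_controls):
    """Score a ticket by its worst finding after adjustment."""
    scored = [score_finding(f, asset_controls) for f in findings]
    return max(score for score, _ in scored), [why for _, why in scored]

# Constructed inventory: which controls actually cover each asset.
ASSET_CONTROLS = {"linux-srv-01": {"ZIA", "ZPA"}, "lab-vm-07": set()}
COVERED = [Finding("CVE-2021-44228", "linux-srv-01", 10.0),
           Finding("CVE-0000-0001", "linux-srv-01", 9.8)]
MIXED = COVERED + [Finding("CVE-2021-44228", "lab-vm-07", 10.0)]

if __name__ == "__main__":
    for name, ticket in (("covered", COVERED), ("mixed", MIXED)):
        score, reasons = score_ticket(ticket, ASSET_CONTROLS)
        print(name, score, *reasons, sep="\n  ")
```

A single finding on an asset outside the control's coverage keeps the whole ticket at its original severity, so the coverage inventory needs to be as accurate as the mitigation data.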

Maximize the value of the tools you already have

Integrating ThreatLabz research and Zscaler Client Connector (ZCC) data into your exposure management program adds valuable context to help your security team focus on truly critical vulnerabilities in your specific environment. Zscaler customers have a wealth of data and telemetry in their existing deployments that can turbocharge exposure prioritization and risk mitigation, but benefitting from all that context requires an exposure management solution capable of assimilating that data.

Tool sprawl is often associated with complexity in exposure management. Dozens of siloed tools producing risk signals, none of which work together, and all contributing to the flood of data that prevents security teams from quickly identifying truly critical risk. 

Zscaler helps you channel the power of all those currently siloed tools and use the breadth of their insights to your advantage. By combining context from vulnerability scanners, cloud security tools, data security tools, identity and access management, IoT/OT security tools, threat intelligence feeds, and anything else with relevant data, organizations can use that rich context of the risk signals and mitigating controls in place to discern which findings truly represent risk. The haystack shrinks, even as the quantity of assets and findings grows larger.

Evolve to a holistic exposure management program with Zscaler

You may be closer than you think to building a holistic exposure management engine that helps your security team pull the needles from the haystack. Your investments in vulnerability scanning and cyber risk assessment tools can work together with Zscaler Exposure Management, and your zero trust policy engine serves as a great foundation for inline controls and mitigation.

With Zscaler Exposure Management, organizations can harness the power of contextual data and risk signals across the environment to deliver:

  • Complete visibility of assets in a risk-based inventory
  • Prioritized exposure findings, unified from every source
  • Accelerated remediation leveraging your existing tools and workflows

Request a demo to see how your Zscaler products and existing security investments can come together to deliver better exposure management.
