Security incident on record — May 2024 — unsuccessful data-extortion claim by IntelBroker; no customer data confirmed taken
▪ Editorial verdict
Zscaler ZPA is the enterprise ZTNA benchmark. Its zero trust architecture, in which users never touch the network, and its Application Connector model, which exposes only specific applications without network exposure, together form the most mature implementation of the zero trust access principle in the market. The 150+ global PoPs, Device Trust integration, and IRAP assessment make it the strongest choice for large enterprises building cloud-delivered access infrastructure.
Latency complaints in specific geographies and client reconnect issues on network changes are the most commonly noted operational concerns. Buyers should test in their target geographies before committing at enterprise scale.
The verdict: Zscaler ZPA is right for large enterprises building cloud-delivered ZTNA as part of a SASE architecture, particularly those replacing VPN with a cloud-native alternative. Organisations wanting simpler deployment at a lower cost should evaluate Cloudflare Zero Trust. Organisations wanting fully converged SASE should evaluate Cato Networks.
Zero-trust architecture where users connect to specific applications, never to the network. No inbound firewall rules required — applications are invisible to the internet. Scored 5 for the most complete app-level access isolation.
Sources: Zscaler ZPA documentation
Device posture checks
5 / 5
Zscaler Client Connector collects device health signals (OS patch, AV, MDM enrollment) and enforces posture at every connection. Scored 5 for comprehensive, continuous posture evaluation.
Sources: Zscaler documentation
OPERATIONS: Strong
UX vs VPN
4 / 5
150+ global PoPs including Sydney/Melbourne — excellent regional performance. Scored 4 because some users report reconnection delays when switching networks, and the client can feel heavier than Cloudflare WARP.
Sources: G2 reviews, Zscaler documentation
IAM & MFA integration
5 / 5
Integrates with all major IdPs natively — Okta, Azure AD, Ping, OneLogin. Rich Conditional Access policy engine. Scored 5 for the broadest IdP integration depth.
Sources: Zscaler documentation
ANALYTICS: Strong
Access & activity logs
5 / 5
Per-user, per-application session logging with 90+ day retention. Exports to SIEM. Scored 5 for the most detailed access logging in the category.
Sources: Zscaler documentation
TRUST & ECOSYSTEM: Strong
Deployment flexibility
4 / 5
SaaS-only. No on-premises deployment option. Scored 4 because SaaS is the primary model — not suitable for air-gapped or strict data residency requirements.
Sources: Zscaler documentation
Strongest: App-level access control
Watch out for: Deployment flexibility
Strengths & limitations
Strengths
● Zero-downtime cloud delivery with 150+ global PoPs including Sydney/Melbourne
● Eliminates VPNs — users access only apps they need, never the network
● Rich identity and policy integration across all major IdPs
Watch out for
● Latency complaints more frequent than peers in some geographies
● Expensive — one of the priciest ZTNA/SSE platforms
● Client agent reconnect issues on network changes
Best for
Large enterprises wanting cloud-delivered VPN-replacement ZTNA at global scale with full SSE in one platform.
Not suitable for: SMBs — minimum 250 users and enterprise pricing