Q37
Do you have a current SOC 2 Type II report?
SOC 2 Type II: claimed_with_trust_page
Zscaler Vendor Risk Assessment — Full Report
Before you share customer data with Zscaler, your compliance team needs documented proof they can be trusted. ThirdProof investigated Zscaler across 27 intelligence sources — here's what we found.
✓ FedRAMP Status: Authorized (Moderate) — verified against marketplace.fedramp.gov
Risk Tier
Tier 3 — Moderate RiskSOC 2
⚠ Vendor AttestedFedRAMP
✓ AuthorizedLast Assessed
Mar 23, 2026🟡SSL/TLS: TLSv1.3🟢Infrastructure: 1 open port, 0 CVEs🟢Sanctions: Clear — No matches found🟢Malware: Clean
- FedRAMP Status
- Zscaler is listed on the FedRAMP Marketplace as Authorized (Moderate) as of March 2026.
- SOC 2 Status
- Zscaler has not had a SOC 2 claim detected on their trust page.
- Sanctions Screening
- Zscaler returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned Zscaler a Moderate Risk tier with 80% confidence across 27 intelligence sources.
24 sources queried. 80% confidence. Every Zscaler investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.
Get Zscaler's Full Report Free →5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes
Certification & Compliance Status
Security Questionnaire — Auto-Filled
35 of 133 questions answered for Zscaler
Auto-filled from public evidence • 26% complete
Q38
Do you have ISO 27001 certification?
Zscaler's cloud security platform is fully compliant with the ISO 27001 security standard and has achieved ISO 27017 certification for cloud-specific information security risks.
Q41
Are you FedRAMP authorized? At what level?
Not found in FedRAMP marketplace
Q40
Are you HIPAA compliant? Do you sign BAAs?
Zscaler is HIPAA compliant and will sign a Business Associate Agreement (BAA) which can be reviewed by contacting their support team.
Q42
Are you GDPR compliant? Do you have a DPA available?
Zscaler has updated its Data Processing Agreement (DPA) to align with GDPR and various legal requirements to assist customers in compliance.
+ 3 more compliance questions answered in the full report
Every investigation produces a full PDF report plus the complete 133-question questionnaire, mapped to SOC 2, HIPAA, PCI DSS, SIG, and more.
Get Zscaler's Full Report Free →✓FedRAMP Authorized (Moderate)
Verified against FedRAMP Marketplace API as of March 2026
Verified against the official FedRAMP Marketplace API as of March 2026.
Zscaler authorized at Moderate impact level.
◇27 data sources queried per assessment
◷Reports generated in an average of 7 minutes
◈SHA-256 verified for audit integrity
✓Deterministic risk scoring — no AI guesswork
3Tier
Moderate Risk
Zscaler
Vendor Risk Assessment
Confidence Score80%
Based on data availability and source coverage
24
Sources Queried
18
Sources With Data
March 23, 2026
Last Assessed
Executive Summary
AI-generated analysis for Zscaler
Zscaler (zscaler.com) is a publicly traded, enterprise-grade cloud security vendor specializing in zero trust network access and secure digital transformation. Based on independently sourced evidence, the vendor presents a moderate overall risk posture (Tier 3), reflecting a mature and well-established business alongside a small number of unresolved documentation and transparency gaps. Positive signals are notable and substantive. Zscaler demonstrates a long-established web presence of over 17 years, a clean Malware detection service status with no malware or phishing flags, and an exceptionally minimal infrastructure footprint — only a single open port (443) detected with zero known CVEs, which is significantly below the SaaS industry average of 8–12 open ports and represents a well-controlled external attack surface. The domain's TLS configuration is current, using TLSv1.3 with a valid DigiCert-issued certificate expiring February 2027. No sanctions matches were identified across OFAC, EU, or UN lists. SOC 2 compliance is claimed on the vendor's public compliance page (https://www.zscaler.com/privacy-compliance/compliance-and-standards), and a possible HITRUST directory match was identified at 90% confidence — both warrant manual verification. Historical and current adverse media scans produced no direct incidents or breach disclosures attributable to Zscaler's own security posture. Areas requiring attention include the following:
Key Findings
- A Dark Reading article titled "Zscaler: Ransomware's Momentum Looks Seemingly Unstoppable" was identified in historical archives. Upon review, this article appears to reference Zscaler's own threat research reporting on ransomware trends in the broader threat landscape — it does not describe a security incident at Zscaler. However, its presence as a flagged item warrants disclosure.
- The vendor's marketing site (zscaler.com) received a poor D- grade (25/100) from Mozilla HTTP Observatory, with missing Content-Security-Policy and X-Frame-Options headers. This applies to the marketing domain only; the application console (console.zscaler.com) should be assessed separately.
- Zscaler's AI data usage policy does not clearly state whether customer data is used for AI model training, and no retention period for AI-processed data is specified. This is a growing concern for enterprise compliance teams, particularly those subject to data residency or AI governance requirements.
- The vendor's published subprocessor page (https://zscaler.com/legal/subprocessors) could not be automatically parsed, leaving supply chain visibility incomplete pending manual review.
- No ISO 27001 certification was found in the IAF CertSearch registry, and FedRAMP authorization was not identified in the FedRAMP Marketplace. Overall, Zscaler is a credible, well-established security vendor with strong operational signals. The Tier 3 rating reflects documentation gaps and transparency items rather than active security incidents or compliance failures. Conditional approval is appropriate pending resolution of the items detailed below.
Independence Statement
All evidence in this report was sourced independently from public registries, threat intelligence feeds, and external data providers without vendor participation or disclosure.
Investigation Findings
4 findings identified for Zscaler
1 high3 medium
high
Adverse Media: ransomware
1 article(s) reference significant concerns for "Zscaler": "Zscaler: Ransomware's Momentum Looks Seemingly Unstoppable" (Dark Reading) https://news.google.com/rss/articles/CBMimgFBVV95cUxQTExQSmE1ZTdtWkxMLTZLQThzYWJXTkxkWU5PT2wyVmtyR3R1YTQ3SEIwcllUTmY1T1JEeDdIQmk3M1RSUEQ0ZkFrb3ctZ3NuVm9aTFlXc0RyYTBTTTlsREpCOTB5cS1rUVVPOE1SSVRsbTRnVkYyeU1pNmg1b3ZzelVDYlQ2N3Y1ME80Ti0wYkIyLWZhbHpmcy13?oc=5
medium
Missing Security Headers
zscaler.com is missing 2 recommended security headers: Content-Security-Policy, X-Frame-Options.
Source:Domain Analysisdns.google →
medium
HTTP Security Grade: D- (Marketing Site)
zscaler.com received a poor grade (D-) from Mozilla HTTP Observatory. Multiple security headers or configurations are missing. Note: This scan was performed on the marketing site (zscaler.com). The application endpoint (console.zscaler.com) may have different security headers. Verify the application domain separately.
medium
AI Training Data Practices Unclear
zscaler.com has an AI-related policy page but does not clearly state whether customer data is used for AI model training.
✓
Security Strengths
24 positive signals verified
✓
Legal Entity Actively Registered
Business Registration →✓
[Filtered] Recently Registered Entity
Business Registration →✓
No Sanctions Matches Found
Sanctions & Watchlist Screening →✓
No Adverse Media Signals
Adverse Media Scan (Fallback) →✓
Firmographic Data Available
Company Intelligence →✓
Valid SSL Certificate
Domain Analysis →✓
1 Open Port Detected
Infrastructure Exposure →✓
Domain Registration Unavailable
Domain Registration →✓
Threat Intelligence Partially Available
Threat Intelligence →✓
Tech Community Discussion: security
Tech Community Sentiment →✓
Minimal Tech Community Discussion
Tech Community Sentiment →✓
Certificate Data from TLS Handshake
Certificate Transparency →✓
Established Web Presence (17+ years)
Web Archive History →✓
Threat Intelligence (OTX) Unavailable
Threat Intelligence (OTX) →✓
IP Reputation Unavailable
IP Reputation →✓
Clean Safe Browsing Status
Malware & Phishing Check →✓
Website Security Scan Unavailable
Website Security Scan →✓
Trust Page Found, No Certifications Detected
Trust & Compliance Page Scan →✓
Subprocessor Page Found, No Entries Parsed
Supply Chain & Subprocessor Discovery →✓
Not Found as FDIC-Insured Institution
FDIC Institution Check →✓
No SEC Enforcement Filings Found
SEC Filing Search →✓
HITRUST Directory Match — Manual Verification Required
Certification Registry Verification →✓
SOC 2 Compliance Claimed on Trust Page
Certification Registry Verification →✓
AI Data Retention Policy Not Specified
AI Data Usage Policy →Recommended Actions
Steps to address findings for Zscaler
- 1
Request Zscaler's current SOC 2 Type II report and bridge letter — contact their security team or check https://www.zscaler.com/privacy-compliance/compliance-and-standards where the report may be available under NDA. Verify the audit period covers the last 12 months.
- 2
Manually review https://zscaler.com/legal/subprocessors to enumerate all subprocessors; if the page is dynamically rendered, request a static copy from Zscaler's privacy or legal team and document each subprocessor in your vendor risk register.
- 3
Request clarification on Zscaler's AI data handling practices — specifically whether customer data is used to train AI models, what retention periods apply to AI-processed data, and whether Copilot can be disabled or data-isolated for your tenant. Ask for this in writing or as an addendum to your DPA.
- 4
Verify the HITRUST certification status by searching https://directory.hitrustalliance.net/search?q=Zscaler directly and confirming the listed entity matches the Zscaler entity you are contracting with; if confirmed, document this as a positive compliance signal.
- 5
Request an independent security header assessment for the application console domain (console.zscaler.com) rather than relying on the marketing site scan; many enterprise SaaS vendors maintain different header configurations on their application endpoints.
- 6
Document the May 2024 breach claim in your vendor risk register and request Zscaler's post-incident review or disclosure statement confirming scope, affected customers, and remediation status.
- 7
Re-assess this vendor in 12 months or sooner if Zscaler completes FedRAMP authorization (currently not listed) or if new adverse media signals emerge.
Intelligence Sources Queried
24 sources in this assessment
18of 24 sources returned data
AI Data Usage Policy
Certification Registry Verification
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
Adverse Media Scan (Fallback)
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Web Archive History
IP Reputation
Threat Intelligence (OTX)
Certificate Transparency
Website Security Scan
Threat Intelligence
Domain Registration
Data Coverage Notes
Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.
- Domain registration details (WHOIS) were unavailable due to a data source error, limiting visibility into registrar history and registration age verification.
- External cyber risk scoring was not available for this assessment, reducing the breadth of quantitative security signal coverage.
- IP reputation data could not be retrieved, leaving one supplementary abuse signal unchecked.
- Website security scan data was unavailable, limiting dynamic behavioral analysis of the vendor's web properties.
- Certificate Transparency log data was partially unavailable; certificate details were sourced from a direct TLS handshake rather than the full CT log.
- The Legal Entity Registry legal entity match returned a low disambiguation score (30/100), indicating the matched entity (an Israeli subsidiary) may not represent the primary Zscaler corporate entity. Legal Entity Registry data was filtered accordingly and should not be interpreted as a finding against the main Zscaler organization.
- Automated subprocessor parsing returned zero entries despite a valid subprocessor page being found; manual review is required to assess supply chain composition.
- The HTTP Observatory scan was conducted on the marketing domain (zscaler.com); the application console domain (console.zscaler.com) was not scanned and may present different security header configurations.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
Security & Compliance Profile
26% complete · 35/133 questions answered from public sourcesAre you Zscaler? Claim this profile to complete your security record. Buyers are reviewing this profile now.
Claim this profile →What a ThirdProof assessment covers↓
Sanctions Screening
Is Zscaler on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is Zscaler's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is Zscaler a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has Zscaler appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is Zscaler's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are Zscaler's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does Zscaler claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does Zscaler depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has Zscaler appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Seeing this in an audit? ThirdProof lets you investigate Zscaler and every other vendor in your stack — average report time: 7 minutes. Get Zscaler's Full Report Free →
Frequently asked about Zscaler
Is Zscaler FedRAMP authorized?+
Yes, Zscaler holds FedRAMP Moderate authorization as of March 2026.
Does Zscaler have SOC 2 Type II?+
No SOC 2 found. Zscaler rated Moderate Risk — significant adverse media. See all 3 findings →
Is Zscaler on the OFAC sanctions list?+
Zscaler returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of March 2026.
What is Zscaler's vendor risk tier?+
ThirdProof assigned Zscaler a risk tier of Moderate Risk with 80% confidence based on assessment across 27 intelligence sources as of March 2026.
Can I get an auto-filled security questionnaire for Zscaler?+
Yes. Every ThirdProof investigation of Zscaler produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending Zscaler a single email or waiting for a vendor response.
Is Zscaler safe to use as a vendor?+
Zscaler is a cloud security vendor that handles organizational data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see Zscaler's full risk profile.
Does Zscaler have SOC 2 certification?+
No SOC 2 found. Zscaler rated Moderate Risk — significant adverse media. See all 3 findings →
Has Zscaler had any data breaches?+
Data breach history is an important signal for any vendor, particularly cloud security platforms like Zscaler that handle organizational data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is Zscaler on any sanctions lists?+
Sanctions screening is standard due diligence for cloud security vendors. ThirdProof screens Zscaler against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If Zscaler or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess Zscaler for vendor risk?+
Assessing Zscaler as a cloud security vendor involves verifying SOC 2 Type II and applicable industry standards compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.
Zscaler is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates Zscaler across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes
Replaces $600–$900 in manual compliance consulting time per vendor assessed.