What is our primary use case?
It's primarily for end-user access to the public internet. We use the proxy functionality and the URL Filtering.
We have a global policy for all our users. While there are a few categories of URLs that we are not allowed to do SSL inspection on, the primary function for us is to do SSL inspection so that we can make use of the built-in anti-malware and antivirus—the advanced-threat features—within the platform. We do SSL inspection of some 80 percent of all the traffic and we can evaluate if it's malicious or not.
It is a cloud solution where pretty much everything is handled by Zscaler.
How has it helped my organization?
Zscaler has helped to reduce the time we spend managing security policies. That is very important to us. A lot of the features it has are AI-based decision-making. For instance, if we implement a sandboxing rule for how files of a certain type should be inspected, we also can activate the AI decision-making process. That way, even if a file is new to the sandboxing environment, it can still see that it is a PDF and has these and these characteristics. Based on that, the AI says that "No, this file is not malicious," even though it normally would have been quarantined and sandboxed and have gone through the whole analysis process. The AI helps out in minimizing the time to do that analysis. And that also helps in reducing the burden of someone actually having to do things manually.
If you count everything that was involved in managing the appliances, the lifecycle management, and support contracts, in our old environment, we have reduced the number of FTEs managing the environment from five or six to about two.
It has also definitely helped reduce the number of infected devices in our organization by proactively preventing attacks. Since we scan almost all of the traffic, we now see how much of the traffic is "malicious." In our environment, we block about 1.6 million threats every quarter, but we don't know the severity of those threats. Maybe 1 million of them are malicious content in some way, while half a million are adware. But there are real threats that are being blocked, like botnet callbacks, cross-site scripting, and browser exploits. On average, we are blocking about 500,000 threats per month.
What is most valuable?
There are a bunch of different capabilities that are valuable within the platform. We use quite a lot of them, but not everything. The ones that are most important to us are the URL Filtering and the application control.
For our needs, the cloud-native proxy architecture is a very good solution. We are moving away from on-prem appliances and moving more toward cloud-based solutions. Zscaler is a good fit for our strategy. This architecture helps with cyber threats because we inspect most of the traffic and we can see that a lot of threats are stopped directly in the secure web gateway. But there are parts of it that we don't use yet, like the DLP functions. Instead, we are using the Zscaler Cloud Sandbox feature for content that is downloaded as files. We detonate the document in a sandbox and see if it's malicious or not.
It's a very easy-to-learn and easy-to-use platform, even for me as a more non-technical person. I'm still able to do a lot of work in this platform.
What needs improvement?
The reporting functionality could be a bit easier to use. There is a reporting function, but it's quite hard to do any good reporting, from a user-management perspective. For example, if a department manager wants to know how his department is using the web, there is a way to get the data, but it's quite cumbersome to get it and show it well. And that's true for comparing between departments. It's quite hard to get a good report.
Another issue is that the API documentation could be a bit more up-to-date. They're implementing stuff, but not updating the documentation all the time.
Buyer's Guide
Zscaler Internet Access
March 2025
Learn what your peers think about Zscaler Internet Access. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
860,711 professionals have used our research since 2012.
For how long have I used the solution?
We have been using Zscaler Internet Access for the last five years.
What do I think about the stability of the solution?
Since we have global reach, we are seeing a bit more instability in Asia, primarily in China, but I'm not sure that it's related to Zscaler. I think it's more due to how China does things in terms of internet access.
What do I think about the scalability of the solution?
It scales very well, if you go for the cloud-based solution alone. In certain regions in the world, we have started to implement local appliances, like a VEN node, where we don't have good coverage from Zscaler's public data centers. But if you only use the public data centers, it's getting a lot better. A while back, there were 35 or 40 data centers that we could use globally, but now there are over 80. So the scalability is quite good for us.
How are customer service and support?
Zscaler's technical support team is good at what they do, and they help us fix our problems quite fast. I would rate them eight on a scale of one to 10. There's always room for improvement.
We have had issues from time to time where they don't really see our problem as a problem, but we, as a customer, are being affected. They have a few different ISPs that take care of traffic to and from their data centers, and when their ISP is not performing, we, as customers, are suffering. There have been occasions when we have seen that our traffic is being routed very strangely within the Zscaler network, but they don't see that as a problem. We do, because all of a sudden, all of our Swedish users are going to the data center in Norway instead of Sweden. For Zscaler that is not a problem because they are still doing their job. But for our users, it's complicated because Norway is not part of the European Union, whereas Sweden is. If they go through the VEN node in Oslo, Norway, we cannot reach stuff that is EU-regulated, such as export and import functions within the EU. That is a big part of what we do. At times, it has been hard to get the Zscaler TAC team to understand that this is a problem for us, as a company.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We used to have an on-prem solution doing pretty much the same thing as Zscaler, but as our strategy is cloud-first and internet-first, we thought that we should also use a cloud-based solution. We started to look at the alternatives, five or six years ago. What we saw was that there was only one, at the time, that was mature enough for our needs.
Since then, Zscaler has evolved quite a lot. In the beginning, there was no Zscaler Client Connector, an agent on your computer. It was all cloud-based, but that changed about a half a year after we started to use Zscaler. We assessed whether Zscaler fit our needs or not and we saw that for 75 or 80 percent of our needs, it was a good fit. Some aspects were not mature back then but they have matured over time.
How was the initial setup?
The initial deployment was quite straightforward. I wasn't really on board at the time the implementation of Zscaler took place, but overall, when new features and functionalities are added to the product, it's quite straightforward to implement them and to roll them out to large user groups, or globally. From a rollout perspective, it's quite easy to use.
Initially, one of our demands was that everything should be cloud-based, meaning we shouldn't have any agents on each computer. We learned the hard way that such an approach doesn't work well, because you need something to control the path from the user's computer to the Zscaler cloud. You need to be able to steer how the traffic goes. You can do that with PAC files. But ultimately, together with Zscaler, we figured out that a client was needed, at least for our needs.
What was our ROI?
Zscaler has helped us save costs by enabling us to decommission all of our legacy proxies. We had at least nine locations with appliances, and we had multiple appliances per location. It has helped us save money.
We have also seen ROI in terms of the cost of both the lifecycle management and the service and support contract that we previously needed. We have saved quite a lot there. I don't know the exact numbers, because I'm not in charge of the finances, but if you count the resources needed to manage the platform, we have saved up to 45 or 50 percent of the cost we used to have.
Which other solutions did I evaluate?
Back then, there weren't many other cloud-based solutions available. There were hybrid models, but we wanted a completely cloud-based solution.
At the time, Symantec had the beginning of a cloud-based solution, but it was very immature and it didn't work as well as Zscaler. Zscaler had been around since around 2010 and was five years into their journey, while Symantec was only a year or two into their journey. We opted for the most mature at that time.
Since then, we have looked at other solutions, including Netskope and a few others. They are similar in their design, but Zscaler has features in its design that make it stand out from the competitors. For instance, their scanning methodology is something like, "Scan once, analyze many times." That means there is a one-time scan of the traffic, but with multiple different threat engines, for antivirus and anti-malware, et cetera. And they do it only in the RAM memory of their cloud solution machines, which makes it super-fast. They can scan a lot of traffic in a very short amount of time. That part is something that a lot of other vendors are not doing. They're scanning in sequence, not in parallel.
What other advice do I have?
Make use of the Zscaler Client Connector as much as you can, with all of the functionality that comes with it. Also, do not allow the users to disable the Zscaler Client Connector, because then you don't know if traffic is actually going through Zscaler or not. If it's always on, you know that if something is not working, it's your policies that are doing something to the traffic. We used to make it possible for a user to disable the Zscaler Client Connector, which then made it impossible for us, as the team that troubleshoots problems, to know if the traffic was actually going through Zscaler or not. If you don't have that control, you don't know where the problem is. Now, at least we know that it's either on the client or it's on Zscaler or it's on the destination that they're trying to reach.
As for saving time with this system versus deploying and managing traditional network security hardware, it depends on how you build your management of the solution. We have opted for a solution where we manage everything centrally. We have one IT team that manages all of the Zscaler Internet Access policies and settings. But there is an option, and it's one of the strengths of Zscaler, to delegate control of parts or all of the solution to other teams. For instance, you could have URL Filtering policies that are managed by a local IT team in a given country. We don't do that. We manage everything from one team and we control everything, for our whole organization, from this management platform. We control the forwarding policies, the application access policies, the URL Filtering policies—pretty much everything.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.