Zscaler Platform Bundles
Comprehensive platform offerings to secure, simplify, and transform your business
Essentials Platform
Secure Internet Access (SWG)
Private Access (for 5% of users)
Also includes:
- Digital Experience for Platform
- Standard Versions: Data Protection (alert only), Sandbox, Firewall, Cyber Isolation, Zero Trust for Workloads (1GB/user/month)
RECOMMENDED
Zscaler Platform
Secure Internet Access (SWG)
Private Access (for all users)
Data Protection (inline web, all apps)
Also includes:
- Standard Versions: Digital Experience, Sandbox, Firewall, Cyber Isolation, Deception, Zero Trust for Workloads (2GB/user/month), Zero Trust SD-WAN (up to 10 sites)
Note: Zscaler Private Access, SaaS Security, DSPM, Deception, Unified Vulnerability Management, Zero Trust for Workloads, Zero Trust SD-WAN, Zscaler Digital Experience (ZDX) Advanced, ZDX Advanced Plus, and Device Segmentation are available as standalone products that do not require a platform bundle.
Add-ons
Add on advanced capabilities
Comprehensive, integrated threat protection for users, devices, and workloads
Both platform bundles come with the Cyberthreat Protection Standard package, which includes standard Sandbox, Firewall, Isolation, and correlated threat insights.
Advanced Modules
Sandbox Advanced
- Sandbox Standard: EXE, DLL from unknown sites
- Expanded file type support
- Quarantine by policy
- Instant AI verdict
- Sandbox API for 3,000 files/month/customer
- Detailed reports, incl. patient zero, zero day payload analysis
Firewall Advanced
- Firewall Standard: L3/L4 policies, basic DNS control
- Extensive FW rules framework
- Outbound FW with App ID, User ID; user, group, dept.-level rules
- Cloud IPS for non-web protocols
- DNS rules and DNS tunnel detection
- Full detailed FW logging, incl. reporting and dashboards
Cyber Browser Isolation Advanced
- Cyber Isolation Standard: Isolate unknown destinations
- Prevent up/download, control copy/paste/print; local browser rendering
- Mobile browser, policies on destination app, device, risk, user, and AI/smart isolation
- Isolate Office files, isolation + quarantine, download flattened PDF/CDR, browser-in-browser
- 1.5 GB/user/month of isolation traffic (upgradeable to unlimited isolation)
The most comprehensive private application access for any user, any app, any device
ZPA is available as part of the Essentials Platform (for 5% of users) and Zscaler Platform bundles in addition to the standalone in the ZPA Platform. Get complete value with the Private Access add-on:
AI-powered App Segmentation and Insights
- Unlimited app segments
- Ensures least privileged access with frequent AI recommendations (every 14 days)
- Provide recommendation reasons to help customers to make a choice of acceptance
- Visual insights on recommendations, user-app assignments, and policy utilization
- Download of details for offline analysis and reporting on user and app usage
- Easy import of apps into ZPA making it less error-prone
AppProtection
- Inspect Layer 7 app traffic and provide visibility for web or identity-based attacks
- Mitigate web risks including OWASP Top 10 such as SQL injection, cross-site scripting, and server-side request forgery
- Detect and identify Active Directory attacks such as kerberoasting and enumeration
- Zero-day threat protection with virtual patches against latest CVEs
- Detect and report suspicious browser-based activity
- Align with MITRE ATT&CK framework
A completely unified platform to secure all data types, across all channels
In addition to core data protection features, add-on modules are available:
Advanced Modules
Endpoint Protection
- Endpoint data discovery
- Print, personal cloud, removable storage, local network shares
- Monitor user activity (dashboards, reports, NSS feeds)
Email Protection
- Inline data protection (Exchange/Gmail)
- Out-of-band email API (Exchange/Gmail)
SaaS Security
- Out-of-band SaaS API (CASB) for all SaaS apps (except Exchange/Gmail)
- SaaS security posture management (SSPM)
- SaaS security for third-party apps
Browser Isolation (VDI Alternative)
- VDI Alternative and other managed devices use cases (cloud App Control, user/device risk based Isolation)
- 1.5GB/user/month (measured across all Isolation users)
Data Classification and Encryption
- Advanced classification, incl. EDM, IDM, OCR
- Sensitive file encryption
- Watermarking
- Privacy control-redaction
01 / 03
Actionable insights to reduce overall risk
Advanced Modules
Deception Advanced
- 300 customizable decoys (network, application, identity), deep packet inspection
- Ransomware detection, local scan/MiTM detection, 5 active file decoys, privilege escalation, defense evasion detection, triage
- Full SOC workflow: SIEM forwarding, orchestration and containment, ThreatParse rules
- Custom notifications and reports, RBAC, static IP allow-listing, API access
Risk360 Advanced
- Cyber risk quantification and reporting framework
- Granular risk factors derived from Zscaler and third-party security tools
- Financial exposure detail and board-ready reporting
- Actionable risk insights with policy and mitigation recommendations
Unified Vulnerability Management Advance
- Deduplication, contextualization, mitigating controls, and correlation of findings
- Context from 150+ sources (CVEs, assets, users, apps, identity, behavior + mitigating controls)
- Closed-loop integration with workflow tools
- Out-of-the-box visual reports for overall risk trends and analysis
Secure connectivity for branches, campuses, and factories, without VPNs or lateral threat movement
Standard
Includes up to 10 virtual sites with platform purchases of >500 users, and:
- Visibility, Zscaler Internet Access (ZIA), and Zscaler Private Access (ZPA)
- Up to 10 IoT devices/site
- 20 GB of traffic/month/site
Note: Device counts and traffic are aggregated across all sites
Advanced
Includes everything in Standard, plus:
- Gateway features (WAN, LAN, DNS, DHCP) and ISP path selection
- Up to 50 IoT devices/site included
- 100 GB of non-user traffic/month/site included
Note: Device counts and traffic are aggregated across all sites
Advanced Plus
Includes everything in Advanced, plus:
- Advanced firewall, IDS, IPS
- IoT/OT discovery and classification, tagging, IoT policy control
Note: Device counts and traffic are aggregated across all sites
Fast, direct, secure access to industrial systems and devices for third-parties and vendor technicians—with full governance controls.
Standard
Included with platform purchases of >500 users
- Up to 10 systems (RDP/VNC/SSH)
- 1 pair of App Connectors per system
- Up to 1 GB monthly data pooled across all systems
Includes:
- Full protocol isolation—SSH, RDP, VNC
- Interactive authentication
- Clipboard controls (text copy/paste)
- Sandboxed file transfer (with Advanced Cloud Sandbox)
- Just-in-time/time-bound access
Advanced
- Subscribed by number of systems (RDP/VNC/SSH)
- 1 pair of App Connectors per system
- Up to 10 GB monthly data per system pooled across all systems
Includes everything in Standard, plus:
- Credential vaulting and injection
- Emergency access1
- Cloud session recording and playback2
- Session monitoring
- Ushered access
- Emergency access for up to 100 users, not counted towards platform user count.
- Cloud recording for up to 10 hours/month per system, pooled across all systems; 365 days of cloud storage.
Security for workloads and servers with a modern zero trust architecture
Standard
- Basic controls to protect workloads using stateful filtering
- Comprehensive protection for apps deployed in the cloud or data center
Advanced
Everything in Standard, plus:
- Secure workload-to-internet access with deep packet inspection
- Log storage for regulatory compliance
- Source IP anchoring
- Sublocation-based workload segmentation
- Workload data leak protection
- Cyber protection for workloads with standard FW and DNS control
Advanced Plus
Everything in Advanced, plus:
- Inline data protection
- Advanced data classification
- Advanced FW protection for workloads, incl. Sandbox
- Cloud NSS and log recovery
AI-powered detection and resolution of app, network, and device issues to keep users productive
Modules
Standard
Ideal for organizations monitoring digital experiences from user devices, network paths, and applications.
Includes:
- Unified monitoring
- User experience
- Application
- Device health
- Network performance
- Email alerts
- 3 applications
- Poll at 15-minute intervals
- 3 alert rules
- Data retention: 2 days
Advanced
Comprehensive monitoring at scale for advanced IT support, service desk, network, and security needs.
Everything in Standard, plus:
- AI-powered root cause analysis
- All apps, plus Teams/Zoom/Webex call quality
- Read-only shareable URLs and user details snapshots
- Organization-wide device model and software version review
- Trend reports across apps, locations, devices, and networks
- Performance impact analysis of specific app or user data
- ITSM tool integration via API/webhooks
- 15 applications
- Poll at 5-min intervals
- 25 alert rules
- Data retention: 14 days
Advanced Plus
The ultimate DEM solution, with maximum visibility, altering, and troubleshooting capabilities.
Everything in Advanced, plus:
- Troubleshooting of device issues caused by active processes
- List incidents across applications, Zscaler data centers, last mile ISPs, and Wi-Fi
- Proactive user alerts for Wi-Fi/ISP issues
- Copilot AI assistant for instant troubleshooting and insights
- Web and network performance monitoring and analysis from Zscaler hosted locations
- 50 applications
- Poll at 5-min intervals
- 100 alert rules
- Data retention: 14 days