Zscaler Validation
You Run Zscaler. Does Your Configuration Actually Stop Attacks?
Zscaler moved your perimeter to the cloud. We test if it holds.
Sherlock Forensics offers Zscaler security validation starting at $5,000 CAD. We test whether your Zscaler ZIA and ZPA deployments actually stop real attack techniques. Using our ShadowTap platform for internal network testing, we test split tunnel bypasses, PAC file misconfigurations, private access policy enforcement and SSL inspection coverage. You receive a detailed report showing what Zscaler blocked, what bypassed it entirely and specific remediation steps. Comprehensive validation with full ZIA and ZPA testing is available at $12,000 CAD.
Common Misconfigurations
What We Find in Zscaler Deployments
Split Tunnel Bypasses
Zscaler Client Connector can be configured with split tunnels that send certain traffic directly to the internet, bypassing all Zscaler inspection. Tunnel exclusions for collaboration tools, cloud services and CDN domains create paths that attackers can exploit for command-and-control and data exfiltration. We test whether split tunnel configurations create exploitable bypass paths.
PAC File Misconfigurations
PAC files determine routing decisions for web traffic. Complex PAC file logic with cascading conditions, exception lists and fallback rules can send traffic directly to the internet under specific conditions. Attackers who understand PAC file logic can craft requests that match exception criteria and bypass Zscaler inspection entirely. We analyze and test your PAC file routing decisions.
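The routing analysis described above can be scripted for a PAC file you own. The following is an added example, not part of the original page and not Sherlock Forensics' or Zscaler's tooling: it evaluates a PAC file against a list of URLs and reports which ones are sent DIRECT or carry a DIRECT fallback. The sample PAC file, the hostnames, the placeholder proxy name and the names auditPac, loadPac and isInternal are all constructed for illustration.

```javascript
// Constructed sample PAC file (not from a real deployment); proxy name is a placeholder.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Exception list: the second pattern lacks a leading dot, so it also
  // matches unrelated domains such as "notcdn.example.net".
  if (shExpMatch(host, "*.collab.example.com") || shExpMatch(host, "*cdn.example.net"))
    return "DIRECT";
  if (url.substring(0, 5) === "http:") return "PROXY proxy.example.invalid:80; DIRECT";
  return "PROXY proxy.example.invalid:443";
}`;

// Minimal stand-ins for the standard PAC helper functions the sample uses.
const helpers = {
  isPlainHostName: (h) => !h.includes("."),
  dnsDomainIs: (h, d) => h.endsWith(d),
  shExpMatch: (s, glob) => {
    const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(s);
  },
};

// This evaluates the PAC text as code, so only load PAC files you control.
function loadPac(pacText) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, pacText + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

// Verdicts: "internal" (DIRECT, expected), "direct" (external host never proxied),
// "fallback" (DIRECT listed after a proxy entry), "proxied" (proxy only).
function auditPac(pacText, urls, isInternal) {
  const find = loadPac(pacText);
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const steps = find(url, host).split(";").map((s) => s.trim()).filter(Boolean);
    let verdict = "proxied";
    if (steps[0] === "DIRECT") verdict = isInternal(host) ? "internal" : "direct";
    else if (steps.includes("DIRECT")) verdict = "fallback";
    return { url, verdict };
  });
}

const isInternal = (h) => !h.includes(".") || h.endsWith(".corp.example");
const SAMPLE_URLS = ["https://intranet.corp.example/", "https://meet.collab.example.com/",
  "https://notcdn.example.net/", "http://news.example.org/", "https://news.example.org/"];
console.table(auditPac(SAMPLE_PAC, SAMPLE_URLS, isInternal));
```

Every "direct" or "fallback" row is a routing decision to review against the intended exception list.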
Private Access Policy Gaps
Zscaler Private Access replaces VPN with application-level access. ZPA policies define which users can access which applications through which connectors. Overly broad application segments, misconfigured connector groups and permissive access policies can expose internal applications to unauthorized users. We test whether ZPA enforces least-privilege access.
SSL Inspection Exceptions
Zscaler ZIA performs SSL inspection in the cloud, but exception lists for application compatibility can create inspection gaps. Applications with certificate pinning, custom TLS implementations or compatibility issues get added to bypass lists. Each exception is traffic that Zscaler cannot inspect for threats. We test whether exception lists create exploitable security gaps.
Client Connector Tamper Protection
If users can disable, uninstall or bypass the Zscaler Client Connector, they bypass all Zscaler security controls. We test whether client tamper protection is effective, whether users can switch to unprotected networks and whether your organization has compensating controls for scenarios where Zscaler is not in the traffic path.
DLP and Cloud App Control Gaps
Zscaler's data loss prevention and cloud application controls depend on traffic visibility. Shadow IT applications, personal cloud storage and unapproved SaaS services may bypass DLP controls through split tunnels, PAC file exceptions or CASB gaps. We test whether sensitive data can leave your organization through paths Zscaler does not inspect.
Our Process
What We Test
Internal Network Testing
We deploy ShadowTap on your internal network, simulating a device that is not managed by Zscaler Client Connector. This tests whether internal traffic that should route through Zscaler actually does, and what happens when a device on your network bypasses the cloud proxy entirely. Your firewall protects the front door. We test the windows, the basement and the hallway.
Bypass Testing
We systematically test every potential bypass path: PAC file exceptions, split tunnel configurations, Client Connector tampering, DNS-based bypasses and direct IP connections. Each successful bypass represents traffic that flows outside Zscaler's visibility and inspection. This is the most critical test for any cloud proxy deployment.
ZPA Access Validation
We test ZPA access policies from multiple user contexts: authorized users, unauthorized users and users with partial access. We attempt to access application segments outside authorized scope, test connector isolation and verify that ZPA's zero-trust model actually enforces least privilege across your private application landscape.
Frequently Asked Questions
Zscaler Validation FAQs
- Can you test Zscaler when everything goes through the cloud?
- Yes. We test from the user's perspective and from the network. We test whether traffic actually routes through Zscaler or bypasses it via split tunnels, PAC file exceptions or direct connections. The most common finding is traffic that bypasses Zscaler entirely. Standard validation costs $5,000 CAD.
- We use ZPA for private application access. Can you test that?
- Yes. We test whether ZPA policies enforce least-privilege access, whether application segments are properly isolated and whether users can access applications outside their authorized scope. The Comprehensive assessment at $12,000 CAD includes full ZPA testing alongside ZIA.
- What if users can bypass Zscaler by disconnecting the client?
- This is a common finding. We test client tamper protection, fallback behavior and whether your organization has compensating controls for scenarios where Zscaler is not in the traffic path.
- How do you test PAC file misconfigurations?
- We analyze your PAC file logic, test edge cases in routing decisions and identify traffic categories that bypass Zscaler due to exceptions. We also test whether PAC file distribution is secure and whether users can override PAC file settings.
Validate Your Investment
Zscaler moved your perimeter to the cloud. Find out if it holds.
Standard Zscaler Validation: $5,000 CAD. Comprehensive Validation with ShadowTap internal testing, ZPA access testing and executive report: $12,000 CAD.
Ready to Test Your Zscaler?
Tell us about your Zscaler deployment and we will scope a validation assessment. Free scoping call, fixed-price quote, testing typically completed within 5-10 business days.
- Phone
- 604.229.1994
- Burnaby Office
- Burnaby, BC, Canada
- Coquitlam Office
- Coquitlam, BC, Canada