PLANS & PRICING

Simple subscription pricing,
set up in minutes

Secure every step of your transformation journey.

Take the next step

Zscaler Platform Bundles

Comprehensive platform offerings to secure, simplify, and transform your business

Essentials Platform

Start your zero trust journey with secure, reliable internet access and limited private access, with other Zscaler innovations.
Secure Internet Access (SWG)
Private Access (for 5% of users)

Also includes:

  • ZDX Standard: Pre-Set
  • Standard Versions: Data Security (alert only), Sandbox, Firewall, Cyber Isolation, Zero Trust for Workloads (1GB/user/month)

RECOMMENDED

Zscaler Platform

Unlock the complete SASE/SSE solution, including full internet access, private access, and data security.
Secure Internet Access (SWG)
Private Access (for all users)
Data Security (inline web, all apps)

Also includes:

  • Standard Versions: Digital Experience, Sandbox, Firewall, Cyber Isolation, Deception, Zero Trust for Workloads (2GB/user/month), Zero Trust SD-WAN (up to 10 sites)

Note: Zscaler Private Access, SaaS Security, DSPM, Deception, Unified Vulnerability Management, Zero Trust for Workloads, Zero Trust SD-WAN, Zscaler Digital Experience (ZDX) Advanced, ZDX Advanced Plus, and Device Segmentation are available as standalone products that do not require a platform bundle.

Add-ons

Add on advanced capabilities

01Inline Cyberthreat Protection

Comprehensive, integrated threat protection for users, devices, and workloads

Both platform bundles come with the Cyberthreat Protection Standard package, which includes standard Sandbox, Firewall, Isolation, and correlated threat insights.
Advanced Modules

Sandbox Advanced

  • Sandbox Standard: EXE, DLL from unknown sites
  • Expanded file type support
  • Quarantine by policy
  • Instant AI verdict
  • Sandbox API for 3,000 files/month/customer
  • Detailed reports, incl. patient zero, zero day payload analysis

Firewall Advanced

  • Firewall Standard: L3/L4 policies, basic DNS control
  • Extensive FW rules framework
  • Outbound FW with App ID, User ID; user, group, dept.-level rules
  • Cloud IPS for non-web protocols
  • DNS rules and DNS tunnel detection
  • Full detailed FW logging, incl. reporting and dashboards

Cyber Browser Isolation Advanced

  • Cyber Isolation Standard: Isolate unknown destinations
  • Prevent up/download, control copy/paste/print; local browser rendering
  • Mobile browser, policies on destination app, device, risk, user, and AI/smart isolation
  • Isolate Office files, isolation + quarantine, download flattened PDF/CDR, browser-in-browser
  • 1.5 GB/user/month of isolation traffic (upgradeable to unlimited isolation)
02Private Access

The most comprehensive private application access for any user, any app, any device

ZPA is available as part of the Essentials Platform (for 5% of users) and Zscaler Platform bundles in addition to the standalone in the ZPA Platform. Get complete value with the Private Access add-on:

Autonomous User-to-App Segmentation

  • Unlimited App Segments
  • AI-powered app recommendations based on live traffic analysis
  • Segmentation insights for continuous optimization
  • Bulk app import from 3rd party systems
  • Microtenants for localized, independent administration
  • Dual FQDN access check for easy migration from VPN to zero-trust

AppProtection

  • Mitigate web risks (including OWASP Top 10) with inline app traffic inspection
  • Detect Active Directory attacks (kerberoasting, enumeration)
  • Detect & respond to latest CVEs with virtual patches
  • Align with MITRE ATT&CK framework

ZPA for legacy apps (VOIP,S2C,etc.)

  • Support VoIP, Server-to-Client, and Network-Connected Applications
  • Accelerate zero trust access adoption for core applications while legacy network apps connect via VPN-like functionality

ZPA Business Continuity

  • Automatic failover when Zscaler cloud is not reachable
  • Supports authentication, access policy, app protection, micro tenants  and load balancing
  • Enroll new users when in business continuity mode
  • Comprehensive logging

ZPA Clientless Platform

  • Secure access from any browser for third-party users and unmanaged devices
  • Unified portal to access Private, SaaS and Web Apps, and privileged consoles
  • Verify device posture with Google Chrome Enterprise
  • Privileged access (RDP/SSH) for up to 10 systems per ZPA tenant
  • Add-on data protection with browser isolation and DLP
  • Can be purchased as Add-on for guest users

Browser Isolation

  • Browser Isolation for Private/SaaS Apps
  • Applicable for BYOD, B2B, VDI Replacement

01 / 04

03Data Security

A completely unified platform to secure all data types, across all channels

In addition to core data security features, add-on modules are available:
Advanced Modules

Endpoint Protection

  • Endpoint data discovery
  • Print, personal cloud, removable storage, local network shares
  • Monitor user activity (dashboards, reports, NSS feeds)

Email Protection

  • Inline data security (Exchange/Gmail)
  • Out-of-band email API (Exchange/Gmail)

SaaS Security

  • Out-of-band SaaS API (CASB) for all SaaS apps (except Exchange/Gmail)
  • SaaS security posture management (SSPM)
  • SaaS security for third-party apps

Browser Isolation 
(VDI Alternative)

  • VDI Alternative and other managed devices use cases (cloud App Control, user/device risk based Isolation)
  • 1.5GB/user/month (measured across all Isolation users)

Data Classification and Encryption

  • Advanced classification, incl. EDM, IDM, OCR
  • Sensitive file encryption
  • Watermarking
  • Privacy control-redaction

DSPM

  • Discover, classify and contextualize data-at-rest
  • Correlate risk, misconfigurations and exposure
  • Map security risk to compliance posture standards and benchmarks
  • Secure AI models, agents and services (AI-SPM)

GenAI Security

  • Find Shadow AI and enable safe use of public GenAI apps
  • Securely enable Microsoft Copilot and control risky oversharing
  • Protect enterprise-built AI apps across the full AI lifecycle

01 / 05

04Security Operations

Actionable insights to reduce overall risk

Advanced Modules

Deception Advanced

  • 300 customizable decoys (network, application, identity), deep packet inspection
  • Ransomware detection, local scan/MiTM detection, 5 active file decoys, privilege escalation, defense evasion detection, triage
  • Full SOC workflow: SIEM forwarding, orchestration and containment, ThreatParse rules
  • Custom notifications and reports, RBAC, static IP allow-listing, API access

Risk360 Advanced

  • Cyber risk quantification and reporting framework
  • Granular risk factors derived from Zscaler and third-party security tools
  • Financial exposure detail and board-ready reporting
  • Actionable risk insights with policy and mitigation recommendations

Unified Vulnerability Mgmt Advanced

  • Deduplication, contextualization, mitigating controls, and correlation of findings
  • Context from 150+ sources (CVEs, assets, users, apps, identity, behavior + mitigating controls)
  • Closed-loop integration with workflow tools
  • Out-of-the-box visual reports for overall risk trends and analysis
05Zero Trust Branch Pricing Model

Connect, secure, and segment your branches, campuses, and factories

SD-WAN

  • Traffic forwarding to ZIA, ZPA, Routed Tunnels or Direct to Internet
  • Intelligent app-aware path selection
  • WAN link monitoring
  • High availability
  • Local security policies 

Package sizing based on encrypted throughput

 

  • Small – Up to 200 Mbps
  • Medium - Up to 400 Mbps
  • Large - Up to 1 Gbps
  • X Large - Up to 10 Gbps

Device Segmentation

  • Agentless device isolation
  • Dynamic micro subnets
  • Asset discovery & profiling
  • MAC-based authentication

Package sizing based on number of endpoints

 

  • Small – Up to 200 endpoints
  • Medium - Up to 500 endpoints
  • Large - Up to 1000 endpoints
  • X Large - Up to 5000 endpoints

Deployment Options: ZT 400, ZT 600, ZT 800, ZT 8010, ZT VM

06Privileged Remote Access

Fast, direct, secure access to industrial systems and devices for third-parties and vendor technicians—with full governance controls.

Standard

Included with platform purchases of >500 users

  • Up to 10 systems (RDP/VNC/SSH)
  • 1 pair of App Connectors per system
  • Up to 1 GB monthly data pooled across all systems

Includes:

  • Full protocol isolation—SSH, RDP, VNC
  • Interactive authentication
  • Clipboard controls (text copy/paste)
  • Sandboxed file transfer (with Advanced Cloud Sandbox)
  • Just-in-time/time-bound access

Advanced

  • Subscribed by number of systems (RDP/VNC/SSH)
  • 1 pair of App Connectors per system
  • Up to 10 GB monthly data per system pooled across all systems

Includes everything in Standard, plus:

  • Credential vaulting and injection
  • Emergency access1
  • Cloud session recording and playback2
  • Session monitoring
  • Ushered access
  1. Emergency access for up to 100 users, not counted towards platform user count.
  2. Cloud recording for up to 10 hours/month per system, pooled across all systems; 365 days of cloud storage.
07Workload Communications

Security for workloads and servers with a modern zero trust architecture

Standard

  • Basic controls to protect workloads using stateful filtering
  • Comprehensive protection for apps deployed in the cloud or data center

Advanced

Everything in Standard, plus:

  • Secure workload-to-internet access with deep packet inspection
  • Log storage for regulatory compliance
  • Source IP anchoring
  • Sublocation-based workload segmentation
  • Workload data leak protection
  • Cyber protection for workloads with standard FW and DNS control

Advanced Plus

Everything in Advanced, plus:

  • Inline data security
  • Advanced data classification
  • Advanced FW protection for workloads, incl. Sandbox
  • Cloud NSS and log recovery
08Digital Experience Monitoring

AI-powered detection and resolution of app, network, and device issues to keep users productive

Modules

Standard

Ideal for organizations monitoring digital experiences from user devices, network paths, and applications.
 

Includes:

  • Unified monitoring
    • User experience
    • Application
    • Device health
    • Network performance
  • Email alerts
  • 3 applications
  • Poll at 15-minute intervals
  • 3 alert rules
  • Data retention: 2 days

Advanced

Comprehensive monitoring at scale for advanced IT support, service desk, network, and security needs.
 

Everything in Standard, plus:

  • AI-powered root cause analysis
  • All apps, plus Teams/Zoom/Webex call quality
  • Read-only shareable URLs and user details snapshots
  • Organization-wide device model and software version review
  • Trend reports across apps, locations, devices, and networks
  • Performance impact analysis of specific app or user data
  • ITSM tool integration via API/webhooks
  • Device events dashboard
  • 15 applications
  • Poll at 5-min intervals
  • 25 alert rules
  • Data retention: 14 days

Advanced Plus

The ultimate DEM solution, with maximum visibility, altering, and troubleshooting capabilities.
 

Everything in Advanced, plus:

  • Troubleshooting of device issues caused by active processes
  • List incidents across applications, Zscaler data centers, last mile ISPs, and Wi-Fi
  • Proactive user alerts for Wi-Fi/ISP issues
  • Copilot AI assistant for instant troubleshooting and insights
  • Monitor critical SaaS and custom web apps 24/7 from Zscaler data centers
  • Enterprise-wide visibility into device health and hardware usage dashboard
  • Identify ISP bottlenecks across the internet
  • 50 applications
  • Poll at 5-min intervals
  • 100 alert rules
  • Data retention: 14 days