NSS Labs Reports Zscaler Zero Trust Exchange Results Under SSE v3.0 Preview
NSS Labs reported results from an SSE Threat Protection evaluation of Zscaler Zero Trust Exchange using a preview of an updated v3.0 methodology, citing an overall Security Effectiveness score of 98.85% alongside low false positives. The findings address how enterprise SSE products perform against evasions without prior vendor knowledge of test attacks.
Research Overview
NSS Labs released an SSE Threat Protection evaluation for Zscaler’s Zero Trust Exchange (ZTE), describing the testing as an early preview of an upcoming SSE Threat Protection Methodology update labeled v3.0. The company said the v3.0 approach is more demanding than earlier SSE tests.
The updated methodology shifts from tunnel-based to agent-based SSE testing to reflect modern enterprise deployment patterns, and it includes latency testing. NSS Labs described its testing as adversarial, stating that vendors do not receive the specific attacks, tactics, or techniques in advance.
Key Findings
NSS Labs reported an overall Security Effectiveness of 98.85% for ZTE, paired with an exploit block rate of 99.05% based on 311 of 317 exploits. The report also cited exploit evasion resistance of 100%.
For malware, NSS Labs reported a malware block rate of 98.65% using 4,807 of 4,873 samples, plus 100% block rate against handcrafted malware built to evade signature and reputation-based detection via behavioral analysis and sandboxing. It also reported malware evasion resistance of 100% and false positive accuracy of 99.63%.
Technical Breakdown
NSS Labs stated that the test evaluated ZTE across categories that included blocking performance by exploit severity levels, malware stopping rates, and evasion resistance across multiple techniques. The report described ZTE as resisting 100% of 583 tested evasion techniques across 15 categories, including packers, compressors, and HTTP content and header manipulations.
NSS Labs also reported incorrect blocking of 15 of 4,098 legitimate samples, citing a 0.4% incorrect block rate. It said the results included a 100% block rate for Critical, High, and Medium exploits and 98.26% for Low-rated exploits, producing the 99.05% overall exploit block rate.
Operational Impact
NSS Labs described resistance to evasions as a factor with weight in the test results, because a successful evasion can enable an attacker to bypass an entire class of threats. The report presented the evasion results alongside false positive accuracy and incorrect blocking figures.
NSS Labs said ZTE was tested using a recommended or default configuration aligned with “Secure-by-Default” principles. It also stated that its SSE Threat Protection Test Report for Zscaler ZTE is available for download at no charge and that additional SSE vendor evaluations under v3.0 are planned over the following months.
NSS Labs’ v3.0-preview SSE Threat Protection evaluation for Zscaler Zero Trust Exchange reported 98.85% overall Security Effectiveness, 99.05% exploit blocking, 98.65% malware blocking, 100% evasion resistance, and 99.63% false positive accuracy. This Blog Signals brief is a fact-based summary of the vendor blog.