Zscaler ZDTA Practice Test

Zscaler Digital Transformation Administrator

Last exam update: Nov 18, 2025
Page 1 out of 9. Viewing questions 1-15 out of 125

Question 1

Which is an example of Inline Data Protection?

  • A. Preventing the copying of a sensitive document to a USB drive.
  • B. Preventing the sharing of a sensitive document in OneDrive.
  • C. Analyzing a customer’s M365 tenant for security best practices.
  • D. Blocking the attachment of a sensitive document in webmail.
Answer:

D


Explanation:
Inline Data Protection is the process of inspecting data as it transits the network in real time,
enforcing policies that prevent sensitive data from being leaked or transmitted improperly. Blocking
the attachment of a sensitive document in webmail represents inline data protection because it
intercepts and controls data transmission at the network level, stopping sensitive content before it
leaves the organization.
Preventing copying to a USB drive is endpoint control and does not happen inline in network traffic.
Preventing sharing in OneDrive is cloud access security broker (CASB) activity, often done through
API integrations, not inline network control. Analyzing M365 tenant security is an audit or advisory
activity, not real-time inline protection.
Therefore, the correct example of inline data protection in Zscaler's cloud security services is blocking
the attachment of a sensitive document in webmail.


Question 2

Which attack type is characterized by a commonly used website or service that has malicious content
like malicious JavaScript running on it?

  • A. Watering Hole Attack
  • B. Pre-existing Compromise
  • C. Phishing Attack
  • D. Exploit Kits
Answer:

A


Explanation:
A Watering Hole Attack targets users by compromising a website or service that is commonly visited
by the intended victims. The attacker injects malicious content such as malicious JavaScript or
malware into the website, so when the user visits the site, their system gets infected. This attack
relies on the trust users have in popular or legitimate websites and exploits it by turning those sites
into infection vectors.
Pre-existing Compromise refers to attacks where the target environment is already compromised
before the attack is recognized, but it does not specifically describe malicious content injected into
popular websites. Phishing Attack involves deceiving users to click malicious links or reveal
credentials, not compromising websites directly. Exploit Kits are automated tools that scan for
vulnerabilities and deliver exploits but are not characterized by the use of commonly used websites
hosting malicious scripts.
The study guide clearly explains Watering Hole Attacks as a method where attackers infect trusted
websites frequented by target users to deliver malicious payloads.


Question 3

What is the name of the feature that allows the platform to apply URL filtering even when a Cloud
App control policy explicitly permits a transaction?

  • A. Allow Cascading
  • B. Allow and Quarantine
  • C. Allow URL Filtering
  • D. Allow and Scan
Answer:

A


Explanation:
The feature that allows Zscaler to apply URL filtering even when a Cloud App control policy explicitly
permits a transaction is called Allow Cascading. This feature ensures that even if a cloud application
is permitted by the Cloud App control policy, the URL filtering policy can still be enforced. This is
useful in cases where granular URL control is needed on top of cloud app permissions, providing
layered security controls.
The study guide clearly explains that Allow Cascading enables URL filtering policies to cascade or take
precedence and thus still inspect and potentially block URLs even if the cloud app is allowed by
policy. This allows administrators to fine-tune access and ensure additional inspection layers on web
traffic.


Question 4

Which proprietary technology does Zscaler use to calculate risk attributes dynamically for websites?

  • A. Third-Party Sandbox
  • B. Zscaler PageRisk
  • C. Browser Isolation Feedback Form
  • D. Deception Controller
Answer:

B


Explanation:
Zscaler uses a proprietary technology called Zscaler PageRisk to calculate risk attributes dynamically
for websites. PageRisk assesses the risk level of a website based on a variety of dynamic factors,
including the site's content, reputation, and behavior, helping to identify potentially harmful or
suspicious sites in real time.
This dynamic risk scoring allows Zscaler to enforce security policies more effectively, blocking or
allowing access based on calculated risk rather than static lists alone. The study guide specifies that
PageRisk is integral to the platform's adaptive security posture and URL filtering capabilities.


Question 5

Which list of protocols is supported by Zscaler for Privileged Remote Access?

  • A. RDP, VNC and SSH
  • B. RDP, SSH and DHCP
  • C. SSH, DNS and DHCP
  • D. RDP, DNS and VNC
Answer:

A


Explanation:
Zscaler supports RDP, VNC, and SSH protocols for Privileged Remote Access. These are commonly
used protocols for remote management and privileged user sessions, allowing secure access to
internal applications or systems without exposing the network or requiring VPN connections.
The study guide clearly states that Privileged Remote Access capabilities focus on these protocols to
ensure secure, monitored, and controlled remote sessions for administrators and privileged users,
supporting remote desktop and shell access securely.


Question 6

An administrator would like users to be able to use the corporate instance of a SaaS application.
Which of the following allows an administrator to make that distinction?

  • A. Out-of-band CASB
  • B. Cloud application control
  • C. URL filtering with SSL inspection
  • D. Endpoint DLP
Answer:

B


Explanation:
Cloud application control is the feature that allows an administrator to distinguish and enforce
policies specifically on the corporate instance of a SaaS application. This enables granular control,
allowing users to access the approved corporate SaaS while restricting access to personal or
unauthorized instances. Out-of-band CASB generally provides visibility but does not enforce real-
time distinctions in this context. URL filtering with SSL inspection and Endpoint DLP serve different
purposes, such as content inspection and endpoint data protection, respectively.
The study guide explains that Cloud Application Control policies identify and enforce controls based
on SaaS application instances, providing precise policy enforcement aligned with corporate SaaS
usage requirements.


Question 7

How does Zscaler Risk360 quantify risk?

  • A. The number of risk events is totaled by location and combined.
  • B. A risk score is computed based on the number of remediations needed compared to the industry peer average.
  • C. Time to mitigate each identified risk is totaled, averaged, and tracked to show ongoing trends.
  • D. A risk score is computed for each of the four stages of breach.
Answer:

D


Explanation:
Zscaler Risk360 quantifies risk by computing a risk score that is based on the number of remediations
needed in comparison to the industry peer average. This approach allows organizations to
understand their relative security posture by evaluating how many issues require remediation and
benchmarking that against peers in the industry. This methodology enables prioritized risk
management and provides context around the urgency and scale of remediation activities necessary
to reduce risk.
Unlike simply counting risk events or focusing on time to mitigate, Risk360 uses this comparative
remediation-based scoring to give a comprehensive view of risk. It does not compute separate scores
for each of the four breach stages but rather aggregates remediation efforts and benchmarks them to
industry standards.
This is confirmed by the study guide's explanation of Risk360's scoring method, highlighting the use
of remediation counts compared to peers as the basis for risk scoring.


Question 8

What is the recommended minimum number of App connectors needed to ensure resiliency?

  • A. 2
  • B. 6
  • C. 4
  • D. 3
Answer:

A


Explanation:
The recommended minimum number of App connectors to ensure resiliency in Zscaler Private
Access is 2. Having at least two App connectors provides redundancy, so if one connector fails or is
unavailable, the other can continue to provide access without interruption. This recommendation is
critical to maintaining high availability and fault tolerance for internal application access.
The study guide specifies this minimum to ensure continuity and reliability of application access
through ZPA.


Question 9

What method does Zscaler Identity Threat Detection and Response use to gather information about
AD domains?

  • A. Scanning network ports
  • B. Running LDAP queries
  • C. Analyzing firewall logs
  • D. Packet sniffing
Answer:

B


Explanation:
Zscaler Identity Threat Detection and Response gathers information about Active Directory (AD)
domains primarily by running LDAP queries. LDAP queries allow the system to retrieve user and
domain information directly and accurately from the AD infrastructure, enabling detection and
analysis of identity threats and suspicious activities.
The study guide highlights the use of LDAP queries as a reliable and standard method for accessing
AD domain data in this security context.


Question 10

What does a DLP Engine consist of?

  • A. DLP Policies
  • B. DLP Rules
  • C. DLP Dictionaries
  • D. DLP Identifiers
Answer:

C


Explanation:
The DLP (Data Loss Prevention) Engine in Zscaler consists of DLP Dictionaries. These dictionaries
contain the sensitive data patterns, keywords, and identifiers used to detect sensitive information in
network traffic. They serve as the foundation for defining what content should be inspected and
protected.
While DLP policies and rules govern how the engine acts, the engine itself fundamentally depends on
these dictionaries to identify sensitive data accurately. The study guide states that DLP Dictionaries
are key components that power the detection capabilities within the engine.


Question 11

A user is accessing a private application through Zscaler with SSL Inspection enabled. Which
certificate will the user see on the browser session?

  • A. No certificate, as the session is decrypted by the Service Edge
  • B. A self-signed certificate from Zscaler
  • C. Real Server Certificate
  • D. Zscaler generated MITM Certificate
Answer:

D


Explanation:
When SSL Inspection is enabled and a user accesses a private application through Zscaler, the user
will see a Zscaler generated MITM (Man-In-The-Middle) Certificate on their browser session. Zscaler
intercepts and decrypts SSL/TLS traffic at the Service Edge and then re-encrypts it before forwarding
it to the client, presenting its own certificate to maintain the security of the connection while
enabling inspection.
This allows Zscaler to inspect encrypted traffic for threats and policy enforcement transparently
without exposing the original server’s certificate. The study guide clarifies this mechanism under SSL
Inspection details.


Question 12

What Malware Protection setting can be selected when setting up a Malware Policy?

  • A. Isolate
  • B. Bypass
  • C. Block
  • D. Do Not Decrypt
Answer:

C


Explanation:
The valid Malware Protection setting selectable when configuring a Malware Policy in Zscaler is
Block. This setting instructs the platform to block malicious files or activities detected by malware
scanning engines.
Other settings like Isolate or Bypass are not standard malware policy actions in Zscaler’s malware
protection configuration. The “Do Not Decrypt” option relates to SSL inspection settings, not
malware policy actions. The study guide specifies “Block” as the primary malware policy action to
enforce protection.


Question 13

Which are valid criteria for use in Access Policy Rules for ZPA?

  • A. Group Membership, ZIA Risk Score, Domain Joined, Certificate Trust
  • B. Username, Trusted Network Status, Password, Location
  • C. SCIM Group, Time of Day, Client Type, Country Code
  • D. Department, SNI, Branch Connector Group, Machine Group
Answer:

A


Explanation:
Valid criteria for Access Policy Rules in ZPA include Group Membership, ZIA Risk Score, Domain
Joined, and Certificate Trust. These attributes allow granular policy decisions based on user identity,
device posture, and risk context.
Options including password are invalid as passwords are not used as policy criteria; similarly, SNI and
Branch Connector Group are more relevant to other controls. The study guide lists these user and
device attributes explicitly as policy criteria within ZPA access policies.


Question 14

Which type of attack plants malware on commonly accessed services?

  • A. Remote access trojans
  • B. Phishing
  • C. Exploit kits
  • D. Watering hole attack
Answer:

D


Explanation:
A Watering Hole Attack is characterized by attackers planting malware on websites or services that
are commonly accessed by their intended victims. The goal is to infect users who visit these trusted
sites by injecting malicious code or malware. This type of attack leverages the trust users place in
frequently visited services to deliver malware covertly.
Other options like Remote Access Trojans, Phishing, and Exploit Kits are attack types but do not
specifically involve compromising commonly accessed services to plant malware.


Question 15

What does the user risk score enable a user to do?

  • A. Compare the user risk score with other companies to evaluate users vs other companies.
  • B. Determine whether or not a user is authorized to view unencrypted data.
  • C. Configure stronger user-specific policies to monitor & control user-level risk exposure.
  • D. Determine if a user has been compromised
Answer:

C


Explanation:
The user risk score enables organizations to configure stronger user-specific policies to monitor and
control user-level risk exposure. This score reflects a user's risk posture based on behaviors and
detected anomalies and helps in tailoring security policies to address individual risk levels.
While the score gives insight into user risk, it is primarily designed for adaptive policy enforcement
rather than direct compromise detection or cross-company comparison. The study guide highlights
that user risk scores drive policy adjustments to better secure user activity.
