Austin, TX — June 9, 2026 — NSS Labs, the independent authority on cybersecurity product testing, today released the results of its latest Security Service Edge (SSE) Threat Protection evaluation of the Zscaler Zero Trust Exchange (ZTE). The product achieved overall Security Effectiveness at 98.85%, demonstrating strong, broad-spectrum protection against advanced threats while maintaining a very low false positive rate.
Notably, this test was conducted using an early preview of the NSS Labs forthcoming, substantially updated SSE Threat Protection Methodology (v3.0) — a more demanding evaluation than prior SSE tests. Achieving near-complete coverage against this tougher standard underscores the maturity and resilience of Zscaler’s cloud-delivered security platform.
The updated v3.0 methodology shifts from tunnel-based to agent-based SSE testing to better reflect how modern enterprises deploy these products, adding latency testing. It’s important to note that NSS Labs applies an adversarial testing approach: vendors do not receive the specific attacks, tactics, or techniques in advance, simulating the unpredictability of real-world threat environments.
Key Findings
| Measure | Result |
| Overall Security Effectiveness | 98.85% |
| Exploit Block Rate (311 of 317) | 99.05% |
| Exploit Evasion Resistance | 100.00% |
| Malware Block Rate (4,807 of 4,873) | 98.65% |
| Handcrafted Malware (Sandbox Protection) | 100.00% |
| Malware Evasion Resistance | 100.00% |
| False Positive Accuracy | 99.63% |
Across the categories evaluated, the Zscaler Zero Trust Exchange:
- Blocked 100% of exploits rated Critical, High, and Medium, and 98.26% of those rated Low, for an overall exploit block rate of 99.05%.
- Stopped 98.65% of malware samples, including a 100% block rate against handcrafted malware designed to evade signature and reputation-based detection through behavioral analysis and sandboxing.
- Resisted 100% of all 583 tested evasion techniques across 15 categories — spanning packers, compressors, and HTTP content, transfer-encoding, and header manipulations — indicating strong traffic-normalization and inspection consistency.
- Incorrectly blocked only 15 of 4,098 legitimate samples (0.4%), allowing 100% of legitimate websites and the vast majority of business-critical files.
NSS Labs noted that resistance to evasions carries significant weight in its test results, because a single successful evasion can allow an attacker to slip an entire class of threats past a security product undetected.
“The only way to know whether an SSE offering works is to test it, and our updated methodology raises the bar on resisting evasions,” said Vikram Phatak, CEO of NSS Labs. “Zscaler’s strong results should give enterprises real confidence in the platform.”
Zscaler’s Zero Trust Exchange (version 6.2r.2604.0.0_prod.54.f985a37bc_114) was tested using the recommended or default configuration, consistent with “Secure-by-Default” principles.
The full NSS Labs SSE Threat Protection Test Report for the Zscaler Zero Trust Exchange is available for download at no charge. NSS Labs intends to publish additional SSE vendor evaluations under the v3.0 methodology over the next few months.