Zscaler just expanded Zero Trust SASE with a new ZAgent Framework and a pile of new security capabilities aimed at the messy parts of enterprise security: unmanaged devices, business partners, cloud workloads, Kubernetes, and all the weird places legacy architecture goes to die.
The ZAgent Framework
The big move is the ZAgent Framework. Think of it as agentic AI for SASE operations. Not "AI sprinkled on a dashboard so someone can put it in a press release." Actual agents that help admins manage, troubleshoot, validate, and configure parts of the environment using natural language inside the Zscaler Experience Centre.
Because right now, too many security teams are still playing whack-a-mole across consoles, tickets, scripts, firewall rules, and tribal knowledge held together by one guy named Steve who has not taken PTO since 2018.
One of the first pieces is the Zscaler Digital Experience Agent. Its job is to help admins figure out where user experience problems are coming from before everyone starts blaming the security stack like it stole their lunch money.
Bad Wi-Fi? ISP issue? Endpoint problem? Local device chaos? The agent helps isolate the actual root cause before it becomes a full-blown help desk rodeo.
Browser-Based Access
Zscaler also expanded browser-based access with a Zero Trust Browser Extension and an Enterprise Browser built on Chromium. These are designed for unmanaged and BYOD devices where the old answer was usually some sad combination of VDI, VPN, and prayer.
The browser becomes a control point into the Zero Trust Exchange. It brings access controls, localized data protection, and browser detection and response across device types. Translation: you can give people access without handing them the keys to the entire haunted mansion.
Third-Party Access
For third-party access, Zscaler introduced Zero Trust B2B Connectivity through a B2B exchange. This is aimed at customers and external partners who need to access applications in both directions without exposing networks, building a rat's nest of firewall rules, or maintaining site-to-site VPNs like it is still 2009 and everyone has a BlackBerry clipped to their belt.
There is also a new endpoint sandbox for files that come from offline sources like removable storage. Because yes, somehow, in the year of our Lord 2026, USB sticks are still wandering into enterprises like feral raccoons carrying malware in a trench coat.
This extends Zscaler's sandboxing approach beyond cloud inspection into endpoint, API, and inline channels.
Cloud Coverage
Zscaler also expanded workload protection in public cloud environments.
A new Zero Trust Gateway for Google Cloud Platform joins existing support for AWS, giving customers a more consistent way to apply policy controls to workload-to-workload and workload-to-internet traffic across multiple cloud providers.
That matters because most enterprises do not have "a cloud." They have several clouds, multiple teams, seventeen exceptions, three abandoned proof-of-concepts, and one production workload nobody wants to admit is business critical.
Zscaler is also adding microsegmentation for Kubernetes environments, including Google Kubernetes Engine. The goal is to limit lateral movement between virtual machines and containers without requiring code changes.
That last part matters. Because the moment security says, "We just need developers to rewrite the app," everyone in the room starts looking at the ceiling like there is a spider up there.
The Bigger Picture
The broader message is pretty clear: SASE and zero trust are moving beyond managed employee laptops. The new battleground is everything else: contractors, partners, BYOD, cloud workloads, containers, APIs, and whatever AI systems are about to start talking to each other at machine speed while humans are still looking for the mute button.
Zscaler says its cloud processes more than 750 billion daily transactions, giving the platform a massive source of operational and threat data.
Jay Chaudhry, Founder, Chairman, and CEO of Zscaler, framed the shift around the limits of legacy network security.
"Legacy SASE was built in the post-pandemic rush, based on a firewall and VPN model for a network perimeter that no longer exists. In a world of AI with distributed users, partners, and cloud workloads, that model leaves enterprises exposed. Security in the AI era has to be dynamic. With this expansion of Zero Trust SASE, we are giving organizations one platform that secures every communication and simplifies operations through agentic AI, without the cost and complexity of legacy infrastructure."
— Jay Chaudhry, Founder, Chairman & CEO, Zscaler
Adam Geller, Chief Product Officer of Zscaler, pointed at the operational pain security teams are dealing with every day.
"Security teams are spending too much time stitching together fragmented tools and reacting to misconfigurations they should never have to see. By embedding our ZAgent Framework into Zscaler's platform, we are making SASE management largely autonomous, with root cause analysis, drift detection, and policy validation all happening via agents in the platform. Combined with browser-based access and PQC readiness, this gives organizations a foundation that can scale with their AI initiatives."
— Adam Geller, Chief Product Officer, Zscaler
Analysts have been saying the same thing in different words: zero trust and SASE cannot just be about managed employee devices anymore. That was the opening act. The main event is securing access across third parties, unmanaged devices, multi-cloud workloads, and distributed environments where the perimeter has been dead so long it should have its own Dateline episode.
"The SASE market is undergoing a fundamental shift as organizations realize that legacy network security approaches cannot keep pace with the scale of the AI era. Today's modern, AI-driven enterprise needs Zero Trust protections across everything from unmanaged devices and B2B partners to multi-cloud workloads. Zscaler's introduction of the ZAgent agentic AI framework goes beyond basic automation and redefines how enterprises can manage and scale security across all these areas within a single, unified architecture."
— John Grady, Principal Analyst, Omdia
Zebra Technologies was cited as a customer using the platform as it expands its AI initiatives.
"As we accelerate our AI initiatives, data security and operational agility are our top priorities. Legacy VPN and firewall models have failed to provide the granular control and visibility required for a distributed workforce and multi-cloud environment. Zscaler's Zero Trust SASE platform gives us the confidence to innovate rapidly. By leveraging the ZAgent Framework and the new Zero Trust Browser, we can secure every connection, whether it involves employee BYOD devices or cloud workloads, all while dramatically simplifying our security management."
— Brad Skibitzki, CISO, Zebra Technologies
Bottom Line
The enterprise attack surface is no longer a clean little network diagram with boxes and lines. It is users, devices, partners, workloads, containers, browsers, APIs, and AI systems all smashing into each other at speed.
Legacy network security was built for a world that does not exist anymore.
Zero Trust SASE is being rebuilt for the one we actually live in.