ZDTA Sample Questions Answers

Zscaler OneAPI uses OAuth-style token acquisition through ZIdentity. The administrator or automation client sends a POST request with required parameters such as client credentials to the ZIdentity token endpoint, then uses the returned access token for API calls. Option A (The administrator needs to send a POST request along with the required parameters to ZIdentity"s token endpoint) is correct because token retrieval is performed by POSTing to the ZIdentity token endpoint.

Why the other options are incorrect:

B. The administrator needs to send a GET request along with the required parameters to ZIdentity's token endpoint: A GET request retrieves resources; it is not used to submit client credentials to the OAuth token endpoint.

C. The administrator needs to logon to the ZIA portal to generate the access token with Super Admin role: The ZIA portal manages Internet Access policy and service configuration, not the unified identity or OneAPI token endpoint workflow unless the stem says so.

D. The administrator needs to logon to the ZIA portal to generate the access token with API Admin role: The ZIA portal manages Internet Access policy and service configuration, not the unified identity or OneAPI token endpoint workflow unless the stem says so.

A watering-hole attack compromises a legitimate website or service that the intended victims already trust and commonly visit. The attacker plants malicious active content, such as injected JavaScript or exploit code, so users are infected during normal browsing instead of being lured to an obviously suspicious site. The answer is Option D (Watering hole attack) because it specifically describes malware hosted on a commonly accessed service, which is the defining trait of this attack type.

Why the other options are incorrect:

A. Remote access trojans: A remote access trojan gives an attacker interactive control over a compromised host after infection.

B. Phishing: Phishing starts with social engineering: fake messages, links, or login pages. The question describes a legitimate common website being seeded with malicious JavaScript.

C. Exploit kits: Exploit kits automate exploitation after a victim reaches malicious content. They can be used inside an attack chain, but the scenario is naming the watering-hole delivery pattern.

Zscaler inspection policies are order-sensitive: the first matching rule determines the inspection action. When an administrator needs to inspect everything except one URL category, the exception must appear above the broad inspect-all rule. Otherwise the generic rule matches first and the exception is never reached. Option B (First the policy for the exception Category, then further down the list the policy for the generic "inspect all.") is correct because the category-specific bypass must be evaluated before the generic inspection rule.

Why the other options are incorrect:

A. Both policies are incompatible, so it is not possible to have them together: The policies are compatible when ordered correctly. The specific bypass rule must be evaluated before the broad inspect-all rule.

C. First the policy for the generic "inspect all", then further down the list the policy for the exception Category: Putting the inspect-all rule first catches the traffic before the category exception can run. The category bypass must sit above the generic inspect rule.

D. All policies both generic and specific will be evaluated so no specific order is required: SSL inspection rules are order-sensitive. A broad generic rule placed above the exception can catch the traffic first and prevent the bypass rule from taking effect.

Zero Trust connections are designed to be independent of network location as a source of trust. The Zero Trust Exchange brokers access based on identity, device posture, application entitlement, and policy, not on whether the user is inside a static corporate network. Option C (They are independent of any network for control or trust) is correct because control and trust come from policy and context, not from the underlying network.

Why the other options are incorrect:

A. They require that SSH inspection be enabled: RDP, SSH, and VNC are privileged remote access protocols for desktop, shell, and graphical administration.

B. They are dependent on a fixed / static network environment: A fixed network dependency is the legacy trust model. Zero Trust removes that dependency by making identity, context, and application policy the trust boundary.

D. They require IPv6: IPv6 may be supported in parts of a network, but Zero Trust connections do not require IPv6 as a design principle.

Zscaler alerting is not limited to email. Alert Rules and detection/response notifications can be sent through webhooks or integrated with collaboration, ITSM, UCaaS, and other third-party tools depending on configuration. Option D (Email or webhook support to third-party applications) is correct because email and webhook-based integrations support external notification workflows.

Why the other options are incorrect:

A. Only via command-line scripts: Command-line scripts can automate tasks, but they are not the built-in alert-forwarding method named in the Zscaler workflow.

B. Manual log downloads uploaded to external tools: Manual log export is slow and human-driven; it is not suitable for automatic alert forwarding.

C. Built-in Zscaler-only tools with no external integrations: A Zscaler-only toolset would keep alerts inside the platform, while the tested workflow sends alerts outward.

Workflow Automation is used to notify users or teams when a DLP-related workflow needs attention. For end-user notification, enterprise collaboration tools such as Microsoft Teams and Slack are practical because they keep the message inside a controlled business channel. Option A (Notifications in MS Teams / Slack) is correct because Teams and Slack notifications are the supported user-notification path in this scenario.

Why the other options are incorrect:

B. SMS text message: SMS is a generic notification channel. Zscaler Workflow Automation for this use case sends collaboration notifications through tools like Teams or Slack.

C. Automated phone call: Automated phone calls are not the normal DLP workflow-notification method in this Zscaler scenario. The supported peer-collaboration channels are Teams and Slack.

D. Twitter post with custom hashtag: A Twitter/X post would be public and inappropriate for a DLP event. Zscaler uses controlled enterprise notification channels, not social posting.

Zscaler SaaS Security Posture Management evaluates supported SaaS platforms for risky configurations, posture gaps, and compliance issues. Google Workspace is one of the supported SaaS environments for posture assessment, whereas storage or collaboration tools in the other choices do not match this SSPM support item. Option D (Google Workspace) is correct because Google Workspace is the supported SaaS platform in this question.

Why the other options are incorrect:

A. Amazon S3: Amazon S3 is cloud object storage, not the SaaS collaboration suite named by the tested SSPM support item.

B. Webex Teams: Webex Teams is a collaboration app. The question’s intended application/control is not Webex Teams.

C. Dropbox: Dropbox is cloud storage. It is a common SaaS destination, but it is not the application identified by the scenario’s correct answer.

A Zscaler Client Connector Forwarding Profile determines how traffic is steered to the Zscaler cloud and what fallback behavior applies. For Tunnel 2.0, the profile defines how the client behaves when the preferred DTLS tunnel cannot be established, including fallback to TLS where configured. Option A (Fallback methods and behavior when a DTLS tunnel cannot be established) is correct because DTLS fallback behavior is a Forwarding Profile function.

Why the other options are incorrect:

B. Application PAC file location: A PAC file tells the client or browser which proxy path to use for matching destinations.

C. System PAC file when off trusted network: Trusted Network detection decides whether the device is on a known corporate network using signals such as DNS servers, search domains, gateways, or hostname resolution.

D. Fallback methods and behavior when a TLS tunnel cannot be established: TLS tunneling is the fallback encrypted transport when DTLS is unavailable.

Zscaler PageRisk, specifically the Page Risk Index, is the proprietary scoring capability used in ZIA to evaluate the risk of web pages dynamically. Instead of relying only on static URL blocklists, PageRisk uses a multi-data algorithm that considers page content and domain characteristics. Page-content signals include risky scripts, suspicious iFrames, XSS indicators, vulnerable controls, and other active content. Domain signals include reputation, hosting location, age, and relationships to risky top-level domains. The verified answer is Option B (Zscaler PageRisk) because PageRisk is the Zscaler technology used for real-time website risk scoring.

Why the other options are incorrect:

A. Third-Party Sandbox: A sandbox detonates files to observe malicious behavior. PageRisk is a web-page/domain scoring engine, and Zscaler uses native sandboxing rather than a third-party PageRisk service.

C. Browser Isolation Feedback Form: Browser Isolation renders risky pages remotely to protect the endpoint. A feedback form would collect input; it would not calculate real-time web risk.

D. Deception Controller: The Deception controller manages decoys, lures, and honeytokens for intruder detection. It is about lateral-movement detection, not public website scoring.

URL Filtering remains a core first line of web defense even in a cloud and HTTPS-heavy world. It controls access by category, risk, and destination before deeper controls such as DLP, sandboxing, or isolation are applied. TLS inspection improves visibility; it does not make URL Filtering obsolete. Option A (URL Filter is the most commonly used web filtering technique in the arsenal. It acts as first line of defense) is correct because URL Filtering is still a commonly used first-line web-filtering control.

Why the other options are incorrect:

B. In a modern cloud world, access to all Internet sites and cloud applications should be granted by default. URL Filtering is no longer needed: URL Filtering controls web destinations by category, URL, risk, and action such as allow, block, caution, or isolate.

C. URL Filtering has been replaced by CASB functionality through blocking access to all Internet sites and only allowing a few corporate applications: Out-of-band CASB works through SaaS APIs to inspect or remediate content already sitting inside cloud applications.

D. URL Filtering is outdated and no longer needed. The rise of HTTPS leads renders URL Filtering ineffective as all traffic is encrypted: URL Filtering controls web destinations by category, URL, risk, and action such as allow, block, caution, or isolate.

Zscaler Bandwidth Control shapes traffic from the user's perspective by managing outbound flows. Inbound traffic and localhost traffic are not shaped in the same manner because the control point is the egress direction where user traffic leaves toward Zscaler and destinations. Option A (Outbound traffic is shaped. Inbound or localhost traffic is unshaped) is correct because Bandwidth Control shapes outbound traffic only.

Why the other options are incorrect:

B. Outbound or inbound traffic is shaped. Localhost traffic is unshaped: Inbound shaping would control return traffic, which is not how Zscaler Bandwidth Control is applied from the user perspective.

C. Inbound traffic is shaped. Outbound or localhost traffic is unshaped: Inbound shaping would control return traffic, which is not how Zscaler Bandwidth Control is applied from the user perspective.

D. Localhost traffic is shaped. Outbound or Inbound traffic is unshaped: Inbound shaping would control return traffic, which is not how Zscaler Bandwidth Control is applied from the user perspective.

URL Filtering can send traffic to Browser Isolation only when the policy can determine that the user's browser is supported for isolation handling. The User Agent field provides that browser and client context, so it must be defined for Browser Isolation behavior to work correctly in the URL Filtering rule. Option B (User Agent) is correct because User Agent is the required field for applying the isolation action.

Why the other options are incorrect:

A. Groups: Groups target which users the URL rule applies to. Browser Isolation still needs User Agent so Zscaler can determine browser support/handling.

C. Departments: Departments are user attributes for rule targeting. They do not tell Zscaler whether the browser session can be isolated.

D. Device Trust: Device Trust is a posture/context signal. Browser Isolation depends on User Agent information for browser-specific handling.

Cloud Browser Isolation protects users by rendering risky web content in a remote browser environment instead of on the endpoint. URL Filtering can use Isolate as an action, so users may still access selected untrusted sites while scripts, active content, and browser-exploit risk remain separated from the device. Option B (A new malicious file was detected by the sandbox due to an “allow and scan” First-Time Action in the sandbox policy) is correct because isolation is an enforceable URL Filtering action, not a separate manual workaround.

Why the other options are incorrect:

A. Zscaler's AI/ML based Smart Browser Isolation was triggered due to a users accessing a newly-registered domain: Browser Isolation renders web content remotely so active content never executes directly on the endpoint.

C. A new malicious file was detected by the sandbox due to an “quarantine” First-Time Action in the sandbox policy: Cloud Sandbox detonates and observes suspicious files to identify unknown or advanced malware behavior.

D. Zscaler detected a HIPAA violation with in-band Data Protection scanning: An in-band HIPAA DLP violation would be inline data-protection scanning. The scenario is asking about the specific log/report signal identified by the correct answer.

Zscaler Client Connector is the endpoint agent that connects users to the Zero Trust Exchange from any location. It handles authentication, traffic steering, tunnel creation, posture collection, and integration with ZIA, ZPA, and ZDX. Option A (Client connector) is correct because Client Connector is the endpoint component.

Why the other options are incorrect:

B. Private Service Edge: A Private Service Edge is an enforcement point deployed for private access, not a user endpoint component.

C. IPSec/GRE Tunnel: IPS inspects traffic inline for exploit signatures and attack patterns, then blocks or resets offending sessions.

D. App Connector: An App Connector connects users to private apps through ZPA. It is not the data-protection or SaaS control tested in this question.

When migrating from an on-premises proxy to Tunnel Mode, leaving legacy browser or system proxy settings in place can create loops or conflicting forwarding paths. Best practice is to enforce no proxy configuration so Client Connector owns traffic steering cleanly through the configured tunnel. Option B (Enforce no Proxy Configuration) is correct because Tunnel Mode should not depend on legacy proxy auto-configuration.

Why the other options are incorrect:

A. Execute a GPO update to retrieve the proxy settings from AD: A GPO can push Windows settings, but using it to reapply old proxy configuration works against Tunnel Mode best practice.

C. Use Web Proxy Auto Discovery (WPAD) to auto-configure the proxy: WPAD auto-discovers proxy settings; it can accidentally preserve legacy proxy behavior during a tunnel-mode migration.

D. Use an automatic configuration script (forwarding PAC file): A PAC file tells the client or browser which proxy path to use for matching destinations.

Zscaler Access Control Services support Zero Trust by enforcing segmentation and conditional access instead of allowing broad network reach. Preventing lateral movement requires connecting users to specific applications and limiting what they can discover or reach beyond that entitlement. Option B (It protects from potential zero-day threats and advanced persistent threats) is correct because segmentation and conditional access are the controls that reduce lateral-movement risk.

Why the other options are incorrect:

A. It protects sensitive data from leaving through external channels: Stopping sensitive data from leaving is DLP. Cloud Sandbox focuses on detecting unknown malware and advanced threats through detonation.

C. It protects cloud workloads from lateral movement: Cloud workload lateral-movement protection is segmentation/zero trust networking. Sandbox is about suspicious file behavior analysis.

D. It protects users from known malicious files and attacks: Known malicious-file blocking relies on signatures and reputation; sandboxing is mainly for suspicious or unknown objects.

ZDX Score is a normalized digital-experience score used to represent how well a user or application is performing. It is expressed on a 1-to-100 scale, making degraded application, network, and endpoint experience easy to compare across users, locations, and time windows. Option A (1-100) is correct because 1-100 is the ZDX scoring range.

Why the other options are incorrect:

B. 1-10: A 1-10 scale is too coarse for ZDX. ZDX uses a 1-100 score so administrators can see more granular experience changes.

C. 1 - 1000: A 1-1000 scale would imply excessive precision that ZDX does not present. The product score is the simpler 1-100 user-experience scale.

D. 0 - 50: A 0-50 range is not the ZDX scale. ZDX scores are represented on a 1-100 scale.

Advanced Firewall extends standard firewall capabilities with DNS Tunnel and DNS Application Control. Those controls detect and manage DNS-based tunneling, command channels, or application behavior that simple network-service rules cannot adequately control. Option D (DNS Tunnel and DNS Application Control) is correct because DNS Tunnel and DNS Application Control are advanced firewall features.

Why the other options are incorrect:

A. Destination NAT: Destination NAT rewrites destination addresses. The tested Advanced Firewall value is DNS tunnel/application control, not NAT translation.

B. FQDN Filtering with wildcard: FQDN filtering applies rules to domain names, including wildcard domain patterns where supported.

C. DNS Dashboards, Insights and Logs: DNS resolves names to IP addresses; it is a support service, not an access protocol or scoring engine by itself.

Client Connector profile changes do not always take effect at the moment an administrator saves them. App Profile policy settings such as logout password follow the client's scheduled policy-refresh behavior. The tested interval for these policy updates is sixty minutes. Option D (Policy updates occur every 60 minutes, so the logout password will be in effect after the next scheduled update) is correct because the new logout password is applied after the next scheduled policy update.

Why the other options are incorrect:

A. Policy updates happen in real time, so the new logout password is in effect as soon as the change is saved: The logout password is an App Profile control that prevents users from casually signing out or disabling the client.

B. The new logout password will be in effect after the Activate button is clicked in the Admin portal: The logout password is an App Profile control that prevents users from casually signing out or disabling the client.

C. The new logout password will be in effect after the user clicks Update Policy on the client: The logout password is an App Profile control that prevents users from casually signing out or disabling the client.

Out-of-band CASB protects data at rest in supported SaaS repositories by connecting to the provider through APIs. Google Drive is a supported cloud storage/collaboration application where files, sharing links, and sensitive content can be inspected and remediated after storage. Option C (Google Drive) is correct because Google Drive is a SaaS data-at-rest use case.

Why the other options are incorrect:

A. Yahoo Mail: Yahoo Mail is webmail. It can be controlled by ZIA, but the scenario’s target is Google Drive cloud storage.

B. Twitter: Twitter/X is a social media service. It is not the cloud file-sharing destination used in the scenario.

D. Facebook: Facebook is a social platform. It does not represent the Google Drive storage action being tested.

Certificate-pinned applications fail when an inspection proxy substitutes a trusted Zscaler certificate for the origin certificate. The application expects the server certificate or public key to match a pinned value and therefore rejects the inspected session. The fastest way to diagnose this is to inspect SSL logs for failed client handshakes, certificate errors, or bypass candidates. Option A (They could look at SSL logs for a failed client handshake) is correct because SSL logs show the handshake failure pattern created by certificate pinning.

Why the other options are incorrect:

B. They could reboot the endpoint device: Rebooting may clear a local issue, but certificate pinning is a TLS validation problem. Logs are the right first place to confirm the failed handshake.

C. They could inspect the ZIA Web Policy: ZIA Web Policy controls web access outcomes. A pinned-certificate failure shows up in SSL/TLS handshake behavior, so SSL logs are more direct.

D. They could look into the SaaS application analytics tab: SaaS analytics show application usage and risk. They will not show the client TLS handshake failure that reveals certificate pinning.

Zscaler's Microsoft 365 optimization model is designed to reduce latency and avoid breaking Microsoft-recommended connectivity patterns. The Office 365 One Click rule automatically applies recommended bypass/optimization behavior for Microsoft 365 traffic, including exemption from SSL inspection and other web-policy processing where required. Option C (Multiple distributed DNS resolvers providing local results) is correct because the immediate effect is optimized M365 handling rather than blanket inspection or blocking.

Why the other options are incorrect:

A. Single DNS resolver with forwarders providing centralized results: DNS resolves names to IP addresses; it is a support service, not an access protocol or scoring engine by itself.

B. Private MPLS in each branch office providing connection: Private MPLS backhaul keeps traffic on the old hub-and-spoke path instead of sending users directly to the nearest cloud service.

D. Optimized TCP Scaling for maximum throughput of files: TCP scaling can improve throughput for some flows, but it does not choose the nearest Microsoft 365 service endpoint.

Zscaler File Type Identification uses more than a file extension because attackers can rename files to bypass simple checks. The inspection process evaluates magic bytes, MIME type, and file extension to classify files more accurately before applying File Type Control policy. Option C (Magic bytes, mime type and file extension) is correct because those are the three inspection levels tested here.

Why the other options are incorrect:

A. Mime type, file extension and file size: MIME type is metadata declaring the content type of a transferred object.

B. File extension, content type and file size: File extension is the visible suffix such as .exe or .docx; it is useful but easy for attackers to rename.

D. Magic bytes, mime type and MS Office version: Magic bytes are header values inside a file that reveal the real file type even if the extension is changed.

Identity Threat Detection and Response focuses on identity risk, particularly in directory environments such as Active Directory. To evaluate AD objects, relationships, permissions, and risky identity configurations, ITDR needs directory-level data rather than raw packet captures or firewall summaries. Option B (Reduces identity related risks) is correct because LDAP queries are the standard mechanism for collecting structured AD domain information for identity-risk analysis.

Why the other options are incorrect:

A. Prevents Patient Zero Infections: Patient Zero prevention is malware-first prevention. ITDR reduces identity risk by finding credential, privilege, and directory exposures.

C. Prevents connections to Embargoed Countries: Embargoed-country blocking is geo/access policy. ITDR is focused on identity threats, not destination-country filtering.

D. Blocks malicious traffic by dropping packets: Dropping packets is firewall/IPS behavior. ITDR analyzes identities and permissions rather than acting as a packet filter.

Tamper proofing prevents users or malware from disabling or altering Client Connector after installation. The installer must include the explicit anti-tampering flag to activate that protection during deployment. Option D (--enableAntiTampering) is correct because --enableAntiTampering is the command-line parameter for this control.

Why the other options are incorrect:

A. --secureInstall: --secureInstall sounds like a hardening flag, but the ZCC installer parameter for tamper proofing is --enableAntiTampering.

B. --antiTamper: Anti-tampering prevents local users from disabling or removing Client Connector protections.

C. --disableTampering: Anti-tampering prevents local users from disabling or removing Client Connector protections.

Microsoft Information Protection labels imported into ZIA are used as criteria in DLP policy enforcement. A custom DLP policy can inspect data in motion and take actions based on the sensitivity labels attached to documents. Option D (Creating a custom DLP Policy) is correct because MIP labels are consumed in DLP policy logic, not in PAC, file type, or posture policies.

Why the other options are incorrect:

A. Creating a custom DLP Dictionary: A custom DLP Dictionary defines match patterns. Imported MIP labels are used in DLP policy conditions/actions, not turned into a dictionary.

B. Creating a SaaS Security Posture Control Policy: SSPM checks SaaS tenant configuration, risky settings, and compliance posture.

C. Creating a File Type Control Policy: File Type Control classifies and restricts uploads or downloads by file type, regardless of filename tricks.

Client Connector periodically refreshes policy, forwarding, and administration settings so endpoint behavior aligns with the latest portal configuration. The standard check interval tested here is sixty minutes. Option B (Every 60 minutes) is correct because the client typically checks those settings every 60 minutes.

Why the other options are incorrect:

A. Every 120 minutes: Every 120 minutes would delay policy, forwarding, and administration setting updates beyond the normal client refresh interval. The tested interval is sixty minutes.

C. Every 90 minutes: Every 90 minutes is not the standard ZCC refresh interval for policy, forwarding, and administration settings. The tested interval is sixty minutes.

D. Every 80 minutes: Every 80 minutes is not the normal ZCC setting-refresh cadence. Client Connector typically checks those settings every sixty minutes.

For a new cloud-gen firewall configuration, a default block posture is the safer baseline. Administrators should explicitly permit required business traffic and preserve required Zscaler service rules instead of leaving a broad default allow that weakens least-privilege design. Option A (Block all traffic) is correct because block all traffic is the recommended default-deny stance.

Why the other options are incorrect:

B. Permit all traffic: Permit-all firewall posture lets unexpected services leave the network until later rules stop them.

C. Disable the firewall: Disabling the firewall removes the enforcement layer instead of creating a safe default rule set.

D. Allow only web traffic (ports 80/443): Allowing only ports 80/443 would ignore valid non-web business traffic that may need explicit firewall rules.

Intermediate CA rotation reduces exposure if a certificate were mishandled and keeps the inspection trust chain short-lived. Zscaler's rotation model for intermediate CA certificates uses a short validity window rather than long-lived static certificates. Option C (Certificates are rotated every seven days and have a 14-day expiration) is correct because the tested rotation policy is seven-day rotation with a fourteen-day expiration.

Why the other options are incorrect:

A. Certificates are rotated every 90 days and have a 180-day expiration: Ninety-day rotation and 180-day expiration would leave intermediate certificates active much longer than the Zscaler inspection model described here.

B. Lifetime certificates have no expiration date: Lifetime certificates would never expire, which is the opposite of good inspection-certificate hygiene. Zscaler uses short-lived intermediate certificates.

D. Certificates are issued dynamically and expire in 24 hours: A 24-hour expiration would be unnecessarily short and is not the documented intermediate CA timing in this exam item.

Z-Tunnel with Local Proxy creates a local loopback proxy on the endpoint. Applications send traffic to that loopback listener, and Client Connector then forwards the traffic toward Zscaler according to profile and policy. Option C (ZTunnel with Local Proxy) is correct because the loopback address behavior is specific to ZTunnel with Local Proxy.

Why the other options are incorrect:

A. Enforced PAC mode: Enforced PAC pushes proxy rules to the system or browser. The loopback forwarding behavior is specifically Tunnel with Local Proxy.

B. ZTunnel - Packet Filter Based: Z-Tunnel is Client Connector tunneling used to steer endpoint traffic to the Zscaler cloud.

D. ZTunnel - Route Based: Z-Tunnel is Client Connector tunneling used to steer endpoint traffic to the Zscaler cloud.

Downloaders are malware whose primary job is to retrieve and install additional payloads. They are frequently used as a first-stage infection because the initial file can be small and then pull ransomware, RATs, infostealers, or other malware after execution. Option C (Downloaders) is correct because a downloader's purpose is specifically to deliver other malware.

Why the other options are incorrect:

A. RAT: A remote access trojan gives an attacker interactive control over a compromised host after infection.

B. Maldocs: A malicious document uses macros, embedded objects, or exploit content to run code when opened.

D. Exploitation tool: An exploitation tool attacks a vulnerability. A downloader is the malware type whose purpose is to fetch and install additional malware.

Malware scanning has practical file-size limits because the service must inspect objects inline without creating unacceptable latency. The tested Zscaler limit for Malware Protection scans is 400 MB. Larger files require different risk handling, policy design, or sandbox workflows depending on deployment requirements. Option D (Zscaler scans files up to 400 MB) is correct because it states the 400 MB scan limit.

Why the other options are incorrect:

A. Zscaler scans all files regardless of size: Scanning every file regardless of size would create unrealistic latency and resource requirements. Zscaler documents a maximum scan size instead.

B. Zscaler scans files only if they are below 100 MB: A 100 MB limit understates the documented malware-scan size limit. The tested maximum is 400 MB.

C. Zscaler scans files up to 500 MB: A 500 MB limit overstates the documented malware-scan size limit. The tested maximum is 400 MB.

ZDX application scoring aggregates the user experience observed during the selected time period. The tested calculation uses each user's lowest experienced value for that application, then averages those lowest values across the users who accessed it. This prevents a brief severe degradation from being hidden by otherwise healthy samples. Option A (Zscaler takes all the users that accessed the application for the selected time period and finds the lowest value each user would have experienced for the application. The lowest values for each user are added together and divided by the number of users) is correct because it describes the user-based lowest-value aggregation model.

Why the other options are incorrect:

B. Zscaler considers a single user that accessed the application for the selected time period and finds the lowest value that user would have experienced for the application. The lowest values for that user are added together and divided by the number of all users in the organization: This only considers one user, then divides by all users, which would distort the application score. ZDX computes the app score from all users who accessed the app in the selected period.

C. Zscaler takes sample set of users that accessed the application for the selected time period and finds the lowest value each user would have experienced for the application. The lowest values for each user are added together and divided by the number of sample set of users: A sample set could miss users with poor experience. The tested ZDX calculation uses all users who accessed the application, then averages their lowest experienced values.

D. Zscaler takes the lowest value for each application for a set of users, for time intervals based on the selected time range. The application with the lowest value represents your applications score for that time interval: This shifts the calculation from users to applications. ZDX application score is based on users’ lowest experience for that application, not on picking the lowest application across a set.

Advanced Threat Protection defends users from malicious active content, phishing, exploit behavior, C2 callbacks, and risky web destinations. It works as part of ZIA's inline security stack, often alongside TLS inspection, Cloud Sandbox, DNS security, IPS, and URL categorization. Option C (Malicious active content) is correct because malicious active content is the security object ATP is designed to detect and block.

Why the other options are incorrect:

A. Vulnerable JavaScripts: Vulnerable JavaScript describes risky script behavior or client-side code, but it is narrower than the full ATP active-content category.

B. Large iFrames: An iFrame is an embedded page frame; suspicious iFrames can be a signal, but size alone is not the ATP protection category.

D. Command injection attacks: Command injection targets an application or server by passing operating-system commands through vulnerable input fields.

Device posture must be re-evaluated regularly because endpoint state can change after access is granted. The maximum default frequency tested here is fifteen minutes, which gives Zscaler a relatively current view of compliance conditions. Option A (15 minutes) is correct because posture profile evaluation can occur every fifteen minutes by default.

Why the other options are incorrect:

B. 2 minutes: Two minutes would create much more frequent posture evaluation than the default maximum cadence. The tested default maximum frequency is fifteen minutes.

C. 5 minutes: Five minutes is more frequent than the default maximum posture-profile evaluation cadence. The tested value is fifteen minutes.

D. 10 minutes: Ten minutes is still shorter than the default maximum posture-profile evaluation cadence. The correct default maximum is fifteen minutes.

Zscaler alerting is not limited to email. Alert Rules and detection/response notifications can be sent through webhooks or integrated with collaboration, ITSM, UCaaS, and other third-party tools depending on configuration. Option D (In addition to email, notifications, based on Alert Rules, can be shared with leading ITSM or UCAAS tools over Webhooks) is correct because email and webhook-based integrations support external notification workflows.

Why the other options are incorrect:

A. Email is the only method for notifications as that is universally applicable and no other way of sending them makes sense: Email and webhooks forward alerts to people or third-party systems for response workflows.

B. In addition to email, text messages can be sent directly to one cell phone to alert the CISO who is then coordinating the work on the incident: Email and webhooks forward alerts to people or third-party systems for response workflows.

C. Leading ITSM systems can be connected to the Zero Trust Exchange using a NSS server, which will then connect to ITSM tools and forwards the alert: NSS is for log streaming to analytics/SIEM destinations. Alert-rule notifications use email and webhook integrations, including ITSM or UCaaS tools.

Zscaler Zero Trust Automation uses RESTful API architecture. REST aligns with standard HTTP methods such as GET, POST, PUT, and DELETE and is the expected API style for OneAPI and Zscaler automation workflows. Option D (REST) is correct because REST is the API architectural style used.

Why the other options are incorrect:

A. JSON-RPC: JSON-RPC is a remote procedure call style; Zscaler automation APIs are REST-style resources and methods.

B. SOAP: SOAP is an XML-based protocol with envelopes and operations; it is not the REST style used for Zscaler automation.

C. GraphQL: GraphQL lets clients query exactly shaped data through a schema; Zscaler Zero Trust Automation uses REST instead.

ZPA Access Policy rules use identity, user/group, device posture, and contextual signals to decide private-application access. Valid criteria are enforcement attributes that ZPA can evaluate, such as group membership, risk score, domain-joined state, and certificate trust. Option A (Group Membership, ZIA Risk Score, Domain Joined, Certificate Trust) is correct because all listed criteria are legitimate policy inputs for ZPA access decisions.

Why the other options are incorrect:

B. Username, Trusted Network Status, Password, Location: Trusted Network detection decides whether the device is on a known corporate network using signals such as DNS servers, search domains, gateways, or hostname resolution.

C. SCIM Group, Time of Day, Client Type, Country Code: SCIM provisions and synchronizes users, groups, and attributes between an identity provider and Zscaler.

D. Department, SNI, Branch Connector Group, Machine Group: Machine Group is used for machine identity grouping in some policy contexts, but it is not the same as the listed posture or access criteria set.

The ZDTA study guide frames common breaches around a four-step lifecycle: discover the attack surface, compromise an entry point, move laterally, and exfiltrate data. Finding the attack surface is the reconnaissance phase in which attackers search for exposed VPNs, firewalls, applications, ports, or public services. Option B (Prevent Compromise) is correct because attack-surface discovery is one of the documented stages.

Why the other options are incorrect:

A. External Attack Surface: Attack surface is the set of exposed services, addresses, applications, and entry points an attacker can discover.

C. Data Loss: Data Loss is a Risk360 risk area. The four cyberattack steps in the guide are attack surface, initial compromise, lateral movement, and data exfiltration.

D. Lateral Propagation: Lateral propagation is a Risk360/risk concept. The attack-lifecycle step named in the guide is lateral movement.

DLP notification templates can send evidence to the right reviewer or auditor when a policy is triggered. An email notification template is the mechanism that can include or forward a copy of the data that matched the DLP rule, depending on policy configuration and privacy requirements. Option A (Email Notification Template) is correct because it is the DLP notification method used for auditor review.

Why the other options are incorrect:

B. NSS Log Forwarding to SIEM: NSS forwarding sends logs to a SIEM for analysts. End-user DLP coaching or notification is handled by user-facing notification/workflow channels.

C. SMS Text Message via PagerDuty: PagerDuty SMS alerts are operations notifications. The DLP user-notification method in the question is meant to inform or coach the user directly.

D. Zscaler Client Connector pop-up message: Zscaler Client Connector is the endpoint agent that steers traffic, authenticates users, reports posture, and supplies ZDX telemetry.

ZIA Malware Protection is an inline security control that blocks malicious files or objects detected through signatures, reputation, and threat-intelligence checks. The policy action must stop the malicious transfer rather than simply route, isolate, or change TLS behavior. Option A (Malware protection) is correct because Block is the malware policy action that prevents the identified malicious content from reaching the user.

Why the other options are incorrect:

B. File reputation: File reputation checks whether an object is known good or bad. The question’s answer is about the behavior-analysis control for unknown files.

C. SHA-256 hashing: SHA-256 hashing is a cryptographic integrity/hash function. It does not execute a suspicious file or observe behavior the way Cloud Sandbox does.

D. Site reputation: Site reputation scores web destinations. It does not detonate or analyze the file itself.

ZPA App Connectors are the outbound-only brokers that make private applications reachable through the Zero Trust Exchange. For resiliency, Zscaler recommends at least two App Connectors so traffic can continue if one connector is unavailable, being upgraded, or overloaded. Option A (2) is correct because a two-connector minimum provides the basic high-availability pattern for private application access.

Why the other options are incorrect:

B. 6: Six connectors would be more than the minimum for a single resilient ZPA deployment. The exam asks for the recommended minimum, and two connectors provide the basic active redundancy pattern.

C. 4: Four connectors can be a valid larger design for capacity or multiple sites. It is not the minimum number needed to avoid a single connector failure.

D. 3: Three connectors can add extra capacity, but Zscaler’s basic resiliency recommendation starts with a pair, not an odd three-connector minimum.