Tier 3 / Tier 4 Engineering

Zscaler Engineering

Deployment, recovery, performance, and stabilization across ZIA, ZPA, and ZDX. The escalation authority called when standard implementations break — and the architecture work that prevents that from happening in the first place.

What we engineer

Three platforms, one operational discipline. Each gets designed, deployed, and supported as a production system — not a checkbox deliverable.

ZIA

Internet Access

Inline cloud proxy with TLS inspection, DLP, CASB, advanced threat prevention, and policy that scales beyond the IP-rule era.

  • Policy framework built around business intent, not subnet
  • TLS 1.3 inspection with cert-pinning exception handling
  • DLP rules tuned for healthcare PHI and PCI cardholder data
  • CASB integration for SaaS posture and shadow IT discovery
  • Inline GenAI controls for ChatGPT, Copilot, agent-mode tooling

ZPA

Private Access

ZTNA replacing the VPN. Users connect to applications, not networks. Third-party access is scoped per app, per session, with full audit.

  • App Connector topology designed for the actual workload footprint
  • Browser Access for unmanaged endpoints and contractors
  • Segment group design that maps to business ownership
  • Active Directory tree integration without legacy network exposure
  • Posture-aware access tied to EDR signal

ZDX

Digital Experience

End-to-end visibility into the user experience — from the endpoint through the cloud edge to the app — and the engineering work that makes the data actionable.

  • Probe design tuned to the apps that actually matter to the business
  • Baseline establishment and drift detection
  • Root cause triage workflows for help desk and SRE handoff
  • Correlation with ZIA and ZPA telemetry for full-path diagnosis
  • Reporting that survives a board-level conversation

Failure category coverage

27 categories

The production-blocking issue classes we've engineered through and built escalation playbooks for. These are the categories that decide whether a Zscaler deployment stays in production or rolls back at 2 a.m.

  01. TLS inspection cert-pinning conflicts
  02. App Connector tunnel instability
  03. QUIC fallback breaking inline DLP
  04. IdP claim mapping drift after IdP change
  05. Conditional access evaluation loops
  06. Browser Access certificate chain breaks
  07. Tenant policy bloat & rule evaluation cost
  08. PAC file regression after edge change
  09. SAML / SCIM provisioning desync
  10. M365 / Teams traffic exemption regression
  11. Posture API failures from EDR outages
  12. CASB API rate-limit cascades
  13. DLP false positives on legitimate workflows
  14. Cross-tenant resource access after M&A
  15. Encrypted SNI / ECH visibility loss
  16. DNS-over-HTTPS bypass paths
  17. Latency regressions from policy depth
  18. App Connector capacity / load balancing
  19. Segment group sprawl & access drift
  20. Third-party contractor offboarding gaps
  21. ZDX probe coverage blind spots
  22. SCIM provisioning storms post-merger
  23. Endpoint posture / Falcon signal lag
  24. GenAI / agent-mode prompt exfil paths
  25. Compliance evidence generation drift
  26. Multi-tenant routing during cutover
  27. Rollback safety & staged-policy testing

Integration patterns

The seams where Zscaler meets the rest of your stack. Designed to fail safe, log everything, and survive vendor changes.

Identity providers

Single source of identity wired to SAML / OIDC, with conditional access policy mirrored across the IdP and Zscaler control planes so they don't drift.

Entra ID · Okta · Ping · SCIM

Endpoint & EDR

Device posture signal fed into ZPA access decisions. Quarantine paths defined for unhealthy endpoints. No surprise loss of access during EDR outages.

CrowdStrike Falcon · Defender for Endpoint · Posture API

SIEM & SOAR

NSS feeds and API connectors to your SIEM, with detection-engineering input on what telemetry actually drives a credible alert.

Splunk · Sentinel · XSIAM · NSS

Cloud (AWS / Azure)

App Connectors deployed in the right VPCs/VNets, posture management integrated, identity federation done once and done correctly.

AWS · Azure · VPC peering · Private endpoints

CASB & SaaS

API-mode CASB for posture and inline-mode for control. Shadow IT discovery wired to a sanctioned-app workflow that doesn't antagonize the business.

M365 · Google Workspace · Salesforce · ServiceNow

AI / GenAI tooling

Inline visibility for ChatGPT, Copilot, Gemini, Claude, and agent-mode workflows. Prompt-level DLP and exfiltration prevention with policy carve-outs for sanctioned workflows.

ChatGPT · Copilot · Claude · Agent mode

Post-merger stabilization playbook

The repeatable sequence for combining two Zscaler estates without taking either down. Proven at 120K+ user scale.

01. Tenant audit & baseline

Full inventory of both tenants — policies, App Connectors, segments, conditional access. Identify drift between intended state and live config. Establish a "do not change" set for the cutover window.

02. Identity unification

Single IdP for the combined entity, SCIM into Zscaler from one source, claim mapping rationalized. Old IdP kept warm for safe rollback until cutover stabilizes.

03. Policy convergence

Reconcile the two policy frameworks into one. Carve out exception rules for the inherited apps that need migration, with a sunset date for every exception.

04. App Connector consolidation

Migrate App Connectors into the surviving tenant in waves, by business unit, with rollback drills before each wave. Capacity planning sized for the combined estate, not the average.

05. Stabilize & decommission

Run dual-tenant for the validation window. Decommission the absorbed tenant only after the new posture passes a full audit cycle. Document everything for the next M&A event.
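The audit-and-baseline step (01) and the exception-sunset rule from policy convergence (03) are the two parts of this playbook that are mechanical enough to script. The following is an added illustration, not Arduwyn's tooling and not a Zscaler API client: it compares an intended-state policy snapshot against a live export, reports what was added, removed or changed, flags any drift that touches the "do not change" set frozen for the cutover window, and lists exception rules whose sunset date has passed. The rule-record shape, the rule names, and the dates are all constructed for the example; a real run would feed it exports pulled from both tenants.

```python
"""Tenant baseline drift check.

Constructed example: the rule format below is an assumption, not the
Zscaler export format, and the sample rules are made up for illustration.
"""
from datetime import date

# Constructed intended state (the baseline): rule name -> settings.
INTENDED = {
    "block-unsanctioned-genai": {"action": "BLOCK", "order": 1, "users": ["ALL"]},
    "allow-m365-exempt": {"action": "ALLOW", "order": 2, "users": ["ALL"], "ssl_inspect": False},
    "dlp-phi-outbound": {"action": "BLOCK", "order": 3, "users": ["ALL"]},
    # An inherited-app exception carrying its sunset date, as step 03 requires.
    "legacy-erp-exception": {"action": "ALLOW", "order": 4, "users": ["finance"], "sunset": "2024-06-30"},
}

# Constructed live export showing three kinds of drift: a frozen rule reordered,
# a frozen rule missing, and an unexpected allow rule added above the DLP rules.
LIVE = {
    "block-unsanctioned-genai": {"action": "BLOCK", "order": 1, "users": ["ALL"]},
    "allow-m365-exempt": {"action": "ALLOW", "order": 5, "users": ["ALL"], "ssl_inspect": False},
    "legacy-erp-exception": {"action": "ALLOW", "order": 4, "users": ["finance"], "sunset": "2024-06-30"},
    "temp-troubleshooting-allow": {"action": "ALLOW", "order": 2, "users": ["ALL"]},
}

# The "do not change" set for the cutover window (constructed).
DO_NOT_CHANGE = {"allow-m365-exempt", "dlp-phi-outbound"}


def diff_rules(intended, live):
    """Return added/removed rule names and, per changed rule, the fields that differ."""
    added = sorted(set(live) - set(intended))
    removed = sorted(set(intended) - set(live))
    changed = {}
    for name in set(intended) & set(live):
        fields = set(intended[name]) | set(live[name])
        differing = sorted(f for f in fields if intended[name].get(f) != live[name].get(f))
        if differing:
            changed[name] = differing
    return {"added": added, "removed": removed, "changed": changed}


def frozen_violations(drift, do_not_change):
    """Rules in the frozen set that were removed or altered in the live config."""
    touched = set(drift["removed"]) | set(drift["changed"])
    return sorted(touched & do_not_change)


def expired_exceptions(rules, today):
    """Exception rules whose sunset date is strictly before `today`."""
    return sorted(
        name for name, rule in rules.items()
        if "sunset" in rule and date.fromisoformat(rule["sunset"]) < today
    )


def audit(intended=INTENDED, live=LIVE, do_not_change=DO_NOT_CHANGE, today=date(2025, 1, 15)):
    """Run the full baseline audit; `today` is fixed so the example is reproducible."""
    drift = diff_rules(intended, live)
    return {
        "drift": drift,
        "frozen_violations": frozen_violations(drift, do_not_change),
        "expired_exceptions": expired_exceptions(live, today),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Running the block as written reports one added rule, one removed rule, one reordered rule, two frozen-set violations (the reordered M365 exemption and the missing PHI DLP rule) and one exception past its sunset date. The same three checks, run against real exports before and after each cutover wave, are what turn "identify drift" and "sunset date for every exception" from intentions into evidence.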

Platform expertise

Arduwyn engineers across the full Zscaler platform — and the systems it has to integrate with.

Zscaler platform

ZIA · ZPA · ZDX · ZWA · ZTB · Branch Connector · Cloud Connector · Risk360

Integration ecosystem

CrowdStrike Falcon · Microsoft Entra ID · Microsoft Azure · Microsoft Defender

Engage

Have a Zscaler problem that needs an engineer?

Whether it's a new deployment, a stabilization, or a Tier-3 escalation — tell us the constraint. We respond within one business day.