The complexity and sophistication of today’s cyber threats demand a unified defense that doesn’t just detect threats but enables detailed investigation, rapid mitigation, and proactive prevention before damage occurs. If you’re a SOC analyst or security engineer who’s tired of stitching together partial views of remote-user and Security Service Edge (SSE) traffic, this is for you.

Zscaler, the AI Security Platform Built on Zero Trust, and Vectra AI empower SOC teams to achieve operational resilience. By combining Zero Trust access, AI-driven threat visibility, and automated response, organizations can eliminate blind spots, detect threats faster, and maintain secure, uninterrupted operations across hybrid and cloud environments.

This post gives you a technical understanding of how the Zscaler + Vectra AI integration works under the hood. Let’s look at three common SOC use cases we hear from our customers.

Use Case 1: Neutralize “low-and-slow” Command and Control (C2C) traffic

SOC teams frequently investigate outbound connections that look normal at first glance. Take, for example, C2 traffic that disguises itself as HTTPS requests to a major Content Delivery Network (CDN) using Domain Fronting, where the DNS request shows a legitimate domain but the HTTP Host header steers the request to a hidden malicious destination. In this instance the traffic is periodic and does not trip obvious blocks. Of course, blocking CDNs is not an option, and chasing IP reputation is futile because the destinations keep changing. That’s often by design: in this attack pattern, the threat actor uses Fast Flux DNS and Domain Fronting to rotate infrastructure frequently – sometimes every 15 minutes – so destination-based controls (URL filtering, IP reputation, static deny lists) struggle to keep up. You end up with suspicion, but not a clean handle to scope the activity without breaking legitimate cloud usage.
Zscaler Internet Access (ZIA) detects this suspicious traffic, but the lateral movement still needs to be stitched together with anomalies detected in east-west traffic that is not internet bound. The Zscaler and Vectra AI integration changes your threat-hunting workflow by focusing on the TLS handshake fingerprint and pattern validation.

With ZIA integrated into Vectra AI, you can hunt on stable signals even when destinations churn. ZIA can capture selected internet-bound sessions as PCAPNG (based on your capture policy, which supports a rich set of criteria) and forward those captures to a customer-owned AWS S3 bucket. Vectra AI then ingests those PCAPNGs using a dedicated AWS vSensor, driven by an event pipeline that gives the sensor near-real-time ingestion for quick detection and hunting. Operationally, that is what makes remote-user internet traffic analyzable even when it never traverses a corporate tap point, reducing blind spots for SOC teams that need data-driven hunting with improved automated playbooks.

In this scenario, the JA4 fingerprint stays constant even as destinations change, and that consistency helps you distinguish a customized Sliver C2 framework or a new Cobalt Strike profile from traffic mimicking a standard browser. Instead of blocking “AWS”, you can act precisely: promote the verified fingerprint/pattern into an Indicator of Compromise (IOC) or risk trigger and apply targeted enforcement in ZIA. This is the practical advantage of the integration: you improve response accuracy while minimizing false positives and avoiding collateral damage to legitimate cloud usage.

Figure 1: Vectra NDR finding slow and hidden C2C traffic from captured traffic. Vectra AI ingests ZIA PCAPNGs using a dedicated AWS vSensor, driven by an event pipeline that enables near-real-time analysis.
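The JA4 pivot described above, as an added example that is not code from the post or from either vendor: it takes per-session records you would extract from the ingested PCAPNGs with any JA4-capable analyzer, groups them by fingerprint, and reports fingerprints that keep a slow, regular cadence across churning destinations while appearing on only a minority of hosts. All JA4 strings, hostnames and IPs are constructed placeholders, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed placeholders shaped like JA4 strings; not real Sliver, Cobalt Strike or browser values.
BEACON_JA4 = "t13d0000h2_beaconbeacon_beaconbeacon"
BROWSER_JA4 = "t13d0000h2_browsbrowsbr_browsbrowsbr"


def constructed_sessions():
    """Constructed TLS session records: one host beaconing every ~15 min to rotating
    CDN edge IPs behind a constant SNI, plus bursty browsing from three hosts."""
    sessions = []
    for i, jitter in enumerate([0, 7, -5, 3, -8, 4, 0, 6]):
        sessions.append({"ts": 1_700_000_000 + i * 900 + jitter, "host": "LAPTOP-B",
                         "ja4": BEACON_JA4, "sni": "static.cdn.example",
                         "dst_ip": f"203.0.113.{10 + i // 2}"})     # edge IP rotates every 2 beacons
    browsing = (("LAPTOP-A", [0, 5, 600, 620, 2400]), ("LAPTOP-B", [30, 31, 900, 3100, 3105]),
                ("LAPTOP-C", [100, 1900, 1905, 1950, 5000]))
    for host, times in browsing:
        for k, t in enumerate(times):
            sessions.append({"ts": 1_700_000_000 + t, "host": host, "ja4": BROWSER_JA4,
                             "sni": f"site{k}.example", "dst_ip": f"198.51.100.{k + 1}"})
    return sessions


def hunt_stable_fingerprints(sessions, min_sessions=5, min_destinations=3,
                             min_interval=60, max_jitter=0.2, max_prevalence=0.5):
    """Group sessions by JA4 and score each fingerprint on cadence regularity
    (std/mean of inter-session gaps per host), destination churn and host prevalence."""
    all_hosts = {s["host"] for s in sessions}
    by_ja4 = defaultdict(list)
    for s in sessions:
        by_ja4[s["ja4"]].append(s)
    findings = []
    for ja4, group in by_ja4.items():
        per_host = defaultdict(list)
        for s in group:
            per_host[s["host"]].append(s["ts"])
        intervals = []
        for times in per_host.values():           # gaps are computed per host, then pooled
            times.sort()
            intervals += [b - a for a, b in zip(times, times[1:])]
        if len(group) < min_sessions or not intervals:
            continue
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg else float("inf")
        destinations = {(s["sni"], s["dst_ip"]) for s in group}
        prevalence = len(per_host) / len(all_hosts)   # a real browser shows up on most hosts
        finding = {"ja4": ja4, "hosts": sorted(per_host), "destinations": len(destinations),
                   "mean_interval_s": round(avg), "jitter": round(jitter, 3),
                   "prevalence": round(prevalence, 2)}
        finding["suspicious"] = (avg >= min_interval and jitter <= max_jitter
                                 and len(destinations) >= min_destinations
                                 and prevalence <= max_prevalence)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_stable_fingerprints(constructed_sessions()):
        print(f)
```

A fingerprint that comes out suspicious here is the one you would promote into an IOC or risk trigger for targeted ZIA enforcement, rather than blocking the CDN it hides behind.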
By focusing on stable signals like the TLS handshake fingerprint (JA4) and behavioral patterns, the integration allows you to hunt for “low-and-slow” C2 traffic even as threat actors rotate infrastructure frequently to evade destination-based controls.

Use Case 2: Driving Early Detection with Unified SSE Visibility

In this scenario, you’re dealing with what modern SOC operations actually look like at scale: strong security controls are firing, attackers are probing, and you have to prioritize fast. Zscaler Advanced Threat Protection sandboxing surfaces suspicious artifacts as intended, giving you early indicators that something is not right. The challenge is not that the controls are failing—it’s that a motivated attacker can generate multiple adjacent signals (downloads, staging, retry attempts) and your team needs to answer the next question quickly: is this activity progressing into reconnaissance, lateral movement, or private app targeting?

The Zscaler + Vectra AI integration delivers attack-stage clarity instead of simple alerting, as early as the reconnaissance stage, before the attacker starts compromising hosts and moving laterally in the connected network. Vectra AI’s behavioral analytics surface a telling indicator—a cautious, recurring horizontal port sweep and enumeration behavior—so you can focus on what the host is doing next, not just what it downloaded. In this scenario, the laptop attempts SMB/445 connections to roughly 50 internal IPs and shows enumeration patterns against private applications—especially SMB, RDP, and SSH paths targeting higher-value systems. Deception signals from Zscaler (like Kerberoasting-related indicators) further increase confidence that this isn’t benign user behavior.

This is difficult precisely because each signal can be argued away in isolation. A burst of suspicious artifacts can reflect attacker experimentation, limited scanning can be misconfiguration, and private app access attempts can resemble legitimate IT workflows.
What you need is attack-stage context—behavior plus access context—connected fast enough that you can contain it while the attacker is still in reconnaissance and enumeration. This is where running both integration lanes matters. ZIA gives you an internet-traffic view through PCAPNG ingestion for suspicious and SOC-interesting traffic. As described in the Zscaler and Vectra AI Deployment Guide, Vectra AI sensors and ZPA logs generated by the Log Streaming Service (LSS) track behaviors undertaken by remote workers. These logs are preferably sourced from a dedicated App Connector Group used only for LSS, contain data related to the activities brokered through App Connectors used for ZPA traffic, and—when forwarded to the Cognito Brain—form the basis of this integration. The Vectra AI Brain serves as an enterprise log receiver in ZPA parlance.

In practice, this combined view lets you connect the dots quickly: what the host is doing on the internet through ZIA, what it’s attempting against private apps through ZPA-brokered access, and what Vectra AI is prioritizing behaviorally. With high-confidence signals in hand, your SOC can shift from investigation to containment by applying targeted enforcement in ZIA—and, where appropriate, tightening access via ZIA and ZPA policies—so the device is constrained while you complete the response. After you stabilize the incident, you can strengthen posture using what you learned—updating criteria and policies in Zscaler based on impact and known advisories—so you reduce unnecessary noise while keeping the controls that matter.

Figure 2: Vectra NDR finding suspicious Active Directory recon for Private Applications. By ingesting ZPA logs alongside on-premises telemetry, Vectra AI applies sophisticated behavioral analytics to east-west traffic, surfacing lateral movement and internal reconnaissance as they occur.
This unified visibility for remote-user behavior allows SOC teams to move beyond basic alerting and prioritize threats based on high-confidence actions against private applications.

Use Case 3: Detecting Compromised Identities & “Living off the Land” within SaaS Apps

Modern attackers no longer “break in”; they “log in.” By using stolen session tokens or sophisticated phishing, they bypass Multi-Factor Authentication (MFA) and “live off the land” within SaaS platforms like Microsoft 365 or Google Workspace. They use legitimate administrative features—such as creating enterprise searches for keywords like “Merger,” “Password,” “Secret,” or “Contract,” configuring OAuth access to privileged services, or setting up Mail Forwarding Rules—to steal data without ever triggering a malware alert.

Vectra AI flags the identity behaving strangely—for example, when a non-admin user suddenly starts creating automated flows with external connectors they have never used before. Zscaler provides the “What”: it shows that this same user is accessing crown-jewel applications and applications that are rare for that user. By correlating the source internal IP from the App Connector with the ZPA LSS logs and Vectra AI telemetry, the SOC team can hunt for instances where a legitimate SSH session is being used for unauthorized “Lateral Movement,” and identify abnormal or rare access patterns based on frequency and the number of endpoints the compromised identity is attempting to access over time. The SOC uses Zscaler to “Terminate” the ZPA session and updates ZPA policy to require Step-up MFA for any SSH access to that SQL segment.

This stops “fileless” attacks where no malware is present. By combining Vectra AI’s focus on who is behaving abnormally with Zscaler’s visibility into what they are touching, the SOC team can catch the attacker during the “Exploitation” phase—before they can complete a large-scale data breach.
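The two ZPA-side hunts from use cases 2 and 3, as one added example that is not code from the post, Zscaler or Vectra AI: a sliding-window count of distinct servers reached on a port per identity (the ~50-host SMB/445 sweep), and a per-identity comparison of recent access against that identity’s own baseline (applications never used before, endpoint fan-out far above normal). The JSON field names are assumptions modelled on ZPA LSS user-activity records, so map them to your own LSS log stream template; the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Field names are assumptions modelled on ZPA LSS user-activity JSON; adjust to your template.
def parse_lss(lines):
    """Parse newline-delimited JSON LSS records into the few fields the hunts below need."""
    out = []
    for line in lines:
        r = json.loads(line)
        out.append({"ts": datetime.fromisoformat(r["LogTimestamp"]), "user": r["Username"],
                    "src": r["ClientPrivateIP"], "dst": r["ServerIP"],
                    "port": int(r["ServicePort"]), "app": r["Application"]})
    return sorted(out, key=lambda r: r["ts"])

def find_port_sweeps(records, port=445, window=timedelta(minutes=10), min_targets=20):
    """Flag (user, source IP) pairs reaching >= min_targets distinct servers on `port`
    inside any sliding `window`: the horizontal SMB sweep from use case 2."""
    by_actor = defaultdict(list)
    for r in records:
        if r["port"] == port:
            by_actor[(r["user"], r["src"])].append(r)
    hits = []
    for (user, src), rs in by_actor.items():
        in_window, left, peak = defaultdict(int), 0, 0   # server -> hits inside the window
        for r in rs:
            in_window[r["dst"]] += 1
            while r["ts"] - rs[left]["ts"] > window:      # slide the left edge forward
                old = rs[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits.append({"user": user, "src": src, "port": port, "peak_targets": peak})
    return hits

def find_rare_access(records, cutoff, fanout_factor=3.0):
    """Per identity, compare access since `cutoff` (ISO string or datetime) with that identity's
    own earlier baseline: apps never used before and endpoint fan-out well above baseline."""
    cutoff = datetime.fromisoformat(cutoff) if isinstance(cutoff, str) else cutoff
    base_apps, base_dsts = defaultdict(set), defaultdict(set)
    new_apps, new_dsts = defaultdict(set), defaultdict(set)
    for r in records:
        apps, dsts = (base_apps, base_dsts) if r["ts"] < cutoff else (new_apps, new_dsts)
        apps[r["user"]].add(r["app"])
        dsts[r["user"]].add(r["dst"])
    findings = []
    for user in new_apps:
        unseen = sorted(new_apps[user] - base_apps[user])
        fanout = len(new_dsts[user]) / max(1, len(base_dsts[user]))
        if unseen or fanout >= fanout_factor:
            findings.append({"user": user, "unseen_apps": unseen, "fanout_ratio": round(fanout, 1)})
    return findings

def constructed_lss_lines():
    """Constructed sample: a week of routine access by jdoe, then a 50-host SMB sweep
    followed by SSH to a SQL segment this identity has never touched."""
    def rec(ts, user, src, dst, port, app):
        return json.dumps({"LogTimestamp": ts.isoformat(), "Username": user, "ClientPrivateIP": src,
                           "ServerIP": dst, "ServicePort": port, "Application": app})
    t0, lines = datetime(2024, 6, 3, 9, 0), []
    for day in range(5):
        lines.append(rec(t0 + timedelta(days=day), "jdoe", "10.1.1.50", "10.10.0.1", 443, "intranet-web"))
        lines.append(rec(t0 + timedelta(days=day, hours=1), "jdoe", "10.1.1.50", "10.10.0.2", 445, "fileshare"))
    sweep = t0 + timedelta(days=7)
    for i in range(50):                                   # 50 SMB targets in under 9 minutes
        lines.append(rec(sweep + timedelta(seconds=10 * i), "jdoe", "10.1.1.50", f"10.10.0.{100 + i}", 445, "fileshare"))
    lines.append(rec(sweep + timedelta(minutes=9), "jdoe", "10.1.1.50", "10.20.5.7", 22, "sql-segment-ssh"))
    return lines
```

Run `find_port_sweeps(parse_lss(constructed_lss_lines()))` and `find_rare_access(..., "2024-06-09")` to see the sweep and the never-before-seen SSH segment surface; either finding is the evidence you would pair with Vectra AI’s behavioral prioritization before terminating the ZPA session.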
Figure 3: Vectra NDR finding suspicious SaaS access from a compromised identity

By leveraging this unified SASE visibility, your SOC can rapidly identify and isolate compromised accounts attempting to “live off the land” through unauthorized lateral shifts or stealthy data exfiltration.

Figure 4: Zscaler and Vectra AI

Quick view: What You Need to Enable

If you want to run use case 1, you need ZIA visibility in Vectra. Customers using ZIA with Vectra AI have two options: on-premises capture (the older method, supported for years) and the newer PCAP ingestion method. If your priority is visibility for remote users and modern ZIA deployments, PCAP ingestion is the path you’ll typically implement.

If you want to run use case 2, you need that same ZIA visibility plus ZPA context. That means enabling ZPA LSS and forwarding those logs—preferably from a dedicated App Connector Group used only for LSS—into the Vectra AI Brain as the enterprise log receiver.

Most importantly, giving visibility into the complete SASE platform for specific use cases is just the start of the SOC journey. Depending on tooling, automation and playbooks, it can support many more use cases, such as DNS behavioral baselining, visibility into encrypted tunnels, baselining access to critical applications, insider misuse such as rare access attempts, spikes or other unusual or suspicious data-transfer activity, and customer-specific traffic investigations for Living off the Land anomalies from legitimate tools.

Note: this post intentionally avoids step-by-step UI instructions; the Zscaler and Vectra AI deployment guide covers those details. The point here is to help you map each use case to the lane(s) you must deploy and the kind of evidence you should expect to gain. These scenarios are different—one is about evasive outbound behavior and the other is about early containment across attack stages—but the operational payoff is the same.
You’re building a repeatable evidence pipeline across SSE traffic so you can validate faster and act with confidence.

If interested, you can do a quick “outcome check” that matches the investigation you care about. For the first use case, generate a small amount of representative outbound TLS traffic from a test user and confirm the end-to-end chain works in practice: your ZIA capture policy results in PCAPNG objects in the S3 location you configured, the ingestion path is active, and you can complete the pivot that matters—spotting the same stable JA4 fingerprint pattern across endpoints. For the second use case, confirm the same ZIA ingestion path and then validate that ZPA LSS logs are landing in the Vectra AI Brain and are usable as investigation context, because your ability to connect behavior to private-app access context is what makes earlier containment possible.

When those pivots work end-to-end, you’re not just “integrated.” You’re operational—able to hunt with better evidence, contain earlier when warranted, and feed what you learn back into tighter policy and more automation over time.

Interested to hear more? Please reach out to your Zscaler and Vectra AI account team members.
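For the first outcome check, confirming that the objects in your S3 location are real, complete PCAPNG captures (not zero-byte or truncated uploads) is worth automating. This added example, not code from the post or either vendor, walks the PCAPNG block framing of an object’s bytes and fails loudly on anything malformed; the sample capture it builds is constructed, and how you fetch the bytes from S3 is left to you.

```python
import struct

# PCAPNG block type codes (Section Header, Interface Description, Enhanced Packet).
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
_BYTE_ORDER = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}


def summarize_pcapng(data: bytes) -> dict:
    """Validate every block's framing (leading and trailing length, 4-byte alignment, no overrun)
    and count sections, interfaces, packets and captured bytes. Raises ValueError otherwise."""
    if len(data) < 28 or data[:4] != b"\x0a\x0d\x0d\x0a":
        raise ValueError("object does not start with a PCAPNG Section Header Block")
    counts = {"sections": 0, "interfaces": 0, "packets": 0, "captured_bytes": 0}
    end, off = "<", 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":          # each SHB declares its byte order
            end = _BYTE_ORDER.get(data[off + 8:off + 12])
            if end is None:
                raise ValueError(f"bad byte-order magic at offset {off}")
        btype, blen = struct.unpack(end + "II", data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        (trailer,) = struct.unpack(end + "I", data[off + blen - 4:off + blen])
        if trailer != blen:
            raise ValueError(f"trailing length mismatch at offset {off}")
        if btype == SHB:
            counts["sections"] += 1
        elif btype == IDB:
            counts["interfaces"] += 1
        elif btype == EPB:                                      # captured length sits after the timestamp
            (caplen,) = struct.unpack(end + "I", data[off + 20:off + 24])
            counts["packets"] += 1
            counts["captured_bytes"] += caplen
        off += blen
    if counts["sections"] == 0 or counts["interfaces"] == 0:
        raise ValueError("no section or interface block found")
    return counts


def _block(btype, body, end="<"):
    """Frame a block body with the PCAPNG leading/trailing total-length words."""
    total = 12 + len(body)
    return struct.pack(end + "II", btype, total) + body + struct.pack(end + "I", total)


def constructed_capture(n_packets=2):
    """Constructed minimal PCAPNG: one SHB, one Ethernet IDB and n_packets EPBs of 70 dummy bytes."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, unknown section length
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))            # linktype 1 = Ethernet, snaplen
    epbs = b""
    for i in range(n_packets):
        payload = bytes([i]) * 70
        padded = payload + b"\x00" * (-len(payload) % 4)           # packet data is padded to 4 bytes
        epbs += _block(EPB, struct.pack("<IIIII", 0, 0, i, len(payload), len(payload)) + padded)
    return shb + idb + epbs


if __name__ == "__main__":
    print(summarize_pcapng(constructed_capture(3)))
```

Against real objects, fetch each key’s bytes (for example with boto3’s `get_object`) and pass them to `summarize_pcapng`; a `packets` count of zero on a policy you expected to fire is as useful a signal as an exception.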