When the tools become the workforce: inside Zscaler's agentic security pitch in Vienna - Zenith Live

So, AkzoNobel is a paints and coatings company. So we paint planes, boats, cars. You may know the papaya orange maybe on the McLaren. So we have a variety of things. And of course we also make paint for your home or those types of things. So from a size point of view, we have around 35,000 employees. We operate in 150 countries. We have 126 sites, of which 122 will get the branch connector. So that's in process. From an IT point of view, we're providing technology to support basically all the back ends, but also all the way to the OT environment. So keeping all this safe, different factories, locations, headquarters and the like.

So I think maybe first of all, it's three companies that I deployed Zscaler with, not four yet, so there are some people here that have a few more. But if you look at AkzoNobel, we started back in 2014 with Zscaler Internet Access. A few years ago, we started with ZPA, I think initially for instance with Russia and to secure a few things. In the meantime, we fully deployed that. We're now also since October starting the deployment of the branch connector. We're about halfway there. You just alluded to the SIM card. So rather than replacing Wi-Fi in warehouses because it wasn't good enough for the scanners, we now in several sites also have deployed the SIM. We're also implementing ZPA for secure dial-in into the factories.

Digital experience. So we were with the CFO with his team on the manufacturing side, and Teams was really terrible. So we said 'Hey, what is going on?' And then two weeks later, the network team told me internet utilization was 46%, and that was it. That was the time that ZDX became available. I think we were one of the first customers. So really seeing basically what happens to your applications, to your users is of big benefit.

So basically we have 995 connected sites. Most of them were connected with business-grade internet. So as part of the whole idea to go to an internet-only environment, we want to get rid of all the firewalls, all the SD-WAN by the end of the year. Then of course we need to have a solution for the factories, because with the PLCs you can't load the agents on them. So that's how we came to the branch connectors. We started, I think we had the first site back in October. We're now halfway through, so we'll do 122 sites. And it's really, if you look at it, with zero trust you can add all kinds of layers. I think with Zscaler, we're eliminating layers while eliminating complexity. And I think you had one quote: 'If you can reach it, you can breach it.'

When we deployed, Socomec was the first site. So I told my SI: 'Break it.' And then a few days later, he came back: 'Hey, I can't find it.' So that was the whole thing. Yeah, okay, work is designed.

So we plan to do a merger with Xalta, which is mainly an American company but they also have a global footprint. So they are not a Zscaler customer. But we will basically implement the ZPA clients on their side and then to connect from them to us, we will implement the cloud connectors into selected places because they still have a fairly traditional network. And that basically will allow us full connectivity on day one without physically connecting the networks. That's really one of the things. As mentioned, what is coming is the completion of the branch connector rollout, getting rid of SD-WAN, getting rid of the firewall. So all of that is coming. And of course, in terms of AI, currently we do a lot of enterprise agents. We will start in Q3 with also citizen development, and then of course you get into a whole range of new challenges where I think also Zscaler has some interesting products to help manage that totality. It's fun to work with progressive customers like yours who challenge us, and you allow us to challenge you, and we all make progress together.

Thank you, Jay.

Thank you.

Thank you, Jay. Thank you, Jay, for inviting me on stage and talking about our journey. Siemens Healthineers is a global medtech player. So perhaps the majority of you don't know exactly what a medtech player is. If you or one of your relatives go to the hospital for a good reason like a birth or something, you are most likely diagnosed with one of our systems, by probability higher than 60%. So for diagnostics, it's a CT or MRI. If it's for an illness, then we have the systems who help you to get back to a better quality of life. It's about oncology care, cardiovascular care, neurovascular care. So this is what we are. We are present in more than 70 countries. We are a spin-off of Siemens because we are a pure medtech player focusing on healthcare, pioneering healthcare for everyone, everywhere, sustainably. This is our mission. And our backbone is innovation, and this brings us together with Zscaler. With the spin-off, I think we found a great partner who is also an innovation leader who helps us to go into the future.

Yeah, so with our strength in patient screening and precision therapy, connected by healthcare AI. You already see in our products there's a lot of digital. You cannot be a market leader in medtech without having a strong digital foundation. So therefore, we are a business enabler, a business driver. If IT gets disrupted somewhere around the world, there's a patient at serious risk. And this is the mantra which every one of our 75,000 employees has in his genes. So every disruption has an impact on the quality of life of someone. One of your relatives in the audience who may be at a hospital, who has a heart attack, a stroke, who got a critical diagnosis, he needs our help. At the same time, we have threats like we all have in the industry. There are cybersecurity threats out there. We have regulatory compliance. Jay talked about GDPR, localization, nationalization, which makes it difficult to build global networks and global security. And then for sure, technology, technology like AI. AI is like every technology a great lever to bring us to a better world. At the same time, it's a threat because it can be used by all the enemies we have outside there who are trying to hijack us. And healthcare is a top target. You just saw it in the US with the Change Healthcare incident, where a payer—and it's just a payer, but he's managing all of, not all, but 80% of the reimbursement of the doctors, of the universities, of the hospitals in the US—got hijacked by a ransomware attack, which at the end leads to the fact that no customer, no healthcare provider knew if they could provide this service. So for sure they service the patient, but it took a while until you could switch from digital back to analog. And the overall damage was $872 million, so almost $1 billion in costs. And for me, more important, I don't know how many lives suffered or even how many deaths had been caused. So that's why ransomware is not just for us a business threat; it's a threat for life.

Yeah. We started with a spin-off from Siemens and we said, 'Okay, let's use the opportunity not just as we have done it in the past, building a network with firewalls, copying the legacy we have.' We started with Zscaler. We had a great innovation partner with you, and I'm very thankful for my team. Couple of you are here, couple of you in the US. So the users are the first one: replacing VPN and firewall, building a Zscaler foundation for everyone, and making sure that we have Zscaler always on. I still remember the discussion when our engineers said, 'Okay, let's turn it off. I can do much more stuff if I turn it off.' But for good reasons, we are over this. Then we went to the separation, the M&A acceleration you could call it, during the pandemic. We merged together. It was an acquisition, but from a culture point of view, I would say we merged two market leaders merged together with Varian, an oncology treatment global player. And we could use Zscaler to provide the Varian colleagues direct access to our core assets to build, particularly the engineering, these routes, particularly in the sales and engineering environment, and then stepwise forward. With that, we could scale up the connectivity from, I would call it, quarters or even years to weeks and months in order to get access for the right people to the right asset and not providing access to everyone everywhere. So security was built in, I would call it.

And then we are now going, which is very exciting. We are not so far as Kurt is with AkzoNobel, but we are now bringing zero trust to our OT area. The next big change management field is the OT environment, and we want to use the branch connector really to drive there more security by connecting the different, I would call it, cells in the factory, not just each factory, and drive it forward because we believe at a certain point in time there will be an incident, and the better we have micro-segmented our factories, the better we are. A proof point for us was the acquisition from the Vates, a radiopharmacy distribution network. So many localized sites across Europe, and we could connect each of those sites. So this showed us, together with you and the great innovators from Zscaler, it's possible.

It's all about B2B connectivity. And we are emerging. We want to get out of the classical way of connecting with partners. And you mentioned this: the next risk is in the supply chain. And we are in healthcare; you are very much connected. You have connectivity to our customers, you have connectivity to suppliers. And bringing this on a zero trust network without firewalls would be the last phase that we can assume.

Oh, where we are? First, we have AI in our product since 2014. We at the moment have 110 FDA-cleared, publicly available, more than 110 products you can buy as a healthcare provider. So AI is in our company. That's why we have a lot of AI innovation. Engineers are running around with it. And we see we use Zscaler in the first level for the surveillance. We know where AI is and who is using what model, where the data streams are. We also asked, and had a discussion with the board: should we block it? And it was a clear rejection. Don't block it. We need the innovation. Try to guide it. And this is our mantra. We don't want to be the blocker, the one who stops doing things. We want to guide the user, not restricting innovation, but guide them to do it in the right way. And if we can do this with having more intelligence in Zscaler, talking to the users, guiding them with the knowledge base we have, this would be the next thing.

Great.

Please welcome to the stage Zscaler Executive Vice President, AI Security and Strategic Initiatives, D Shivakumar.

Good morning. I'm here to talk about what's top of mind for everyone: AI. AI has not just changed how we think about our work, but how we live our life. Before I talk about how we are using AI and how we are innovating with AI to secure AI everywhere, something very important: I'm going to talk about a lot of new innovation. You have seen me talk about this slide over the years; you must have it memorized by now. Safe Harbor applies. Lot of new innovation coming your way. So as I said, AI is changing the way we live. I wake up in the morning, I converse with AI. I sleep by planning my day with the AI tools that I use every single day. It has a profound impact on the way we are working and thinking as a human being. Four years ago when ChatGPT came out, everyone said we don't want to use it in the enterprise. Today, everyone is enabling the safe use of AI within their organizations. And the tool set that we are using to use AI in our work, in our daily life, is increasing. We have seen an exponential growth in the AI tools that have been introduced in the last couple of years. The first set of security controls around AI needed deep visibility. This is what we started by introducing in the market three years ago: visibility into what your employees are using when they use GenAI applications on the internet. Many of you are using it today. You have deep visibility into applications that your employees are using. And not just what these apps are, we also had to understand what they are writing inside these products. AI also brought newer protocols: Microsoft Copilot uses WebSocket. We rolled out WebSocket inspection. There are newer protocols like SSE and protobuf that are being introduced with AI. We are adding support to decrypt that too. And now we have seen an explosion of AI tools inside the enterprise, whether these are MCPs, these are agentic applications and IDEs that we are seeing inside our environments. AI is also getting deeply embedded everywhere on the internet. What you're seeing is chatbots and AI in supply chain getting embedded inside websites that we go to for day-to-day work. For example, what you're seeing here is a chatbot inside a very famous restaurant's website from where you can order food. But what people are doing instead of ordering food is basically solving complex math problems, burning very expensive tokens. That's a problem you don't want to be dealing with, blowing up your cost. The answer cannot be 'have a human in the loop' while you are waiting for people to order food. To solve this problem, what we introduced was deeper asset-level visibility, which is not just focused on what we see on the internet, but starts discovering assets based on what employees are running on their laptops, their devices, what kind of AI tools you are using in public cloud, as well as where AI is embedded inside your source code, and look at the full AI bill of materials. So assets that we really care for from an AI perspective are models, your MCPs, your agents, your data sets, and agentic applications. Now, assets in the AI world also have deep lineage with identities, not just human identities but roles, permissions and non-human identities, as well as the data that it connects to, and it could be classified data. Understanding that data becomes very, very important. So what we provided to you, as Jay talked about the AI Protect portfolio we introduced earlier this year, is visibility of AI assets with lineage to identity and data. Now what we are seeing is the explosion of agents in this ecosystem. Most of the agentic traffic until recently that we were seeing in enterprises was agents embedded inside SaaS applications. Now we are at the cusp of agents going mainstream and being deployed in our enterprises, whether they are in public cloud or deployed on user devices. And the challenge with agents is they are everywhere. You need to find agents no matter where employees are using them. They could be running in a secure container in public cloud versus on a user's device as a native agentic application in services like Copilot or Agent Core. And agents either assume human identities as our digital twin, or they have a service principal identity when they're autonomous. The challenge it creates is there is no fine-grained authorization in between. So when the agent has to perform a task, we are looking at two extremes. Agent authorization becomes very challenging. And what is also important with agents is to understand the intent with which these agents and applications are built. If you don't understand that, we can't create real policies around agents, not just based on signature-based security or regular expression-based DLP that has worked well in the internet era. You need to create intent-based policies for agents. And that's the challenge which most of the security tools and networks that we have built were not built to solve. Many of us use different tools in our security tool set. You have identity providers, you have EDR providers, you have API gateways, and everyone is bringing some level of visibility for AI. So if you have an identity provider which tells you what agents are logging in, they don't give you enough information on fine-grained authorization. You look at your EDR, which has good context at a process level of what's going on on the endpoint, but it doesn't have the context, intent, and the data lineage. When you look at your AI or API gateways, they were built to handle API traffic and are now being front-ended to your MCPs, but again no context around the lineage of data and what is the intent of these applications. So the tool sets keep coming, but the visibility stays fragmented. We saw this trend early, about nine months ago. We started looking at what pieces of the puzzle we have solved on our security portfolio and the visibility that we have built in the last three or four years, and how we bring this picture together. That's where we introduced our AI Protect portfolio with three major swim lanes: one, AI Asset Management, which is the inventory of all your AI assets everywhere with the risk that is tied to these assets, finding that and correlating that; second swim lane, Securing AI Access, how you enable secure access for your employees, your workforce, your contractors to AI applications, sanctioned AI applications that you have been building; and the third swim lane, Securing AI Apps and Infrastructure itself. So we made the acquisition of a very exciting Europe-based company called Splx last year, which is an AI red-teaming platform with which you can do red teaming on AI assets such as models, MCP gateways now, and AI applications. And then AI Guardrails, intent-based policies for applications that you are building that are talking to your model. The landscape of AI is also very dynamic, so compliance becomes a big problem. You have to do continuous posture assessment of your AI application. So AI Governance and Compliance is something we do on an ongoing basis, including coverage for the EU AI Act. Now, the agentic enterprise needs a new platform for a couple of reasons. Jay talked about how we will have millions of agents. In fact, every human identity will probably have anywhere between 10 to 40 agents, and a lot of sub-agents are spawned based on the task that you need them to do. The control plane of security was not built at that scale. So you need to build something that scales with the number of agents and entities that it could create. With that framing in mind, we started working towards what we call our Zero Trust AI Security Platform. And the best thing about this, that our customers will love, is it is built on the same Zero Trust Exchange that you've been using to secure your other entities. And it is an extension of our platform. So three big innovations that we are introducing on this platform—and I'm going to go deeper and show you a demo of each one of them—are AI Access Graph, AI Broker, and AI Endpoint Security. Access Graph is about connecting the dots, telling you how data, identities, and various assets connect to AI, and giving you a full view of your AI across your enterprise. AI Broker is an AI gateway which also has an agent registry and has coverage for newer protocols such as MCP and MCP broker built into it. And we are seeing every employee moving towards deploying agentic applications on endpoints, AI assistants on endpoints. So bringing full visibility and control on the endpoint for AI as well. The way we are bringing this together: as you have seen, we have the Zero Trust Exchange, which is where we take your internet traffic, private application traffic, and have built our gateways. AI Broker becomes part of this to build policies around your AI applications. We extend this to cover every single endpoint from where traffic for AI is coming: whether that's your user devices, SaaS services where AI is embedded, your MCP servers that you're using as a broker for your APIs or for your agentic applications, your native AI agents, your private endpoints in public cloud, and use AI Access Graph as I said to connect all the dots and build the policies which are intent-based on top of it. Before I go deeper into what these new innovations are, we also have been continuously innovating on our AI Protect portfolio. So AI Protect starts with AI Asset Management, and in AI Asset Management we bring visibility with inline traffic, everything that's happening on the endpoint, as well as we scan your public cloud environments and discover all AI assets and AI-native platforms in there, as well as source code repositories. We are in early access for our endpoint, and I'll show you what it does. And we have our public cloud scanning as well as source code repos generally available that you can start deploying today. Now, as I mentioned, visibility in AI starts with how people are going to the internet, how they're accessing the internet. We had about 300-plus applications that we covered earlier from an AI visibility perspective, and we had started with a URL category which has about 12,000 domains on it today, which is table stakes. But as I said, AI is getting embedded everywhere. You need deep visibility into AI. And this is where we have grown from 300-plus apps to 2,900 apps. And another thing that we are solving: a lot of you are now deploying AI on your websites and your public-facing assets. It becomes very difficult to understand what AI endpoints are exposed. So we are introducing a new capability called AI Attack Surface Summary, where we can, completely outside-in, by scanning your namespace, we can tell you which AI assets like your public AI apps, your APIs, your MCPs and tooling are exposed on your website and your public-facing internet assets, and give you an attack surface analysis of that. So this is something which is coming soon. While the visibility for public AI and visibility and controls around 2,900-plus apps is generally available to our customers today, we also support things like prompt extraction from more than 300 applications, and I will show you a demo of that as well. Now, double-clicking on what we are doing on the endpoint. So as many of you know, we have our client that runs on about 60 million user devices today, the client connector. Using that, we can show you which users are using what AI applications, who's using Copilot, who's using Codex, who's using AI assistants like OpenFlow. What we are introducing now are the deeper hooks or sub-agents that can be installed inside these applications. So with AI Endpoint Security, we bring you deep visibility of your AI assets when these hooks start running inside your AI applications. Broadly, we are looking at three broad vectors on the endpoint: browsers, where most of the users are using AI; we have a browser extension that we brought with the acquisition of SquareX a few months ago, which brings deep browser detection and response capabilities, but also deep controls on what AI is doing on the endpoint, what is happening with your copilots like Microsoft Copilot, and deep visibility, data protection controls, and intent-based policies for your copilots; and then deep visibility and control inside agentic applications like Claude Code and Codex etc. So from a visibility perspective, let me walk you through a demo of the level of visibility that you can get from this platform. It starts with a full overview of what is running on your endpoint, discovering all the apps and various versions of that, and what policies are running on that. Then you can basically see all the attack types that are originating, mapped to the OWASP framework, as well as the risks that are tied to your AI applications. Then we basically show you all the AI assistants that your employees are using on their device. I personally use Hermes quite a bit, and it gives me access to the latest models, but you also get exposed to a lot of threats with these AI assistants if they are not configured properly. So in this case, what you can also see is on this specific user with the Hermes agent, you actually have API keys exposed on the endpoint. The user has installed a local MCP server through which this agent is calling out, as well as what you can see: the shared credentials and the full configuration of this agent, including the heartbeat and skills file that is running. You get full visibility into it, and you can control what these agents or assistants can do. Then we look at your AI IDEs, any VS Code-based application like Windsurf or Cursor, with full lineage of what agents it is spawning on the endpoint, and you can see the full footprint and landscape of it. Then you can also see the extensions that it installs and all the coding workspaces that your developers are running. Then what we look for is local AI models. A lot of AI models are becoming smaller in footprint and they could be embedded on the user's device itself. We bring you full visibility of that. Even your Chrome browser runs a nano model today. So what actions it can perform: we give you visibility and control around it. You can also detect models that are behaving in a suspicious way. In this case, what you're seeing is a DeepSeek model which is actually claiming or spoofing the identity of a Llama model. We can detect these kinds of anomalies. And we can also see if your models have threats embedded in them. In this case, you're seeing a malicious pickle file, a Python file, which is actually inside the model that the model is trying to download. We can prevent your models from accessing it. And then we also detect risky models, like something that can create legal liability. We can block that from executing on the end-user device as well. Now we also bring all the AI apps, as I mentioned, not just the VS Code agentic applications, and we also show you all the packages, software packages that these agents are deploying and downloading. So bringing full AI bill of materials: software libraries, extensions that connect to your agents. Now let's take a look at how deep we go on AI agents. We bring the full exposure graph of all the artifacts that AI agents are downloading and are using for various tasks, and we can tell you how many of these are suspicious, risky, or are exposed. You can actually do deep skill analysis to see what the surface area of a given skill is. Does it have any embedded files or scripts inside? We can tell you what the data blast radius of that skill is. Can it actually access files on the endpoint and take certain actions? Data sensitivity and the trust score of a given agent. Then we also audit the skills. We go deeper into the skills and build a skill map on what it can do on the endpoint. So in this case, I click on a suspicious skill, and what you are able to see here is the local skill map and the full configuration and execution of this skill, and then running it against a YARA rule set, and then being able to say what does anything in the skill look suspicious? Like the size of a skill file for example, or embedding of scripts inside. So we can detect all of that and bring full visibility to you on that. So all of this is something that you will be able to access starting the first week of July. The product is going into early access. We're working with design customers. And it could be deployed by installing these hooks or sub-agents inside your AI agentic applications on the endpoint. We also give you AI in the browser. We can allow your users to use ChatGPT, for example, with the corporate identity while blocking the personal identity. In this case, you can see that users can go only to corporate, while we block personal. But let's say you want your employees to use the personal ChatGPT—they're paying a $20 subscription for it—while you use another application like Microsoft Copilot. Using a browser extension, we can prevent the data from going across the boundary of two applications in the same browser. So deep controls of what happens inside the browser. Now let's take a look at a demo where I'll show you how we actually secure what's happening on the endpoint. I'm going to show you a device takeover attack that is happening through an agentic application and how Zscaler protects the service using our back end. So what you're looking at is a Codex interface. I'm running a basic query: 'Give me a list of all the skills,' and one of the skills that I've downloaded from the marketplace is Tax Saver Skill. I'm trying to save taxes; it's that time of the year. I put all my financial information in there and ask Codex here to basically tell me how I can save my taxes. So Codex detects that I have a Tax Saver skill on my client, and it starts running that analysis for me. What is happening behind the scene is that there is a malicious backdoor being opened on the attacker's device which has embedded the skill with a malicious file. So the attacker wants to see what personal data I'm running on this laptop. They got root access to my machine, and they can execute a command, and they can actually see, for example, my CRM data that's on my endpoint. What is happening also is the Tax Saver skill actually has a malicious instruction, and it has an embedded Python file which is actually allowing this remote control or takeover of the user's device. Now let's take a look with the Zscaler agent or hook running inside Codex. The user is doing the same thing. They basically execute the same command. But what happens now is: before the skill is executed, our agent starts running and starts analyzing that skill file. So you'll see a different outcome. What you're going to see is we are preventing that reverse shell attack using our sub-agent. We basically halt this skill from executing because we see hidden command execution inside that agent. And using that, the user was not able to use it, and we also can remove such skills from the code. So very powerful: full visibility, full control of what's happening on the endpoint. Now let's move to the second frontier: what we do in the public cloud. So we already scan your public clouds to figure out AWS, Azure, GCP environments: what AI is being used, find all AI assets. This has been available. Now what we are introducing is full runtime detection of your AI agents that are deployed in your environment. So what you're seeing is our Zscaler AI Security Console. All the capabilities by the way I'm talking about are in the same console. So all products of Zscaler that secure your AI are available here. You see the primary kinds of assets that we are finding. A new kind of agent that we introduced recently is the AI agents. You can see where these agents are running. I can click on agents in AWS, and I can get a full picture of the agentic workflows these agents are creating, discover and investigate the risks tied to these agents as well. For example, here I want to see what my orchestrator for OrderBot agent is doing. Here, by clicking on that agent, I'm able to actually visualize the full risk: what level of access this agent has. And usually your orchestrator agents can create more agents, sub-agents. We actually can give you click-through of those sub-agents as well. In this case, I can look at the high-level information. You can see that this agent has no guardrails configured, and no customer-managed custom PII configured on it. Then you can also see this agent has access to sensitive data, and you can click and see all the data classification labels for example, and you can also see the tools it calls. It also has access to public internet; probably it is connected to your supply chain. But we also detect if it is connecting to risky MCP servers for example. So full visibility of data identity lineage to what's running on the public cloud for you in terms of agent footprint. Looking at source code repos, we already do static code scanning of public cloud and code repos like GitHub. Now we are introducing runtime scanning of your code in public cloud as well. So in this case, what you're looking at is basically runtime analysis with the full lineage. But if you click on the configuration, you are seeing which account ID, which account name in AWS this specific agent is running, and which region it is running. And if you have a Python script or Python code that we are executing, we'll tell you at which line in your code we find an anomaly. So we can also tell you if there's a code execution risk that is not fully covered. And then you can click on understanding how this agent is connecting to various assets within your environment, and also full line-by-line analysis of your source code is available with it. You can click on the orchestrator agent here, and then you can see the full analysis of this specific agent that actually shows you the identity, the orchestrator's landing graph, which workload it is connected to, what kind of capabilities and risks are tied to this, and how do you remediate that. So going from static to dynamic code analysis with full visibility of every asset type tied to agents in public cloud. We support full scanning of public cloud source code. Today we are working to extend the source code scanning on endpoint to the endpoint AI security; that will come later this year as well. Now let's talk about AI Access Graph. So in AI Access Graph, we are basically looking at three broad vectors: discover every AI asset, whether this is your agents, your applications, your data, and also find every relationship between your AI assets, and then discover the risk and prioritize risk across. Many of you use graph-based security products, and one of the challenges with graph-based products is as you create or connect more entities to it, the graph relationships become very complex to triage. One of the good things about the Symmetry acquisition that we made is that it creates a concept of distributed graph. So you can say, 'Here's my graph for the endpoint, public cloud, or certain identity type,' and you can then investigate things across and then correlate that across multiple different graphs. It makes triage and scale much easier for these types of findings as well as risk analysis. So bringing visibility for AI has been easy. We have been doing it. What has been harder is how you bring the lineage of data and identity with AI, especially when identities are complex, especially with roles, groups, permissions, as well as non-human identities. And then this gets scattered across different places like public cloud, SaaS, on-premises. How do you bring all of that together, and then being able to connect the dots, understand the full blast radius of every identity or action that AI can do, mapping permissions, and finding overall risks and remediating those risks? So what I'm going to do next is show you a demo of this AI Access Graph connected with AI agents. What you're seeing here on the screen next is basically the full universe of your data, identities, and AI. This is a real demo of the product as it exists, and we are integrating AI into it which you are able to start using now. It is a universe with different galaxies of your public cloud, your private endpoints, your endpoint, and your SaaS application clusters. What I'm doing is I'm going to interact with an AI agent where I'm just running a very simple query: 'Show me all the PII across all my environments.' So you see basically where my PII is sitting in public cloud, SaaS applications, dev tools, in a very visual way. Then I basically run another query: 'Amongst these, which of these PII data is accessible to AI agents, and where are they deployed?' So you are basically seeing: they are deployed in AWS, Bedrock, Foundry, and what these supply chains are; you get full visibility into that. Next, I'm basically running another query to ask the graph to show me all the dormant identities that I have. And identities could be roles, groups, permissions as well. Next, I'm saying: 'How many of these are actually external identities?' So you basically want to see if contractors have access to PII data, right? So I find four contractor identities here. And then we basically want to further analyze it. We want to see which of these don't have MFA configured. And now I see one single contractor identity which has access to PII and doesn't have MFA configured as well. And we can see that specific user. Next, what we want to do is understand the blast radius of that specific identity, and now you can see what that identity can do within your environment, and you can remediate that risk. Now I want to understand where I have cross-tenant operations and identities that have access to it. So again, I'm seeing the same identity which has no MFA, access to PII, with the access running here. I want to understand that endpoint and what's happening on that endpoint next. So I can click on that endpoint with deeper integration of our Endpoint AI Security that I talked about. We can actually show you what actions are happening on the data. For example, PII is uploaded on that endpoint, data that user is touching, and being able to take definitive actions on that. So full visibility and control of everything from public cloud to full identity lineage, data lineage, agentic lineage in a single graph. This is the power of the Access Graph that we are bringing together. Now let's move to the second area of AI Protect, which is Secure AI Access. Here, thousands of customers are using this capability where you can basically say 'Microsoft Copilot is my sanctioned application; I want to block access to everything,' and you can build very deep, granular controls on access of those applications. Now, one of the things that we are also bringing here is a chat-like view of all the prompt extraction and response extraction we're doing. We already support prompt extraction for more than 300 applications and response extraction for 40 different applications. Security teams who are doing investigations and for AI governance use cases want to see it like how we see IMs, right? What did the user say? What did the other user respond? In this case, the other user is an agentic application. You can see the full conversation, and then you can see anomalies such as a response from the user actually has a DLP violation, but then the user is trying to ask for sensitive information, for example M&A information, for which you can't build DLP dictionaries; where the intent-based policies are kicking in where we are running the detectors in our AI Guard that detect, for example, topics such as M&A without creating any dictionary. So full view of what that conversation was, what was the response of the model or application with and without guardrails, in an iMessage or chat-like conversation which is easy to understand and contextualize. We also have integrated with both Anthropic's compliance APIs and ChatGPT's APIs to extend our AI Guardrails for chats or prompts that are not coming through us inline, and being able to extend policies to those frameworks as well. This has been generally available for a few months now. Moving to the third area of our portfolio, which is Securing AI Apps and Infrastructure itself. Now here, the focus is to basically secure the whole lifecycle of AI applications: from when people are building AI apps, when they're deploying it in production, to runtime. As I mentioned, you don't do red teaming on AI assets only when you are building them or deploying them. You have to do continuous AI red teaming on your assets. You have to do asset management, AI posture management on an ongoing basis, as I showed you in the earlier demo. And when you operationalize these applications, you need runtime controls through our AI Guard platform. Talking about red teaming: a couple of new innovations that we are introducing there. Apart from model and application coverage, now we are introducing red teaming on MCP servers. And we have built an AI agent that can automate creating AI actions on applications for which we don't have pre-built connectors. So we support about three dozen different models and applications on which you can do red teaming. A lot of times, customers want to extend red teaming to some new application that needs us to do some form of forward-deployed engineering to work with you, some level of configuration for a couple of days. Now that work can be done by an AI agent. Then you have about 25 different probes including custom probes that you can write based on your business context, apart from the predefined probes we have. And then you can simulate 5,000 different attacks on your environments. We have hundreds of customers using this product today. Talking about MCP red teaming, which is a new capability: you can get information about all the MCPs that you are seeing in your environment using our inline product. If you use ZIA, we provide visibility of all public MCPs we discover. We discover endpoint MCPs, and with our public cloud scanning, we discover all your MCPs in public cloud. You can say, 'These are my sanctioned MCPs in the graph, and I want to do red teaming on that.' And then you can basically see the full heat map of that red teaming exercise and what remediation actions you can take on it. We are also introducing a standalone Prompt Hardening service. This has been available by the way for our customers who do AI red teaming with us. When you do red teaming, we can basically see what prompts your application systems are generating based on your testing guardrails, and then we suggest hardened prompts to you. Now we have made it a standalone service that it can actually work without AI red teaming. We have customers, like an IoT customer, who basically have said, 'I use AWS Bedrock; can you give me prompt hardening as a native service on Bedrock or Agent Core?' So you can make a call to it, and it actually analyzes your prompt. It tells you if your prompt is not hardened, what is required to harden your prompt. So this has been something we've been working on based on a lot of customer demand. It's available now. Another powerful capability that we are bringing out sometime in July timeframe is our AI Compliance Heat Map. We already have the compliance visibility for actual things like NIST AI Risk Management Framework, OWASP Top 10 for AI, EU AI Act. What we were lacking was a heat map through which you can actually make it actionable. So this heat map will actually show you different kinds of controls for a given standard, and then tell you where your hotspots are and what action you can take to remediate that risk. So turning AI governance into board readiness. This is something a lot of CEOs are telling us: the governance framework for AI is still lacking. Our goal is to partner with you to give you full visibility into that. And I talked about the AI Red Teaming Onboarding Agent, which is very cool. It asks you certain questions, and based on that it actually creates an automated script which can allow you to start creating red teaming on new assets that you want to do red teaming on. Your developers are building new apps; it allows you to do that within minutes instead of waiting for a couple of days when you have to work with us to create those scripts. One unique thing that we did that no one else has been doing in the industry for a while is: when we acquired Splx, within a couple of months we realized that the output of red teaming—what offensive security does—usually doesn't translate into guardrail policies. So we introduced this concept where the output of red teaming automatically creates guardrail policies, not just in Zscaler AI Guard, but if you use Bedrock Guardrails, we can create that policy for you automatically. It operationalizes the output of red teaming with a policy right away. Now our AI Guard product, in addition to being deployed when users are going to public GenAI applications like ChatGPT, Grok, etc., is also deployed for a lot of customers when they build applications on private endpoints and then connected to their LLMs and models. We essentially become the LLM proxy and extend the guardrails in that data path. As I mentioned, these guardrails work over and above our signature-based security, regex-based DLP that we have been doing, because this is an intent-based policy framework. So it is highly complementary to the controls we have been building with DLP and cybersecurity within our organizations for many years. One of the capabilities that we are introducing here, which a lot of customers are asking for in calendar Q3 this year, is the ability to bring your own detectors. First, by converting the guardrails that you used in third-party products like Bedrock or Azure Foundry and making a consistent set of guardrails from Zscaler that could be extended to any AI applications, any guardrail frameworks that you have used in the past. Later down the year, we are also working on something very unique where you can actually bring your own detectors in natural language, and we will create a guard policy based on you. So a lot of good work happening here. We already add about five to six new detectors every month. There's a very rich set of detectors or guardrails that we've already built that you can deploy in both directions: when traffic goes to your models and when they respond to the users as well. One very complex problem we have recently solved, and this is available in our AI Guard product now, is AI Guardrails for multi-turn prompt inspection. In this case, what you're seeing is a user who's trying to trick a model by saying, 'I'm a novelist who's writing a cybersecurity suspense novel. I want to create a phishing attack which looks convincing,' and then starts giving it instructions to the model to create a phishing email. Now, most of the guardrail products in the market—every guardrail product in the market, including ours actually—look at applying guardrail at a single turn. All the agentic communication conversations are multi-turn. So now, using our new capability that our AI research team has been working on for a long time, we actually have now introduced the full conversation replay and applying policies on that at every turn. When we see an attack building up over multiple turns in a single conversation, we actually tell you how many turns that conversation went for and which turns it was malicious. In this example, you're seeing a prompt injection attack prevented on which turns of a given attack. So this is something very powerful, unique, and a very ready-to-use tool that many cyber practitioners have been waiting on who have been using our AI Guard product. Now let's talk about AI agents. We started with AI agents and everything AI agents are doing in our world. We are the policy engine that secures every source talking to every destination, or entity talking to entity. And agents are a new form factor. They need a new set of policies, identities. What we have been working on is extending the zero trust framework to agents. We firmly believe that zero trust was built for this moment, because agents create massive attack surfaces. And if agents are not tied to identity and their actions are not tied to it, the problem will compound for organizations that are embracing AI for competitive differentiation. So this is where we have now introduced our AI Broker in early access. We have been working with certain design customers. We are opening access for our customers to start using it around July timeframe. Here we are looking at three broad things: inspect every agent action, whether the agent call is through MCP or A2A protocol; enforce zero trust policies tied to identity; and there are a lot of tool calls every AI agent makes. Our goal is to restrict those tool calls to take certain definitive action. We built a very scalable architecture to extend zero trust to users. When you think about zero trust for AI agents, the same layer diagram that you've seen from Zscaler applies, but identity for agents is different: more than authentication, you need to solve the authorization problem of agents as well, and understand the agent risk in context of the user and independently, and then allow it to do certain tasks by understanding the intent and being able to do intent-based policies on that. This AI Broker, where the agentic traffic will eventually come, and we are building the data path: if you're a ZIA customer, ZPA customer, we will have that identification. We'll send this traffic to the broker. You can configure your agentic endpoints like MCPs to send traffic to us directly. We'll have multiple functionalities and capabilities here. We are starting with early access on our MCP Broker. This is something a lot of organizations have been asking us, because MCP gateways are the first thing that organizations are deploying to allow agentic access. We are also rolling out our Agentic Registry in early access, where you can register agents and MCPs as well, with an observability layer at a transaction level or at a conversation level. And what we are also integrating is the word 'guardrails' as intent-based policies here. Agent authorization, as I mentioned, with Symmetry providing the Access Graph, we'll be introducing something that will be unmatched to anything else that you've used anywhere else. Now let me show you a quick demo of how MCP Broker works. What you're seeing is my Cloud Copilot interface here. I'm basically in Zscaler. Those of you who use our One API platform also know that we have an MCP gateway there. So I actually have deployed a Zscaler MCP gateway for One API behind this AI Broker. So I'm basically running a command: 'Show me all the app segments that I am entitled to as a service.' I see two app segments that I have access to. Now I'm also able to take certain action—but I should not, because I have those two calls enabled for me. In this case, what I'm able to do is delete an app segment, which I normally should not. And using the MCP gateway that we have built, I can actually delete the app segment. What you are able to see on the console here in AI Guard is basically all your MCP gateways are registered here. You can either have built-in MCP gateways that you can configure publicly, or in this case I have a user-managed gateway that I have configured here, and that gateway is the Zscaler MCP gateway. Now what I'm doing is I'm actually seeing there are 26,332 tool calls available here. I'm going to go ahead and create a policy here. And the policy basically for this specific administrator is restricting the tool access to only five toolboxes. So essentially I'm restricting this user's access to only read-only policies that they can access through this MCP gateway. Now the same user is going and trying to delete another app segment here. And in the output, you basically see that decision was blocked with a 'forbidden' access because what's happening behind the scene: if I go back to the console, there is a denied action you will see in the observability layer where I can actually show you the action that user performed, the authentication was correct, but it was blocked by us. So you can actually see full observability around it. Now I talked about a lot of products. We have been building a lot of new things and a lot of new innovations that we're bringing to our AI security portfolio. Essentially, we started with a series of products that were solving your use cases, and now we are bringing it through the same platform and contextualizing the same diagram that you saw earlier on how these bags fit into this puzzle board, and you get an entire platform to secure AI everywhere. Another thing that we have been working towards is building a partner ecosystem on top of our AI Security Platform. Last month we introduced our AI Guardian program, in which we actually rolled out our partnership with all the major global system integrators, and they are leveraging our products like AI Asset Management to build services around it that can help you detect and secure AI everywhere. This week we actually extended that program to also bring technology partners to this AI Guardian program. So we have partners across hyperscalers, across frontier labs, both Anthropic and OpenAI are working with us. We have hardware and AI vendors and identity and SaaS vendors like Saviynt working closely with us as well. And this is something we will be extending even further: deep integrations with these products and deep integration with the technology stack of these companies. One of those spotlight partnerships that I want to go a bit deeper on in our conversation today is with Anthropic. And I would like to invite Brett Andrews, who is the Cybersecurity Lead at Anthropic, who came all the way from New York to be with us, to spend some time with us, to join us and talk about shared philosophies between Zscaler and Anthropic around zero trust and everything we've talked about so far. Brett, please join me on the stage.

Who doesn't know about Anthropic here? Anyone? All right. So, tell us a bit about yourself first, your role at Anthropic, and what do you do day-to-day at Anthropic?

Thanks for having me here, D. So I've been in the cybersecurity industry for about 20 years now. I've been at Anthropic since 2024, wearing a variety of different security hats. My most recent role, I serve as a bridge between our customers and our internal security team, trying to propagate best practices outward to the cybersecurity community as a whole, and also listen to our customers and understand what their cybersecurity needs are, how they're using our products, and identifying opportunities where we can work together to improve the product as a whole.

That's great. Now, Jay briefly mentioned about Project Glass. It helps us secure the SDLC. You have been working with cyber defenders across the globe, and you recently expanded this program. Tell us a bit about, as a cybersecurity practitioner within Anthropic, how do you see this program evolving, and some of your key insights on that program?

Sure. The mission of Project Glass fundamentally is to enable defenders to secure the most critical networks with maximal impact ahead of offensive cybersecurity capabilities, by gaining access to world-class frontier models. So I think besides Project Glass, it's important to note that what we're really talking about here is these models are enabling velocity to become the key variable in any sort of cybersecurity context. And that's true whether you're using a Claude Opus class model or a Claude Sonnet class model. And so what we're trying to do is spread these best practices to all sorts of different companies and enable them, whatever model they're using, to really take advantage of that velocity and get ahead of the curve in terms of building their defense program before an attacker can have a commensurate capability.

And as you started alluding to, I think everyone knows that Anthropic is more than just Project Glass. And a lot of cyber companies and you know, infrastructure companies are using Anthropic for different use cases. What common use cases in cybersecurity are you seeing out there?

Sure. I think that's a good question. I would say the most common use cases that we're seeing are the rapid identification of vulnerabilities within their own code bases and own applications. We have a variety of different partners who've published material on this. Some have found as many as 2,600 vulnerabilities in one code base, where they're able to now take that, prioritize it, remediate it. And those are all holes that an attacker could have leveraged or exploited in their programs.

Yeah. And I think there's also a lot of focus on building new products with AI as well. One of the things that we have done, which our audience would know, is the AI Broker that I just talked about is something we actually started building with Claude Code, with Opus and Sonnet models, and 80% to 85% of the code is built with AI. So it's fascinating how fast things are turning around.

Yeah, I'd love to hear more about that.

So a lot of interesting work going on in that space from us. But let's turn towards something that we read about a couple of weeks ago. It was fascinating that you guys have started thinking about zero trust as a framework for AI agents. And I'm pretty sure you've been engaged in the white paper that came out from Anthropic about building a zero trust framework for Anthropic. As you know, Zscaler is known as a zero trust company. So great to see great minds thinking alike. But tell us how did you guys start thinking about zero trust in connection with agents, and what are you doing in that space?

Well, I think the most important aspect of that conversation is probably to remember that as these models improve, they're improving at an exponential rate. The average length of a task that an AI agent can complete is doubling approximately every seven months. And so at that rate, they're becoming commensurate effectively with, or comparable to, what you would consider a traditional employee in a lot of ways. And that leads to a convergence between the way that we treat an AI agent from an identity and security perspective and an employee from an identity and security perspective. The big difference being an AI agent can operate at a scale and a speed that is in many ways very challenging for a traditional security or IT program to handle. So when you think about your IT onboarding process or your IT offboarding process for that matter, when you're dealing with the scale and speed that these AI agents operate at, making sure that your processes can keep up with that is a real challenge.

Yeah. And also, I think I'm pretty sure you guys are hearing from enterprises that as people—not just engineers but non-engineers—start using Claude Code, there's code being generated everywhere. We rolled out integration with your compliance APIs a while ago. What other actions are you taking to secure the usage of these applications on the endpoint itself?

Yeah. I think obviously the compliance API is a huge win for the enterprise in terms of being able to really be transparent and provide that level of visibility as you were talking about, for whether it's executives or board-level visibility of what the AI applications are doing. I think the other piece that we see is that we've released a tool called Cloud Security. That is a managed service where you can use that to basically take advantage of the kinds of best practices that we're trying to propagate through Project Glass and other initiatives, and basically run that against your own code bases to identify vulnerabilities in the same way that we would be using in any other program. I also see it as a very open ecosystem, especially with capabilities like hooks that you have introduced in Claude Code and Claude Work, where practitioners like us can have deep hooks with the controls that we were talking about. So it is something that can safely enable the use of AI everywhere for our customers.

Andrew, we could keep talking for a long time. We did yesterday over dinner. But thanks for joining us here and sharing your insights. Thank you.

Thank you so much for having us.

All right. So, interesting partnerships, new set of frontiers we are opening, working with companies like Anthropic. Now, wrapping up my presentation, I would love for you all to know more about what we are doing. Three big innovations that we rolled out: AI Access Graph, AI Broker, AI Endpoint Security in early access. They are going available for you to learn to play with. We have an AI Security Cafe where you can see live demos of them. You can actually go to our breakouts and actually see the in-depth demos of the fluffy demos that I did, as I call them: deep tech demos. And the key point that I want to leave with you is, apart from these three major innovations, there are 16 major enhancements we did in AI Protect. These are fascinating sets of requests that many of you already are testing and playing with. Please spend time learning more about it. Our vision and our mission is to secure AI everywhere. You have AI; we secure AI everywhere. Whether it's endpoint, whether it's public cloud, whether it's a private endpoint in your data center, or inside a SaaS application, we want to be the partner of choice working with you to secure AI everywhere. Please visit some of these breakouts and demos in the AI Cafe. These are happening today, and you will get to learn more, and provide your feedback, and we learn from you as well. With that, I'll wrap up the presentation and hope you have a good rest of Zenith Live. Thank you.

Please welcome to the stage Zscaler Chief Marketing Officer, Silvija Fredo.

Hello. What a morning it has been. But I've got one more announcement for you. You've heard us talk about technology and what it takes to secure the enterprise. But the reality is organizations are moving fastest today and operate with the smallest margins of error. Seconds matter. Decisions happen in real time. Welcome to the family, Zscaler. Ladies and gentlemen, I'm excited to announce our newest global partnership with Aston Martin Formula 1 team. What excites us most about this partnership is not just what happens on the track, but what it represents. Formula 1 is the most data-centric sport in the world today. And together with Aston Martin, we're proud to build this partnership centered on speed, innovation, performance, and of course, resilience. I'd love to welcome to share the stage with me the Director of Global Partnership at Aston Martin, Chris Jones.

Welcome to the family.

Thank you. It's great to be here today. Great to see you all.

Let's go check out the car.

She's stunning.

She is. So, what's next? Which Grand Prix?

Austria. Following this weekend's time with the branding from Zscaler going live. And then the home of Formula 1, our home race, Silverstone. The first race you'll see us at as well.

Yes. The race that the world will see us together. See us coming.

Absolutely.

So, you're in the world of Formula 1. Walk us through what it's like. Talk to us about the world of Formula 1 from your eyes.

We spend a lot of time on an airplane, a little time in hotel rooms. But it's the pinnacle of motorsport, the most technology-advanced sport in the world. Data, technology, innovation, precision engineering. Everything we do is measured by the clock. Win or lose, it's tenths or thousandths of a second. The ability to make decisions under pressure is immense. For us, these technology partnerships are deeper than just branding. They're about utilizing the technology within our organization and making our business better. So today, we're really proud to announce the partnership with Zscaler and look forward to success both on and off the track.

Thank you. It's so great to have you here. It's great to have the car here. For everyone else enjoying the break, we welcome you to have a look at this beautiful machine outside on the floor. Thank you for being here.