Practice Free ZDTA Zscaler Digital Transformation Administrator Exam Questions Answers With Explanation

The ZDTA study guide frames common breaches around a four-step lifecycle: discover the attack surface, compromise an entry point, move laterally, and exfiltrate data. Finding the attack surface is the reconnaissance phase in which attackers search for exposed VPNs, firewalls, applications, ports, or public services. Option D (Find Attack Surface) is correct because attack-surface discovery is one of the documented stages.

Why the other options are incorrect:

A. Find Cash Safe: That phrase describes a physical-world target, not a step in the cyberattack lifecycle.

B. Find Email Addresses: Email and webhooks forward alerts to people or third-party systems for response workflows.

C. Find Least Secure Office Building: That phrase describes a physical-world target, not a step in the cyberattack lifecycle.

Trusted Network Detection relies on observable network signals from the endpoint. Hostname/IP resolution, DNS server, and DNS search domain are valid criteria because they indicate whether the device is attached to a known corporate network. Option D (DNS Search Domain, DNS Server, Hostname Resolution) is correct because it lists supported trusted-network criteria.

Why the other options are incorrect:

A. Hostname Resolution, Network Adapter IP, Default Gateway: Default Gateway can identify a local network path, but it is not always one of the exact trusted-network criteria set in this item.

B. DNS Servers, DNS Search Domain, Network Adapter IP: DNS Search Domain is a trusted-network signal because corporate networks commonly push recognizable suffixes to endpoints.

C. Hostname Resolution, DNS Servers, Geo Location: DNS Server criteria identify a trusted network by checking whether the endpoint sees expected internal resolver addresses.

The PAC file associated with the Forwarding Profile helps Zscaler Client Connector identify how traffic should be forwarded and which ZIA Service Edge path should be used. The App Profile assigns the Forwarding Profile, but the forwarding PAC is the mechanism that drives service-edge selection logic for ZIA traffic. Option B (The PAC file used in the Forwarding Profile) is correct because the Forwarding Profile PAC is the relevant steering mechanism.

Why the other options are incorrect:

A. The IP ranges included/excluded in the App Profile: App Profile include/exclude ranges influence what traffic the client should handle. The question asks how the ZIA Service Edge is identified, which comes from the forwarding PAC logic.

C. The PAC file used in the Application Profile: A PAC file tells the client or browser which proxy path to use for matching destinations.

D. The Machine Key used in the Application Profile: A machine key identifies the installed device/client context; it is not the PAC/service-edge steering mechanism.

When SSL Inspection policy bypasses a transaction, Zscaler does not decrypt and re-sign the session. Instead, the proxy passes the TLS connection through so the browser receives the real origin-server certificate. This behavior is used for pinned applications, privacy categories, and traffic that should not be decrypted. Option C (When traffic is exempted in SSL Inspection policy rules) is correct because bypassed SSL Inspection rules preserve the server certificate in the user's browser session.

Why the other options are incorrect:

A. When traffic contains a known threat signature: Threat signatures trigger security handling such as blocking or inspection. Passing the real server certificate happens when SSL inspection is bypassed.

B. When web traffic is on custom TCP ports: Custom TCP ports affect traffic handling and forwarding. They do not automatically make Zscaler present the real origin certificate to the browser.

D. When user has connected to server in the past: Past connection history does not decide certificate presentation. The SSL Inspection policy action for the current transaction does.

A ZIA Location represents a network egress point such as a branch, campus, or data center. A Sublocation divides that location into logical traffic groups, commonly to separate employee traffic, guest traffic, IoT networks, or departments so different policies and reporting can apply. Option A (The section of a corporate Location used to separate traffic, like traffic from employees from guest traffic) is correct because a sublocation is a subdivision of a corporate location for traffic separation.

Why the other options are incorrect:

B. The section of a corporate Location that sends traffic to a Subcloud: A subcloud is not how ZIA sublocations are defined for policy and reporting.

C. Every one of the sections in a Corporate Location that use overlapping IP addresses: Overlapping IP space is an addressing challenge; a sublocation is used to separate traffic inside a larger location.

D. A way to separate generic traffic from that coming from Client Connector: Separating generic traffic from Client Connector traffic is not the purpose of ZIA sublocation design.

Botnet Protection targets command-and-control behavior, including known C2 destinations, suspicious command traffic, and unknown C2 patterns detected through analytics or AI/ML. IPS and YARA-style content analysis are used to identify C2-like traffic and malicious patterns, not general malware categories alone. Option B (Connections to known C & C servers, Command traffic (sending / receiving), Unknown C & C using AI/ML) is correct because Command and Control traffic is the botnet behavior being protected against.

Why the other options are incorrect:

A. Malicious file downloads, Command traffic (sending / receiving), Data exfiltration: Malicious-file downloads and data exfiltration are important protections, but Botnet Protection specifically focuses on C2 destinations and command traffic.

C. Connections to known C & C servers, Detection of phishing sites, Access to spam sites: Phishing starts with social engineering: fake messages, links, or login pages. The question describes a legitimate common website being seeded with malicious JavaScript.

D. Vulnerabilities in web server applications, Unknown C & C using AI/ML, Vulnerable ActiveX controls: C2/botnet controls detect hosts communicating with known or suspected command-and-control infrastructure.

Zscaler Bandwidth Control shapes traffic from the user's perspective by managing outbound flows. Inbound traffic and localhost traffic are not shaped in the same manner because the control point is the egress direction where user traffic leaves toward Zscaler and destinations. Option A (Outbound traffic is shaped. Inbound or localhost traffic is unshaped) is correct because Bandwidth Control shapes outbound traffic only.

Why the other options are incorrect:

B. Outbound or inbound traffic is shaped. Localhost traffic is unshaped: Inbound shaping would control return traffic, which is not how Zscaler Bandwidth Control is applied from the user perspective.

C. Inbound traffic is shaped. Outbound or localhost traffic is unshaped: Inbound shaping would control return traffic, which is not how Zscaler Bandwidth Control is applied from the user perspective.

D. Localhost traffic is shaped. Outbound or Inbound traffic is unshaped: Inbound shaping would control return traffic, which is not how Zscaler Bandwidth Control is applied from the user perspective.

Zscaler supports forwarding methods such as GRE, IPSec, HTTP CONNECT-style proxy tunnels, and Zscaler proprietary microtunnels depending on the use case. SSTP is a Microsoft VPN tunneling protocol, not a supported Zscaler tunnel type for this platform context. Option D (Secure Socket Tunneling Protocol (SSTP)) is correct because SSTP is the unsupported tunnel option.

Why the other options are incorrect:

A. Generic Routing and Encapsulation (GRE): GRE is a location tunnel method normally used from branches or data centers to Zscaler service edges.

B. HTTP Connect Tunnels: HTTP CONNECT tunnels proxy TCP sessions through an HTTP proxy path; they are not Zscaler Tunnel 2.0 DTLS/TLS transport.

C. Proprietary Microtunnels: A Microtunnel is the per-application communication channel ZPA creates between the user and the private app.

Before a new App Connector starts the connector service, it must be provisioned into the correct ZPA App Connector Group. The group provisioning key is copied to the connector's local provisioning-key path so the connector can enroll and join the intended group. Option A (Copy the group provisioning key to /opt/zscaler/var/provision key) is correct because the provisioning key must be installed before starting zpa-connector.

Why the other options are incorrect:

B. Monitor the peak CPU and memory utilization of the AC: CPU and memory metrics can show connector load, but they do not prove the connector is registered, reachable, and healthy in ZPA service status.

C. Schedule periodic software updates for the app connector group: An App Connector Group is a set of connectors deployed near applications to provide outbound-only reachability.

D. Check the status of the new App Connector in the administration portal: Checking portal status is useful after deployment, but the scenario asks what to communicate before deployment so the VM/container team builds the connector correctly.

A Zscaler Client Connector Forwarding Profile determines how traffic is steered to the Zscaler cloud and what fallback behavior applies. For Tunnel 2.0, the profile defines how the client behaves when the preferred DTLS tunnel cannot be established, including fallback to TLS where configured. Option A (Fallback methods and behavior when a DTLS tunnel cannot be established) is correct because DTLS fallback behavior is a Forwarding Profile function.

Why the other options are incorrect:

B. Application PAC file location: A PAC file tells the client or browser which proxy path to use for matching destinations.

C. System PAC file when off trusted network: Trusted Network detection decides whether the device is on a known corporate network using signals such as DNS servers, search domains, gateways, or hostname resolution.

D. Fallback methods and behavior when a TLS tunnel cannot be established: TLS tunneling is the fallback encrypted transport when DTLS is unavailable.

Zscaler alerting is not limited to email. Alert Rules and detection/response notifications can be sent through webhooks or integrated with collaboration, ITSM, UCaaS, and other third-party tools depending on configuration. Option D (In addition to email, notifications, based on Alert Rules, can be shared with leading ITSM or UCAAS tools over Webhooks) is correct because email and webhook-based integrations support external notification workflows.

Why the other options are incorrect:

A. Email is the only method for notifications as that is universally applicable and no other way of sending them makes sense: Email and webhooks forward alerts to people or third-party systems for response workflows.

B. In addition to email, text messages can be sent directly to one cell phone to alert the CISO who is then coordinating the work on the incident: Email and webhooks forward alerts to people or third-party systems for response workflows.

C. Leading ITSM systems can be connected to the Zero Trust Exchange using a NSS server, which will then connect to ITSM tools and forwards the alert: NSS is for log streaming to analytics/SIEM destinations. Alert-rule notifications use email and webhook integrations, including ITSM or UCaaS tools.

Zscaler's Microsoft 365 optimization model is designed to reduce latency and avoid breaking Microsoft-recommended connectivity patterns. The Office 365 One Click rule automatically applies recommended bypass/optimization behavior for Microsoft 365 traffic, including exemption from SSL inspection and other web-policy processing where required. Option C (Multiple distributed DNS resolvers providing local results) is correct because the immediate effect is optimized M365 handling rather than blanket inspection or blocking.

Why the other options are incorrect:

A. Single DNS resolver with forwarders providing centralized results: DNS resolves names to IP addresses; it is a support service, not an access protocol or scoring engine by itself.

B. Private MPLS in each branch office providing connection: Private MPLS backhaul keeps traffic on the old hub-and-spoke path instead of sending users directly to the nearest cloud service.

D. Optimized TCP Scaling for maximum throughput of files: TCP scaling can improve throughput for some flows, but it does not choose the nearest Microsoft 365 service endpoint.

Legacy firewalls introduce performance risk because they were designed around centralized perimeter enforcement and hardware capacity limits. Cloud and remote-work traffic creates encrypted, high-volume flows that can overwhelm appliance-based inspection and force inefficient backhauling. Option C (Gen AI Insights Logs) is correct because performance degradation is a real business risk of legacy firewall architecture.

Why the other options are incorrect:

A. SaaS Security Logs: SaaS Security logs cover API/CASB activity in SaaS tenants. Prompt visibility for generative AI applications belongs in Gen AI Insights logs.

B. Web Insights Logs: Web Insights logs summarize web traffic activity; Gen AI prompt visibility belongs in Gen AI Insights where enabled.

D. Advanced Firewall Logs: Advanced Firewall logs show firewall sessions and network applications, not Gen AI prompt content.

Zscaler SaaS Security Posture Management evaluates supported SaaS platforms for risky configurations, posture gaps, and compliance issues. Google Workspace is one of the supported SaaS environments for posture assessment, whereas storage or collaboration tools in the other choices do not match this SSPM support item. Option D (Google Workspace) is correct because Google Workspace is the supported SaaS platform in this question.

Why the other options are incorrect:

A. Amazon S3: Amazon S3 is cloud object storage, not the SaaS collaboration suite named by the tested SSPM support item.

B. Webex Teams: Webex Teams is a collaboration app. The question’s intended application/control is not Webex Teams.

C. Dropbox: Dropbox is cloud storage. It is a common SaaS destination, but it is not the application identified by the scenario’s correct answer.

ZIA Malware Protection is an inline security control that blocks malicious files or objects detected through signatures, reputation, and threat-intelligence checks. The policy action must stop the malicious transfer rather than simply route, isolate, or change TLS behavior. Option A (Malware protection) is correct because Block is the malware policy action that prevents the identified malicious content from reaching the user.

Why the other options are incorrect:

B. File reputation: File reputation checks whether an object is known good or bad. The question’s answer is about the behavior-analysis control for unknown files.

C. SHA-256 hashing: SHA-256 hashing is a cryptographic integrity/hash function. It does not execute a suspicious file or observe behavior the way Cloud Sandbox does.

D. Site reputation: Site reputation scores web destinations. It does not detonate or analyze the file itself.

ZPA App Connectors are the outbound-only brokers that make private applications reachable through the Zero Trust Exchange. For resiliency, Zscaler recommends at least two App Connectors so traffic can continue if one connector is unavailable, being upgraded, or overloaded. Option A (2) is correct because a two-connector minimum provides the basic high-availability pattern for private application access.

Why the other options are incorrect:

B. 6: Six connectors would be more than the minimum for a single resilient ZPA deployment. The exam asks for the recommended minimum, and two connectors provide the basic active redundancy pattern.

C. 4: Four connectors can be a valid larger design for capacity or multiple sites. It is not the minimum number needed to avoid a single connector failure.

D. 3: Three connectors can add extra capacity, but Zscaler’s basic resiliency recommendation starts with a pair, not an odd three-connector minimum.

Cloud Browser Isolation protects users by rendering risky web content in a remote browser environment instead of on the endpoint. URL Filtering can use Isolate as an action, so users may still access selected untrusted sites while scripts, active content, and browser-exploit risk remain separated from the device. Option B (A new malicious file was detected by the sandbox due to an “allow and scan” First-Time Action in the sandbox policy) is correct because isolation is an enforceable URL Filtering action, not a separate manual workaround.

Why the other options are incorrect:

A. Zscaler's AI/ML based Smart Browser Isolation was triggered due to a users accessing a newly-registered domain: Browser Isolation renders web content remotely so active content never executes directly on the endpoint.

C. A new malicious file was detected by the sandbox due to an “quarantine” First-Time Action in the sandbox policy: Cloud Sandbox detonates and observes suspicious files to identify unknown or advanced malware behavior.

D. Zscaler detected a HIPAA violation with in-band Data Protection scanning: An in-band HIPAA DLP violation would be inline data-protection scanning. The scenario is asking about the specific log/report signal identified by the correct answer.

In ZPA, Server Groups define back-end server reachability and are associated with App Connector Groups that can resolve and check those servers. Dynamic Server Discovery lets the mapped connector groups discover or resolve application servers and perform health checks before traffic is steered. Option D (Server Groups are configured for Dynamic Server Discovery so that mapped Connector Groups can DNS resolve and make health checks toward the application) is correct because Server Groups provide the discovery/health-check relationship to the mapped Connector Groups.

Why the other options are incorrect:

A. Server Groups are configured for Dynamic Server Discovery so that mapped Connector Groups can then DNS resolve individual application Segment Groups: A Server Group groups application servers and maps them to App Connector Groups that can reach those servers.

B. Connector Groups are configured for Dynamic Server Discovery so that mapped Server Groups can DNS resolve and advertise the applications: A Server Group groups application servers and maps them to App Connector Groups that can reach those servers.

C. Connector Groups are configured for Dynamic Server Discovery so that ZPA can steer traffic through the appropriate Server Group: A Server Group groups application servers and maps them to App Connector Groups that can reach those servers.

ZIA Malware Protection is an inline security control that blocks malicious files or objects detected through signatures, reputation, and threat-intelligence checks. The policy action must stop the malicious transfer rather than simply route, isolate, or change TLS behavior. Option B (Block) is correct because Block is the malware policy action that prevents the identified malicious content from reaching the user.

Why the other options are incorrect:

A. Allow: Allow would permit the file or activity. A sandbox or malware policy often needs to hold, block, or analyze suspicious content instead of simply allowing it.

C. Unwanted Applications: Unwanted Applications is a software/category control. Malware-policy behavior is about malicious content handling.

D. Malware Protection: Malware Protection blocks known malicious objects. Sandbox behavior is used when a file needs detonation or verdict analysis.

Exact Data Match protects structured sensitive data by converting source values into secure hashes before they are used by Zscaler cloud enforcement. The on-premises EDM VM performs indexing locally so raw customer data is not uploaded into the Zscaler cloud. Only hashed values are used for matching. Option C (To automate the indexing process by creating hashes for structured data elements) is correct because the VM automates indexing and sends hashed data, not clear sensitive records, to the cloud.

Why the other options are incorrect:

A. To local analyze cloud transactions for potential PII exfiltration: Local analysis of cloud transactions describes inline inspection behavior. EDM’s on-premises VM is used before enforcement to hash/index structured data safely.

B. To replicate sensitive data across all organizational servers: Replicating sensitive data everywhere would increase exposure. EDM avoids sending raw sensitive structured data to Zscaler by hashing/indexing it locally.

D. To store sensitive data securely and prevent unauthorized data access: Secure storage is a general data-security objective. The EDM VM’s job is not to become a vault; it prepares hashed indexes for matching.

OneAPI authentication is based on modern token-based identity, aligned with OIDC/OAuth concepts through ZIdentity. OIDC is preferred for API authentication because it supports structured token validation and controlled access for automation clients. Option A (OpenID Connect (OIDC)) is correct because OIDC is the preferred authentication approach for OneAPI.

Why the other options are incorrect:

B. Transport Layer Security (TLS): TLS protects the transport channel. It does not identify the client or provide the OAuth/OIDC identity layer used for OneAPI authentication.

C. Security Assertion Markup Language (SAML): SAML is for browser SSO. OneAPI access tokens come from an OAuth/OIDC-style token endpoint flow, not from a SAML login assertion.

D. System for Cross-domain Identity Management (SCIM): SCIM keeps users, groups, and attributes synchronized. It does not authenticate an API client or issue OneAPI access tokens.

ZPA grants access only after the request satisfies the authorization and security conditions in policy. This is core Zero Trust behavior: identity is verified, context is checked, device posture may be evaluated, and least-privilege rules determine whether a segmented private app is reachable. Option A (After passing criteria checks related to authorization and security) is correct because access is conditional on passing the defined criteria, not on merely initiating a connection.

Why the other options are incorrect:

B. Immediately upon connection request for best performance: Immediate access would skip the Zero Trust decision. ZPA first checks identity, context, posture, and policy before creating the private-app connection.

C. After a short delay of a random number of seconds: Random delay is not a security control in ZPA. Access is granted or denied predictably after the rule conditions are evaluated.

D. After verifying the user password inside of private application: The private application may still have its own login, but ZPA conditional access is decided before the user reaches that app. ZPA is the access broker, not the application password checker.

For a new cloud-gen firewall configuration, a default block posture is the safer baseline. Administrators should explicitly permit required business traffic and preserve required Zscaler service rules instead of leaving a broad default allow that weakens least-privilege design. Option A (Block all traffic) is correct because block all traffic is the recommended default-deny stance.

Why the other options are incorrect:

B. Permit all traffic: Permit-all firewall posture lets unexpected services leave the network until later rules stop them.

C. Disable the firewall: Disabling the firewall removes the enforcement layer instead of creating a safe default rule set.

D. Allow only web traffic (ports 80/443): Allowing only ports 80/443 would ignore valid non-web business traffic that may need explicit firewall rules.

At launch, Zscaler Client Connector must determine which tenant and identity flow apply to the user's domain. The Zscaler Central Authority provides this discovery information so the client can direct authentication to the correct IdP and service cloud. Option B (Zscaler Central Authority) is correct because Central Authority is the initial lookup point for domain and IdP context.

Why the other options are incorrect:

A. Zscaler Private Access (ZPA) Portal: The ZPA portal manages private access configuration. At launch, Client Connector first needs cloud/domain discovery, which is handled through Central Authority.

C. Zscaler Internet Access (ZIA) Portal: The ZIA portal manages Internet Access policy after tenant selection. It is not the first discovery service that maps the user domain to the correct IdP.

D. Zscaler Client Connector Portal: Zscaler Client Connector is the endpoint agent that steers traffic, authenticates users, reports posture, and supplies ZDX telemetry.

Experience Center is the unified management console for Zscaler for Users administration. It provides a single administrative entry point for internet and SaaS access, private applications, digital experience monitoring, and endpoint agent configuration. Option C (Experience Center) is correct because Experience Center is the unified console, whereas OneAPI is automation-focused.

Why the other options are incorrect:

A. identity Admin Portal: Identity Admin Portal focuses on identity administration, while the Experience Center is the broader unified console.

B. Mobile Admin Portal: Mobile Admin Portal/Client Connector administration is for endpoint-agent configuration, not the identity-policy component in the stem.

D. One API: OneAPI is the automation API layer. Administrators use Experience Center as the unified graphical console.

After ZIA validates the user's authentication, Client Connector provides the authentication token to the Client Connector Portal so the device can be registered. That registration ties the authenticated user, device, and enrollment state together for policy, posture, and service entitlement decisions. Option C (To enable the portal to register the user’s device and pass the registration to Zscaler Internet Access) is correct because the token enables device registration and passes that registration to ZIA.

Why the other options are incorrect:

A. To bypass multifactor authentication (MFA) during the enrollment process: Bypassing MFA would weaken assurance. The token exchange registers the device/session with Zscaler; it is not a shortcut around the IdP or MFA policy.

B. To immediately grant the user access to Zscaler Private Access resources: A valid login proves identity, but it does not grant every private resource. ZPA still applies access policy, posture, and app-segment entitlement.

D. To share the authentication token with the SAML IdP to validate the user session: The SAML IdP issues the authentication assertion. Device registration after that belongs to the Zscaler Client Connector Portal and ZIA token workflow.

Advanced Threat Protection defends users from malicious active content, phishing, exploit behavior, C2 callbacks, and risky web destinations. It works as part of ZIA's inline security stack, often alongside TLS inspection, Cloud Sandbox, DNS security, IPS, and URL categorization. Option A (Cloud App Control) is correct because malicious active content is the security object ATP is designed to detect and block.

Why the other options are incorrect:

B. URL Filtering: URL Filtering controls web destinations by category, URL, risk, and action such as allow, block, caution, or isolate.

C. Advanced Threat Protection: Advanced Threat Protection blocks malicious active content and related threats. The question is asking for the policy feature named by the configured category, which is not ATP here.

D. Mobile Malware Protection: Mobile Malware Protection focuses on mobile-device malware. The tested ZIA feature is broader web/cloud enforcement rather than mobile-only protection.

A ZPA microtunnel is the per-application communication channel created after the user is authenticated and authorized. It carries traffic from the user side through the Zscaler service edge to the App Connector path for the internal application. Option D (To create an end-to-end communication channel to internal applications) is correct because the M-Tunnel is built for private application communication, not endpoint-to-endpoint or IdP connectivity.

Why the other options are incorrect:

A. To provide an end-to-end communication channel between ZCC clients: ZCC-to-ZCC communication would be peer endpoint connectivity. A ZPA microtunnel is created from the user side toward a specific internal application.

B. To provide an end-to-end communication channel to Microsoft Applications such as M365: Microsoft 365 optimization uses local breakout, DNS locality, and inspection bypass where Microsoft recommends it for performance.

C. To create an end-to-end communication channel to Azure AD for authentication: Azure AD communication is part of authentication. The microtunnel carries private-application traffic after access is authorized.

Advanced Threat Protection defends users from malicious active content, phishing, exploit behavior, C2 callbacks, and risky web destinations. It works as part of ZIA's inline security stack, often alongside TLS inspection, Cloud Sandbox, DNS security, IPS, and URL categorization. Option C (Malicious active content) is correct because malicious active content is the security object ATP is designed to detect and block.

Why the other options are incorrect:

A. Vulnerable JavaScripts: Vulnerable JavaScript describes risky script behavior or client-side code, but it is narrower than the full ATP active-content category.

B. Large iFrames: An iFrame is an embedded page frame; suspicious iFrames can be a signal, but size alone is not the ATP protection category.

D. Command injection attacks: Command injection targets an application or server by passing operating-system commands through vulnerable input fields.

Zscaler DLP separates detection logic from enforcement policy. Dictionaries contain the sensitive-data patterns, keywords, identifiers, regexes, or fingerprinted data that identify protected information. DLP engines use those dictionaries to evaluate content, and DLP rules or policies decide the enforcement action. Option C (DLP engines) is correct because the detection foundation of a DLP engine is the dictionary content it evaluates against traffic or files.

Why the other options are incorrect:

A. Hosted PAC Files: A PAC file tells the client or browser which proxy path to use for matching destinations.

B. Index Tool: Index Tool suggests the hashing/indexing utility itself. In Zscaler DLP terminology, the protected content matching object is the IDM/EDM template or dictionary construct named by the answer.

D. VPN Credentials: VPN credentials authenticate remote network access. They are not a DLP matching method for identifying sensitive documents.

Trusted Network Detection relies on observable network signals from the endpoint. Hostname/IP resolution, DNS server, and DNS search domain are valid criteria because they indicate whether the device is attached to a known corporate network. Option C (Hostname/IP, DNS Server and DNS Search Domain) is correct because it lists supported trusted-network criteria.

Why the other options are incorrect:

A. DNS Server, DHCP Server and Hostname/IP: DNS Server criteria identify a trusted network by checking whether the endpoint sees expected internal resolver addresses.

B. DHCP Server, DNS Search Domain and Hostname/IP: DNS Search Domain is a trusted-network signal because corporate networks commonly push recognizable suffixes to endpoints.

D. Hostname/IP, DNS Search Domain and DHCP Server: DNS Search Domain is a trusted-network signal because corporate networks commonly push recognizable suffixes to endpoints.

Workflow Automation is used to notify users or teams when a DLP-related workflow needs attention. For end-user notification, enterprise collaboration tools such as Microsoft Teams and Slack are practical because they keep the message inside a controlled business channel. Option A (Notifications in MS Teams / Slack) is correct because Teams and Slack notifications are the supported user-notification path in this scenario.

Why the other options are incorrect:

B. SMS text message: SMS is a generic notification channel. Zscaler Workflow Automation for this use case sends collaboration notifications through tools like Teams or Slack.

C. Automated phone call: Automated phone calls are not the normal DLP workflow-notification method in this Zscaler scenario. The supported peer-collaboration channels are Teams and Slack.

D. Twitter post with custom hashtag: A Twitter/X post would be public and inappropriate for a DLP event. Zscaler uses controlled enterprise notification channels, not social posting.

Blocked Countries is the Advanced Threat Protection feature used to restrict website access based on geographic location. It gives administrators a geographic control to reduce exposure to destinations associated with embargoed, high-risk, or disallowed regions. Option C (Blocked Countries) is correct because the control is based on country/geography, not malware type.

Why the other options are incorrect:

A. Spyware Callback: Spyware Callback blocks outbound C2-style communications. It does not describe the browser exploit category in ATP policy.

B. Botnet Protection: C2/botnet controls detect hosts communicating with known or suspected command-and-control infrastructure.

D. Browser Exploits: Browser Exploits are attacks against browser vulnerabilities. The question’s correct category is the one named by the tested ATP setting, not generic browser exploit handling.

Zscaler DLP separates detection logic from enforcement policy. Dictionaries contain the sensitive-data patterns, keywords, identifiers, regexes, or fingerprinted data that identify protected information. DLP engines use those dictionaries to evaluate content, and DLP rules or policies decide the enforcement action. Option A (DLP Rules) is correct because the detection foundation of a DLP engine is the dictionary content it evaluates against traffic or files.

Why the other options are incorrect:

B. DLP dictionaries: DLP dictionaries hold the sensitive-data patterns, keywords, identifiers, or fingerprinted values used for detection.

C. DLP Engines: DLP Engines evaluate dictionaries and conditions, but Boolean logic is used when rules combine match conditions into policy logic.

D. DLP identifiers: DLP identifiers are individual match elements, while the broader engine/dictionary structure does the content detection work.

Inline Data Protection means Zscaler is inspecting data while it is actively moving through an inline traffic path, not after the file is already stored or copied locally. In ZIA, inline DLP evaluates web, SaaS, and webmail uploads in real time by using DLP engines, dictionaries, EDM/IDM, OCR, and other content-inspection logic. That is why Option D (Blocking the attachment of a sensitive document in webmail) is the verified answer: the sensitive document is attached to webmail and Zscaler can stop that outbound transaction before the content leaves the organization.

Why the other options are incorrect:

A. Preventing the copying of a sensitive document to a USB drive: USB-drive blocking is endpoint/data-in-use protection. It stops a local copy action, while inline DLP stops sensitive content as it moves through ZIA traffic.

B. Preventing the sharing of a sensitive document in OneDrive: OneDrive sharing control is normally SaaS API/CASB enforcement against a file already stored in OneDrive. The webmail attachment case is live data-in-motion inspection.

C. Analyzing a customer’s M365 tenant for security best practices: M365 tenant analysis checks configuration posture, permissions, and risky settings. It gives visibility and recommendations; it does not block a user upload in real time.

A Deception Landmine is endpoint software that plants decoy artifacts such as fake credentials, files, processes, or lures. Those artifacts are designed to attract attackers who are moving laterally or harvesting credentials, causing high-fidelity alerts when touched. Option C (Software agent installed on endpoints, such as desktops or laptops on a network. These agents deploy decoy credentials, files, processes, and lures to other decoys at endpoints) is correct because a Landmine is an endpoint agent that deploys deception lures from the endpoint.

Why the other options are incorrect:

A. Agentless plug-in installed on endpoints, such as desktops or laptops on a network. These plug-ins deploy decoy credentials, files, processes, and lures to other decoys at endpoints: Deception uses decoys, fake credentials, lures, and traps to expose intruders who are exploring the environment.

B. Software agent installed on a centralized server in datacenter or in cloud. The agents running in the server deploy decoy credentials, files, processes, and lures to other decoys at endpoints: Deception uses decoys, fake credentials, lures, and traps to expose intruders who are exploring the environment.

D. Agentless plug-in installed on endpoints, such as desktops or laptops on a network. These plug-ins auto rotates decoy credentials, files, processes, and lures to other decoys at endpoints: Deception uses decoys, fake credentials, lures, and traps to expose intruders who are exploring the environment.

Strict Enforcement requires the installer to know both which Zscaler cloud to enroll against and which policy token authorizes the enforcement configuration. The cloudName parameter directs the client to the correct cloud, while policyToken applies the required strict-enforcement policy during enrollment. Option A (cloudName and policyToken) is correct because those two options are the required installer inputs.

Why the other options are incorrect:

B. userDomain and deviceToken: userDomain tells Client Connector the user login domain so it can route enrollment toward the right IdP.

C. cloudName and deviceToken: cloudName tells the installer which Zscaler cloud or tenant environment the client should use.

D. userDomain and policyToken: userDomain tells Client Connector the user login domain so it can route enrollment toward the right IdP.

Z-Tunnel 2.0 extends forwarding beyond web proxy traffic by securing all IP unicast traffic through DTLS/TLS tunnels to the Zero Trust Exchange. This enables Cloud Firewall and other controls to inspect all TCP and UDP ports, and ICMP where supported, rather than only browser HTTP/HTTPS flows. Option C (Zscaler Client Connector will encapsulate the user's traffic in DTLS/TLS tunnels to the ZTE) is correct because Tunnel 2.0 is the all-ports-and-protocols forwarding model for Client Connector.

Why the other options are incorrect:

A. Zscaler Client Connector will encapsulate the user's traffic in GRE tunnels to the ZTE: Zscaler Client Connector is the endpoint agent that steers traffic, authenticates users, reports posture, and supplies ZDX telemetry.

B. Zscaler Client Connector will encapsulate the user's traffic in IPSec tunnels to the ZTE: IPS inspects traffic inline for exploit signatures and attack patterns, then blocks or resets offending sessions.

D. Zscaler Client Connector will encapsulate the user's traffic in HTTP Connect tunnels to the ZTE: Zscaler Client Connector is the endpoint agent that steers traffic, authenticates users, reports posture, and supplies ZDX telemetry.

Platform Services provide shared foundations that other Zero Trust Exchange services consume. These include identity, policy framework, TLS decryption, device posture, logging, APIs, and other common capabilities that support ZIA, ZPA, ZDX, and related services. Option D (Platform Services) is correct because Platform Services are the common dependency layer.

Why the other options are incorrect:

A. Access Control Services: Access Control Services enforce user and application access decisions. They sit on top of the shared platform foundations rather than providing those foundations themselves.

B. Digital Experience Monitoring: Digital Experience Monitoring measures performance and user experience. It relies on the platform services layer for identity, policy, and telemetry foundations.

C. Cyber Security Services: Cyber Security Services inspect and block threats. They are consumers of the common platform layer, not the base layer that other services depend on.

Device posture must be re-evaluated regularly because endpoint state can change after access is granted. The maximum default frequency tested here is fifteen minutes, which gives Zscaler a relatively current view of compliance conditions. Option A (15 minutes) is correct because posture profile evaluation can occur every fifteen minutes by default.

Why the other options are incorrect:

B. 2 minutes: Two minutes would create much more frequent posture evaluation than the default maximum cadence. The tested default maximum frequency is fifteen minutes.

C. 5 minutes: Five minutes is more frequent than the default maximum posture-profile evaluation cadence. The tested value is fifteen minutes.

D. 10 minutes: Ten minutes is still shorter than the default maximum posture-profile evaluation cadence. The correct default maximum is fifteen minutes.