Back to MCP Servers

Zscaler MCP Server

Official Zscaler MCP server for AI-driven management of Zero Trust Exchange platforms including ZIA, ZPA, ZDX, ZCC, ZIdentity, and more.

Security by Zscaler OAuth2 active
GitHub Docs
Overview

The Zscaler Integrations MCP Server is the official Model Context Protocol server from Zscaler for managing the Zero Trust Exchange platform through AI agents. It exposes a unified interface to multiple Zscaler products including Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), Zscaler Digital Experience (ZDX), Zscaler Client Connector (ZCC), ZIdentity, Microsegmentation (ZMS), Workload Segmentation (ZTW), External Attack Surface Management (EASM), and Z-Insights. The server is powered by the official Zscaler Python SDK and authenticates against the OneAPI unified credential system.

The server ships with roughly 382 tools grouped into service-specific toolsets. By default it operates in read-only mode, exposing only list_* and get_* style operations. Write operations require the --enable-write-tools flag and an allowlist via --write-tools, while delete operations additionally require a server-side HMAC-SHA256 confirmation token with a 5-minute TTL, which mitigates prompt-injection attacks against destructive actions. Tool calls can be audited via --log-tool-calls with sensitive arguments redacted.

It is maintained officially by Zscaler under the zscaler GitHub organization, released as open source under the MIT license, and supports three transports: stdio (default), SSE, and streamable-http. It works with Claude Desktop (manual config or one-click extension), Claude Code, Cursor, and other MCP-compatible clients, and supports container deployments to targets such as Google Cloud Run and Amazon Bedrock AgentCore.

Tools

Tool Description
ZIA toolset Manage Zscaler Internet Access security policies, URL filtering, firewall rules, DLP, sandbox, rule labels, and admin configuration. Approximately 166 read/write tools.
ZPA toolset Manage Zscaler Private Access application segments, segment groups, server groups, connector groups, and access policies. Approximately 109 read/write tools.
ZDX toolset Query Zscaler Digital Experience monitoring data: device metrics, application performance, alerts, and user experience analytics. Approximately 31 tools.
ZCC toolset Read-only device management for Zscaler Client Connector. 4 tools.
ZIdentity toolset Read-only access to identity and access management entities such as users, groups, and OneAPI client metadata. 10 tools.
ZMS toolset Microsegmentation: list agents, policies, and segmentation entities. 20 read-only tools.
ZTW toolset Workload Segmentation read/write tools for managing workload policies and rules. 19 tools.
EASM toolset External Attack Surface Management: enumerate discovered assets, exposures, and findings. 7 read-only tools.
Z-Insights toolset Read-only analytics across Zscaler products. 16 tools.
Meta toolset Always-on meta tools for discovering enabled toolsets, listing available tools, and obtaining confirmation tokens for destructive operations.
Setup Guide

Prerequisites

  • Python 3.11 or higher
  • uv package manager (recommended) or pip
  • Zscaler OneAPI client credentials (created in the ZIdentity admin console)
  • API client must have the required service scopes for the toolsets you plan to use

Installation

Install via uv:

uv tool install zscaler-mcp

Or from source:

git clone https://github.com/zscaler/zscaler-mcp-server.git
cd zscaler-mcp-server
uv pip install -e .

Environment variables

Create a .env file containing your OneAPI credentials:

ZSCALER_CLIENT_ID=your_client_id
ZSCALER_CLIENT_SECRET=your_client_secret
ZSCALER_CUSTOMER_ID=your_customer_id
ZSCALER_VANITY_DOMAIN=your_vanity_domain
# Optional: set to "beta" for Beta tenants
# ZSCALER_CLOUD=beta
# Optional: PEM key as alternative to CLIENT_SECRET
# ZSCALER_PRIVATE_KEY=...

Claude Desktop configuration

Edit claude_desktop_config.json:

{
  "mcpServers": {
    "zscaler-mcp-server": {
      "command": "uvx",
      "args": ["--env-file", "/absolute/path/to/your/.env", "zscaler-mcp"]
    }
  }
}

Use absolute paths for the env file. Relative paths will fail.

Enabling write tools

Write operations are disabled by default. To enable, append flags to the server command:

zscaler-mcp --enable-write-tools --write-tools "zia_create_*,zpa_update_*"

Delete operations additionally require a single-use HMAC-SHA256 confirmation token (5-minute TTL) returned by the meta toolset.

Use Cases
  • Query ZIA URL filtering, firewall, and DLP rules in natural language to audit policy posture before a change window.
  • Triage ZDX user experience issues by asking an agent to correlate device health, application latency, and active alerts for a specific user.
  • Inventory ZPA application segments, segment groups, and access policies during a Zero Trust migration to map who can reach what.
  • Investigate EASM findings and Z-Insights analytics to summarize external exposures and recent threat signals for a weekly security review.
  • Automate controlled ZIA/ZPA policy edits via an AI agent using the gated write-tools allowlist plus confirmation tokens for safety.
Example Prompts
  • "List all ZPA application segments in the Production segment group and show which access policies reference them."
  • "Show me ZDX devices reporting poor experience scores for Microsoft 365 in the last 24 hours."
  • "Summarize current ZIA URL filtering rules that block the Gambling category and tell me which rule labels they use."
  • "Pull the latest EASM findings classified as high severity and group them by discovered domain."
  • "Using the meta toolset, list all enabled toolsets and tell me which write tools are currently allowed."
Pros
  • Officially maintained by Zscaler under the zscaler GitHub org, MIT licensed, and powered by the official Zscaler Python SDK.
  • Broad product coverage with about 382 tools spanning ZIA, ZPA, ZDX, ZCC, ZIdentity, ZMS, ZTW, EASM, and Z-Insights.
  • Strong safety defaults: read-only by default, allowlist-gated write tools, and HMAC-SHA256 confirmation tokens required for delete operations.
  • Multiple transports (stdio, SSE, streamable-http) and documented deployment patterns including Google Cloud Run and Amazon Bedrock AgentCore.
Limitations
  • Requires a Zscaler tenant and OneAPI client credentials, so it is not useful without an existing Zscaler subscription.
  • Python 3.11+ and uv are required, and absolute paths must be used in MCP client configs, which adds friction on Windows.
  • Several toolsets (ZCC, ZIdentity, ZMS, EASM, Z-Insights) are read-only, so write workflows are not uniformly available across products.
Alternatives
  • Cloudflare MCP servers for managing Cloudflare Zero Trust, WARP, and Access policies.
  • Wiz MCP integrations for cloud security posture and threat findings via AI agents.
  • Building a custom MCP server on top of the Zscaler OneAPI directly when you need narrower scope or custom guardrails.
More Security MCP Servers
Bitwarden
Local-first MCP server for Bitwarden. Manage vault items, generate passwords, share secrets via Send, and administer organizations through the Bitwarden CLI and public API.
Conviso
MCP server for the Conviso Platform. Lets AI agents query software assets, vulnerabilities, security projects, and AppSec risk metrics.
CrowdStrike Falcon
Official CrowdStrike MCP server connecting AI agents to the Falcon platform for detections, threat intel, hosts, vulnerabilities, and security automation.
DataGrail
Provider-hosted MCP server for DataGrail's Vera privacy platform. Manage DSRs, opt-outs, data mapping, consent, and risk assessments from AI tools.