Zscaler Security Operations · Slack-Native

Your entire Zscaler stack.
One Slack command.

Incident response, policy management, threat intelligence - all through /zmate. Confirmed before anything executes. Audited where it happened.

No infrastructure changes required · Works with your existing Zscaler credentials
#incident-response
alex.sharma  10:42 AM
/zmate lockdown compromised@corp.io
Zmate [APP]  10:42 AM
Pending lockdown for compromised@corp.io
This will execute immediately:
  • ZPA DENY access policy rule at rank 1 - SAML email match
  • ZIA URL filtering rule - blocks ALL categories for this user only
  • Disable 4 ZPA app segments - belt-and-suspenders
  • Activate ZIA configuration
alex.sharma  10:42 AM
/zmate confirm <6-digit code>
Zmate [APP]  10:42 AM
Lockdown complete - compromised@corp.io
  • ZPA DENY rule created  [rank 1]
  • ZIA per-user URL block created + configuration activated
  • 4 app segments disabled
● LOCKDOWN ACTIVE

It's 11 PM. A credential is compromised.
How long does containment actually take?

Without Zmate
  1. Open the ZPA admin portal and navigate to Access Policy
  2. Create a DENY rule - form, SAML attributes, users
  3. Drag the rule to rank 1 in the reorder UI
  4. Switch tabs to ZIA - create a per-user URL block rule
  5. Navigate to App Segments - disable each one individually
  6. Activate ZIA. Verify everything actually applied.
~15–25 min of portal navigation under pressure
With Zmate
  1. Type /zmate lockdown user@corp.io
  2. Read the confirmation - see exactly what executes before it runs
  3. Type /zmate confirm <6-digit code> - ZPA + ZIA + segments in one shot
~8 seconds to execute. Audit trail in Slack. No portal opened.

No new data processor

Zmate passes commands to your Zscaler tenant via the official Zscaler MCP server and posts the results back to Slack. No third party stores or processes your tenant data; the only copy that exists outside your tenant is the result in your own Slack channel history. The Enterprise Runner option runs the bot inside your own infrastructure for zero data egress.

Confirm before every write

Every write operation requires an explicit /zmate confirm. The confirmation message shows exactly what will execute - rule names, IDs, scope - before a single API call is made.

Audit trail at zero cost

Every command, confirmation, and result lives in your Slack channel history, for as long as your workspace retention policy keeps it. No separate SIEM integration or audit log pipeline is needed to reconstruct who ran what, and when. Compliance reviews start and end in the channel where the change happened.

<10s - Median lockdown time
9 - Zscaler products covered
60+ - Commands available
2-step - Every write operation

Built for Zscaler Security Teams:
SOC Engineers, Admins, and CISOs.

01 / 03
Operations Team
On-call engineers running incident response. No portals. No runbooks. Just commands that work at 11 PM.

Use cases

Contain a compromised account in seconds
ZPA DENY rule at rank 1, ZIA per-user block, all segments disabled - one command, confirmed before it runs.
/zmate lockdown <email>
Triage a digital experience incident instantly
App score, trend, worst-affected users, and active alerts - one response, no dashboard.
/zmate triage <app>
Block malicious IPs and domains without a portal
Firewall rules, DNS blocks, and URL categories from any Slack channel with full audit trail.
/zmate firewall block <ip>
02 / 03
Security Admins
Policy engineers managing the ZPA and ZIA stack. CRUD operations without ever opening the admin portal for routine changes.

Use cases

Manage ZPA infrastructure from Slack
Create and delete segment groups, review access rules, enable or disable segments and connectors on demand.
/zmate segment-group create <name>
Manage ZIA network objects and policy rules
IP source/destination groups, rule labels, time intervals, auth exemptions - all writable from Slack with confirmation.
/zmate ip-source-group create <name> <ips>
Review identity, groups, and per-user policy
ZID identity lookup, group memberships, ZPA access rules scoped to a specific user - the full picture in one command.
/zmate user <email>
03 / 03
CISOs & Security Leads
Executives who need threat trends, shadow IT exposure, and attack surface visibility - without opening a dashboard.

Use cases

Full security posture snapshot on demand
Infrastructure health, 7-day incident trends, ZEASM findings, shadow IT exposure, cert expiry - one command, board-ready output.
/zmate report
External attack surface and threat trends
ZEASM findings by severity, lookalike domains impersonating your org, and 7/14-day ZINS incident trend lines.
/zmate attack-surface
Daily digest - no dashboard required
Automated morning briefing: incidents, shadow IT, ZDX worst apps, cert expiry, and ZEASM findings - delivered to any channel.
ZMATE_DIGEST_CHANNEL=<channel>

Everything your Zscaler stack can do.
From the channel you're already in.

User lockdown & isolation

Full containment in one command — ZPA DENY at rank 1, ZIA per-user URL block, all app segments disabled. Or push to CBI browser isolation to keep them working under surveillance. Lockdown and unlock require an MFA code at confirm time — two-factor protection for your highest-impact actions.

/zmate lockdown · /zmate isolate

Firewall, DNS & URL blocking

Cloud firewall rules with port-level scoping, DNS-layer domain blocking, and URL category rules - created and activated from Slack in seconds. Every write confirmed before it runs.

/zmate firewall · /zmate dns-block

ZDX experience & deep traces

Real-time app scores, per-user experience breakdowns, AI root-cause analysis, and full deep trace results - DNS, TCP, TTFB, cloud path, device health - without opening a dashboard.

/zmate triage · /zmate analyze

Threat intelligence & ZEASM

Live cyber incidents, 7/14-day threat trends, external attack surface findings, and lookalike phishing domains - proactively posted to your alert channel before anyone has to ask.

/zmate findings · /zmate threat-trends

Policy & infrastructure CRUD

Full lifecycle for ZPA segment groups and server groups. ZIA network objects - IP groups, rule labels, time intervals. PRA credentials and provisioning keys. All confirm-gated.

/zmate segment-group · /zmate rule-label

Executive reporting

Full posture snapshots, shadow IT CASB reports, firewall posture by location, web traffic geography, and a configurable daily digest - no portal, no BI tool, no meeting.

/zmate report · /zmate shadow-it-report

Three steps to deploy Zmate. No new infrastructure.

01

Connect credentials

Provide your Zscaler API credentials and Slack bot tokens. Point Zmate at your tenant. One-time setup, under ten minutes.

02

Type a command

Use /zmate <command> in any channel. Read exactly what will change before anything executes.

03

Confirm to execute

Type /zmate confirm. The result and full audit trail live in Slack history - permanently.

Every Zscaler product. One interface.

9 product areas, 60+ commands. All confirmed before execution. All audited in Slack.

ZIA - Internet Access · 35+ commands
$ url-block / url-unblock
    Add or remove any URL from a managed block category - creates the rule and category on first use, activates instantly
$ firewall block / unblock
    Cloud firewall rules scoped to any IP, optionally with TCP/UDP port restrictions - confirm before create
$ dns-block / dns-unblock
    DNS-layer domain blocking via cloud firewall DNS rules - fastest containment path for C2 domains
$ shadow-it / shadow-it-report
    Discover unsanctioned SaaS apps, block by category, and get an executive CASB risk summary
$ dlp / ssl-rules / file-type-rules
    Review all web DLP rules, SSL inspection policies, and file type control rules in one command
$ ip-source-group / ip-dest-group
    Create and delete IP source and destination groups - supports DSTN_IP, DSTN_FQDN, DSTN_DOMAIN types
$ rule-label create / delete
    Manage ZIA rule labels used to tag and organize policy rules across all ZIA policy types
$ auth-exempt list / add / remove
    Manage authentication exemption URLs - add trusted destinations that bypass ZIA authentication, without opening the portal
$ sandbox / sandbox-stats
    List sandbox policy rules and review submission statistics - top blocked file hashes and categories
$ network-services / time-intervals
    Browse all ZIA network service definitions and time-based policy intervals for schedule-aware rules
ZPA - Private Access · 20+ commands
$ lockdown / unlock <email>
    Instant containment: DENY rule at rank 1 with SAML email condition + disable all app segments. Fully reversible. MFA-protected - requires an authenticator code at confirm time.
$ isolate / de-isolate <email>
    Push any user into CBI browser isolation - keeps them working while eliminating unmonitored exfil paths
$ segment enable / disable
    Enable or disable any named app segment instantly - no portal navigation, change reflected immediately
$ segment-group create / delete
    Full lifecycle for ZPA segment groups - create by name, delete by name, confirm-gated
$ connector enable / disable
    Enable or disable any named app connector - useful for drain-and-replace maintenance workflows
$ access-rules / forwarding-rules
    Review all ZPA access policy rules and forwarding rules - full rule listing with conditions and actions
$ timeout-rules / app-protection
    Review ZPA timeout policies and app protection (inline WAF) rules for all configured applications
$ pra-creds / pra-cred delete
    List all PRA credentials and delete by ID - essential for offboarding and credential rotation workflows
$ provisioning-keys / delete
    List all ZPA provisioning keys and delete by ID and type - connector or service_edge key lifecycle
$ segments / connectors / server-groups
    Full inventory of all ZPA app segments, connectors, server groups, segment groups, and certificates
ZDX - Digital Experience · 12 commands
$ triage <app>
    Automated incident brief: current score, score trend, worst-affected users, and active alerts - one response, no dashboard required
$ analyze <email> <app>
    Start ZDX AI-powered root cause analysis - polls until complete, returns structured findings with contributing factors
$ deeptrace <email> <app>
    Start a full ZDX deep trace - auto-resolves device and probe IDs, no manual lookup required
$ deeptrace-status <device> <trace>
    Full trace results: DNS resolution, TCP handshake, TTFB, cloud path hop latency, device health metrics, top processes
$ zdx-user <email>
    Per-user experience breakdown across all ZDX applications - score, trend, and alert status per app
$ alert-history [--days N]
    Historical ZDX alert timeline for any lookback window - essential for post-incident review and reporting
$ experience / alerts
    Real-time application scores across all ZDX-monitored apps, and the current active alert list
$ zdx-devices / software
    Full ZDX device inventory and software listing - device health, version tracking, and enrollment status
ZCC - Client Connector · 3 commands (read-only)
$ devices
    Full inventory of all enrolled ZCC devices - OS, version, enrollment status, and assigned user across the entire org
$ zcc-policies
    List all ZCC forwarding profiles - review which profiles are active and what traffic they govern
$ user <email> - ZCC section
    The /zmate user command includes ZCC device enrollment for the specified user - correlated with ZID and ZPA data
ZID - Zscaler Identity · 4 commands
$ zid user <email>
    Full identity profile: display name, login, domain, IdP source, status, and complete group membership list with privileged group flagging
$ zid group <name>
    Group detail: description, full member listing - useful for verifying group scope before policy changes
$ user <email> - identity section
    The /zmate user command includes the full ZID identity section - groups, domain, IdP - alongside ZCC, ZPA, ZDX, and ZIA data
$ offboard <email>
    Offboard checklist: ZCC devices, ZID group memberships with privileged group warnings, active ZPA lockdown and isolation controls
ZINS - Insights & Analytics · 8 commands
$ incidents [severity]
    Live cyber incident feed with severity filter - active threats categorized by type, location, and impact across your tenant
$ threat-trends [--days 7|14]
    7 or 14-day incident trend line with daily breakdown, top threat categories by volume, and trend direction vs prior period
$ shadow-it-report
    CASB analytics: total app count, high-risk app count, top 10 apps by transaction volume - exec-ready shadow IT exposure summary
$ firewall-summary
    Firewall posture analytics: traffic breakdown by action (allow/block/bypass) and by location - identify policy gaps by site
$ web-traffic
    Web traffic geography: top 10 countries by volume - surface anomalous egress patterns and geographic risk distribution
$ report - ZINS section
    The /zmate report command includes the full ZINS 7-day incident summary and top threat categories as part of the posture snapshot
ZEASM - External Attack Surface · 3 commands (license required)
$ findings [severity]
    External attack surface findings filtered by severity - critical, high, medium, or low. Asset, description, and risk context per finding.
$ lookalike-domains
    Phishing and lookalike domains actively impersonating your organization - catch brand abuse before users are targeted
$ attack-surface
    Executive-facing snapshot: findings by severity, open count, lookalike domain count - one command, shareable output
$ Alert poller (background)
    When ZMATE_ALERT_CHANNEL is set, new ZEASM findings are posted automatically every 30 minutes - no manual polling required

What Zscaler security engineers say about Zmate.

"We ran a tabletop drill - account flagged as compromised at 11 PM. Before Zmate, containment was a fifteen-minute portal fumble even with the runbook open. With Zmate it was one command, and another to confirm before it ran. That confidence - knowing exactly what would happen before it happened - is what made it usable under pressure."
Sr. Security Engineer · DiGiForces

Common questions about Zmate
and Zscaler security automation.

What is Zmate?
Zmate is a Slack bot that wraps your Zscaler security stack - ZIA, ZPA, ZDX, ZCC, ZID, ZINS, and ZEASM - in /zmate slash commands. Security teams can execute incident response, policy management, and reporting directly from Slack. Every write operation goes through a confirm/cancel flow, so nothing changes without explicit approval.

How do I contain a compromised account?
Run /zmate lockdown user@company.com in Slack. Zmate queues a full lockdown - a ZPA DENY rule at rank 1 scoped to the user's SAML email, disabling all ZPA app segments, and a ZIA URL filtering rule blocking all categories for that user only - and shows you the plan before anything executes. Because lockdown is a high-impact action, the confirm step carries a second factor: type /zmate confirm <6-digit code>, where the code comes from your authenticator app (Google Authenticator, Authy, or 1Password). The whole flow takes under 30 seconds.

Is there a free tier?
Zmate has a Starter tier that is free and covers all read operations - listing rules, viewing ZDX scores, and querying policies. The Pro tier unlocks all write operations, including lockdown, firewall blocking, URL filtering, and policy management. Contact hello@zmate.io for Pro pricing.

How long does setup take?
Initial setup takes under 10 minutes. You need four Zscaler API credentials (client ID, client secret, customer ID, vanity domain), a Slack bot token, and a Slack app token. Once configured, the bot connects and all 60+ commands are immediately available. No Zscaler configuration changes are required.

Where does my data go?
Zmate connects directly to your Zscaler tenant using the official Zscaler MCP server. No command data is stored or processed by third parties; results are posted only to your own Slack workspace. The Enterprise Runner option lets you self-host Zmate entirely within your own infrastructure with zero data egress, including air-gapped deployment options.

Can I self-host Zmate?
Yes. The Enterprise Runner option lets you run the Zmate Docker container entirely within your own infrastructure. Your Zscaler credentials and command data never leave your environment. This is ideal for organizations with strict data residency or air-gap requirements.

Is lockdown protected by MFA?
Yes. Lockdown and unlock have built-in two-factor protection. Every write command already requires an explicit /zmate confirm, but for lockdown and unlock specifically, that confirm step also requires a 6-digit MFA code from the admin's authenticator app (Google Authenticator, Authy, or 1Password). Executing a lockdown therefore requires both access to the Slack workspace and possession of the admin's authenticator. Admins set this up once with /zmate mfa setup, which generates a secret and walks through the Fly secrets registration. Each admin has an independent secret - one admin's key never affects another's.

Which Zscaler products are supported?
Zmate supports ZIA (Internet Access) for URL filtering, firewall rules, DNS blocking, and DLP; ZPA (Private Access) for app segments, access policy, and connectors; ZDX (Digital Experience) for monitoring, alerts, and deep traces; ZCC (Client Connector) for device inventory; ZID (Identity) for user and group lookup; ZINS for threat intelligence and CASB reporting; and ZEASM (separately licensed) for external attack surface findings.
How do I reverse a lockdown?
Run /zmate unlock user@company.com. Zmate deletes the ZPA DENY rule, re-enables all ZPA app segments, and removes the ZIA URL filtering rule. If the bot has restarted since the lockdown, it no longer holds the rule IDs and falls back to a name-based search to find and remove the rules automatically. After an unlock, a quick /zmate access-rules and /zmate segments confirms that nothing scoped to that user is left behind.
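As an added example (not Zmate's own code; the ZPA and ZIA API calls are replaced by an in-memory stand-in, and the rule-name convention is an assumption), the Python below sketches the lockdown and unlock described in this answer and in the lockdown answer above. The DENY rule goes in at rank 1, lockdown records which segments it actually disabled so unlock restores exactly those, and when that record is gone after a restart the name convention locates the rules, at the cost of re-enabling every segment, including ones that were off before the lockdown. The last function is the check worth running after any unlock.

```python
"""Reversible lockdown with a name-based fallback for unlock (added example)."""
from dataclasses import dataclass, field

PREFIX = "zmate-lockdown"   # assumption: deterministic names make rules findable after a restart


def zpa_rule_name(email: str) -> str:
    return f"{PREFIX}-zpa-{email}"


def zia_rule_name(email: str) -> str:
    return f"{PREFIX}-zia-{email}"


@dataclass
class FakeTenant:
    """Constructed stand-in for the ZPA/ZIA configuration the bot writes to."""
    zpa_rules: list = field(default_factory=list)   # ordered list; index 0 is rank 1
    zia_rules: list = field(default_factory=list)
    segments: dict = field(default_factory=dict)    # app segment name -> enabled?
    activations: int = 0                            # ZIA configuration activations


def lockdown(tenant: FakeTenant, email: str, segment_names: list) -> dict:
    """Apply the lockdown plan and return the state needed to reverse it exactly."""
    zpa_rule = {"name": zpa_rule_name(email), "action": "DENY",
                "condition": {"saml_email": email}}
    tenant.zpa_rules.insert(0, zpa_rule)        # rank 1: evaluated before every ALLOW below it
    zia_rule = {"name": zia_rule_name(email), "user": email,
                "categories": "ALL", "action": "BLOCK"}
    tenant.zia_rules.append(zia_rule)
    tenant.activations += 1                      # ZIA changes are staged until activated
    # Only record segments this lockdown turned off; segments already disabled
    # for other reasons must not come back on at unlock time.
    previously_enabled = [s for s in segment_names if tenant.segments.get(s, False)]
    for s in previously_enabled:
        tenant.segments[s] = False
    return {"email": email, "zpa": zpa_rule["name"], "zia": zia_rule["name"],
            "segments": previously_enabled}


def unlock(tenant: FakeTenant, email: str, state: dict = None) -> bool:
    """Reverse a lockdown. With saved state, restore exactly what was changed;
    without it (bot restarted), fall back to the name convention."""
    if state is None:
        state = {"email": email, "zpa": zpa_rule_name(email),
                 "zia": zia_rule_name(email), "segments": None}
    tenant.zpa_rules = [r for r in tenant.zpa_rules if r["name"] != state["zpa"]]
    tenant.zia_rules = [r for r in tenant.zia_rules if r["name"] != state["zia"]]
    tenant.activations += 1
    if state["segments"] is None:
        # The fallback has no record of which segments lockdown disabled, so it
        # can only re-enable all of them. Segments that were deliberately off
        # before the lockdown come back on too: that is the price of lost state.
        for s in tenant.segments:
            tenant.segments[s] = True
    else:
        for s in state["segments"]:
            tenant.segments[s] = True
    return verify_unlocked(tenant, email)


def verify_unlocked(tenant: FakeTenant, email: str) -> bool:
    """Post-unlock check: no lockdown rule left for this user in either product."""
    zpa_clear = not any(r["action"] == "DENY" and r["condition"].get("saml_email") == email
                        for r in tenant.zpa_rules)
    zia_clear = not any(r["user"] == email for r in tenant.zia_rules)
    return zpa_clear and zia_clear
```

The distinction between the two unlock paths is the point: with state, the tenant ends up exactly as it was; with the fallback, the user is unblocked but the segment inventory has drifted, which is why the name-based path deserves a follow-up review of which segments should still be disabled.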
What happens if Zmate goes offline?
Zmate does not intercept or proxy your Zscaler traffic - it only issues API commands when you explicitly request them. If the bot is offline, your Zscaler policies remain exactly as last configured. No automated rollbacks occur. Pending confirmations expire after 5 minutes and are discarded on restart, so a confirm typed after either does nothing until the command is re-run.
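As an added example (not Zmate's own code; the Slack and Zscaler calls are left out, and the rule that only the requesting admin may confirm is an assumption), this Python models the confirm flow the answers above describe: a pending write shown as a plan, a 5-minute expiry, in-memory pending state that a restart discards, and a per-admin TOTP secret that lockdown and unlock check at confirm time. The TOTP function is RFC 6238 over HMAC-SHA1, which is what the listed authenticator apps generate, so a code from any of them would verify against the same secret.

```python
"""Confirm-gated writes with a TOTP second factor for high-impact actions (added example)."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

PENDING_TTL_SECONDS = 300             # page: pending confirmations expire after 5 minutes
MFA_REQUIRED = {"lockdown", "unlock"}  # page: the actions that need an authenticator code


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: float, skew_steps: int = 1) -> bool:
    """Accept the current code and one step either side, compared in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * 30), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


@dataclass
class Pending:
    action: str
    target: str
    plan: list
    requested_by: str
    created_at: float


@dataclass
class ConfirmGate:
    admin_secrets: dict                                   # admin -> own TOTP secret
    pending: dict = field(default_factory=dict)           # channel -> Pending; in memory only
    executed: list = field(default_factory=list)          # stand-in for the API calls

    def request(self, channel, admin, action, target, plan, now) -> str:
        """Queue the write and return the plan text shown before anything executes."""
        self.pending[channel] = Pending(action, target, plan, admin, now)
        header = f"Pending {action} for {target}\nThis will execute immediately:"
        return header + "".join(f"\n  • {step}" for step in plan)

    def confirm(self, channel, admin, now, code=None) -> str:
        p = self.pending.get(channel)
        if p is None:                                     # nothing queued, or restarted
            return "nothing pending"
        if now - p.created_at > PENDING_TTL_SECONDS:
            del self.pending[channel]
            return "expired; re-run the command"
        if admin != p.requested_by:                       # assumption, not a page claim
            return "only the requesting admin can confirm"
        if p.action in MFA_REQUIRED:
            secret = self.admin_secrets.get(admin)
            if not secret or not code or not verify_totp(secret, code, now):
                return "MFA code required"                # stays queued until the TTL
        del self.pending[channel]
        self.executed.append((p.action, p.target))
        return f"{p.action} complete - {p.target}"
```

Two details carry the security weight: the pending entry is consumed only on a successful confirm, so a bad or missing code never executes anything, and the secret lookup is per admin, so one admin's authenticator cannot approve another admin's pending lockdown.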

Next time it's 11 PM
and a credential is compromised -
you'll be ready.

Two commands. Full audit trail. No portal tab opened.