Zscaler MCP server
Drive ZIA, ZPA, ZDX, and Zscaler Identity from your AI agents with a single OneAPI credential.
About
Connect Tracecat to Zscaler to drive the full SASE stack for SOC analysts and network engineers running risky user investigations and Zero Trust response. You can pivot from a user's device health in ZDX to the application segment they were trying to reach in ZPA with one OneAPI credential. From there, audit ZIA URL category blocks, review ZPA segments, and triage EASM exposures with write tools gated behind explicit approval before they execute against your production tenant.
Setup
- 1
Sign in with OAuth
You'll authorize Tracecat to access Zscaler on your behalf. No API keys to manage.
- 2
Select the
Zscalertile in the Tracecat MCP catalogOpen the
MCP catalogin your workspace, select theZscalertile, and complete the OAuth flow. - 3
Enable
Zscalerin your agentIn your
ai.agentaction orAgents→toolstab, selectZscalerfrom theMCP integrationsdropdown.
Tools
zia_list_rule_labels | List labels attached to ZIA firewall and URL filtering rules. |
zpa_list_application_segments | List ZPA application segments with their connector groups and segment groups. |
zpa_create_application_segment | Create a new ZPA application segment to publish an internal app. |
zpa_delete_application_segment | Remove a ZPA application segment as part of decommissioning. |
zia_create_rule_label | Create a ZIA rule label for tagging firewall and URL filtering rules. |
zdx_list_devices | List devices monitored by Zscaler Digital Experience with health scores. |
zidentity_list_users | List users provisioned in ZIdentity with their group and role assignments. |
easm_list_assets | List external attack surface assets discovered by Zscaler EASM. |