The correct answer is D. Located anywhere and built on IPv4 or IPv6. In Zero Trust architecture, the network and application access model is not tied to a specific physical location, branch, or data center. Zscaler’s Zero Trust guidance emphasizes that users, devices, and applications can be securely connected in any location , which is a core shift away from legacy perimeter-based designs. The architecture is also described as IP independent , meaning policy and access decisions are not fundamentally anchored to traditional network constructs such as fixed addressing or trusted subnets. This is why Zero Trust can operate across modern environments regardless of where workloads reside.

The option about VPN concentrators is incorrect because VPN-based architecture is associated with legacy remote-access models that extend network trust and expose services differently from Zero Trust. In contrast, Zero Trust reduces implicit trust, avoids broad network-level access, and focuses on secure, application-aware connectivity. Therefore, the most complete and accurate answer is that a Zero Trust network can be located anywhere and built on IPv4 or IPv6 , rather than being limited to a legacy transport or perimeter model.

The correct answer is B . In Zero Trust architecture, content stored in Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) environments should not be assumed safe simply because it resides in a cloud platform. Zscaler’s security model emphasizes that trust must be established through inspection and policy , not by location alone. The TLS/SSL inspection architecture shows that inline inspection is necessary to evaluate content moving through encrypted sessions, while Zscaler’s broader data protection model also includes out-of-band assessment for content already stored in cloud services.

This aligns with the Zero Trust principle that applications and content can exist anywhere, but they are not automatically trustworthy because of where they are hosted. Cloud providers secure the platform, but they do not guarantee that every uploaded file, shared object, or stored dataset is safe, compliant, or free from malware or data exposure risk. At the same time, saying content should never be trusted is too absolute; Zero Trust is about verification , not blanket denial. Therefore, the most accurate answer is that cloud-stored content should be treated as risky until inspected , whether inline during transfer or out of band while at rest.

In Zero Trust architecture, policy enforcement is conditional and context-based , not limited to a simple binary allow-or-block model. Zscaler’s reference architectures explain that policy is evaluated using the full user context, including identity, device posture, location, group membership, and other conditions. Access decisions are therefore based on whether specific policy conditions are true, rather than only on static network attributes such as source IP address. For example, the same authenticated user may be allowed access from a managed device at headquarters but denied from an airport, even with the same credentials.

Zscaler documentation also shows that Zero Trust policy can go beyond simple pass or deny outcomes by applying additional controls . In DNS Security and Control, requests can be allowed, blocked, or modified. In ZIA policy development, Cloud App controls allow more granular outcomes than standard allow/block, such as restricting specific actions, applying quotas, or controlling what a user can do inside an application. This reflects the Zero Trust principle that enforcement is adaptive, granular, and tied to business and security context rather than network location alone.

The correct answer is B. False . Zero Trust architecture does not treat identity and context as a one-time, fixed decision. Zscaler’s architecture guidance shows that access is based on ongoing context , including user identity, device posture, location, and other factors that can change over time. For ZIA, policy assignment evaluates the user, device, location, group, and more to determine which policies apply. For ZPA, user access is matched against current conditions such as location, device posture, user group, department, and time of day .

Zscaler documentation also describes reauthentication intervals and session timeout controls, which further shows that identity and authorization are not treated as permanently settled after one decision. In addition, device posture checks can be repeated over time, and a failed posture check can cause a different policy to be applied.

This is fundamental to Zero Trust: trust is continually evaluated , not granted once and assumed valid for an arbitrary period such as 48 hours. Therefore, the statement is false because identity and access context must be revisited as conditions change.

The correct answers are A and B . In Zero Trust architecture, risk scoring is broader than a simple connection decision. It is derived from multiple forms of context and telemetry so that policy can adapt based on changing conditions. Option A is correct because risk can be informed by both inline observations and out-of-band analysis. This reflects the Zero Trust principle of continuous assessment rather than one-time trust establishment.

Option B is also correct because modern risk evaluation includes the security posture of cloud-hosted services , including known configuration weaknesses, missing controls, misconfigurations, compliance gaps, and other exposures. This aligns with Zero Trust thinking because access and trust decisions should account for more than identity alone; they should also reflect the security condition of the service being accessed.

Option C describes content inspection and data protection , which are critical controls, but that is not the best definition of calculating and delivering a risk score. Option D is incorrect because Zero Trust risk is not only about initiator context . It also considers application, service, transaction, and environmental conditions. Therefore, the two correct answers are A and B .

The correct answer is A . In Zscaler’s architecture, the Zero Trust Exchange is not just a packet-forwarding firewall or a single appliance. It is the cloud-delivered policy and security fabric that evaluates access through the core Zero Trust sequence of verify, control, and enforce . The architecture documents describe Zero Trust access as depending on establishing identity, evaluating context, and then applying the appropriate control for that specific request. ZPA guidance explains that users are evaluated for context such as location, device posture, groups, and time of day, and access is granted only if the request matches the required policies.

Option B is incorrect because the Zero Trust Exchange is not limited to a hardened enterprise data center appliance. Option C is incorrect because Zscaler explicitly provides inline controls such as firewalling, DLP, and related inspection services. Option D is also incomplete because the Zero Trust Exchange does more than pass traffic through; it makes access and security decisions. Therefore, the best architecture-aligned answer is that the Zero Trust Exchange carries out the Zero Trust process of Verify, Control, and Enforce as part of completing the transaction.

The correct answer is C . In Zero Trust architecture, policy enforcement is not based on a single attribute such as identity, time, or location alone. Zscaler’s guidance states that policy decisions evaluate the entire user context , including the user, machine, location, group, and more . It also provides examples where the same user can be allowed or denied access depending on device posture , location, and other conditions.

The ZPA architecture similarly explains that access policy rules are built from application segments , SAML attributes , client types , and posture profiles , with additional context such as network location and device posture. That means effective policy enforcement depends on knowing the full access context : who the user is, what application is being requested, what device is being used, the posture of that device, and any other policy conditions tied to the request.

Options A, B, and D are each only partial inputs. Time of day, location, and verified identity can matter, but none of them alone is sufficient. The best and most complete answer is full context of the user, app, device posture, and related attributes .

The correct answer is D. The cloud . Zero Trust architecture assumes that applications are no longer confined to traditional on-premises data centers. Zscaler’s Universal Zero Trust Network Access (ZTNA) guidance reflects that private applications increasingly exist across public cloud, private cloud, and data center environments , and users must securely access them without being placed on the network. This shift is one of the main reasons legacy castle-and-moat models are no longer sufficient.

In older architectures, applications were commonly protected by network location, perimeter firewalls, and DMZ-based publishing patterns. But as applications move to cloud environments, those location-based controls become harder to manage and less effective. Zero Trust instead applies identity, device posture, context, and application-specific policy, regardless of where the workload is hosted. Zscaler specifically positions ZPA and Universal ZTNA to support access to applications in public cloud instances , private cloud environments, and internal data centers through the same policy-driven model.

Because the long-term trend is away from fixed perimeters and toward distributed application hosting, the most accurate answer is that data center applications are moving to the cloud .

The correct answer is A . In Zero Trust architecture, dynamic risk assessment produces decision-support outputs that help determine how each access request should be handled. Zscaler’s identity and policy guidance explains that policy decisions are made by evaluating factors such as the user, device, location, group, and more to determine which policies apply. This means the output of risk assessment is not a packet capture or an operational maintenance workflow; it is the contextual information used to classify the request and enforce the appropriate control outcome.

This aligns closely with the idea of categories, criteria, and insights attached to an access request. Categories help classify the transaction or destination, criteria define which conditions are being evaluated, and insights provide the context needed to allow, restrict, deceive, isolate, or block. By contrast, a full PCAP is a troubleshooting artifact, not a core policy output. Backup and restore processes are administrative operations, and ML-based application segmentation is a separate discovery or segmentation capability rather than the direct output of dynamic risk assessment. Therefore, the best Zero Trust answer is that dynamic risk assessment produces contextual outputs tied to each access request so policy enforcement can be precise and adaptive.

The correct answer is D. For every access request. Zero Trust architecture does not assume that a user, device, or session remains trusted after an initial decision. Instead, access is evaluated request by request , using current identity and contextual information. Zscaler’s ZPA guidance explains that when a user authenticates, context such as location, device posture, user group, department, and time of day is evaluated, and when the user attempts to access a resource, that context is matched against policy to determine whether access should be allowed.

ZIA guidance reinforces the same principle by stating that policy assignment evaluates the user, device, location, group, and more to determine which policies apply. That means policy enforcement is not limited to high-risk sessions, nor is it applied only once to all future traffic from a source. It is also not restricted only to already authorized users, because the authorization decision itself is part of the evaluation. In Zero Trust, each access request is independently assessed and enforced according to current policy and context. That is why the best answer is for every access request .