Zscaler MCP — agentic threat model
The Zscaler MCP agent possesses an exceptionally high risk profile due to its ability to administer core enterprise security infrastructure (ZPA, ZIA, ZCC). Compromise or unauthorized tool execution via this MCP server could lead to complete network compromise, disabling of security controls, and sensitive data exfiltration.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.70 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry only general, caveated commentary, because the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing. The description does not specify the underlying foundation LLMs used to drive the MCP server or process user queries.
Layer 2 (Data Operations): Not certain from the listing. While the agent accesses Z-Insights analytics and EASM attack-surface data, details about vector databases, RAG pipelines, or data lineage are not specified.
Layer 3 (Agent Frameworks): The agent acts as an MCP server exposing Zscaler administration and query tools. Threats include tool misuse (unauthorized configuration changes to ZPA/ZIA/ZCC) and insecure tool integration, where malicious prompts could trigger destructive administrative actions.
Layer 4 (Deployment and Infrastructure): The agent is deployed as an MCP server, requiring hosting and integration with Zscaler APIs. Threats include exposure of highly sensitive Zscaler API keys/secrets, container compromise, and unauthorized network access to the MCP server.
Layer 5 (Evaluation and Observability): Not certain from the listing. The description does not mention specific evaluation frameworks, guardrails, or monitoring tools for the MCP server itself, though it accesses ZDX/Z-Insights.
Layer 6 (Security and Compliance): Managing Zscaler (ZPA/ZIA/ZCC) involves critical enterprise security policies. Threats include lack of fine-grained authorization (AuthZ) for the agent, leading to unauthorized policy modifications, privilege escalation, or compliance violations.
Layer 7 (Agent Ecosystem): As an MCP server, it is designed to be consumed by other LLM clients/agents. Threats include A2A trust abuse, where a compromised client agent triggers destructive administrative actions on Zscaler via this MCP server.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
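The Agent Frameworks, Security and Compliance, and Agent Ecosystem threats above share one mitigation: a deny-by-default authorization gate in front of every tool handler, separating read-only query tools from mutating ZPA/ZIA/ZCC administration tools and tying mutations to the calling client's scope plus an out-of-band approval. The following is an added illustration, not Zscaler's MCP server code; the tool names, scope model and approval ticket are assumptions.

```python
"""Deny-by-default authorization gate for MCP tool calls (added example).

Not the Zscaler MCP server's own code. Tool names, client scopes and the
approval-ticket requirement are hypothetical, chosen to illustrate the check.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    READ = "read"      # analytics / lookup tools, no configuration change
    MUTATE = "mutate"  # changes ZPA/ZIA/ZCC policy or configuration


# Hypothetical tool catalogue: tool name -> (product, effect)
TOOL_CATALOGUE = {
    "zia_list_url_categories": ("ZIA", Effect.READ),
    "zia_update_url_filtering_rule": ("ZIA", Effect.MUTATE),
    "zpa_list_app_segments": ("ZPA", Effect.READ),
    "zpa_delete_access_policy": ("ZPA", Effect.MUTATE),
    "zcc_list_devices": ("ZCC", Effect.READ),
}


@dataclass
class ClientScope:
    client_id: str       # identity of the calling LLM client/agent
    products: set[str]   # products this client may touch at all
    may_mutate: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list[tuple] = []  # every decision is recorded, allowed or not


def authorize(scope: ClientScope, tool: str, approval_ticket: str | None = None) -> Decision:
    """Run before dispatching any tool handler; unknown tools are denied."""
    entry = TOOL_CATALOGUE.get(tool)
    if entry is None:
        decision = Decision(False, f"unknown tool {tool!r}")
    else:
        product, effect = entry
        if product not in scope.products:
            decision = Decision(False, f"{scope.client_id} has no scope for {product}")
        elif effect is Effect.MUTATE and not scope.may_mutate:
            decision = Decision(False, "mutating tools require a mutate-capable scope")
        elif effect is Effect.MUTATE and not approval_ticket:
            decision = Decision(False, "mutating tools require an out-of-band approval ticket")
        else:
            decision = Decision(True, "ok")
    AUDIT_LOG.append((scope.client_id, tool, approval_ticket, decision.allowed, decision.reason))
    return decision
```

A read-only analytics client is never able to reach a mutating tool, and even a mutate-capable client cannot change policy without a ticket, so a compromised client agent (the A2A case) is limited to the scope it was granted.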