← All articles

Why Zscaler can be a problem for phishing defense

GottaPhish Team · July 2, 2026

Secure web gateways like Zscaler are a genuine pillar of modern defense: they inspect traffic at scale, block known-bad destinations, and enforce policy no matter where a user sits. But relying on one blindly can become a problem: no web proxy stops all phishing, and treating it as a complete answer creates a dangerous false sense of security. Here is why Zscaler — like any proxy — can leave you exposed, and why the human layer still matters.

What a secure web gateway does well

A cloud proxy sits inline between users and the internet and adds real value:

These controls block a large volume of commodity phishing every day. The blind spots below are not a knock on any single vendor — they are structural limits that apply to the entire category.

Where modern phishing gets through

Newly registered and short-lived domains

Reputation systems need history. A domain registered an hour ago, used for a two-hour campaign, and abandoned has no track record to flag. Threat intelligence often catches these domains after the campaign window has closed.

Time-of-click versus time-of-scan

A proxy evaluates a page when it is requested. Attackers exploit that with benign-first pages that serve harmless content to scanners and switch to the phishing payload only for real victims — using geofencing, referer checks, device fingerprinting, and CAPTCHA gates to tell them apart.

Scanner / sandbox IP  → harmless "under construction" page
Targeted victim + token → live credential-harvesting page

TLS inspection gaps

TLS inspection is powerful but rarely universal. Certificate pinning, break-glass exclusions, unmanaged and BYOD devices, and privacy carve-outs mean some traffic is passed through uninspected. Phishing that lands in an inspection gap is effectively invisible to the proxy.

Abuse of trusted, legitimate hosting

Increasingly the phishing content lives on infrastructure a proxy should not block wholesale:

Blocking these platforms outright is not viable for most organisations, so attackers borrow their reputation.

AiTM proxies and session-token theft

The hardest case: adversary-in-the-middle kits relay the real login page in real time and steal the authenticated session cookie, bypassing MFA. The page content is genuine, the certificate is valid, and the domain may be brand-new — there is little for a signature-based control to catch.

The phishing you most need to stop is precisely the phishing engineered to look identical to legitimate traffic. That is a hard problem for any inline filter, by design.

Defense in depth, not a single wall

A gateway is one layer. Resilience comes from stacking independent controls so that a miss at one layer is caught at another:

The user who pauses, distrusts a too-urgent message, and reports it is not a fallback for failed technology. In a well-designed program they are a sensor that feeds your SOC signal no proxy can generate on its own.

How GottaPhish helps

No web proxy stops all phishing — a gateway like Zscaler always leaves gaps, and treating it as a complete answer creates a dangerous false sense of security. GottaPhish and its expert support team measure what your gateway cannot guarantee: whether real people, on real devices, resist the phishing that slips past the proxy. Our authorized simulations reproduce the exact techniques that evade web filtering — benign-first cloaking, trusted-hosting lures, and adversary-in-the-middle session theft — safely and with full auditing, while our experts help you design the scenarios, deploy the campaigns, and interpret the per-user and per-department exposure data. The result is targeted training and clear dashboards that turn your workforce into a reliable reporting layer complementing Zscaler rather than depending on it.