ZDTA Zscaler Digital Transformation Administrator Free Practice Exam Questions (2026 Updated)

Certificate-pinned applications fail when an inspection proxy substitutes a trusted Zscaler certificate for the origin certificate. The application expects the server certificate or public key to match a pinned value and therefore rejects the inspected session. The fastest way to diagnose this is to inspect SSL logs for failed client handshakes, certificate errors, or bypass candidates. Option A (They could look at SSL logs for a failed client handshake) is correct because SSL logs show the handshake failure pattern created by certificate pinning.

Why the other options are incorrect:

B. They could reboot the endpoint device: Rebooting may clear a local issue, but certificate pinning is a TLS validation problem. Logs are the right first place to confirm the failed handshake.

C. They could inspect the ZIA Web Policy: ZIA Web Policy controls web access outcomes. A pinned-certificate failure shows up in SSL/TLS handshake behavior, so SSL logs are more direct.

D. They could look into the SaaS application analytics tab: SaaS analytics show application usage and risk. They will not show the client TLS handshake failure that reveals certificate pinning.

Zscaler alerting is not limited to email. Alert Rules and detection/response notifications can be sent through webhooks or integrated with collaboration, ITSM, UCaaS, and other third-party tools depending on configuration. Option D (In addition to email, notifications, based on Alert Rules, can be shared with leading ITSM or UCAAS tools over Webhooks) is correct because email and webhook-based integrations support external notification workflows.

Why the other options are incorrect:

A. Email is the only method for notifications as that is universally applicable and no other way of sending them makes sense: Email and webhooks forward alerts to people or third-party systems for response workflows.

B. In addition to email, text messages can be sent directly to one cell phone to alert the CISO who is then coordinating the work on the incident: Email and webhooks forward alerts to people or third-party systems for response workflows.

C. Leading ITSM systems can be connected to the Zero Trust Exchange using a NSS server, which will then connect to ITSM tools and forwards the alert: NSS is for log streaming to analytics/SIEM destinations. Alert-rule notifications use email and webhook integrations, including ITSM or UCaaS tools.

Malware hidden inside HTTPS can only be evaluated after the encrypted session is inspected. ZIA's proxy architecture uses TLS Inspection to decrypt the flow, then malware protection engines compare content, signatures, and reputation indicators against known risks before the session is re-encrypted or blocked. Option C (TLS Inspection decrypting traffic to compare signatures for known risks) is correct because TLS inspection is the enabling layer for malware scanning inside encrypted web traffic.

Why the other options are incorrect:

A. Deception creating decoy files for malware to discover: Deception uses decoys, fake credentials, lures, and traps to expose intruders who are exploring the environment.

B. Application Segmentation of users to specific private applications: An Application Segment defines private app reachability by FQDN/IP, ports, and related settings.

D. Data Loss Protection comparing saved filenames for known risks: Comparing saved filenames is weak and easy to evade. Malware scanning inside HTTPS requires TLS inspection so the file content can actually be evaluated.

Tenant Restriction lets ZIA distinguish the approved corporate tenant of a SaaS application from personal or unmanaged tenants. That matters when the user is on an unmanaged device, because the administrator may allow the corporate tenant only from trusted or managed contexts. Option A (Tenant Restriction) is correct because Tenant Restriction is the SaaS-specific control that enforces corporate-tenant access boundaries.

Why the other options are incorrect:

B. Identity Proxy: Identity Proxy helps broker identity and authentication flows for SaaS access. Tenant Restriction is the control that separates corporate SaaS tenants from personal ones.

C. Out-of-band Application Access: Out-of-band CASB works through SaaS APIs to inspect or remediate content already sitting inside cloud applications.

D. SaaS Application Access: SaaS Application Access is a broad access concept. The specific ZIA feature that blocks unmanaged-device access to a SaaS tenant is Tenant Restriction.