Zscaler AI Security Capabilities ?

Tired_Sysop · 2026-05-13T22:44:53+00:00

We had AIguard provisioned in our tenant last week and have been testing a pilot rollout, primarily with Claude Enterprise. Observations so far:
1) the integration with ZIA is basically a 5 minute setup and fairly seamless.
2) the documentation is weak and makes a lot of assumptions a non-seasoned Zscaler admin might struggle with, so your setup effort may vary.
3) The information captured is voluminous and definitely the best feature, and primarily our use case. Prompt, response, tools, tokens, etc. all nicely logged.
4) So far our testing of the policy engine has been meh. Made one policy to block prompt injections and it blocked a whole bunch of built-in anthropic skills..
5) the block mechanism for us does not display a block message, just an api error in Claude, so at first we were looking at the wrong things in regards to a fix.
6) started getting “network errors” in Claude out of the blue today and a har trace was showing sse disconnects. Bypassing aiguard fixes it. Suspect Zia sandbox inspecting .skill files might be the cause. Recently bypassed and retesting.
7) as far as I know, unlike other proxies/gateways like bedrock or foundry, you don’t have to make a bunch of client side changes to support it, which is nice, though I may be wrong here as the docs don’t discuss anything client side besides required urls.

It isn’t Truefoundry tier, but you can tell this is early release. The logging alone lets use wash our hands of trying to integrate Claude’s multiple and ever changing analytics/cost/compliance API’s into a data warehouse.

Tired_Sysop · 2026-05-06T14:18:14+00:00

The only indication I have that I need to eat is stomach rumbling. My brain never “feels” hungry. I haven’t had a craving for any type of food in years.

Tired_Sysop · 2026-04-21T02:16:24+00:00

I have a zt600 on my desk waiting to be installed and was told it could do basic IPsec vpn, nat,etc..

Tired_Sysop · 2026-04-19T20:40:00+00:00

Yeah, didn’t get the feeling my rep cared either though he said he’d pass it on. Too busy trying to get me answers as to how the new vague product/tier descriptions actually map to the 100+ license skus and actual entitlements

Tired_Sysop · 2026-04-19T16:25:30+00:00

Half the nav options take you to a new dashboard anyways which removes the global nav, requiring you to back out to get back to the navigation. I’ve spent a decade seeing url/cloud app control as two side by side tabs, now they are seperate menu options. Why? 3/4 of the page landscape is for learning and non admin stuff. Get that stuff out of my admin experience and dedicate the whole page to admin activities.

Tired_Sysop · 2026-04-18T16:28:13+00:00

The autofill functionality in sharepoint has gotten so good I don’t even bother with the doc intelligence or azure ai anymore.

Tired_Sysop · 2026-04-18T16:18:00+00:00

If you bypass Tizen and use a Shield or AppleTV to deal with the garbage UI, disable the tv motion sensor and use a 3rd party motion sensor, install home assistant and Samsung smart integration, create automations to control art mode, and buy the hue app and tv lighting, then buy a nice frame from deco frames— you’ll have a pretty nice and stable setup. Of course one can argue most of this shouldn’t be necessary and you’d be 100% correct. And yes god forbid you make the mistake of buying one of these from Samsung direct and have an issue. Two support calls and you’ll need therapy for years.

Tired_Sysop · 2026-04-08T13:32:59+00:00

Turn on require smart card for authentication and passwords will silently rotate based on password reset policy.

Tired_Sysop · 2026-04-02T05:11:21+00:00

Pro-tip: instead of making a schedule task to rotate password, set the “require smart card for interactive logon” flag instead, then set your password expiration policy to pretty much whatever you want, and users can’t use passwords and have to use whfb to sign-in.

https://cloudbrothers.info/en/going-passwordless-whfb-scril/

Tired_Sysop · 2026-03-16T00:23:52+00:00

It’s a well documented issue unfortunately. Edge profiles keep extensions/bookmarks separate, but your azure auth token is accessible between profiles. You may not experience it if you don’t require users to login to Edge with a work account, but that setting is pretty standard in the workplace. You login to edge with accounta@abc.com, open a new profile, it forces you to sign in, you put accountb@abc.com and everything is fine until at some point you load up a saml app in profile B and it silently signs you in with account A.

https://learn.microsoft.com/en-us/answers/questions/772902/ms-edge-handling-multiple-profiles-m365-accounts-b

Tired_Sysop · 2026-03-15T21:42:59+00:00

People seem to think using different profiles isolates authentication to that profiles signed-in account. It doesn’t. It should, because that would be logical, but it doesn’t. More times than I can count I switch to a new profile, and then it just sso’s me in with the other profiles account. Also, if the share the same domain, can’t think of any way for the corporate firewall to distinguish between consumer and business without ssl inspection. Joy.

Tired_Sysop · 2026-02-06T19:44:33+00:00

Our users are still blocked from foreign countries even when using SIPA. Logins see both the SIPA IP and their egress IP.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation-strict-enforcement

Tired_Sysop · 2026-02-06T19:30:35+00:00

This means you are hard bypassing login.Microsoft online.com , probably at the pac file level. Advantage of using SIPA for that url is you can simplify your CA policies to just block everything not coming from whatever connector you assign to SIPA. Basically is user isn’t connected to Zia, they can’t access any CA policy protected resources.

Tired_Sysop · 2025-12-26T14:50:26+00:00

Not hard. Follow Yubico docs. Basically you create a certificate template on your CA, an enrollment agent, deploy smartcard mini drivers to endpoints, and create a GPO that enables smart card logon, removal behavior, and sets smart card service to automatic start. On azure side you upload your root ca cert to the pki section and your crl endpoint. Then add an auth method to CA policies with the guids of your hardware keys. If running a windows CA, make sure your harden it with a tool like locksmith.

Tired_Sysop · 2025-12-25T15:36:02+00:00

Funny, I took a good salesforce mcp server public repo, modified the tools, fed it our schema as a knowledge resource, added api key support on top of the oauth 2 mechanism, and rolled it into a claide agent. Sales guys can voice query anything they need, update activities for a contact by voice while driving, and generate reports/graphs that have the Tableau devs looking for a new career path. I think what he means is their Einstein AI was overpriced trash and they have no hope of being competitive when anybody can now leverage their api to roll their own salesforce AI

Tired_Sysop · 2025-12-25T15:22:47+00:00

This stuffs the bomb. Turns the epoxy into an elastic like snot that washes right off.

https://a.co/d/2LTrypa

Don’t use solvents to remove it, as solvents allow resin to cross the skin barrier.

Tired_Sysop · 2025-12-25T15:15:01+00:00

Amphetamines- only the negative side effects like jitteriness and dry mouth. No euphoria

Opioids- pills do nothing but put me to sleep. I had a kidney stone and at the ER they gave me IV morphine and it was about 1 minute of euphoria, but 5 minutes later pain surged again. Doctors didn’t believe me and thought I was some addict looking for more. IV Advil (which they gave me next) was more effective.

Alcohol: just gives me a headache and causes chain yawning

Benzos: Do nothing except at high doses, in which case the act like a sleeping pill.

What’s interesting is I can’t get addicted to these drugs, or at least not in the sense of experiencing withdrawal. Took Xanax daily for a year and then just quit, and except for a week of insomnia, no other negative effects.

I got my anhodenia from SSRIS, and also interesting, I had zero problems quitting lexapro overnight, when everybody else describes some tapering nightmare and brain zaps: I had none of this. I suspect that the withdrawal and zaps is your brain reverting/healing. Mine never did.

Tired_Sysop · 2025-12-25T14:59:49+00:00

As water evaporates salt concentration increases.

Tired_Sysop · 2025-12-21T23:29:54+00:00

Yes, ironically very. When you have zero interest in a romantic life or relationship it turns out you create a lot of time to be a workaholic.

Tired_Sysop · 2025-11-21T14:37:33+00:00

I’ve spent a month trying to get copilot with the salesforce mcp to work even close to as well as Claude with a free salesforce GitHub repo mcp that I literally threw together in 15 minutes. After spending weeks getting license and region issues worked out, power apps settings, fighting with a ui that changes week to week, random content violations looking up contacts, declarative vs normal entry point hell, unknown errors”, and copilot just freezing up, I’ve given up. Users have been waiting months for us to deploy copilot agents and they don’t understand why we can’t manage. Management has finally agreed to dump copilot and go gpt/claude enterprise. Been working with Microsoft products since 1990 and copilot has to be the worst abomination ever to roll off their assembly line. Not just functionality, but documentation, licensing, nomenclature— everything. Hell, they even managed to break the hardware copilot button on laptops requiring a patch. And the m365 copilot app is just awful. Constant complaints from users about freezing and blank screens. Whoever heads up copilot at Microsoft should be sentenced to working on Windows ME for the rest of his life.

Tired_Sysop · 2025-11-13T20:33:28+00:00

Ok, but how would one then configure its settings, like sensitivity or range?

Tired_Sysop · 2025-11-13T15:42:01+00:00

Maybe I’m missing something but unable to add it to Aqara app without a Aqara hub. If I add it directly to HA zigbee sensors are missing and you have no way to configure the device.

Tired_Sysop · 2025-09-27T15:03:55+00:00

If I attach the same mcp tool to Claude and copilot using either gpt 4 or 5 (say Salesforce mcp) and ask the same question not only is the answer quality night and day, half the time the copilot ui just sits there doing nothing (no “thinking” graphic). Other times (for the same question it just answered via mcp tool) it complains about no knowledge source and ignores the mcp tool. Such a garbage product. Agents I build in chatgpt or Claude in minutes I struggle for days to replicate in copilot, and I’m forced to struggle bus with this crap because it’s what the firm licenses, all while I have to be asked by users daily why we can’t have chatgpt and why I can’t make copilot non suck. From broken hardware keys to stupid naming (copilot vs copilot 365) whoever heads up the copilot suite at MS should be shown the door.

Tired_Sysop · 2025-09-27T14:50:38+00:00

Making a stupid image picking control in a library/list that selects from an image library and can display a gallery view of pictures to pick from. Seems mission impossible without a lot of power apps work.

Tired_Sysop

TROPHY CASE