Zscaler's per-seat model looks simple — until you add up tier complexity, seat count disputes, and multi-product bundles. This guide breaks down ZIA and ZPA pricing tiers, how enterprise seat counts are defined, and the negotiation tactics that produce real savings at renewal.
Zscaler built its business on a conceptually simple licensing model: per-seat subscription for cloud-delivered security services. Unlike traditional network security vendors that charge per device or per throughput, Zscaler charges per protected user — a model that aligns well with remote work environments where the number of devices per user has grown to 2–4 on average.
In practice, Zscaler's licensing complexity comes from three sources: the tiered product structure (four tiers per product with substantially different feature sets), the separate but related ZIA and ZPA product lines, and the growing portfolio of additional products (Zscaler Digital Experience, Zscaler Deception, Zscaler Data Protection) that extend the base platform.
Zscaler's fiscal year ends July 31, the same as Palo Alto Networks. This creates an interesting dynamic for organisations evaluating both as SASE alternatives — both vendors are most motivated to compete in July. The optimal negotiation timeline involves obtaining formal competitive bids from both vendors in May–June for a decision at the end of July, maximising fiscal-year-end pressure on both sides simultaneously.
Zscaler Internet Access (ZIA) provides Secure Web Gateway (SWG), cloud firewall, DNS filtering, CASB, DLP, and SSL inspection as a cloud service. It replaces traditional on-premise proxy infrastructure and complements or replaces MPLS-based internet breakout architectures.
| ZIA Tier | Indicative Price/User/Year | Key Features |
|---|---|---|
| Business | $80–110 | SWG, Cloud Firewall, DNS Security, SSL Inspection, basic CASB |
| Business Plus | $110–140 | Business + Advanced CASB, Cloud DLP (basic), Sandbox |
| Transformation | $140–170 | Business Plus + Advanced DLP, Advanced Sandbox, UEBA, SaaS Security |
| Unlimited | $170–200 | Transformation + Deception, Risk360, Digital Experience Monitoring, all features |

The gap between ZIA Business and ZIA Unlimited is 2–2.5x in per-user cost. Most enterprises actually need Transformation or Unlimited for complete DLP and advanced threat protection, but Zscaler account teams will often quote Business or Business Plus as the entry point and then upsell during deployment. Understand your actual data protection and compliance requirements before selecting a tier — many enterprises overpay for Unlimited features they don't configure or use.
Zscaler Private Access (ZPA) provides Zero Trust Network Access (ZTNA) — replacing traditional VPN with application-specific access that doesn't grant broad network access. ZPA is licensed separately from ZIA, but most enterprise accounts purchase both. ZPA tiers mirror ZIA's structure.
| ZPA Tier | Indicative Price/User/Year | Key Features |
|---|---|---|
| Business | $60–85 | App-specific ZTNA, browser isolation (basic), MFA integration |
| Business Plus | $85–115 | Business + Privileged Remote Access, ZPA Private Service Edge |
| Transformation | $115–150 | Business Plus + App Protection, AI-powered app segmentation |
| Unlimited | $150–190 | Transformation + Deception for private apps, Risk360, all features |

For organisations purchasing both ZIA and ZPA, combined per-user costs range from $140–390 per user per year depending on tier selection. Enterprise accounts typically purchase ZIA Transformation + ZPA Business Plus as a common starting configuration, landing at $225–320 per user per year before negotiated discounts.
Zscaler has expanded beyond ZIA and ZPA into adjacent security categories. These add-on products create both an expansion revenue opportunity for Zscaler and additional negotiation leverage for buyers who can credibly commit to (or defer) additional products in the commercial negotiation.
| Product | Category | Indicative Price | Notes |
|---|---|---|---|
| Zscaler Digital Experience (ZDX) | Digital Experience Monitoring | $25–45/user/year | Network path troubleshooting, app performance visibility |
| Zscaler Deception | Decoy-based threat detection | $15–30/user/year | Included in Unlimited tier; add-on for lower tiers |
| Zscaler Data Protection | Enterprise DLP | Varies (included above Transformation) | Email DLP, endpoint DLP add-ons available |
| Zscaler Risk360 | Cyber risk quantification | $10–20/user/year | Included in Unlimited; standalone option available |
| Zscaler Workload Communications | Workload ZTNA | $30–60/workload/year | Server-to-server zero trust segmentation |

Seat count methodology is the most common commercial dispute in Zscaler negotiations. Zscaler's standard licensing is based on "named users" — the number of user accounts in your identity provider or Active Directory. Most enterprises find their named user count in the identity provider significantly exceeds the number of active employees.
Common seat count inflation sources include: service accounts (which may number in the thousands for large enterprises), contractor accounts that were never deprovisioned, shared accounts, former employees whose accounts were not deleted, and integration accounts. Before accepting Zscaler's proposed seat count, audit your identity provider to establish the actual number of active, human users requiring Zscaler protection.
The following methodology arguments are effective in seat count negotiations:
Enterprises that audit seat counts before renewal typically reduce their Zscaler licensing baseline by 15–30%, before any pricing negotiation begins.
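The identity-provider audit described above can be scripted against an account export. The following is an added example, not part of the original guide or any Zscaler tooling: the CSV column names, the account-type labels and the 90-day staleness threshold are all assumptions, and the sample rows are constructed. Disabled, never-used and stale accounts go beyond the guide's list and should be reviewed before being excluded.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample export; column names are assumptions, not a real IdP schema.
SAMPLE_EXPORT = """username,account_type,enabled,employment_status,last_login
alice,user,true,active,2024-05-28
bob,user,true,terminated,2023-11-02
svc-backup,service,true,,2024-05-30
helpdesk-shared,shared,true,,2024-05-29
carol.ext,contractor,true,ended,2023-09-14
dave.ext,contractor,true,active,2024-05-20
sync-crm,integration,true,,
erin,user,false,active,2024-01-10
frank,user,true,active,
"""

NON_HUMAN = {"service", "shared", "integration"}

def classify(row, as_of, stale_days=90):
    """Return 'licensable' or the first reason the account is not a human seat."""
    if row["account_type"] in NON_HUMAN:
        return row["account_type"] + "_account"
    if row["employment_status"] == "terminated":
        return "former_employee"
    if row["account_type"] == "contractor" and row["employment_status"] != "active":
        return "contractor_not_deprovisioned"
    if row["enabled"].lower() != "true":
        return "disabled"
    if not row["last_login"]:
        return "never_logged_in"  # may be a new hire: review, do not auto-exclude
    last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
    if (as_of - last).days > stale_days:
        return "stale"
    return "licensable"

def audit(export_text, as_of):
    """Summarise named accounts versus active human users in the export."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    counts = Counter(classify(r, as_of) for r in rows)
    named, seats = len(rows), counts["licensable"]
    return {"named": named, "licensable": seats,
            "reduction_pct": round(100 * (named - seats) / named, 1),
            "not_counted": {k: v for k, v in counts.items() if k != "licensable"}}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, as_of=date(2024, 6, 1)))
```

The same classification doubles as an identity-hygiene finding list: every `former_employee` or `contractor_not_deprovisioned` row is an account that should be disabled regardless of licensing.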
The Zscaler vs Palo Alto Prisma Access competitive dynamic is the strongest leverage point in SASE negotiations. Both are credible enterprise SASE platforms — the technical differences are significant but not decisive for most use cases. The commercial differences are what drive enterprise decisions.
| Dimension | Zscaler | Palo Alto Prisma Access |
|---|---|---|
| Per-user price (Transformation equivalent) | $140–170/user/year | $150–220/user/year |
| Architecture | Cloud-native (proxy-based) | Cloud-delivered (NGFW-based) |
| Data centre footprint | 150+ PoPs globally | ~80 PoPs |
| NGFW integration | Limited | Native (Strata integration) |
| Advanced DLP | Strong (industry-leading) | Competitive (improving) |
| Fiscal year end | July 31 | July 31 |
| Platform deal leverage | Limited (SASE specialist) | Strong (NGFW + SASE + XDR) |