The AI era has fundamentally changed what it means to secure applications. AI coding assistants now generate code faster than teams can review it. Open-source AI models flow into production pipelines with minimal vetting. The software supply chain includes not just packages and dependencies, but pre-trained models, agentic workflows, and AI-generated code that introduces new classes of risk.
Traditional security models assumed the perimeter (network boundaries, firewalls, VPNs) was the key control point. Zero Trust changed that by moving security decisions to the identity and access layer: never trust, always verify. But as code becomes the new perimeter, enterprises need to extend Zero Trust principles to the applications they build.
To help address these challenges, Endor Labs has partnered with Zscaler to integrate Endor Labs’ AI-native application security capabilities directly into the Zscaler Data Fabric for Security. Together, we are delivering a force multiplier for enterprise security teams, enabling them to secure the AI supply chain without compromising speed.
"The attack surface has shifted to code," said Justin Lau, Director, Technology Ecosystem at Zscaler. "By bringing Endor Labs' application security intelligence into the Zscaler Data Fabric for Security, we're giving customers unified visibility from AI models and coding agents down to open source dependencies and container images. This partnership makes Zero Trust for the AI-native software supply chain a reality."
Visibility in a fragmented ecosystem
Together, we're addressing the fundamental challenge security teams face today: fragmented visibility in an increasingly complex environment. For many CISOs and security leaders, the problem is that security data is siloed: Static Application Security Testing (SAST), Software Composition Analysis (SCA), and runtime threat data often reside in disconnected environments. This gap leads to:
- Alert fatigue: Teams are inundated with "false critical" vulnerabilities that lack context, forcing them to waste cycles investigating risks that are technically present but operationally irrelevant.
- Incomplete risk posture: Without a unified view, correlating a vulnerability in the build pipeline with active threats in the runtime environment is manual and prone to error.
- AI blind spots: As developers increasingly rely on AI coding assistants and open-source models, traditional tools fail to provide visibility into this new AI supply chain.
The Zscaler Data Fabric for Security addresses these challenges by harmonizing data across the entire security ecosystem. By ingesting high-fidelity insights and alerts from Endor Labs, Zscaler empowers customers to operationalize application security within a broader Zero Trust architecture.
Zero Trust for the software you build
The Endor Labs and Zscaler partnership delivers that unified view. By integrating Endor Labs' AI-native application security platform directly into the Zscaler Data Fabric for Security, security teams can operationalize Zero Trust principles across the entire software supply chain.
Here's how it works.
1. Unified exposure management across code and infrastructure
Zscaler's Data Fabric for Security acts as the central nervous system for enterprise security, harmonizing data from network, identity, and application layers into a single platform. With Endor Labs integrated, security teams now have deep visibility into application-layer risks alongside infrastructure and identity signals.
This means you can correlate a vulnerable function in your codebase with active exploitation attempts at the network layer. You can connect a malicious package flagged by Endor Labs, and you can create, modify, and enforce policies in Zscaler that span from code commit to production deployment, ensuring only verified, trusted code enters your environment.
The integration feeds directly into Zscaler's Unified Vulnerability Management (UVM), giving teams a single pane of glass for both infrastructure and application security risks, including contextual prioritization and suggested fixes.
2. Reachability to prioritize exploitable vulnerabilities
Endor Labs uses multiple agents to detect, prioritize, and remediate vulnerabilities. Each agent is equipped with a variety of static analysis tools that help build a comprehensive graph across the entire software artifact—code, open-source dependencies, and container images—to identify which flaws and vulnerabilities are reachable and exploitable in code.
These validated, high-context findings are fed directly into the Zscaler Data Fabric. This allows security teams to prioritize remediation based on actual exposure rather than theoretical risk, reducing the vulnerability backlog by up to 95% and focusing resources where they matter most.
3. Continuous validation for AI coding at scale
AI coding assistants are productivity multipliers, but they also introduce risk. Code generated by Copilot, Cursor, or Claude may include vulnerable patterns, insecure dependencies, or logic flaws that human developers wouldn't catch in a quick review. As AI-generated code becomes the norm, security teams need tools that understand the nuances of machine-generated logic.
Endor Labs' AI-native SAST uses agentic AI to analyze code at a deeper level than pattern-matching tools. It understands intent, business logic, and context—catching issues like injection vulnerabilities, authentication bypasses, and insecure API usage that traditional SAST tools miss. And because it's built for the AI era, it scales with the velocity of modern development.
By feeding these findings into Zscaler, organizations ensure that AI-accelerated development doesn't compromise security posture. You get the speed of "vibe coding" without sacrificing governance.
4. Governing AI models and services
The software supply chain now includes AI models. Developers are pulling pre-trained models from Hugging Face or using services from OpenAI, Anthropic, and other sources to build applications. These models bring new risks: licensing ambiguity, potential backdoors, tampering, and operational reliability concerns.
A core principle of Zero Trust is never trust, always verify. Endor Labs helps teams verify the security of AI components and services through comprehensive AI model governance, giving teams visibility into which models are in use, where they came from, and what risks they introduce. We track provenance, license compliance, and security posture for AI artifacts the same way we do for npm packages or Docker images.
When this data flows into Zscaler's ecosystem, enterprises can manage AI model risk alongside traditional software dependencies. You get a unified governance layer that aligns with Zscaler's mission: securing data flows across the entire organization, whether that data is moving through a VPN tunnel or an LLM inference pipeline.
5. Closing the loop between development and operations
The true power of this partnership is in closing the gap between build-time security and runtime protection. Endor Labs identifies risks in code before it ships, and Zscaler offers dynamic vulnerability management, creating a feedback loop that strengthens both.
For example: Endor Labs flags a critical vulnerability in a reachable function in an application’s transitive dependencies. That finding flows into Zscaler's Data Fabric, where it's correlated with network activity, and Zscaler can automatically trigger incident response workflows, block malicious traffic, and alert security teams with full context.
This is Zero Trust for applications: continuous verification at every stage, from code commit to production runtime, with policy enforcement that adapts to real-time threat intelligence.
Getting started
The Endor Labs integration with Zscaler Data Fabric for Security is available for all Endor Labs and Zscaler customers. To learn more about bringing Zero Trust to your software supply chain, book a demo or contact your Zscaler representative.