# Zmate

> Zmate (zmate.io) is a Slack bot for Zscaler security operations. Security teams run /zmate slash commands to lock down compromised users, block firewall threats, manage ZPA policy, and triage ZDX incidents directly from Slack. Every write operation shows a confirmation message with exactly what will execute before a single API call is made. Built by HuCortex Inc.
>
> Zmate is Zscaler ChatOps: it lets a SOC operate Zscaler directly from Slack instead of switching between admin consoles. It is also described as Zscaler incident response automation and Zscaler security operations from Slack.

## Product

- [Zmate](https://zmate.io/): The main product. Connect your Zscaler API credentials and Slack bot token, then use /zmate commands in any channel. Works with ZIA, ZPA, ZDX, ZCC, ZID, ZINS, and ZEASM. No infrastructure changes required.

## Capabilities

- [User Lockdown and Isolation](https://zmate.io/): Contain a compromised user fast - the lockdown command executes in under 10 seconds, and the full confirm-plus-MFA flow completes in under 30 seconds. /zmate lockdown creates a ZPA DENY rule at rank 1 with SAML email scope, disables all ZPA app segments, and adds a ZIA per-user URL block - all in one confirmed command. Lockdown and unlock require an MFA code at confirm time (Google Authenticator, Authy, or 1Password).
- [Firewall, DNS and URL Blocking](https://zmate.io/): Cloud firewall rules with optional port-level scoping, DNS-layer domain blocking via firewall DNS rules, and URL category filtering - created and activated from Slack in seconds.
- [ZDX Digital Experience Monitoring](https://zmate.io/): Real-time app scores, per-user experience breakdowns, AI-powered root cause analysis (/zmate analyze), and full deep trace results including DNS, TCP, and TTFB metrics.
- [Threat Intelligence and ZEASM](https://zmate.io/): Live cyber incident feed, 7/14-day threat trends, external attack surface findings by severity, and lookalike phishing domains via ZEASM - proactively posted to an alert channel if configured.
- [Policy and Infrastructure CRUD](https://zmate.io/): Full lifecycle for ZPA segment groups, server groups, and provisioning keys. ZIA network objects including IP source/destination groups, rule labels, time intervals, and auth exemptions. All confirm-gated.
- [Executive Reporting](https://zmate.io/): Full security posture snapshots, shadow IT CASB reports, firewall posture by location, web traffic geography, and a configurable daily digest posted to any channel.

## Commands by Zscaler Product

- [ZIA - Internet Access](https://zmate.io/): 35+ commands. url-block/unblock, firewall block/unblock, dns-block/dns-unblock, shadow-it, dlp, ssl-rules, file-type-rules, ip-source-group, ip-dest-group, rule-label, auth-exempt, sandbox, network-services, time-intervals, lookup, activate.
- [ZPA - Private Access](https://zmate.io/): 20+ commands. lockdown/unlock, isolate/de-isolate, segment enable/disable, segment-group create/delete, connector enable/disable, access-rules, forwarding-rules, timeout-rules, app-protection, pra-creds, provisioning-keys, server-group.
- [ZDX - Digital Experience](https://zmate.io/): 12 commands. triage, analyze, deeptrace, deeptrace-status, zdx-user, alert-history, experience, alerts, zdx-devices, software.
- [ZCC - Client Connector](https://zmate.io/): 3 read-only commands. devices, zcc-policies, user (ZCC section).
- [ZID - Zscaler Identity](https://zmate.io/): 4 commands. zid user, zid group, user (identity section), offboard.
- [ZINS - Insights and Analytics](https://zmate.io/): 8 commands. incidents, threat-trends, shadow-it-report, firewall-summary, web-traffic, sandbox-stats, report (ZINS section).
- [ZEASM - External Attack Surface](https://zmate.io/): 3 commands. findings, lookalike-domains, attack-surface. Requires ZEASM license.

## Pricing

- [Starter Tier](https://zmate.io/): Free. Covers all read operations - listing rules, viewing ZDX scores, querying policies.
- [Pro Tier](https://zmate.io/): Unlocks all write operations including lockdown, firewall blocking, URL filtering, and policy management. Contact hello@zmate.io for pricing.

## Deployment

- [Cloud SaaS](https://zmate.io/): Zmate hosted on Fly.io. Connect credentials and go. Setup takes under 10 minutes. No infrastructure changes to Zscaler.
- [Enterprise Runner](https://zmate.io/): Self-hosted Docker container. Zscaler credentials and command data never leave your environment. Supports air-gapped deployments and strict data residency requirements.

## FAQ

- [What is Zmate?](https://zmate.io/): A Slack bot that wraps ZIA, ZPA, ZDX, ZCC, ZID, ZINS, and ZEASM in /slash commands. Every write goes through a confirm/cancel flow.
- [Can you run Zscaler commands from Slack?](https://zmate.io/): Yes. Zmate exposes 60+ /zmate slash commands that run directly against your Zscaler tenant from any Slack channel, covering ZIA, ZPA, ZDX, ZCC, ZID, ZINS, and ZEASM. Read commands run instantly; write commands go through a confirm/cancel flow so nothing changes without explicit approval.
- [How does lockdown work?](https://zmate.io/): /zmate lockdown user@corp.io queues a full containment - ZPA DENY at rank 1, ZIA per-user block, all segments disabled. /zmate confirm plus a 6-digit MFA code executes it. The command executes in under 10 seconds; the full confirm-plus-MFA flow is under 30 seconds.
- [How do I isolate a compromised user in Zscaler from Slack?](https://zmate.io/): Run /zmate isolate user@corp.io. Zmate creates a ZPA Cloud Browser Isolation policy rule at rank 1 so the user's private-app sessions are forced through an isolated browser instead of being cut off entirely - useful when you want to keep watching a suspect account. For full containment, use /zmate lockdown instead. Both are confirmed before anything executes.
- [How do you automate Zscaler incident response?](https://zmate.io/): Zmate turns multi-step Zscaler incident response into single Slack commands - /zmate lockdown contains a user across ZPA and ZIA, /zmate firewall block and /zmate dns-block stop malicious IPs and domains, and /zmate isolate forces a suspect user into browser isolation. Every action is confirmed before it runs and audited in your Slack channel.
- [Is data secure?](https://zmate.io/): Zmate passes commands to your Zscaler tenant via the official MCP server. No command data is stored by third parties. Enterprise Runner option offers zero data egress.
- [How much does it cost?](https://zmate.io/): Starter tier is free for all read operations. Pro tier required for writes. Contact hello@zmate.io.
- [How long is setup?](https://zmate.io/): Under 10 minutes. Four Zscaler API credentials, one Slack bot token, one Slack app token.
- [What if the bot goes down?](https://zmate.io/): Zscaler policies stay exactly as last configured. No automated rollbacks. Pending confirms expire after 5 minutes.

## Company

- [HuCortex Inc.](https://www.hucortex.com): Zmate is built and distributed by HuCortex Inc.
- [Contact](mailto:hello@zmate.io): hello@zmate.io for demo requests and Pro pricing.