Surface vs. Zscaler: Sovereign On-Prem Browser Security
When Zscaler becomes the bottleneck
If every web request has to detour through a vendor cloud, you have traded data sovereignty for a global PoP map and paid for the difference in latency. Surface keeps detection at the browser and the control plane on your infrastructure, so the upstream connection is the only connection.
Two different theories of where the control plane lives
Zscaler is a global cloud SSE platform. Outbound web traffic is steered to one of its points of presence, decrypted there, and policy is applied before the traffic is forwarded to the destination. Surface treats the browser session as the surface that needs protecting, so detection runs locally and policy runs on the customer's own platform deployment.
Cloud-routed SSE
Outbound traffic is detoured through Zscaler's global cloud, decrypted in a vendor PoP, then forwarded to the destination.
In-browser detection, on-prem control plane
Detection runs in the extension on the device. The platform you manage holds policy, telemetry, and keys. No detour.
The cost of the detour
Cloud SSE adds a hop. The size of that hop depends on the user's location, the chosen PoP, current PoP load, and whether the destination is itself cloud-hosted nearby. The architecture guarantees that the path is at least as long as the direct path from user to destination, and in most cases it is longer.
Zscaler path
- Adds a network hop the upstream connection would not otherwise take.
- Decryption is performed inside the vendor cloud, which means TLS state, cipher, and content are visible to the provider.
- PoP selection, congestion, and routing are operated by the vendor and outside customer control.
Surface path
- Detection runs in the browser on the endpoint. The upstream connection is direct.
- No TLS termination by a vendor. Decryption never leaves the device.
- Routing is whatever your existing network already delivers, with no vendor-controlled choke point.
We do not produce SSE benchmarks ourselves. Cloudflare does, as part of an effort to position its own Zero Trust products against Zscaler. We cite their measurements here because they make the architectural cost of the cloud detour concrete, even if you read the numbers with the appropriate vendor-context discount. From Cloudflare's "Cloudflare is faster than Zscaler" post, measured by third-party Miercom and Catchpoint across 14 global locations:
The architectural point holds independently of any specific benchmark. A cloud-routed SSE adds a network hop the upstream connection would not otherwise take. Where Zscaler's PoP is close to the user and the destination, the cost is small. Where it is not, the cost is paid on every request. Surface keeps the control plane on the endpoint and on the customer's own infrastructure, so no such hop exists.
Your data, your keys, your perimeter
A cloud SSE is, by design, in the middle of your encrypted traffic. For some workforces this is an acceptable trade. For regulated industries, defense, critical infrastructure, and anyone with strict data residency obligations, it is the problem they bought security to avoid.
Where decryption happens
With Zscaler, TLS is terminated inside the vendor cloud so policy can be applied. With Surface, the browser is the inspection point. Decryption never leaves the device.
Where telemetry lives
Zscaler telemetry is processed in the vendor's multi-tenant cloud. Surface telemetry flows to the customer's own deployment of the platform. Air-gapped environments are supported.
Who controls the patch cadence
Zscaler patches its cloud on its own schedule and operates the change management for it. Surface deployments are patched on the customer's schedule, against the customer's own change-control process.
Who can see the page content
Zscaler inspects content in its cloud. Surface inspects content on the endpoint. Page DOM, OCR, and detections do not have to leave the user's machine.
- Surface Platform: detection engine, policy manager, API. Deployed on your VMs, containers, or bare metal.
- SIEM / SOAR: Splunk, Sentinel, XSOAR. Surface events feed your existing analyst stack.
- Browser Extension: runs in Chrome, Edge, or Firefox. Detection executes on-device.
- Keys and Data: TLS, telemetry, and policy state never leave your perimeter.
- Vendor Cloud (Zscaler model): TLS decrypted here. Policy applied here. Telemetry stored here.
Where each platform is structurally stronger
An honest table. Zscaler wins on the things a global cloud SSE is built to do. Surface wins on the things an in-browser, on-prem platform is built to do. Most enterprises end up needing some of both, and the two coexist cleanly.
| Feature | Surface (in-browser detection, on-prem control plane) | Zscaler (global cloud SSE, ZIA / ZPA) |
|---|---|---|
| Detection runs without leaving the endpoint | Fully supported | Not supported |
| Adaptive browser security (Surface Vision, on-device, signature-free) | Fully supported | Not supported |
| On-premises and air-gapped deployment | Fully supported | Not supported |
| DOM-aware phishing and credential-page detection | Fully supported | Partial or limited |
| Real-time DLP on paste, drag, upload, and GenAI input | Fully supported | Partial or limited |
| Agentic AI controls (prompt injection, agent scope) | Fully supported | Not supported |
| Decryption keys stay inside customer perimeter | Fully supported | Not supported |
| No detour through a vendor cloud for outbound web | Fully supported | Not supported |
| Network-layer SASE / ZTNA for remote workforce | Not supported | Fully supported |
| Global cloud PoP footprint for branch egress | Not supported | Fully supported |
| Works without replacing the user's browser | Fully supported | Fully supported |
| Full data sovereignty by default | Fully supported | Not supported |
| Detection logic and policy controlled by customer | Fully supported | Partial or limited |
Surface does not displace Zscaler entirely
Zscaler is a network-layer SASE and ZTNA platform. Surface is a browser security platform with an on-prem control plane. The two solve overlapping but distinct problems. Most customers who migrate browser-level controls onto Surface keep Zscaler for the parts it is genuinely built for, and run the two in parallel.
Where Zscaler is the right answer
- Network-layer ZTNA for private application access across a distributed workforce.
- Branch and remote egress with a global PoP footprint.
- Coarse-grained URL category filtering and bandwidth control at scale.
Where Surface replaces Zscaler controls
- Browser-level DLP on paste, drag, upload, form submission, and GenAI input.
- Page-level phishing detection that reads DOM and rendered pixels, not just URLs.
- Agentic AI controls: prompt-injection detection, agent scope, and exfiltration monitoring.
- Full DOM and session reconstruction for investigation, on customer infrastructure.
Coexistence and migration
Most enterprises run Surface and Zscaler in parallel during evaluation. Surface deploys as an extension to the browsers employees already use, so there is no network reconfiguration required to stand it up. Customers typically move the browser-layer controls (DLP, phishing, GenAI, agentic AI, session forensics) onto Surface, then revisit whether the cloud SSE is still the right place for the remaining network egress controls. That decision is the customer's, on their timeline.
Move browser controls off the cloud detour
See Surface running on your infrastructure, against your real traffic, alongside whatever you already have in production.