¿Le preocupan los recientes CVE de PAN-OS y otros firewalls/VPN? Aproveche hoy mismo la oferta especial de Zscaler

Zscaler Deception (EDU-238)

SOC Engineers/Analysts, Security Engineers, IT Teams, CISOs

Course Summary

The Zscaler Deception course is a part of Zscaler's cyberthreat protection solution. It focuses on detecting and stopping active in-network threats that have bypassed other defenses, as well as how Deception uses lures and decoys to detect and disrupt cyberthreats. In this course, you will learn about Deception and its capabilities, benefits, and the problems it solves, as well as key factors driving its adoption.

Learning Outcomes

In this course, you will:

Explain what Zscaler Deception

Explain what Zscaler Deception is—challenges it solves, benefits it can deliver, and its unique points of differentiation

Orchestrate automated workflows

Orchestrate automated workflows, notifications, and response rules

Use prebuilt decoys

Use prebuilt decoys and datasets to deploy effective Deception campaigns

Monitor and analyze

Monitor and analyze attacker activity; gain visibility into credential misuse, entitlement exposures, and privilege escalation in Active Directory

Identify advanced account settings

Identify advanced account settings, manage users and roles

Recognize support options

Recognize support options and how to access the Help Portal

Course Outline

Current State of Cyberthreat Security

  • Introduction to Deception
  • Security Challenges Posed by Cyberthreats
    • Key Values of Deception
    • What Sets Zscaler Deception Apart

Zscaler Deception

  • Zscaler Deception Architecture
    • Integration with ZPA
    • Zscaler Deception Admin Portal
    • Types of Decoys
  • Key Features and Benefits
  • How Deception Works
  • Deception Use Cases


  • Investigate Overview
  • ThreatParse


  • Orchestrate Overview
  • Orchestrate Rules
  • Integration Types
    • Enrichment Integrations
    • Containment Integrations
    • SIEM Integrations
  • API Token Management
    • Describe Use Cases for API access to Deception
    • Describe API token details
  • Event Template
    • Types of Event Template
    • Template Settings
  • Service Connectors
    • Usage of Service Connectors for SIEM Integration
    • Service Connector Settings


  • Miragemaker Overview
  • Dataset Types
    • Static Application Datasets
    • Vulnerable Application (CVE) Datasets
    • Dynamic Application Datasets
    • SCADA/IoT Datasets
    • Keyword Datasets
    • Custom Service Datasets
    • File Datasets and File Template
  • High-Interaction Containers 
  • ThreatParse Rules


  • Deceive Overview/Menu
    • Start and Stop Decoys
    • View Deployment Logs
  • Types of Decoys
    • Threat Intelligence (TI) Decoys
    • Network Decoys
      • Internal Network Decoys
      • Zero Trust Network Decoys
  • Active Directory (AD) Decoys
    • User and Attributes
    • Triggers
    • Domains
  • Landmine Decoys
    • Landmine Policies
    • Landmine Agents
    • Landmine Settings
    • Landmine Update Phase Groups
    • Landmine Safe Processes
  • Cloud Deception
    • Deployment of Deception in Azure
    • Deployment of Deception in AWS
  • MITM Detection
  • Deceive Settings
    • Blocklist Management
    • Hash Password Settings
    • Hostname Resolution Settings
    • Decoy Groups Management


  • ITDR Dashboard
  • Change Detection
  • ITDR for AD
    • Scan Agents Settings Management
    • Issue Safelist
    • Object Safelist
    • Change Detection Safelist

Deception Settings

  • Virtual Machine Settings
    • Interface Settings
    • Decoy Connector Settings
    • Aggregators Settings
    • Service Backend Settings
  • User and Roles Management
    • User Management
    • Role Management
    • SSO Management
    • Support User Management and Alert Notifications
    • Login and Password Settings
  • Logs
    • Audit Logs
    • Debug Logs
    • System Messages
  • Network Settings
    • Allowed IPs Management
  • Advanced Settings
    • Verify License Information
    • Event Data and Evidence Management
    • Log File Retention Settings
    • Kill Switch Function (Account Deactivation)
    • Debugging Settings

Help and Support

  • Account Settings
    • Profile Settings
    • Notification Preferences
  • Support Options
    • Submit a Ticket
    • Access Help Portal

Hands-On Lab Details


  • Zscaler for Users - Essentials (EDU-200) Learning Path
  • Completion of Zscaler Deception (EDU-238) eLearning


Learn the key skills you need to protect sensitive corporate data with Zscaler’s Deception solution. Use Deception to detect compromised users, stop lateral movement, and defend against human-operated ransomware.


3 hours


Self-Guided or Instructor-Led (virtual or in-person)

Completion criteria

Complete all lab exercises

Available language(s)



$600 (2 EDU credits)

Lab Outline

Lab 1 - Connect to the Virtual Lab

Log in to Client Connector and verify Deception service is running on endpoint

Lab 2 - Navigate the Deception Admin Portal

  • Investigate Threats
  • View Orchestrate Functions
  • View Miragemaker Options
  • View Deceive Functions
  • Check ITDR Posture
  • View Deception Settings

Lab 3 - Investigate Pre-Breach Reconnaissance Activity

  • Conduct DNS brute force attack
  • Identify and respond to pre-breach reconnaissance

Lab 4 - Lure Adversary to Decoys and Contain via ZPA

  • Conduct post-breach attack from a compromised windows VM
  • Investigate and respond to post-breach attack

Certificate Exam Details


Completion of Zscaler Deception (EDU-238) Hands-On Lab


45 minutes

Test format

20 multiple choice questions

Available language(s)



$300 (1 EDU credit)

For any other inquiries, please reach out to [email protected]