How is Zscaler Page Risk Index Score calculated?
Understanding the ingredients for risk...
Risk is an interesting topic in security. Sometimes it's obvious... other times, not so much. Zscaler has a feature in their Advanced Threat Protection sub-component that examines a web page and calculates a Page Risk Index Score. What exactly is it, though? How is that score determined? Let's unpack this concept...
- Zscaler has a feature called "Suspicious Content Protection". It examines a web page in real-time and makes a judgement call on how risky it is.
- There are two broad sets of attributes that this feature looks at: "Page Risk" and "Domain Risk".
- Page Risk is focused on the code-level content of the page itself. Things like:
  - Injected scripts
  - ActiveX content
  - Zero-pixel iFrames
  - Etc, etc.
- Domain Risk is looking at the domain attributes, metadata, and corresponding threat intelligence history. Things like:
  - Hosting country
  - Domain age
  - Links in (and out) to other high-risk sites
  - Top-level domain
  - Etc, etc.
- These two checks produce individual scores. The Page Risk review produces a risk value called a "Page Risk Index". Similarly, the Domain Risk review produces a value called "Domain Risk Index".
- The final rating is the combination of both index values (which, confusingly enough, is called the "Page Risk Index Score").
  - Page Risk Index Score = Page Risk Index + Domain Risk Index
- Admins can define a threshold value (ranging from 0-100). Zscaler recommends 35.
- If the Page Risk Index Score exceeds whatever threshold the admin defines, then Zscaler will block users from accessing that page.
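To make the page-level indicators and the threshold rule concrete, here is an added sketch (not Zscaler's code, and not from the original post) that counts three of the listed indicators in a page and applies the sum-and-threshold decision. The weights, the function and class names, and the "script after `</html>`" heuristic for injected scripts are assumptions made for illustration; Zscaler does not publish its actual scoring.

```python
from html.parser import HTMLParser

# Hypothetical weights for illustration; Zscaler does not publish its real scoring.
WEIGHTS = {"zero_pixel_iframe": 20, "activex_object": 15, "script_after_html_close": 10}
ZERO = {"0", "0px"}

class PageRiskScanner(HTMLParser):  # counts a few page-level indicators
    def __init__(self):
        super().__init__()
        self.hits = {name: 0 for name in WEIGHTS}
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "iframe" and self._is_zero_sized(a):
            self.hits["zero_pixel_iframe"] += 1
        elif tag == "object" and a.get("classid", "").startswith("clsid:"):
            self.hits["activex_object"] += 1  # classid=clsid:... marks ActiveX
        elif tag == "script" and self.html_closed:
            self.hits["script_after_html_close"] += 1  # appended after </html>

    def handle_endtag(self, tag):
        self.html_closed = self.html_closed or tag == "html"

    @staticmethod
    def _is_zero_sized(a):
        # Size can come from width/height attributes or from an inline style.
        sizes = {"width": a.get("width"), "height": a.get("height")}
        for decl in a.get("style", "").split(";"):
            prop, _, value = decl.partition(":")
            if prop.strip() in sizes:
                sizes[prop.strip()] = value.strip()
        return sizes["width"] in ZERO or sizes["height"] in ZERO

def page_risk_index(html):
    scanner = PageRiskScanner()
    scanner.feed(html)
    scanner.close()
    return sum(WEIGHTS[name] * count for name, count in scanner.hits.items())

def verdict(html, domain_risk_index, threshold=35):
    # Page Risk Index Score = Page Risk Index + Domain Risk Index
    score = page_risk_index(html) + domain_risk_index
    return score, ("block" if score > threshold else "allow")  # block only if exceeded

# Constructed sample page: hidden iframe, ActiveX object, script after </html>.
SAMPLE = ('<html><body><iframe src="//x.example" style="width:0px; height:1px"></iframe>'
          '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
          '</body></html><script src="//x.example/a.js"></script>')
```

Because the rule is "exceeds", a page whose combined score equals the threshold is still allowed in this sketch.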
For more information on this topic, check out the documentation here:
https://help.zscaler.com/zia/configuring-advanced-threat-protection-policy#pagerisk