Your Zscaler Private Access deployment is making continuous access decisions for 50,000 users across 200 countries. Device posture evaluated. User risk score computed. Application sensitivity classified. SaaS access pattern profiled. Every session, every hop, every access request — evaluated against a policy ruleset your security team has spent nine months tuning.
You have learned things. You know which combinations of device posture signal and user behavioral delta actually precede credential misuse in your environment. You know which step-up MFA triggers generate too many false positives in your sales org versus your engineering org. You know that in your industry, lateral movement from an unmanaged device to your ERP over a non-standard port is nearly always malicious, not misconfiguration.
The enterprise with an identical Zscaler deployment three blocks away — same industry, same SaaS stack, same remote workforce profile, same adversary targeting them — is nine months behind you. They will learn those same lessons. Their security team will tune those same policies. They will experience some of the same incidents you already resolved before their policy matured.
None of what you learned crosses the tenant boundary. None of what they will learn reaches you. The per-enterprise intelligence wall is the architecture.
What SASE and ZTNA Actually Solve
SASE (Secure Access Service Edge) consolidates network security and access control into a cloud-delivered service: SWG, CASB, ZTNA, SD-WAN, FWaaS. The architectural premise is that the perimeter is gone — users are everywhere, apps are everywhere, so access decisions must be made continuously and contextually, not at a static firewall.
ZTNA (Zero Trust Network Access), the access control layer, operationalizes the principle of never-trust-always-verify. Every access request is evaluated against identity, device health, application sensitivity, and behavioral context. No implicit trust from being on a corporate network.
Gartner projects that 60% of enterprises will implement SASE by 2025, up from 10% in 2021. The market is converging on a small number of dominant platforms: Zscaler, Palo Alto Prisma Access, Netskope, Cloudflare Access. This vendor concentration is functionally a shared infrastructure: thousands of enterprises running nearly identical platforms against similar adversary TTPs.
And yet the IBM/Ponemon 2024 Cost of a Data Breach Report measured the average time to identify a breach at 194 days. The Verizon 2024 Data Breach Investigations Report found that 77% of breaches involve compromised credentials or stolen access paths. These numbers have not moved.
The platforms are getting more capable. The detection gap is not closing. The intelligence about what worked — which access policy, which trigger combination, which step-up rule — is locked inside individual tenant logs.
The Synthesis Problem Is Structural
Consider what happens when a novel attack pattern hits an enterprise running Zscaler ZPA.
Attacker obtains credentials for a low-privilege user. Device posture check passes because the compromised laptop is enrolled and patched. First access request: unremarkable. Over 72 hours, the attacker probes application inventory using low-frequency requests just below anomaly thresholds. Eventually they access a sensitive finance application from a new geographic location at an unusual time.
The enterprise's security team eventually identifies this pattern — through SIEM correlation, threat hunting, or a downstream impact discovery. They tune their ZTNA policy: flag the specific combination of (managed device + valid credentials + new geo + sensitive app access + low-frequency cross-app enumeration preceding) for step-up authentication. The attack pattern is now blocked for future attempts.
That tuning insight — the specific trigger context, the policy response, the validation that it works — exists in their Zscaler admin console and their internal runbooks. It does not exist anywhere else.
Meanwhile, the same adversary TTP is hitting 40 other enterprises in the same industry vertical. Each of them will independently identify the same pattern over the same 72-to-194 day window. Each will tune the same policy fix. The synthesis of what worked, from the enterprise that discovered it first, never reaches the others.
This is not a threat intelligence problem. The threat intel industry shares IOCs (indicators of compromise): IP addresses, domains, file hashes. IOCs are point-in-time. They tell you what was used, not what access policy stopped it from succeeding. ISACs share incident reports, not policy outcome intelligence.
The gap is between knowing an attack happened and knowing what access decision architecture stopped it from succeeding again.
Why Existing Approaches Cannot Close This Gap
Vendor threat intelligence feeds (Zscaler ThreatLabz, Palo Alto Unit 42): These teams aggregate signals across the vendor fleet and publish threat reports. Valuable for understanding adversary infrastructure. They describe campaigns, not per-enterprise access policy outcomes. They cannot tell you: "for your specific combination of industry vertical, user behavioral profile, and SaaS application dependency, here is the step-up policy tuning that worked for 200 similar tenants."
ISACs and information sharing bodies: The FS-ISAC, H-ISAC, and sector ISACs share IOCs and incident summaries. They operate on a timescale of days to weeks. They do not share continuous access decision intelligence. Sharing the policy rule itself would expose proprietary security posture — most enterprises will not do it.
SOAR runbook repositories: Shared SOAR playbooks describe process steps, not outcome deltas. "When you see X, do Y" is qualitatively different from "doing Y for trigger context X reduced false positives by 34% and blocked three follow-on access attempts in our deployment, with this confidence." The outcome data — the empirical validation — is never encoded.
Federated learning: ZTNA policy optimization is not a model-training problem. Access policies are logical rule systems: condition → action → outcome. There are no differentiable weights to average. Federated learning gradient aggregation has no meaningful application to discrete access policy optimization. The non-IID problem is severe: a financial services firm's access policy context (regulatory apps, trading infrastructure, elevated credential theft targeting) is structurally different from a healthcare firm's (EHR access, HIPAA audit requirements, clinical workflow patterns). Averaging policy signals across these environments degrades both.
The constraint is architectural: every existing approach requires either sharing raw policy configuration (which enterprises will not do) or aggregating at a level of abstraction that loses the outcome signal. Neither works.
The Architecture That Routes Policy Outcomes Without Revealing Policy
In June 2025, Christopher Thomas Trevethan discovered what he termed the Quadratic Intelligence Swarm (QIS) architecture — a complete loop for routing distilled outcome packets by semantic similarity across a distributed network, without any raw data leaving any node.
The discovery was architectural: when you route pre-distilled outcomes (not raw telemetry, not model weights, not policy rules) to a deterministic address defined by semantic similarity, and every node can both deposit and query, intelligence scales quadratically with network size while compute scales at most logarithmically. This had never been demonstrated before.
Applied to ZTNA policy intelligence, the loop works like this:
- Access event — user requests access; ZTNA evaluates device posture, identity, behavioral context, application sensitivity
- Local processing — enterprise security team resolves the event, determines what policy response worked
- Distillation — the outcome is compressed into a ~512-byte packet encoding: what trigger context was present, what action was taken, what outcome was observed, at what confidence
- Semantic fingerprinting — the packet is fingerprinted by structural meaning: industry vertical class, user population type, application sensitivity tier, attack pattern family — not by identity, not by policy rule, not by company name
- Routing — the packet is deposited to a deterministic address derived from the fingerprint. Any enterprise querying that address sees aggregated outcomes from semantically similar deployments
- Local synthesis — your SASE platform queries the address for your current trigger context and receives: what worked for the 150 enterprises with similar profile that encountered this pattern
No raw access logs shared. No policy rules exposed. No user data transmitted. The packet contains outcome intelligence, not operational data.
The routing mechanism is transport-agnostic. The same loop works over DHT (decentralized, O(log N) routing), a database with vector similarity index (O(1) lookup), a pub/sub topic hierarchy, or a REST API. The quadratic scaling comes from the loop and the semantic addressing — not from any specific transport.
The Math: Why This Is Not Incremental
If 1,000 enterprises adopt ZTNA policy outcome routing:
| Metric | Current Architecture | QIS Architecture |
|---|---|---|
| Policy tuning intelligence available to a new tenant | Own deployment history only | N(N-1)/2 = 499,500 synthesis paths |
| Time to discover novel attack pattern policy fix | 6–12 months median | Days (synthesize from peers who already learned it) |
| False positive tuning (step-up MFA friction) | Months of own-deployment calibration | Informed by similar-profile enterprises' calibration outcomes |
| Novel TTP coverage | Limited to own-environment exposure | Scales with network: each new enterprise expands coverage |
At 1,000 enterprises: 499,500 synthesis paths. At 5,000 enterprises (the approximate size of Zscaler's enterprise customer base): 12.5 million synthesis paths. Each path is a potential channel for routing what worked, before your environment encounters the same situation.
The 194-day detection gap is not a SIEM problem. Detection is already excellent. It is a synthesis gap: the intelligence about what access policy correctly resolved the threat pattern in similar environments is not reaching your policy engine before your environment encounters it.
A Concrete Implementation Pattern
The implementation requires no changes to existing SASE infrastructure. QIS runs as a layer alongside your current deployment:
import hashlib
import json
import time
from typing import Optional
class ZTNAPolicyOutcomeRouter:
"""
QIS outcome routing for ZTNA/SASE policy intelligence.
Transport-agnostic: replace self.store with ChromaDB, Redis,
Qdrant, DHT, or any mechanism that maps addresses to packets.
No raw access logs. No user data. No policy rules.
Only: what trigger context + what action + what outcome.
"""
def __init__(self):
self.store: dict = {}
def emit_outcome(
self,
trigger_context: dict, # industry_class, user_risk_tier, app_sensitivity, attack_family
action_taken: str, # "step_up_mfa", "block", "allow_with_logging", etc.
outcome: str, # "lateral_movement_blocked", "false_positive", "breach_prevented"
confidence: float, # 0.0–1.0
false_positive_rate: Optional[float] = None
) -> str:
"""Distill a resolved access event into an outcome packet and deposit it."""
fingerprint = self._fingerprint(trigger_context)
address = self._deterministic_address(fingerprint)
packet = {
"schema_version": "1.0",
"timestamp": time.time(),
"domain_tag": "ztna.policy_decision",
"trigger_context": trigger_context, # no user identity, no IP, no company
"action_taken": action_taken,
"outcome": outcome,
"confidence": confidence,
"false_positive_rate": false_positive_rate,
"ttl": 2592000 # 30 days: ZTNA threat intelligence has medium recency requirement
}
self.store.setdefault(address, []).append(packet)
return address
def query_policy_outcomes(
self,
trigger_context: dict,
min_confidence: float = 0.7,
top_k: int = 20
) -> list[dict]:
"""
Before making an access policy decision, query what worked
for semantically similar trigger contexts across the network.
Returns ranked list of outcome packets from similar deployments.
"""
fingerprint = self._fingerprint(trigger_context)
address = self._deterministic_address(fingerprint)
candidates = self.store.get(address, [])
# Filter by confidence and recency, rank by outcome quality
valid = [
p for p in candidates
if p["confidence"] >= min_confidence
and (time.time() - p["timestamp"]) < p["ttl"]
]
return sorted(valid, key=lambda x: x["confidence"], reverse=True)[:top_k]
def _fingerprint(self, trigger_context: dict) -> list[float]:
"""
Encode trigger context as semantic vector.
Industry vertical + user risk profile + app sensitivity + attack family.
No user identity. No company name. No raw behavioral data.
In production: replace with embedding model fine-tuned on security taxonomy.
"""
# Simplified: hash-based projection for illustration
raw = json.dumps(trigger_context, sort_keys=True).encode()
digest = hashlib.sha256(raw).digest()
return [b / 255.0 for b in digest[:64]]
def _deterministic_address(self, fingerprint: list[float]) -> str:
"""
Map fingerprint to deterministic routing address.
Enterprises with similar trigger contexts route to the same address.
This is the QIS semantic addressing mechanism — transport-agnostic.
"""
quantized = [int(v * 16) for v in fingerprint[:8]]
return "ztna:" + ".".join(str(q) for q in quantized)
# Usage: emit after policy resolution
router = ZTNAPolicyOutcomeRouter()
# Enterprise A: discovered that managed-device + valid-creds + new-geo + ERP-access
# + low-freq cross-app enumeration preceding = step-up MFA blocks lateral movement
router.emit_outcome(
trigger_context={
"industry_class": "financial_services",
"user_risk_tier": "low", # baseline risk — this is what makes it dangerous
"app_sensitivity": "critical", # ERP, financial systems
"attack_family": "credential_abuse_low_freq_enum",
"device_managed": True,
"geo_anomaly": True
},
action_taken="step_up_mfa_plus_session_limit_2h",
outcome="lateral_movement_blocked",
confidence=0.94,
false_positive_rate=0.02
)
# Enterprise B (different company, same vendor, same industry, same attack pattern emerging):
# Query before deciding whether to auto-block or allow-with-logging
similar_outcomes = router.query_policy_outcomes(
trigger_context={
"industry_class": "financial_services",
"user_risk_tier": "low",
"app_sensitivity": "critical",
"attack_family": "credential_abuse_low_freq_enum",
"device_managed": True,
"geo_anomaly": True
}
)
# Enterprise B's policy engine now knows, before experiencing the full incident:
# step_up_mfa_plus_session_limit_2h → lateral_movement_blocked, 94% confidence, 2% FPR
# from Enterprise A's already-resolved deployment. Days to learn, not months.
print(f"Similar policy outcomes from peer network: {len(similar_outcomes)}")
for outcome in similar_outcomes[:3]:
print(f" Action: {outcome['action_taken']} → {outcome['outcome']} "
f"(confidence: {outcome['confidence']:.0%})")
The _deterministic_address() method is the critical architectural piece. Enterprises with structurally similar trigger contexts route to the same address. The packet deposited by Enterprise A is queryable by Enterprise B before they encounter the same pattern. No coordination required. No shared infrastructure required beyond the routing layer.
In production: replace self.store with ChromaDB for vector similarity routing, Redis for O(1) channel-based routing by attack family, or a DHT node for fully decentralized cross-enterprise routing. The QIS loop is identical regardless of transport. This is the point of the 39 provisional patents filed by Christopher Thomas Trevethan: the discovery is the architecture — the complete loop — not any specific routing mechanism.
The Synthesis Gap Closes Quadratically
The 194-day detection dwell time is not an instrumentation problem. Modern SASE platforms have excellent telemetry. It is a synthesis problem: the intelligence about which access policy correctly resolved a novel attack pattern — in a deployment with similar industry profile, similar user behavioral baseline, similar SaaS dependency — is not reaching your policy engine before the same pattern reaches your environment.
NIST SP 800-207 (Zero Trust Architecture) defines the access decision as a continuous, context-aware function: every access request evaluated in real time. What it cannot specify is how access policy outcomes from peers with similar contexts should inform that decision — because until now, there was no architecture for routing those outcomes without exposing the underlying data.
QIS provides that architecture. The complete loop — distill, fingerprint, route by semantic similarity, synthesize locally — is the mechanism by which N(N-1)/2 policy outcome synthesis paths become available to every enterprise in the network. At 500 enterprises: 124,750 synthesis paths. At 5,000 enterprises: 12.5 million paths. The intelligence scales quadratically. The compute scales logarithmically. The dwell time shrinks not because any individual enterprise gets faster, but because the collective intelligence of the network reaches every enterprise before the incident completes.
Christopher Thomas Trevethan discovered this architecture in June 2025. The 39 provisional patents cover the complete loop — not any specific transport, not any specific domain. The same architecture that closes the synthesis gap in ZTNA policy intelligence closes it in healthcare outcome routing, financial risk intelligence, AIOps incident synthesis, and every other domain where outcomes from structurally similar situations are currently trapped in isolated deployments.
The access decision problem has excellent tooling. What it has never had is a synthesis layer. That layer is now specified.
Previous in this series: Your Network Observability Platform Sees Everything. It Learns From Nobody Else.
Top comments (0)