The correct answer is C . In Zscaler’s Zero Trust architecture, the recommended goal is to inspect as much traffic as possible , especially encrypted traffic, because inspection enables key protections such as malware detection, sandboxing, intrusion prevention system (IPS), browser isolation, Data Loss Prevention (DLP), cloud app controls, tenancy restrictions, and file type controls. The TLS/SSL inspection reference architecture explicitly states that organizations should strive for 100% of traffic to be inspected and that Zscaler strongly recommends this as the starting point.
At the same time, the same guidance also confirms that exceptions can exist. It says bypasses may be required for regulatory, vendor, or contractual reasons, and that bypasses should be used only in extreme circumstances . Examples include certificate-pinned applications, some Microsoft 365 flows, and certain regulated destinations. That means the platform should be able to inspect any application or destination , but the enterprise decides where inspection is ultimately enforced. Therefore, the best answer is not “always inspect with no exceptions,” but rather that full inspection is strongly recommended while allowing enterprise-controlled exceptions when justified.
