Zscaler has acquired San Francisco-based SquareX to extend its Zero Trust controls into the browser, with a focus on securing access from unmanaged and third-party devices.

The Nasdaq-listed cloud-native cybersecurity company did not disclose the terms of the transaction.

SquareX has built a Browser Detection and Response (BDR) product aimed at monitoring and responding to client-side threats that operate inside the browser.

Zscaler said the acquisition will support a browser-based approach that uses lightweight extensions across common browsers, rather than requiring a separate, third-party browser. The company framed the move as part of its broader Zero Trust strategy for distributed environments where users increasingly access applications through web interfaces.

Zscaler said it sees the browser as a security gap in older enterprise models, given that much day-to-day work now runs in web apps and many attacks target browser-based sessions and client-side execution paths.

The companies linked the deal to enterprise access patterns that still depend on remote access virtual private networks (VPNs) or virtual desktop infrastructure (VDI) for users on unmanaged endpoints.

Zscaler said it previously pushed organisations away from VPN-based remote access with Zscaler Private Access (ZPA), which it described as using a lightweight agent and device posture checks.

Zscaler CEO, chairman, and founder Jay Chaudhry said: “Enterprises have historically relied on legacy VPNs and VDIs, but these technologies are fundamentally flawed and laden with security risks.

“With SquareX, Zscaler is deepening our Zero Trust Exchange Platform’s capabilities in standard browsers, such as Google Chrome or Microsoft Edge, to stop threats without having to deploy a third-party enterprise browser. Zscaler continues to set the standard as we evolve into an increasingly powerful platform for global enterprise security.”

According to SquareX founder and CEO Vivek Ramachandran, browsers have become the primary enterprise execution environment and, as a result, a key target for attackers. SquareX designed its product to add real-time detection and response inside the browser via an extension, and to give security teams visibility into in-browser events while keeping the browsing workflow unchanged for users.

He also said the company expanded from browser threat detection into controls for application access from the browser, focusing on least-privilege access.

Zscaler said it expects this combination of in-browser threat controls and browser-mediated access to help organisations secure users in their existing browsers, including Google Chrome and Microsoft Edge, without deploying a full endpoint agent on unmanaged devices.

SquareX integrates with multiple browsers, including Chrome, Edge, Firefox and Safari, to avoid requiring browser change management.

On integration plans, Ramachandran said SquareX’s technology will integrate into the Zscaler platform and its Zero Trust Browser. He said the extension will add detection and response on managed devices and feed threat telemetry into Zscaler.

On bring-your-own-device and unmanaged endpoints, he said it will add “last-mile” controls intended to make a standard browser a functional alternative to VDI for some use cases. Those controls, he said, include support for work profiles, browser data loss prevention, device posture checks and local data protection.

Ramachandran said: “By integrating with Zscaler, we will enable organisations to secure SaaS and private applications across any device – managed or BYOD – without compromising productivity.

“This approach allows IT leaders to replace expensive, insecure legacy access tools with precise Zero Trust policies that protect data and AI interactions based on an organization’s specific risk profile.”

Prior to this deal, Zscaler acquired AI security platform SplxAI and managed detection and response (MDR) provider Red Canary in the last 12 months.