Skip to content
PainScaler

PainScaler

ZPA is the cloud. This is the storm.
Get started View on GitHub

What it is

PainScaler is a self-hosted Go + React tool that pulls a full snapshot of your Zscaler Private Access tenant, builds an in-memory index with backlinks the console doesn’t expose, and lets you ask the questions you actually have:

  • Who can reach this hostname?
  • Why did this user fail to reach that segment?
  • Which segments have no policy coverage at all?
  • If this connector group dies, who notices?

The ZPA admin UI does not answer these in under a minute. PainScaler does.

Pillars

Search

Full-text across segments, segment groups, policies, SCIM groups, connector groups, server groups. Milliseconds, in-memory.

Simulate

Construct a SimContext and run it through an FSM-driven evaluator. Get the verdict and the trace - which rule matched, which conditions skipped, why.

Audit

Orphan segments, policy shadows, domain overlaps, blast radius, connector load, SCIM reach. The reports your auditor will eventually demand.

Run anywhere

Single Go binary or four-container Docker stack with Caddy and Authelia out of the box. Pure-Go SQLite, no CGO, no surprises.

Getting started Prerequisites, environment, first run, dev workflow.
Policy simulator The FSM, the SimContext, and what the trace means.
Deploy with Docker Caddy, Authelia, and the data volume layout.

PainScaler is an independent tool. Not affiliated with Zscaler, Inc.