1️⃣ Why this is needed
Your organization uses Riot to run authorized phishing-simulation and security-awareness training. The login pages used in these simulations are hosted on dedicated Riot domains.
Because they imitate real sign-in pages by design, Zscaler may classify them as phishing or malicious and block them — which prevents your employees from receiving the training.
To ensure the simulations are delivered correctly, the Riot domain(s) below need to be allowed in your Zscaler tenant.
📌 Domain(s) to allow: secure-oauth.com (plus any additional simulation domains communicated to you by your Riot contact)
2️⃣ Overview — two actions
There are two complementary actions. Action 1 fixes access for your organization immediately. Action 2 asks Zscaler to correct the classification globally, so the block does not keep coming back.
| Action | What it does | Scope |
| --- | --- | --- |
| 1 — Allow in your tenant | Adds the Riot domain(s) to your ZIA allow rules and threat-engine exceptions. | Your org (fast) |
| 2 — Request recategorization | Asks Zscaler to reclassify the domain away from phishing/malicious. | Zscaler cloud (durable) |
3️⃣ Action 1 — Allow the domain in your Zscaler tenant
☝️ Important: Perform these steps in the Zscaler Internet Access (ZIA) Admin Portal. Menu labels can vary slightly between ZIA versions; the path names below match recent versions.
👉 Step 1 — Create a custom URL category for Riot
Go to Policies > Access Control > Internet & SaaS > URL Categories.
Click Add URL Category and name it, e.g. “Riot Phishing Simulation”.
Under Custom URLs, add the Riot domain(s) (e.g. secure-oauth.com), then save.
👉 Step 2 — Allow that category in URL Filtering
Go to Policies > Access Control > URL & Cloud App Control.
Add a new rule, set Action = Allow, and select the “Riot Phishing Simulation” category.
Move this rule above any rule that blocks Phishing / Suspicious / Newly Registered Domains, so it is evaluated first. Save and activate.
👉 Step 3 — Add threat-engine exceptions
Because the domain mimics a login page, the threat engines may still block it. Add the domain(s) to the security exceptions:
Advanced Threat Protection: go to Policies > Threat Protection > Advanced Threat Protection and add the domain(s) to the allowlist / “Do not scan” URLs.
Malware Protection: go to Policies > Threat Protection > Malware Protection > Security Exceptions and add the domain(s) under “Do Not Scan Content from these URLs”.
👉 Step 4 — (If needed) SSL/TLS inspection bypass
If access is still blocked on an HTTPS handshake, add the domain(s) to the SSL/TLS Inspection “Do Not Inspect” exemptions: Policies > SSL/TLS Inspection.
4️⃣ Action 2 — Request a global recategorization
So the domain stops being treated as malicious across the Zscaler cloud, request a category change. As a Zscaler customer you can do this in either of these ways:
Site Review: from a device going through your Zscaler cloud, open sitereview.zscaler.com, look up the URL, then choose “Modify Categories” to request a change. A Support case is created automatically from your email.
Support ticket: open a change-request ticket in the Zscaler Help Portal asking to reclassify the domain away from phishing/malicious.
☝️ Good to know: Site Review and reclassification requests are available to Zscaler customers only, and are handled on a best-effort basis (no SLA).
Justification to include in the request (in English):
The domain is owned and operated by Riot Security (https://tryriot.com/), a cybersecurity company specializing in employee security training. The domain information is publicly available. We use this domain for phishing simulation exercises that are only available to our customers and are not malicious. Could you please whitelist the domain so we can ensure the uninterrupted delivery of our training content and phishing simulation exercises? Thank you.
5️⃣ Verify it works
From a device behind Zscaler, browse to the Riot domain (e.g. https://secure-oauth.com).
Allow a few minutes for the policy to propagate, then confirm the page loads without a Zscaler block notification.
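A scripted version of this check, added here as an example (not Riot's or Zscaler's own code): run from a device behind Zscaler, it fetches the domain and reports whether the answer came from the origin and whether TLS is still being inspected (Step 4). It assumes that Zscaler-generated responses and inspection certificates carry the string "zscaler" in the host name, Server header or issuer organization, and that the inspection root CA is in Python's trust store; change MARKER if your tenant uses a custom CA.

```python
import socket
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

MARKER = "zscaler"  # assumption: default naming of Zscaler block pages and inspection CA

def classify(final_url, server_header, issuer_org):
    """Map what the client observed to a verdict for the steps in this guide."""
    final_host = (urlsplit(final_url).hostname or "").lower()
    if MARKER in final_host or MARKER in (server_header or "").lower():
        return "blocked"              # answer came from the proxy, not the origin
    if MARKER in (issuer_org or "").lower():
        return "allowed-inspected"    # page loads, TLS is still inspected
    return "allowed-bypassed"         # page loads, "Do Not Inspect" is in effect

def observe(url):
    """Fetch url, following redirects; return (final_url, status, Server header)."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry URL and headers
        resp = err
    return resp.geturl(), resp.code, resp.headers.get("Server", "")

def issuer_org(host, port=443):
    """Return the issuer organizationName of the certificate this device is shown."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    return issuer.get("organizationName", "")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "secure-oauth.com"
    try:
        final_url, status, server = observe(f"https://{host}/")
        print(host, status, classify(final_url, server, issuer_org(host)))
    except OSError as exc:  # URLError and ssl.SSLError are both OSError subclasses
        print(host, "no connection (blocked at the handshake or unreachable):", exc)
```

A result of "allowed-inspected" means Steps 1 to 3 took effect and Step 4 was either not applied or not needed.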
Need help?
If the domain is still blocked after applying Action 1, or you would like assistance with the recategorization request, please reach out to your Riot point of contact and we will help you through it.
✅ Key takeaways
Allow the Riot domain(s) in your Zscaler tenant (custom URL category + Allow rule + threat-engine exceptions).
Place the Allow rule above any blocking rule so it is evaluated first.
Request a global recategorization via Site Review or a Support ticket so the block does not return.
Still blocked? Contact your Riot point of contact.
References
Official Zscaler documentation this guide is based on (menu paths reflect recent ZIA versions and may differ slightly in yours):
