Zscaler, Inc. (ZS) Earnings Call Transcript & Summary
December 9, 2020
Earnings Call Speaker Segments
Bill Choi; Senior Vice President, Investor Relations (executive)
As you can see by my virtual background, the theme of this year's event is beyond limits, beyond the limits of legacy systems and network security and beyond the legacy thinking as we advance into a cloud and mobile-first future. We'll start today with a short presentation by our CEO, Jay Chaudhry, on our newly announced fourth pillar of our platform, the Zscaler Cloud Protection or ZCP. Afterwards, we will be joined by Amit Sinha, President and CTO; and Patrick Foxhoven, EVP of Emerging Technologies and CIO. Then we will open the session for question and answer. [Operator Instructions] We will not be providing any financial updates today. Please be mindful of this during the Q&A session. As noted on this slide, today's session may contain forward-looking statements including, but not limited to, our view of the industry, product performance, product business outlook and other statements that are not historical facts. These statements are not guarantees of future performance but rather are subject to risk and uncertainty. So with that, I will now hand over the call to Jay.
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Bill, thank you. Let me start with a few slides to give you a big picture view of where we fit. And the new pillar we launched yesterday, Zscaler Cloud Protection. By now, hopefully, you're familiar with our Zero Trust Exchange platform and pillars, ZIA, ZPA and user experience. These 3 are focused on user protection and experience to make sure a user can get to any application with good experience. We have been building over time to make sure we have a strong story to expand our offering in the next area. And that is, let's go beyond protecting users, to being able to protect servers and workloads. So the launch yesterday is of Zscaler Cloud Protection, which has multiple solutions in it. But the great thing it does is that expands our market significantly because we're not just doing user protection, we're also getting into workload and server protection. And I'll give you a quick high-level view of it. Hopefully, some of you had a chance to listen to my keynote where I covered it at a 40,000-foot level that Amit and Patrick, during their product innovations, kind of brought it down to a lower level. This fourth pillar actually completes our overall offering. Now why do we care about Zscaler Cloud Protection. If you look at the workloads moving to the cloud, the distributed, multi-cloud, they evolve, they change, their configurations are pretty complex. They're dynamic. They come, they go. And DevOps moves faster than secured. They're actually going ahead and doing things that aren't even secured. And connectivity, trying to [ take ] your traditional network-based connectivity with all these ingress and egress routes is complicated. Traffic flow, east and west, very low controls. So we looked at the problem in 4 key areas as we talk to our customers. Security posture workloads when there's so many workloads are being deployed out there, literally millions and millions of workloads out there. What's configured properly? What's not configured properly?
It is the biggest source of security risks. That's one problem customers are asking us to solve. Second, they need various applications or workloads to talk to each other within the same data center from public cloud A to B to C, whatnot. That's the second thing. How do I do it securely? Third, within our cloud, risk of lateral movement. Typically, you connect the networks. Once you're on this beautiful flat network, you can reach anything and everything which is wonderful, but which is also dangerous at the same time. And fourth, right, the most important, you may have the secured stuff, but your employees and your B2B customers need to access those applications securely with great experience. So those are the things we looked at. And we have been hearing from our customers that they have been trying to do it in a traditional way where the network security rate is not working. So what do we have? It's a combination of some of the investments we've made in-house, building upon the zero trust technology we built for ZIA, ZPA and the like. And some acquisitions with focus being how do you protect multi-cloud workloads. Multi-cloud is important because you don't have hardly any customers who is depending on one cloud. So Cloud Security Posture becomes important. Gartner calls this thing CSPM and its proper configuration, the like. It's a new revenue opportunity for us. We have started with cloud native and are evolving and growing it. I'll dig a little bit deeper into it. Workload communication. The -- workloads or applications sitting the data -- sorry, in the data -- sorry, sitting in your public cloud on -- an island, they need to talk to each other. Communication need to happen across cloud to cloud. Traffic goes from workload to the Internet. And you got cloud to data center connectivity. All that has to be done. And we built a very cool technology called Cloud Connector that powers this communication. 
And essentially, the ZIA, ZPA use case, which used to be for user protection, now it's getting expanded to workload protection, and the pricing will be workload based just like user based and here, workload based, but it expands our TAM significantly. Third area is segmentation, within a data center within a public cloud. This is where customers have been trying some of these virtual firewalls, doing network segmentation or some of these new vendors like Illumios of the world. But really, we haven't seen serious traction. Customers are still looking at better solutions. And we built and expanded upon Edgewise Networks acquisition we've done. And at the end of the day, all of this is good only if the users can access the workloads. So it actually required ZPA to be able to go and access those applications directly without having to go to the data center. So that's our overall positioning. Three major new areas of functionality, plus ZPA for users to access these applications. I'll give you a little bit deeper view of each without getting too deep into it. CSPM is the term Gartner coined. All kinds of workloads being deployed across multiple clouds, including applications like Office 365 that got to be configured properly with so many [ knobs ] out there. And we acquired this company. We're further enhancing it. We're making some serious investments to make sure our CSPM offering is the best in the market, but it starts with discovery of what assets do I have, how are they configured. Being able to match against a lot of standard compliant configurations to identify what's not compliant. And the prior times, what's the risk of noncompliance and being able to do auto remediation alike. Important area, this market is ready out there, and we are beginning to sell this offering out there. So that's one. Two, this is probably the most exciting and very unique because here, we are bringing zero trust to the data center or call it, zero trust for public cloud. 
Almost all vendors out there are trying to do network-centric communication. You could throw firewalls here and there, all that type of stuff. But in this approach, I got to say, workload needs to talk the Internet. Setting an AWS, it needs to go to Internet. Well, we -- our Cloud Connector is very smart. It figures of the traffic and direct it to ZIA policy engine, and you can apply the same policy, same protection. What would you do without it? You'll try to buy some virtual firewall. Well, how do you do a cyber threat inspection? How do you do SSL inspection? How do you do DLP inspection that you used to? You miss it. So we bring all the rich functionality to the traffic that's known user traffic, that's air traffic to secure it. Then there's a cloud-to-cloud traffic. Probably Azure traffic needs to go to -- from Azure east to Azure west. Maybe AWS traffic needs to come in app, and AWS needs to talk to [ app and ] Azure. All this stuff flows through our Zero Trust Exchange powered by Cloud Connector. You also need the same thing, data center to cloud. Today, you typically have a dedicated site-to-site VP, expensive. And it's network extension, not really 0 zero trust type. This is the third area. Fourth, more and more businesses want to change the old way, where they're trying to send larger data exchange and files between 2 companies through some kind of old convoluted system. With zero trust, we can do it in a much better fashion. So this is an exciting, highly, highly differentiated use case. The third area -- I mean this is a diagram we picked up from the Internet how people try to do this kind of cloud protection with workloads, firewalls or VPNs to go out, to come back in, VPN to data center, all that mess. Now for segmentation, we've got a very cool approach where Edgewise gave us that very, very important IP, being able to create identity of -- software identity of workloads, okay? That's a core IP we bought. 
And they know within a public cloud, you can kind of say, this app can talk to this app, but this app can't talk to this app. And all this is powered by a bunch of sophisticated machine learning models. Because when you have lots of workloads, lots of policies, you need automation, and ML is playing a big role and the segmentation policies are automatically generated. Otherwise, operationally, it will be very hard to do. And it is -- it's great benefits in terms of operational benefits without a lot of overhead and the risk reduction. This is a younger market. It's going to take some time as customers are getting educated in this area. Fourth is really the overall benefit. Once you got your stuff in the cloud, just like I'm showing here, in the old world, you would be going back to the data center and going back site-to-site over. Now with ZPA, all these workloads can be accessed directly through us. They could be in your data center. They could be in GCP, Azure and AWS. So this thing kind of rounds out the benefit customers are [ driving ]. So in summary, public cloud is happening. We all know that. Traditional security is a problem in a public cloud. It doesn't work. The new approaches are needed. And really that's what we have built here. Essentially extending zero trust to public cloud, that's number one point. Number two, think of the opportunity. Just like end points are looking at saying, "I am going to take EDR to servers." Here, we're saying, "I need to take, use it to app communication, zero trust technology or app-to-app or workload-to-workload communication," so it expands our TAM a bit. So with those remarks, Bill?
Bill Choi; Senior Vice President, Investor Relations (executive)
Okay. Thank you. Now we'll start the Q&A session. [Operator Instructions] Our first question will come from Andy Nowinski from D.A. Davidson.
Andrew Nowinski (analyst)
It was good to listen to a lot of the presentations yesterday as well. Maybe I'll start with a clarification. On the slide you just presented today, you said that ZPA is a cross-sell but it does seem like it's maybe the opposite. Wouldn't they deploy ZCP first -- or excuse me. They wouldn't deploy ZCP without first running ZPA. So it seems like ZCP, the cloud platform, is actually your cross-sell that you'd sell into all your accounts that are running either ZIA or ZPA already, right?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
So it's a good question. So first of all, when I use the word "cross-sell," I said, we already are selling ZPA for data center, VPN replacement, it becomes one more opportunity to be able to go to public cloud, okay? That's one. The second part is actually, there's no proper sequence to embrace ZCP. If you look at the 3 pieces of ZCP out there, we think CSPM, Security Posture Management, and the second part, where I said workload communication within a kind of cloud to cloud and cloud to Internet. Both of those, these products are being asked for by our customers today. So you could be start -- some of our customers are starting with a CSPM, some are already starting with workload communication. But ZPA will be needed, well, by everyone. We believe that every customer of Zscaler eventually will have ZIA, ZPA and ZDX because once you have those 3 things, you can access any application, internal, external. And with ZDX, you can know the performance, security and user performance both get solved.
Andrew Nowinski (analyst)
That makes sense, Jay. And then last question for me, can you just give an example of an unprotected workload at one of -- like a Zscaler customer? So a Zscaler customer's already committed to transforming their network infrastructure. They're already running, presumably, a next-gen architecture. They're not running a legacy architecture. So what are they using to protect? And presumably, they're already -- some of the workloads are in the cloud as well already that our Zscaler customers. So what have they been using or have they just not been protecting these workloads in the past?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
I'll start, and Amit, you can add to it. We have a tool called Internet Attack Surface. We point to a given company called acme.com, for example. And see what can I see out there without sending any active traffic because a lot of information sitting in Google and Shodan and the like, we see so many workloads that can be discovered, that can be attacked. In many cases, customer doesn't even know about it, how it's being exposed. So they need a tool like CSPM to identify it, for example. And in many cases, they can fix the configuration. But in many cases, then they will need -- some will be exposed, they need to go through a tool like ZPA, so they don't expose them to the Internet. But there's a lack of education, in some cases, and there's a lack of the right technologies on other cases. Amit, do you want to add things to what I said?
Amit Sinha (executive)
Yes, absolutely. I think, Andrew, there's a lot of cloud sprawl that is happening. If you look at ZIA and ZPA, predominantly, we are -- we have been protecting users accessing applications either in the Internet SaaS or in private workloads that require a VPN. But as applications are moving to the cloud, things are sprawling. I mean you might be moving an SAP application, maybe the back end is sitting in your data center, the front end is moved to Azure. How is Azure talking to your data center, right? Those are the kind of use cases that are greenfield opportunities for us to expand into, right? Similarly, as more applications move to AWS, what is happening is people are bringing the traditional data center thinking into AWS, right? Let me -- I had a firewall here, let me deploy firewalls, let me do VLAN segmentations. And that architecture that Jay was sharing becomes hairy very quickly, right? Because now you're talking about this VPC talking to this VPC, going through a transit gateway. Well, the Internet access is available only from this transit gateway. All of these are sort of greenfield opportunities as we start getting to app-to-app communication because people are just still thinking of their legacy way of doing it in the data center, except now they are trying to move it to AWS and Azure. So we believe that many of the zero trust concepts that we brought to secure a user to app communication naturally extend into cloud workloads. And it starts off with those 3 things. One, as I get into AWS and Azure and GCP, configuration management is the #1 problem, right? Do I have an open S3 bucket? Maybe I was doing some QA testing to an entire customer database and put it in an S3 bucket somewhere, and it was left open, right? Those workloads have never traditionally been part of the Zscaler ecosystem, and cloud protection brings that into the fore.
Bill Choi; Senior Vice President, Investor Relations (executive)
Okay. Our next question will come from Hamza Fodderwala at Morgan Stanley.
Hamza Fodderwala (analyst)
Thank you for doing this product presentation, very clear. I wanted to get your early sense about sort of what you see as a market opportunity here, right? Because you mentioned a few times, this really expands the TAM for you. Amit mentioned, sort of bringing you into sort of a lot of greenfield spaces. So I guess for Jay, Amit or -- and even Bill, how are you thinking about framing that market opportunity as you move to a more workload model? So said another way, there's going to be roughly $100 billion or so in PaaS, IaaS spend today that's probably going to grow, let's say, by double over the next 3 to 5 years. What percentage of that do you think is going to be a workload protection solution like this?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
So the unit opportunity for us is number of workloads, okay? The way -- yes, and the bigger the market, we will charge by workloads. Every workloads need to be how we charge for your security posture, how many workloads are we monitoring and really looking at the posture, how many workloads are talking to each other, it's essentially based on that. That's obviously the opportunity. We think with public cloud, those workloads are growing. They keep on growing and growing, and then they'll need someone like us to protect it. So do we have an idea to quantify it at this stage? It's probably too early. But do we get a sense that it's a pretty big, big TAM opportunity? Yes.
Amit Sinha (executive)
Yes. And so CSPM, workload segmentation and workload communication, all will be priced on a per workload basis. And we'll discuss the TAM at our Analyst Day, which would be in January.
Bill Choi; Senior Vice President, Investor Relations (executive)
Okay. Next question will come from Joshua Tilton at Berenberg.
Joshua Tilton (analyst)
Yes. Hey, guys, can you hear me?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Yes.
Joshua Tilton (analyst)
Just a quick one for me. I just wanted to kind of touch on the workload segmentation feature, just -- I understand it's early, but who have you identified as kind of your competition in this space? And then how much of a moat, would you say, do you really have around an identity-based segmentation strategy? In other words, why can't others come out and kind of mirror this with their own identity-based approach?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Patrick or Amit, do you want to take it?
Amit Sinha (executive)
I can share some insights, Patrick, as deeper insights. It's a good question, Joshua. In order to look at this space, again, the traditional thinking has been, I know how to build a firewall, let me bring virtual firewalls into my AWS or GCP workloads. I'm going to do -- have static ports and protocol-based rules that says, "Here is my UI server, and it's only allowed to talk to this database over this port." And we all know that, that does not stop lateral propagation from happening because once one workload is infected, malware knows how to explore its static rules and propagate laterally. So we believe that sort of traditional thinking, even the Illumios of the world are thinking more around traditional network-based segmentation inside a modern cloud workload. The identity-based approach requires a complete rearchitecture, right? So when we say identity, we are looking at multiple attributes. We are looking at, well, this is a UI process and there is a lot of fingerprinting that is going on. What machine is it running on? What MAC address is it coming from? And there's a list of attributes that go into asserting a strong identity for that particular process. And doing it at scale is a hard engineering problem, right? You're sitting right in the middle of a very high-speed communication that might be happening between one workload and another workload inside, say, AWS or Azure. So doing it at scale is a hard engineering problem. It's not just a simple identity. It's multiple different attributes going into fingerprinting that identity. That's a tough problem. The third problem to solve is how do you simplify the deployment, right? So we use machine learning-based auto segmentation, where you click on a button and it -- the workload segmentation will look at the topology of your application and say, "This is how it needs to communicate." And that simplifies the DevOps cycle dramatically. We're not again tinkering with manual rules.
In a complex application, you're going to have thousands of different pathways. How do you automatically discover and say this is legit, this is not legit? So all of those are hard engineering problems that we have built IP on. And most people in this space are still traditionally thinking of static kind of network-based isolation principles that just don't work. Patrick, do you want to add anything to that?
Patrick Foxhoven (executive)
No, that was good. I -- maybe just to emphasize that point or pile on to that point that Amit was making. Almost every other solution in the space, like Amit was saying, is network centric, meaning it's IP address. It's a traditional firewall or ACL-based approach. And that's why projects like microsegmentation have been so much of a failure. We rarely see customers have -- they may have implemented microsegmentation in one piece or part of their network, but not holistically, not across the organization. The approach that we have, like Amit was saying, is identity based, and it's a much lower-level approach. It's not at the network level, it's at the process level. It's a lower level that gives us a much stronger form of identity that is just not possible if you're doing this at the network level.
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Yes. So our belief is that the traditional firewall, network-centric approach won't work based on what you're seeing from the customers. And it's an opportunity for us. I talk to many customers, some of the forward thinkers who said, "We would love to do segmentation. We have tried product A, B and C. It just doesn't work." So we think our approach is very promising. Having said that, I'll say this is a younger market. It needs a fair amount of education. But I would rather be in a younger market and educate the market than try to go later on and become a me-too.
Bill Choi; Senior Vice President, Investor Relations (executive)
Our next question will come from Taz Koujalgi at Guggenheim.
Imtiaz Koujalgi (analyst)
Two questions. One -- first one is, it looks like some of the functionality you have in ZCP will overlap with, I guess, native functionality you get from the cloud vendors, AWS, I guess, security gateways and Azure firewalls. How do you address the fact that you would be competing with the, I guess, the cloud vendors in some areas with the ZCP product?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Every cloud vendor will have some pieces here and there. I mean should -- would Microsoft do some kind of firewall? Yes. But okay, what does that firewall do? If you really look at what our CISOs are telling us that every server -- I shouldn't say every. Most workloads talk to the Internet from the public cloud. And what is -- what do they need to protect, number one, cyber threats. Number two, data loss. All those connections are SSL encrypted. Somebody needs a proxy architecture with multi-tenancy to simply send the traffic to some cloud and [ set goals ]. As our Fortune 500, Global 2000 customers had deployed ZIA, they're basically saying, "I can use ZIA technology for policy enforcement, for DLP and cyber threats. I had no way to really figure out and send the right traffic of a given cloud. [ You -- with ] our Cloud Connector that's [ powering ] the technology, you could have the traffic coming from AWS, Azure, DLP, VMware, your own data center. Same policy, same protection. So it's very compelling. Will some of the firewall functionality from AWS or Microsoft get in the middle of it? We don't think so. Will those firewalls do some level of macro-network segments? Probably yes. That's fine. But I think the opportunity is big for us, especially for large customers who understand the value of our platform.
Imtiaz Koujalgi (analyst)
That's very helpful. Just one follow-up. One thing we've heard -- we hear from CIOs is that the world is going more towards a hybrid architecture, more multi-cloud wall. People are not going to be using just one cloud, we'll have people using AWS, Azure and ZCP. Now does ZCP product work across clouds and across on-prem and cloud? Or will it be limited to just the workloads, which are residing within a certain cloud?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Amit?
Amit Sinha (executive)
Yes. It's a great question. I mean you answered your question yourself, Taz, right? We are designed for a hybrid-cloud world. Cloud Connector works on Azure and AWS and GCP. It also works on your VMware-based data center, where have you, right? So since we are not living in the world garden of AWS, right, you need a uniform approach that can allow any workload to talk to any workload regardless of the infrastructure it is hosted in, right? So to some extent, firewalls have already existed in AWS and Azure. That's how VPCs are designed, right? And my router has a bit in firewall. We need to sort of up level and talk about how do we have workloads across multiple different infrastructures, talk seamlessly through a common policy engine, through a common Zero Trust Exchange platform. And that's really what we've built. And most organizations are not going to just bet on one cloud provider. They will have scattered and distributed workloads, and they will need to have consistent policies across all of them. And Cloud Connector enables that definitely. So does CSPMPs (sic) [ CSPMs ] and workload segmentation, they work regardless of their underlying infrastructure.
Imtiaz Koujalgi (analyst)
And just one follow-up, if I may. This would be a service, right? It's a SaaS. You're not deploying a software on a VM in AWS or Azure, correct?
Amit Sinha (executive)
Right. All 3 services are SaaS, right? The CSPM is a SaaS service. You -- with APIs, you point to your cloud workload. You -- we give you all the misconfigurations and auto remediation options. With the Cloud Connector, you can automatically provision and auto scale whatever is needed based on your workload, regardless of, again, the infrastructure it is deployed in. And it is all based on the same subscription model instead of users will go more towards a workload-based subscription. But it is all a SaaS service.
Bill Choi; Senior Vice President, Investor Relations (executive)
Okay. So we'll take our next question from Alex Henderson at Needham.
Alex Henderson (analyst)
I would hope to get some detail on a couple of the elements. First off, do you need to sell this to the DevOps teams? Do you sell into the shift-left community? Or is this primarily going to be sold to the IT administrator, the SecOps teams back at the corporate? And when you define a workload, if I take an application and I deploy it across, just hypothetically, Akamai's 4,000 locations, is that considered a workload? Or is that considered 4,000 workloads because it's running it in 4,000 different locations? And then the last piece I just wanted you to clarify is, obviously, policy is critical here. Policy management problems with the flow-based architectures of the Palo Altos of the world have been a huge impediment. But I assume that this is a per user per application policy implementation going forward, which I think is core to your architecture. Is that accurate?
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Thank you. Let me start with the first one. You have a 3-part question. The first one, who is the buyer, okay? The buyer could come from DevOps side of it or come from security operation, network operation side of it. Our primary buyer of Zscaler today has been starting with CIO to enable transformation, with Head of Infrastructure and Head of Security having been the primary 3 buyers. For example, the one thing our customers have been asking for a long time is -- and this is being asked by the CISO and the CIO. My users go out to the Internet through you. My workloads need to go through you with the same security, same data protection type of stuff. Yes, we do get brought -- DevOps gets brought into the loop, but our primary start from the production side of it, from the security operations side of it. And over time, we'll get to both ways, but there are 2 decision-makers. DevOps is an important player, but who runs the operations, security and all is important as well. That's part number one. Part number two, Amit, do you want to take that?
Amit Sinha (executive)
Yes. What was the specific part 2 question?
Alex Henderson (analyst)
So the question is if you're defining a definition of a workload here. So people think about a monolithic application running on a single server as a workload. But obviously, in a CI/CD pipelining world, they could be highly distributed and therefore, implemented in thousands of locations.
Amit Sinha (executive)
Right. So the concept of a workload is pretty well-defined in public cloud infrastructure, right? And for example, when we do our CSPM scans, you -- a typical organization might have a few thousand workloads. We're not counting instances like a CDN scenario, where you have 4,000 copies of the same thing as a workload. However, if you have a VM, that's a clear workload. If you have a Kubernetes cluster with X number of running instances, that's a workload. And similarly, you might have a serverless workload, right? So those concepts are well understood within the AWS framework or the Azure framework because they believe based on it, right? So it's not an ambiguous concept, and we're going to piggyback on that.
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
And there was a third part, Amit.
Alex Henderson (analyst)
The last piece was on the policy.
Amit Sinha (executive)
Right. So yes, I guess your question was, we've traditionally been a user-to-app policy, how does that translate to an app-to-app world? How does that translate to a workload or process-to-process world? I'd say translates quite naturally, right? When you're able to implement policies for an organization with 400,000 users talking to millions of applications. Being able to translate that to a few thousand workloads, talking to a few other thousand workloads is relatively simple. The amount of traffic per workload goes up. But the complexity of the policy decision tree is actually getting simplified. And we've done it at a bigger scale and bringing it back to us to a more manageable scale is easy.
Jay Chaudhry; Co-Founder, President, CEO & Chairman of the Board (executive)
Right, just to expand, just like today for user, we can do a specific user to whatever. Here, we can do a specific workload-based policy or you can have a group of workloads either way.
Amit Sinha (executive)
I mean think of it this way, Alex, right? Today, for an organization like Siemens with 400,000 users, you can go to the Zscaler console and for every user, have a specific user-level policy for every destination. We'll support it, right? I mean no organization wants to do it that way, but we have that kind of scalability building. Now workload is a little more static, right? You might have a server that needs to go to the Internet to download the latest Linux patch on it, right? So those are a little more manageable. Since we've done it at that user scale, the ability to translate into a workload scale is easier for us.
Bill Choi;Senior Vice President, Investor Relations
executiveOkay. Great. Our next question will come from Brian Essex at Goldman Sachs.
Brian Essex
analystMaybe I was just wondering, kind of back to the competitive environment, you see a number of your different peers in the market approaching this from an end point perspective or a platform perspective or a developer perspective, you guys from like a network-access perspective. How do you see yourself differentiating yourselves from some of those vendors, some of which are partners of yours, particularly maybe compared to like a CrowdStrike who's approaching the cloud workload protection market in a little bit of a different way? But with a different construct in that, they can have contextual data around access and workloads.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveYes. So I think we think from the ecosystem in a pretty meaningful way, yes. So what's end point vendors doing? Here's my EDR. Since you have lots of workloads, I should run the same thing on my workload to make sure nothing malicious is going on. It is just like the device protection. It's the workload security by running AV. Just because you've got CrowdStrike or Microsoft or VMware end point, you still need Zscaler. We are the switchboard. We are standing in between. So if you're stuck with the stuff you're talking about, which workload can talk to which workload and under what policy? When my workload talks to Internet, somebody has to sit in the middle. It's like an international airport who goes -- we are sitting in an ideal position to connect the right party to right party. Now that doesn't eliminate the need for having a host end point software or, say, workload software sitting to -- for doing the kind of security end point does, it's complementary to us. We are in between, communication from A to B. So that's how we look at it differently. Now the other one, who else did you mention? So end point to us is very complementary.
Brian Essex
analystOkay. And maybe...
Amit Sinha
executiveAlso Brian, one point I'd add there is, as you think of the way the world is evolving, it's moving more and more from my data center to VMs in AWS to serverless and kind of lambda functions, and just as a service, right? I'm running BigQuery. I'm running Snowflake, right? So all of these, where will you put your end point agents, right? So kind of the same concept that we thought about when we said, "Hey, how do you run this on your right phone on a 5G network, right?" So if you think forward, the firewall vendors will think of virtualizing firewalls and running it in the cloud. The end point vendors will think about virtualizing their end points and running it in a VM host. But as you move to more kind of -- there's the pure SaaS for which we do CASB, and then there is more and more just serverless computing, right? And that's where CSPM is very important, that's where the ability to do policy. This lambda function can talk to that Internet workload, but that's it. And how do you do it without putting end points becomes an important criteria.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveSo we like our switchboard function. Beyond the switchboard, who should talk to who based on the policy?
Brian Essex
analystOkay. Great. And maybe one just quick follow-up is are you applicable to development as well as run time?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executivePatrick?
Patrick Foxhoven
executiveApplicable to development and as well as run time. So the -- when we come in line, we're coming in line as a process on the machine that is at run time. It's not in the development CI/CD pipeline. That's the -- we would be complementary to kind of some of the things that would run there. But we're in an in-line, real-time -- run time agent.
Bill Choi;Senior Vice President, Investor Relations
executiveOkay. And our next question will come from Matt Hedberg at RBC.
Matthew Hedberg
analystJust one for me. I wanted to come at the kind of the TAM opportunity from a little different perspective. Obviously, ZIA and ZPA are seat-based pricing. But in some of your early conversations with some early adopters of ZCP, if they're spending $1 on ZIA and $1 on ZPA, any sense for could ZCP be $0.50? Could it be $1? $1.50? Just even from a magnitude perspective, how do they think about the spend in this category relative to your other categories?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveEarly stage, we are collecting data in February, early pricing. We've learned from the customer. I think it will be probably a little bit too early to give you some data points. Probably in a few months, we'll have much better data points. The data point's a learning -- purely learning point of view right now. So...
Matthew Hedberg
analystAnd then I guess maybe from those data points, from some customers that have looked at it early, maybe pilot phase customers, beta customers, what has been -- what have they been sort of most happy with so far?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveI think it's a range. So we are finding that some customers, we kind of try to go and get them early on with very attractive price, some have tried to pay. Pretty significant. So the gap is quite big. So we'd rather narrow it down before we kind of share the numbers with you because that's how we'll finalize our price as well based on what the market is looking for. So give us a few months, we'll have it, okay, share the data.
Bill Choi;Senior Vice President, Investor Relations
executiveOur next question will come from Brad Zelnick at Credit Suisse.
Brad Zelnick
analystNice to see everybody, and thanks so much for hosting the event. Jay, for yourself, or Amit or Patrick even, how should we think about ZCP pairing with SD-WAN? As it seems like you're adding the application awareness that SD-WAN is based on. And maybe in context with your VMware partnership, which I know you've expanded recently, how should we think about the selling motion and how this could pair with what they're doing with NSX and network segmentation with the workload segmentation that you've announced?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveRight. So we look at Zscaler as independent of the network. We'd like to say that we are totally decoupled application access for network access, right? When questions get asked to us and say, "What are you doing with SD-WANs?" Say, "We can take traffic from SD-WAN. For SD-WAN or a router, it's the same thing to us. It really doesn't matter." I think when it comes to the market of segmentation. This market is relatively young out there at this stage. In fact, if you ask me, how many customers have done network segmentation or any kind of app segmentation successfully, those numbers are very, very small, okay? So do we have enough data on the approaches on? We don't. Yes -- are we aware of the network segmentation that VMware is doing? Yes. I think we'll -- it remains to be seen where the market evolves. But we like the zero trust approach where we are totally independent of the network. Now the 3 areas I talked to you about our functionality, I think CSPM is ready for prime time because customers who have already deployed hundreds of thousands of workloads, they need security posture and policy configuration. The communication between the data center and public cloud or public cloud to Internet or communication between Azure east and Azure west, without connecting the network, there's a big need out there for that piece. So the Cloud Connector is actually enabling and empowering that piece. So that's -- actually, that market is ready to go. The third piece, if you talk on a microsegmentation level, early stage, we're learning and figuring out. As I said, we'd rather educate the market upfront. But to answer your questions, I would say, I haven't seen enough data out there.
Brad Zelnick
analystFair enough. Jay, thank you for that. And it's always nice to see you pushing beyond limits.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveThank you.
Bill Choi;Senior Vice President, Investor Relations
executiveOur next question will come from Walter Pritchard at Citi.
Walter Pritchard
analystOn -- just 2 things. One, I just want to be clear on what actually has to be deployed in the customer's network to be able to -- or what you have to have access to, to be able to do the sort of 3 things you're talking about. So that's just a clarification. And then I'm wondering, as you think about container, serverless, I mean everybody is coming at this from a different angle. You have the sort of traditional workload that's a VM, you have virtual firewalls, you have the sort of cutting-edge workloads that are not very deployed but there's solutions today. I mean all the providers seem like they're taking a different approach on these different workloads. I'm curious how you expect to see your cloud workload protection offerings adopted initially versus where we're seeing some of these others adopted because everybody's got a very small initial footprint.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executivePatrick, do you want to start with that? And Amit, you can add on.
Patrick Foxhoven
executiveYes. I can tackle the what you deploy, the first part of the question. So the answer varies depending on which the -- which part of the suite or entire cloud protection bundle that you're deploying. If it's the security-posture element, that's just an API integration. There's nothing you're really deploying. You're configuring APIs and enabling us to have access to what you're governing there. If it's the workload communication, that is a new component that we call a Cloud Connector. And that is something very similar to what customers already deploy when they run a VM or a piece of software from us in their environment, that's what the Cloud Connector is. That's the form factor. And then the workload segmentation, that's actually a piece of software that gets installed in the existing -- it's not a VM or something on the side of the network, it's installed on the existing machine or container that's running the workload. And technically speaking, it's a kernel security module. It's a software process that goes on to where the workload's already running. So hopefully, I touched on -- those are the 3...
Walter Pritchard
analystYes, that's actually very specific and helpful.
Patrick Foxhoven
executiveSure.
Walter Pritchard
analystAnd then just -- I'm just curious kind of how you think people will come at like different -- where will you -- like if we hear success here in 6 months, where do you think we'll hear the initial success? What type of workloads? What scenarios? Because it seems like everybody has a bit of success in this market but nobody really has any share today.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveThat's correct because the markets are young, right? Our installed customer base is all looking for CSPM, right? That's number one, right? I think that second area, what we call, workload communication, we are very unique in that area. I want my workloads to be able to talk to Internet. Any Zscaler customers say, "Oh, I know that's with ZIA, gives me such a great security and DLP. Now I can take it to new workloads and new markets for us, or being able to talk among workloads." I haven't seen anyone do zero trust-based communication among those things. We're seeing like what do customers do, right? Data center should be connected to my AWS. My data center to Azure. My data center to this. We are actually extending the networks over. We have seen situations where something got, actually, hacked in a public cloud because of bad configurations. And the malicious actor could actually traverse over to the data center because the networks are connected to each other. So we bring a unique benefit in that deployment. So we expect our workload communication to actually have very good traction. And the third area I said before, it is really nascent, and customers are figuring out, and it's not easy, microsegmentation in that level. And that market will probably take the longest time. But the first 2, we are feeling very good based on the traction we've seen.
Bill Choi;Senior Vice President, Investor Relations
executiveOur next question will come from Sterling Auty at JPMorgan.
Sterling Auty
analystSo actually, that was a great segue, so thanks, Walter. So I wanted to know what was deployed on the client side. But now let's go to the other side and understand where are you actually delivering the solution from -- in terms of Zscaler, is this running out of your public cloud footprint? Or your private cloud? And is the entire ZCP available globally? Or how are you thinking about rolling it out region by region?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveAmit?
Amit Sinha
executiveYes. So there are 3 components of ZCP, Cloud Security Posture Management, it's a SaaS service. It's available today. As we mentioned earlier, all you need is to authorize us to scan your AWS tenant or Azure tenant. It discovers in terms of -- all your misconfiguration. So available globally, nothing needed -- no -- nothing needs to be deployed on the customer's VPC, for example, right? The Cloud Connector piece, which is connecting workloads to the Internet or workload to workload across data centers or across between 2 clouds. That does require a VM. That VM is 100% managed, orchestrated by the Zscaler Cloud. The VM runs in your AWS VPC or Azure VPC, it dramatically simplifies your VPC design. You don't need to have complex gateways, transit, VPCs and all that other stuff that traditionally goes into designing these. And it is like other virtual components that customers deploy from Zscaler, right? When they deploy ZIA, they might deploy a log streaming service. They might deploy a virtual zen, which is -- or a private service edge, which is extending on to their particular section, right? So again, that's available globally. And...
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveHey, Amit, if I make one comment to that but -- before you move on the next topic.
Amit Sinha
executiveGo ahead.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveIt's like a traffic cop. There's not a whole lot to it. The difference is when you deploy a firewall [ world ], you're talking with the policies and that stuff. This is a traffic cop that's, really, [ directing on traffic ], where it needs to go. Hence, it's a much simpler deployment and ongoing operational stuff.
Amit Sinha
executiveIt's -- think of it as, today, users deploy a Zscaler Client Connector on their laptop. It's a lightweight, traffic-forwarding agent. This is a -- instead of Client Connector, it's a Cloud Connector. It's just sitting in your cloud where your workloads are and forwarding traffic either to other workloads in the interim, right? So that's available, again, globally. Nothing needed, except deploying this particular small agent on your VPC. The third bit for the workload segmentation, it's a nascent area that does require this -- a little bit of a host-type agent that is deployed on those workloads. And again, that's available. That customer has to do it on there -- inside their workload. It's available wherever customers want to try it. Folks, I need to jump and host the CISO panel.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveNo worries.
Amit Sinha
executiveI need to run. Thank you.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveYes. Thank you, Amit.
Bill Choi;Senior Vice President, Investor Relations
executiveOkay. So our next question will come from Roger Boyd at UBS.
Roger Boyd
analystCan you hear me?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveYes.
Roger Boyd
analystVery good. On for Fatima this afternoon. I guess thinking about the -- with the addition of ZCP and CSPM finding a home there, does that change how you're thinking about, I guess, the modular add-on approach around ZIA in the past? And maybe if we'll see some new bundles around more of the converged CASB, Secure Web Gateway, DLP that seems to be resonating well?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveI think it's too early for us to make the decision. We'd like to get some traction, see the degree of traction, then eventually, over time, we create bundles. Right now, we are individually selling ZCP solutions being presented. And based on the customer interest, we're selling it. But over time, you can expect us to bundle it in certain things.
Roger Boyd
analystPerfect. And then I guess going back to the DevOps pipeline, given the fact that you're focused on run time and not being sort of in the pre-deployment phase, how are you thinking about areas to maybe partner, integrate with the tool set that is in the CI/CD pipeline?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executivePatrick?
Patrick Foxhoven
executiveSo we're actually very complementary or almost agnostic to what's being done in the development pipeline. So that's -- we don't really -- just like a -- well, we're not a firewall. We're not -- we're saying it's a much better approach. But just like a firewall is not intrusive to that pipeline and is completely out of the picture, the same is true for what we're doing as well.
Bill Choi;Senior Vice President, Investor Relations
executiveOur next question will come from Walter Price at Allianz.
Walter Price
analystI don't know if you can hear me.
Bill Choi;Senior Vice President, Investor Relations
executiveYes, we can hear you.
Walter Price
analystSo my question is, we've -- in the cloud -- the most famous breaches have been the Capital One, AWS. And then recently, this FireEye breach yesterday where people steal identity and then go into a workload that they shouldn't have access to either tangentially in the case of Capital One or in the case of FireEye, they misrepresented themselves as a customer. How does your solution -- and I think that's really -- probably a really common way that nation states attack workloads that they want to get. How does your solution solve that problem?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveSee, at the highest level, if you think about most threats come because someone gets on your network and can laterally move left and right, discover other services, if they're not passed properly, getting to them. The whole thrust of zero trust is a switchboard approach, you connect someone to a particular application or service, don't put them on the network. That's what we have been trying to do with users. Now we are taking the same zero trust approach to servers. I think as more and more companies do this, the notion of your online network inside, outside, if that starts disappearing, life will get much better. Now would I say there won't ever be any security hacks? Not really. I think Security Posture will get much, much better with zero trust approach. Our customers are swearing by it.
Bill Choi;Senior Vice President, Investor Relations
executiveWe'll take -- I'm sorry, go ahead, Patrick, did you have anything to say?
Patrick Foxhoven
executiveI was just going to add, this Capital One breach is very well-known and dissected. There was multiple places where we could have helped in that. The first place was it was a misconfigured service in AWS, and that is core to what CSPM is meant to help discover and remediate. And then obviously, that was then used to do subsequent malicious activity. And that's where, Jay, the workload protection and being in line and the run time protection is what helps them solve that if they're already in as well. So we kind of tackle it in the Capital One scenario in a couple of different places.
Bill Choi;Senior Vice President, Investor Relations
executiveOkay. Thank you, Patrick. We have time for one more question. And our last question will come from Michael Turits at KeyBanc Capital Markets. Michael, you have to unmute.
Michael Turits
analystThat should do it. Guys, got me?
Bill Choi;Senior Vice President, Investor Relations
executiveWe can hear you.
Michael Turits
analystGreat. So congratulations, it does look like a big expansion to TAM, as you said, and a real broadening of what you're doing from a really strong architecture and platform. My question is this, what you've done to date has largely been a networking service. You've protected users from applications and workloads. But when you move into the cloud, whether you're doing Posture Management or looking at the connection between "workloads," those workloads are based on very, very distributed application. So it requires a level of knowledge, understanding, mapping of all those applications that wasn't really necessary for the prior types of security that you delivered. So how have you built that expertise? And I know you've made acquisitions. But in that sense, this is somewhat of a new area for you.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveI'll start, and Patrick, you can add. The core technology we are leveraging is our Zero Trust Exchange. What we have built over the past several years with ZPA, for example, and there's some of the same principles applied to ZIA as well. But with ZPA, especially, our switchboard approach. A user comes to us. We validate who you are. We look at the policy. We connect you to a particular application or service. But the switchboard is not just meant for users. It's meant to, say, a known entity to known entity, and we connect you, if the policy says yes. We needed to know the identity of workloads. And in the case of microsegmentation type of stuff, Edgewise Network brought it to us. In the case of others, Patrick, maybe you can expand the second area because we are seeing easy traction of workload communication from our customers. Why do you think it's easy for us to take over the workload communication market? There are 3, 4 use cases we talked about, workload to Internet, cloud to cloud, data center to cloud, independent of the network. That market is made for us. Maybe expand upon that a little bit.
Patrick Foxhoven
executiveYes. I would add to that saying that it's actually not as big of a -- as a leap, as I think was being characterized from the standpoint that if you look at our customer base, we have many, many customers already on our ZIA offering that is not -- they're not just sending us user traffic. They're taking their workloads that they've deployed in these environments, and they're actually forcing it via a network tunnel to go through our ZIA security stack so that we can help secure that already. So we're already in line to workload traffic already, even to the point that, that's a [ SKU ] now that we've been charging customers for years for. And we also, on the ZPA side, a core fundamental component of ZPA is to define named applications, which is workload environments. And so in ZPA, we've already had to figure out how to discover applications that exist, i.e., workloads, map them, understand the context of how wide they are in scope because it's never just an IP address or just a name of a host. It's much wider and broader than that. So we had to build application segments and all the hierarchy around that as well. So it's not -- I'd say it's not that big of a leap. We're already in this space already.
Michael Turits
analystGreat. And really, congratulations on this broadening.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
executiveThank you.
Patrick Foxhoven
executiveThank you.
Bill Choi;Senior Vice President, Investor Relations
executiveThank you. Now I want to thank you all for your questions. If you have got any questions remaining, please send those to [email protected], and we will respond promptly. We will also have today's presentation available for download on our IR website very soon. We're excited about our additional opportunity to disrupt the data center just as we are doing for enterprise perimeter. We want to thank you for your interest in Zscaler. This concludes our innovation briefing. Speak with you soon.