Zscaler, Inc. (ZS) Earnings Call Transcript & Summary
June 10, 2021
Earnings Call Speaker Segments
Jonathan Ruykhaver
Analyst: Okay. Welcome. I am Jonathan Ruykhaver, I'm responsible for security and infrastructure software coverage here aired. Very pleased to introduce Zscaler. From the company, we've got the whole team. Jay Chaudhry, CEO; Remo Canessa, CFO. Bill Choi is also with us. So it's a fireside-chat format. If you have a question, you can use the Q&A chat feature to ask that question. I'll get to as many as I can. I also want to mention that directly following this discussion, we have a breakout session for 15 minutes where you will have additional time for Q&A. So start off the discussion, Jay, it's interesting. As I talk to clients as we observe more and more vendors talk about moving it to this space, it just becomes more difficult for the investment community to really separate what differentiates certain companies' offerings. So from your own perspective, in your own words, can you just talk about why you think [ ZS ] has somethings different than ZIA and ZPA relative to the peers? How is that differentiation sustainable?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. Jonathan, thank you for the opportunity. I'll use a few slides to set the stage as visuals can make it a lot easier. Can you see my slides?
Jonathan Ruykhaver
Analyst: Yes.
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Good. So we all know that CIOs are driving transformation, which starts with applications that are embracing SaaS, they're embracing public cloud. And users are beginning to work from anywhere. COVID forced every employee to work from home. So your data is everywhere because datasets with either applications or with users and business is happening outside of corporate network. And what you see at the bottom of this slide is your network and security on which you have spent tons and tons of money. Businesses happening outside that. A typical legacy network called hub-and-spoke network looks like this. Every company has it, lots of money spent on it. A typical data center with applications and a lot of security and network and gear looks like this, I call it castle-and-moat security model. And this made perfect sense when data center was the center of gravity and every branch took a shortest path to data center. It was wonderful. But things are changing, not only from application access point view, but security point of view. All bad threats come from the Internet. They need to be stopped before they hit your company. That's where we start with ZIA to make sure we keep you safe. In today's world of supply chain attacks, you can get compromised. Our job is to make sure we don't let threats move laterally. That's where ZPA comes in because in a world of firewalls and flat networks, lateral movement becomes very easy. And third thing, every bad guy wants to steal your data. And data needs to go out through like an international airport, that's our exchange. We sit here make sure nothing good leaks out. This is a holistic approach for your risk reduction. How do you solve it? In the traditional world of network and security, network and security are interpoint, that's why they call it network security, that means securing the network, and firewall is an important piece of network security. You build applications in the data center. You put them there.
Users must be on the same network that applications are. That's all of the model. Hence, you extend your network to every branch office, then you extend it to every cloud availability zone. And then with VPN, you extend it to every household. If you've got 25,000 employees, your network sits in 25,000 homes. These performance issues are backhauling, the biggest issue is security. One infected machine on this wide data network can infect the whole thing, this is called lateral movement risk. So wide area network presents a big risk. That's what Zero Trust is trying to correct. What will legacy vendors try to tell you how they're solving? They're going to say, "Don't buy my boxes. I will spin VMs on my firewall, on my VPN and the cloud, and I'll manage it for you. Just extend my network to wherever my cloud is. And if you want people to work from home, I'll do VPN. I won't call it VPN, but it is VPN spun in the cloud. And if you want to do cloud, I'll extend your network everywhere." Your network gets extended all over. It's a big security risk. It's a lateral movement risk. So as long as we use firewalls, whether on-prem or in the office, you'll always be doing castle and moat. You always have risks like what happened to Colonial Pipeline. The bad thing came over VPN, an expired account spread laterally to go after the billing applications and took care of it. So the right approach is Zero Trust, totally opposite of network security. Applications are destination. Users are all untrusted. Users and applications are not on the same network. Hence, you don't do wide area network. User comes on any network, 5G, 4G, broadband, to an exchange. Think of Zscaler like a smart switchboard. We authenticate you using your identity system, then we look at a few contexts around user, device, application and the content of an application, we connect the right user to right application.
So connecting users to applications securely using a business policy, not putting them on the network, hence, opposite of network security. In this model, applications can be put in 2 buckets: external and internal. External applications need, one, a different kind of inspection and policy to make sure we block the bad, protect the good, that is our ZIA service. For internal applications, where you traditionally either go to the office or you get in the office logically using a VPN, we don't do either of the 2. We simply, through our switchboard, connect the right user to right application, not to the network. Hence, ZPA and ZIA combined can eliminate the entire network security stack. With ZIA, you remove a lot of gear listed on the left. With ZPA, you eliminate a lot of gear coming from your typically inbound DMZ. Once you do that, your infrastructure becomes much simpler. Customers are tired of point products. They want to standardize across best-of-breed platforms. We are one of the half a dozen platforms that are standardizing all. They standardize some cloud providers. They have SaaS providers. We are setting a line to enforce policy like an international airport. We integrate identity provider. Identity is provided as a database of identities. Endpoint protection integrates with us. We can take traffic from routers and SD-WAN devices, and we can send logs to security operations. This simplified architecture give you much better security, much better user experience, lower cost and complexity and helps you with your transformation journey. Hope this gives you a pretty good view of what we do overall and what sets us apart. And Jonathan, let's get into Q&A now.
Jonathan Ruykhaver
Analyst: Yes, Jay. So thanks for that illustration. Intuitively, the architecture just seems like it makes complete sense. But when you look at the market today, you do see a lot of adopts to the virtual firewalls. And so I'm just wondering, internal segmentation -- workload segmentation comes up a lot as a driver when you talk to the other public firewall vendors. So I'm just wondering if you think there is a situation where that architecture is good enough or is it just where we are in the market, companies are quickly moving to public cloud, they need to do something. They don't really look that hard outside their existing vendor, what that better can do today?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. Customers and vendors always start with what they have and try to retrofit it, use it, make it work. And when the architecture doesn't work, doesn't scale, it moves on to the new things. I'll give you a couple of examples. When CRM was trying to move the cloud and Salesforce was pushing it, Siebel was spinning its VM and say, "I can do Siebel in the cloud as well. You don't need to go to this cloud-native architecture." So in the same way, Blue Coat, Symantec, McAfee of the world try to build a cloud-based service to do the secure web gateway because they had the right proxy architecture. They just didn't have the right multi-tenant architecture. And what happened, it withered away. If you don't have the right architecture, you can claim all you have, but things don't work. Market -- customers are complaining about it. How? Operationally heavy network segmentation is. So we think the world will move away from network-based segmentation to identity-based segmentation, and that's what we advocate.
Jonathan Ruykhaver
Analyst: Right. Okay. So I want to bring Cloudflare. Cloudflare, historically, has used a reverse proxy for their security applications, which you know them. So that -- that would include denial of service attacks, web application firewall protection, other DNS types of attacks and reverse proxies is perfect for addressing those security issues. Now they've also moved into user protection via a forward proxy. And I'm just wondering, how do you think about that? I mean do you think that, that 3 years from now can be a platform that will cause competitive issues for the company like Zscaler? Or do you think it's entirely different model has issues?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. So sure. They have reverse proxy just like Akamai has that reverse proxy because when you sit in front of those servers, you need to do something like this. But reverse proxy is still exposed to the open Internet. It does URL rewrites and all this stuff. For us to come up with a creative Zero Trust architecture, you don't do reverse proxy alone. You combine forward proxy and reverse proxy to make you're hiding everything behind it. That's number one. So our ZPA is very different than Akamai or Cloudflare of the world trying to do a reverse proxy, okay? Proxy is a good architect, it gives you control. But reverse proxy is not alone. That's one part of it. Then you look at a secure web gateway. That's where you start the forward proxy side. Forward proxy is about inspecting every byte that comes and goes out. The amount of traffic that a forward proxy handles is multiplefold more than a reverse proxy because the amount of traffic going to the Internet or SaaS is about -- actually, about 80%. We see an enterprise about 20% going to internal applications. Being able to handle all this traffic for threat inspection, DLP engines is not a trivial task. Proxy is a good starting point, forward proxies, hard to scale and make highly reliable. So can anyone build a forward proxy? Of course, he has to take a lot of time. I'll tell you that from experience, forward proxy, secure web gateway, one company had 85% market share when it came to on-prem appliances, and that was Blue Coat. They built a great proxy. What happened to others, McAfee, Ciscos and everyone else web since they all had proxies which never really worked and scaled for large enterprises. So it takes a while to build any try-and-right technology. So companies need to try. In the CDN world, CDN is being subsumed by hyperscalers, along with their -- where the compute is being offered. So CDN vendors need to find other markets.
So it's natural for them to look for expanding, but you got to have core competency to be successful. You just can't move into a new space and say I can do it.
Jonathan Ruykhaver
Analyst: Right. No, look, I think, you founded Zscaler in 2010. So that tells you how long it takes to build. So the one thing I want to ask about, it doesn't really come up that often, but you look at the back end and the shared data plan and specifically around that, the performance effect, but also some of the obvious advantage about data residency issues. How important is that when you look at what you're doing in meeting some of these regulatory mandates out there?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. Data privacy has been becoming more and more important for the last 10, 15 years. In fact, when I built Zscaler, hard to make a decision. But do I do content caching or not? When I talked to some German and French customers, they said, "If you did content caching, you will have a problem with our data privacy because your content is sitting in hundreds of locations out there." So deliver performance without doing content caching for secure web gate. There's a new thing. That's the decision we made, and we have been doing a great job at it. It's because of decisions like this, it made -- we became the natural choice for international customers, and our international revenue is about 50%. Give you another point, logs. Logs is not data, but still there is some PCI data in logs. It talks with the user and whatnot. So almost every company I know of, they write logs where the traffic goes through. If someone has their processing happening in 100 locations, their logs will be written in 100 locations. Then in a batch fashion, they can move somewhere else. That's what every firewall company does. We wrote -- built a unique architecture where logs are never written locally anywhere. They are created in memory in real time. They are compressed and sent to a logging server of the customers' choice without writing anywhere else. Those are the very important data privacy issues we handled, and I know of no competitor that comes anywhere close to that. And that's a large customers' need.
Jonathan Ruykhaver
Analyst: Yes. No, that's important. So thank you for that, Jay. So workload protection, I want to dig into that technology, the applications and then also the incremental TAM because it seems to me that, that's the next big story beyond ZIA and ZPA. And obviously, ZIA and ZPA are still big, big growth drivers for the foreseeable future. But when you look at cloud security posture management, app-to-app communication, identity-based workflow segmentations, talk about those 3 key pillars to that workload protection, and then where you see the demand across those 3 products? And over time, does that become kind of a complete portfolio as you go-to-market with a single SKU?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: It's a very good question. This is how we think. Security, users is one part of it, protecting users, ZIA, ZPA, and don't forget ZDX, digital experience. Security without good experience is no good. So we must do all 3 of them, and we believe it's a matter of time and every user of our customers will have all 3 products. Now think of workload as the mirror image of users, workloads talk to Internet. Workloads talk to other workloads. It needs to be done securely. Today, SKU, it's done using network security-centric approach with firewall, virtual firewalls and the like. It needs Zero Trust. So it was natural for us to really disrupt workload communication with Zero Trust the way we disrupted users. But you should think about these cloud protection, as you said, 3 areas: one, workloads communicating with each other. It's essentially using ZIA, ZPA technology for Zero Trust but underpowered by some of the new technology we built called cloud connectors. That's one piece. Second, segmentation, create small segments. Today, the market is trying to do segmentation of workload using network segmentation, virtual firewalls and the like. It's too much overhang. We don't see it scaling much, and that's where we have identity-based segmentation. Third market is actually before even things get deployed. So there's a run part of the market, there's a build part of the market. When you're building your applications and as you're deploying it, you need to make sure your workloads are configured properly. That's where cloud security posture comes in. Probably the best -- simple example will be, if you got a massive palace with lots of windows, doors, ventilators and gate [indiscernible], they all need to be open and close from time to time for certain things. Which one is open, which one is not, those are the configurations. And when you're doing thousands and thousands of workloads, they need technology, a nice product to be able to handle that.
And we have CSPM for that market and an adjacent market to that, I should really say market. It's really a product module because these are not independent markets. It is what Gartner calls another 4-letter acronym CIEM, infrastructure entitlement management, which means which user should have entitlement or permission to access which workloads. So in my palace example, you've got lots of people coming in, who should be allowed to get to what room, what floor and all that happens still, and that's CIEM. So we did an acquisition recently of a company called Trustdome to give us the technology. We are integrating the 2, so it becomes a very good offering for security, posture and compliance type of stuff. So everyone will need CSPM. It's table stakes. It's API-based stuff. You won't have any vendor having architectural differentiation in this area, okay? And we will plan to -- we have a good offering. Our biggest differentiation will come from workload communication built on Zero Trust. And the workflow segmentation, a little bit more advanced use case, only advanced large customers are doing it right now. And we're well positioned for it.
Jonathan Ruykhaver
Analyst: So you just mentioned those large customers that are looking to use it, is there a broader tail to -- in the market to leading with that application, in particular? I mean how do you think about that when you look at those 3 or 4 key products in driving that value proposition and then monetizing those applications?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. Our customer base understand workload communication with Zero Trust extremely well. It's easy for us to start with them and everyone needs it. And that's a piece that really is disrupting traditional network and virtual firewalls of the world.
Jonathan Ruykhaver
Analyst: Okay. I have a couple of questions that have come in from participants. So the first one regarding contract duration, are you seeing a change in behavior that would suggest growing appetite for upfront multiyear payments as the economy normalizes? It seems like you did see potentially some of that in 1Q. It wasn't your first quarter, that was your third quarter, I'm sorry.
Remo Canessa
Executive: Yes. I'll answer that, Jonathan. So yes, contract duration did increase in the quarter. And again, what we look for is 3-year contracts. And so a lot of our new business was 3-year contracts. Billing duration, we focus on just annual billings. The annual billing duration, our range is 10 to 14 months. And in Q3, it was on the higher end of that. We had record 7-figure deals in the quarter, which was pretty evenly spread between new and upsell customers. And so the bigger deals, customers were paying upfront. We give no incentive for the upfront payment, but we did see that in Q3.
Jonathan Ruykhaver
Analyst: Do you think that, that can become more of something you see going forward? Does the economy normalizes?
Remo Canessa
Executive: Hard to say. I mean they know -- it's really hard to say. It pretty much varies. I mean I think the key thing I draw upon is the actual contract duration. When companies pick vendors and they have longer contracts, it becomes more of a strategic vendor and you're basically going making a commitment to that vendor. If you do 1 year, you can more aptly put it in and take it out. But if you make a 3-year commitment -- and again, we're seeing bigger deal sizes. You've seen the bigger deal sizes with the longer contract duration. And again, when you take a look at Zscaler, as Jay mentioned, we've got 4 pillars. We've got the ZIA, the ZPA, the ZDX and the ZCP, which is the cloud protection. And so with these bigger deals, customers buy more of our platform and again, longer-term type deals, all good signs for Zscaler.
Jonathan Ruykhaver
Analyst: You know what's interesting with -- listening to that comment, Remo, if you look into your ARPU, I think, across the base today, it seems like, by our calculations, it's still fairly low, maybe $20, $30 per user type range. So that would imply customers aren't even broadly using the ZIA transformation bundle. So just wondering how you think about driving further upsell cross-sell within the business to push higher to the $145 per user ARPU you could achieve. Are there certain incentives in place or does that just happen naturally over time as companies expand usage?
Remo Canessa
Executive: Yes. I mean so a few points. Our ARPU is continually going up. It's based on ARR. And in Q3, our ARPU was in the -- was above 30. So that's -- it's in the 80s and move up. As we -- and what you referenced is that $145, that's what we called out on our Analyst Day. So that with customers with 5,000 employees, if they're buying ZIA, the ZIA add-ons, ZTA and ZDX, that's how you get to $145. So we are seeing that. So we're currently seeing that. So we would expect that ARPU to increase. We'd expect also for customer sizes of around 5,000 to have that type of ARPU in the $145 range. And it's really buying the platform, and that doesn't include the workload protection. So the average revenue per user for the workload protection is $155. So that's the CSPM, the segmentation, workload segmentation and also workload communication. So we'd expect it to increase. And again, the sign that we're seeing is basically in Q3 record 7-figure deals and again, longer contract duration. And again, evenly spread -- pretty evenly spread between new and upsell.
Jonathan Ruykhaver
Analyst: Yes. Yes. Thanks, Remo. So the next question I have is just the Biden Administration, the recent cybersecurity executive order really explicitly states that agencies must take concrete steps towards Zero Trust adoption. So maybe you can talk about where you are in fed, which products are ready for that opportunity? What you're seeing today in the federal vertical?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. Thank you, Jonathan. So first of all, it was great to see Biden Administration stepping up and urging that company need to embrace Zero Trust. Not only that, they went to step beyond in realizing that lots of legacy vendors are spreading misinformation because they don't want to be disrupted, and they all claim Zero Trust. So they referenced NISTS, Dot Orgs, Zero Trust explanation, which is very objective and good, which says you don't connect through like a firewall. It basically says a firewall and Zero Trust are opposite to each other, right? So having a good architecture helps. But in the case of federal, unless your FedRAMP certifications, your architecture is no good. You need both. Over the past 2.5 years, we have spent a lot of time to get FedRAMP certifications for ZIA and ZPA. On ZPA, we are at the highest level called FedRAMP high. With ZIA, we're very close to the highest level. We are at a moderate level today. We have a strong team in place. We're -- our business has been increasing over the past 2, 3 years since we put a team in place. Pipeline is strong. So we expect that increased interest, the momentum in the federal government should benefit us, should ask quite a bit. Remo, you want to add anything?
Remo Canessa
Executive: I think that's -- I think, you said it very well. Yes. I mean it's a good opportunity for us. And with the new initiatives, it's even more and bigger opportunity. And the key thing, getting to federal is not easy. It takes time. Getting certifications, we've been working on this for years, not months. So it is a big barrier to entry for other companies entering the federal space.
Jonathan Ruykhaver
Analyst: Yes. Yes. So in the time we have left, which is just about 1.5 minutes, just phenomenal success in terms of what you've seen under Dali Rajic. And so I'm just wondering, you've been rapidly hiring the headcount on the sales side over the last year, I'd say. So can you give us a sense for what you've seen in terms of productivity improvements with Dali and the programs he's put in place? How long it is generally taking those newer cohorts to get to full productivity relative to earlier cohorts? And also, what you're seeing just in terms of the opportunity to hire digital reps? Is it becoming more of a challenge?
Jay Chaudhry;Co-Founder, President, CEO & Chairman of the Board
Executive: Yes. So we are very pleased with how well we are performing on the go-to-market side. But go-to-market is a lot more than just hiring sales reps and SEs, okay? I look at 3 important legs of the stool for go-to-market. Having a strong sales team and strong leadership is one. We've done a good job there in the past 6, 7 quarters, and we've been open and transparent with you, the changes we have made there so that our foundation is able to scale us to multibillion-dollar level. The second and very important leg is marketing. We hired a very strong CMO, who has actually added a number of strong leaders. We're investing in a number of demand-gen programs. We are investing in brand building programs. And we think marketing will play a very important role on our sales productivity and awareness out there. And the third piece is the channel, right? Channel creates a leverage. And traditionally, in the past, we had strong -- we had a little bit, if I may say, stand office-to-bar channel that sold boxes. The hope was that boxes will sell forever. As the world has changed, we're getting inbound calls. Our brand awareness has gone up. Our customers are telling the channel to really work with us. And they are also now trying to build cloud-centric services. And so for that, we've especially created a program called Summit Partner Program, where, based on the degree of engagement, they can get more money. And early indicators are that channel program is taking off. So in addition to SI and SPs, they're getting strong growth, actually faster growth now on the VAR channel, which is good. So all 3 things: sales, marketing and channel is -- should be helping us. It keep on giving us the kind of growth, aggressive growth we're looking for.
Jonathan Ruykhaver
Analyst: Yes. You can see it in the results. So unfortunately, we've exceeded our lot at time. Jay, Remo, Bill, thank you very much for presenting. Online attendees, thank you for participating. And just a reminder, in less than 5 minutes, Zscaler will have a breakout session for additional Q&A. Everybody, thank you very much. Have a great day. The next presentation in this session is the Model N.