Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Great. Okay, we can get started. Welcome back, everyone. Again, I'm Trevor Walsh, cybersecurity analyst here at JMP, and happy to have Zscaler with us today virtually. We got -- we're joined by Remo Canessa, the Chief Financial Officer at the company. How are you, Remo?

Good, Trevor. How are you?

Good. Can you hear us okay?

Yes, perfectly. Thank you.

Terrific. I'll just -- I'll start just to kick us off with just a simple -- how is business going?

Trevor, Jay's here also.

Okay. Terrific. Okay. So you're the only one I see on my screen, so let me -- I'll -- let me introduce CEO, Chairman and Founder of Zscaler as well, Jay Chaudhry, on the line. So we'll both -- we'll probably be alternating back in terms of the screen. So good to have you both. Hi, Jay.

Hello, hello. Thank you.

Great. So I'll frame it. I'll start with you, Jay, just how's business?

Very good. Very excited about the opportunity ahead of us.

Great. Terrific. Can you -- there's obviously a lot of buzz, some might call it noise in the market around Zero Trust. Can you just explain for our audience where Zscaler fits into that trend and how you all differentiate yourselves with some of the other players?

I think it's wonderful to see that market is realizing that castle-and-moat security is no longer going to work. We need Zero Trust, which is the opposite of network security. And last year, when we saw attacks like SolarWinds and [ Light ], the market -- the customer realized that they need to change. Unfortunately, as legacy companies realize that it's going to disrupt them, they're trying to confuse the market and they all try to claim Zero Trust. In fact, I saw a recent thing where a company said, we are the best Zero Trust network security. I said, come on, either you're zero trust or you're network security. You can't do -- you can't be both. It's like trying to build zero trust with firewalls. It just doesn't work. Let me use one slide to set the stage of what Zero Trust is supposed to be and what it's not supposed to be. I'm going to use this one slide. Let me share it because then it will be much easier. All right. Can you see it?

If you could zoom in a little bit, it would probably -- there we go. Now we're -- yes, I think that's better. Yes.

So in a Zero Trust world, what you see on the top, applications are viewed as destinations. Like an island, a data center, your cloud, your Office 360 (sic) [ Office 365 ] and the like. And applications are not on the same network that users are. Users, as shown below, are all untrusted. They're never on your network. There's no network between the user and the application, which has done the old way of firewall, VPN puts you on the network. So how do users connect to applications? Well, they go through an exchange, which is like a switchboard. Almost like a phone thing. Somebody calls, I need to talk to Joe. Hold on. Who are you? Verify yourself. In the same way, our exchange, that's 2 things. First, it makes a policy decision. Should I connect you? And two, it does policy enforcement. It actually makes the connection. So if a user needs to, say, access an application. First, we say, "Stop. Who are you?" We verify identity, working with identity vendors like Microsoft, Okta and Ping. So identity plays a very important role for Zero Trust. Two, we check the device profile in question. Is the device compromised? Should I allow this person to go from a BYOD to my critical application? So you can do policy based on the type of device, so device plays a big role. We've got partners like CrowdStrike and Microsoft there. Say, we say, where are you going? We don't let you get on the network. We connect you to only particular applications. It's like walking someone to a meeting room and walking them outright and letting them wander around in a building. And then we check the content. Are you carrying dangerous stuff with you? It could be phishing attacks. Where is your bad files? We inspect all of them. Then we also check the risk score based on many factors, then we connect. So this is -- what's happening in the middle is what Zero Trust policy engine does. On the internal application shown on the right side, you go through some of the same steps. The last step is different, whereby using this connector technology, it's a lightweight software, we open an inside-out connection so there's no outside connection allowed. That means your applications are not open to the Internet. They can't be discovered, they can't be hacked or they cannot be DDoS-ed. So hence, we eliminate attack surface, fundamental to really do better security. And then, since we don't connect to the network, only to applications, no lateral movement. And if there's no lateral movement, they can't wander around and find high-value targets. These 2 things are opposite of firewalls and VPN. So Zero Trust don't trust anyone. Verify, connect to the right party and right thing. That's what some 6,000 customers, over 35% of Fortune 500 companies do with Zscaler. Our goal is to make sure we keep on educating the market so they're not confused, and they're not trying to build Zero Trust with high spending, be it firewalls and VPNs in the cloud. I hope this helps. Long answer, but it needed some description.

That was great. No, we appreciate the overview. I'd like to touch on maybe some of the bottom portion of that buildup that you just walked us through around the ecosystem with identity players and endpoint players like CrowdStrike. You -- do you find that -- I know you have partnerships kind of in and amongst both of those identity and endpoint. Does the go-to-market change, I guess, between those -- as you mix the different players within those spaces, whether it's SentinelOne or CrowdStrike or Okta versus another identity player?

Yes. So our goal overall is to provide what customers want, and customers want integration. So we make APIs available to integrate the leading endpoint vendors or leading identity vendors. But practically speaking, there are leaders in each space. Our customers want to work with leaders. So in the endpoint area, CrowdStrike is a great partner. Microsoft and CrowdStrike often is what our customers ask for. Identity, Okta is a leader out there. Microsoft has done a good job. So we work with scores of vendors, but for go-to market, we work with some of the vendors that are leaders in this space. For example, CrowdStrike and Zscaler, our sales teams work in the field together. In many cases, they help our sales team, we help their sales team. It becomes a very good, mutually beneficial relationship.

Great. Terrific. Let's talk a little bit about the Security Service Edge, the new Magic Quadrant from Gartner. Congrats, first, on just getting into the Leader's Quadrant upper right on that one.

Thank you.

What -- how important do you think it is to break out the security component of the SASE model in that way? And why is that important? Why is that relevant?

Oh, it was needed. You know the way the SASE evolved. Three, four years ago, when Gartner started talking to lots of customers, before they came up with SASE, they found the Zscaler cloud security. Security at the edge in the cloud was the common -- becoming common. And they found that SD-WAN was getting deployed to connect traffic from the edge to Zscaler Cloud directly without going back to data center. So they coined SASE, Secure Access Service Edge, give connectivity and do security. And they realized that it's a broad framework. It's not exact thing that they can even do a magic quadrant around. When I was talking to them, would you do MQ around SASE? They said, no, it's too amorphous. It is the right thing for them to say network is wireless and edge MQ, security SSC comes together. The biggest thing Gartner did, and I give them lots of credit, they brought all these point products into it. It built on Secure Web Gateways. Secure Web Gateway already had all the malware, it had DLP, it had sandboxing. All these things they've brought has been to it out of band cast. We had line cast. We are already part of Secure Web Gateway. They added Zero Trust access products. So it became a nice MQ. So we are proud to be in it for the 11th year in a row. I think the most important part here is that if you really understand zero trust, you decouple applications from network access. Network is simply the transport. If you decouple the two, why should you combine the two and say you must get it from the same vendor? It makes no sense. It's simply plumbing. So wireless WAN edge says, "Give me the connection, no matter how." And SSC says, "I will enforce policy sitting in line." And the 2 complement each other. That's why Zscaler positioning is, I'll work with anyone who provides connectivity and go from there. We have never tried to be an SD-WAN vendor.

But I would also ask or maybe -- so Zero Trust and Security obviously kind of bread and butter, but you also, I think, are starting to play or are definitely still have operational use cases around what you're doing, whether it's with ZDX. So can you talk a little bit about how you're branching into more kind of operational type of concerns maybe outside of just bread-and-butter security-type use cases?

First, the way I think about and the way I've always thought from day 1, I didn't want Zscaler to be restricted to security. And when it came to name Zscaler, some people said, call it security cloud this and that. I said, every company will have a word cloud in the name in every company. I don't want to use either cloud or security in the name. And I don't want to restrict us to security. So we will do whatever can be done by sitting in line. When you're sitting in line like a switchboard, like an international airport, you should do everything. For example, very early on, we added something called bandwidth quality or service. Nothing to do with security. Since we're sitting in line, I could throttle YouTube and give better performance to Office 365. Nothing to do with security, but very good for networking. Then we built Zscaler Digital Experience because we're sitting in the middle. We see the applications side, we see the user side of it. And our lightweight agent is collecting telemetry to tell us what's going on where. It became an amazingly useful service because all performance products are built around the given network between the branch office and the data center. We said location doesn't matter. It's about user and application. User could be anywhere. Application could be in the data center, it could be in the cloud or wherever. It could be a SaaS application. So ZDX is an amazing product. It's the fastest-growing service for us. We were very happy when ZPA grew fast. ZDX is actually growing faster than ZPA. So it's wonderful. We are very pleased with the performance of it.

Terrific. Thank you. That's a great perspective. I think I'll -- since we have Remo on the line, too, why don't I transfer over to some questions about the numbers, and we'll talk to him as well. Remo, there's been a lot of maybe change in investor sentiment recently around profitability versus growth. And I know you've talked a lot about that just in terms of Zscaler and ultimate kind of plans there in terms of the path forward. Can you tell us a little bit about -- or just maybe to reiterate your perspective on that as you go forward and provide guidance and just the plan for '22 and beyond?

Yes. I mean the key thing is that thinking about what the market opportunity that we have, we recently went over $1 billion of ARR. And what we're going to do, our goal internally now is to get to $5 billion ARR. So we talked about -- with our investors is that if we're going over 30% in revenue, you can expect less than 300 basis point operating margin expansion. So our focus is to invest in growing the top line. The value that is given to our shareholders by growing that top line is huge. What happens is that because our contribution margin is 60% in years 2 and 3, we have -- getting to our operating profitability target is not really difficult to do. All you -- once your business, your new ACV starts slowing down and as your renewals go up, what you pay for renewals is a lot less, and you're not spending as much on marketing. You get to your operating profitability target. So I'm not concerned related to gain to our operating profitability target, again, when you have a SaaS model with 80% gross margins, with the type of revenue growths that we have. One thing also is that if you look at our free cash flow margin, in the first half, it was over 20% free cash flow margin on revenue. In last year, our free cash flow margin also was over 20%. So we're in a cash -- significant cash generation-type model and a huge market opportunity with what we feel is the right product at the right time. We're going to continue to invest. Now having said that, we understand the trade wins and things like that related to operating profitability. But I would say, still think of Zscaler as investing in growth but we'll be mindful of operating profitability and long term getting the operating profitability target in a SaaS model, with our type of model it's not difficult to do.

Remo, we have talked about a few times, Rule of 70s, what we look at. Over the past 4 quarters, it has been more than Rule of 70. Lots of companies try to get to Rule of 40. So Rule of 70 takes into account the growth and profitability both.

Yes, that's right. I mean we're in rarefied air, quite frankly, related to how business is running. And like I mentioned before, in a SaaS model with 80% gross margins, with the contribution margin about 60% years 2 or 3, it's not difficult getting to those types of market -- getting to our target margins of 20%, 22%.

Sure. Great. Can you -- let's talk a little bit about the kind of the land motion. Can you give us a sense of when you land, roughly how much of account ACV is left over kind of in that upsell opportunity? And would you anticipate that changing kind of as we -- on the go forward? Will that get larger or smaller?

Do you want to start, Jay? Please go ahead.

All right. I think we shared with our investors last time at the investor meeting that our customers, we could go to 6x if we could sell all of our products to our current customer base. And by the way, we added a lot more products since then. Now having said that, I would say that more and more customers are buying bigger and bigger platform. We talked about several deals during our last earnings call, where customers bought ZIA, ZPA, ZDX and cloud protection as well. Now cloud protection is still young and just coming, very young market. But ZIA, ZPA is becoming very, very common. And ZIA, ZPA and ZDX is becoming common as well. And in ZIA, the Transformation Bundle, which is a big bundle is becoming very common. So more and more customers want consolidation of an integrated platform. And that does cost reduction. That reduces complexity. That's why our customers buy us. This one CIO talked to me a few months ago. He said, platform is becoming a buzzword. Every vendor comes to my door and says, "I got a platform." Then he said, then what we find that there's one dashboard and underneath everything is [indiscernible]. They bought a bunch of companies that's talking about platform but there's no integration. Well, integration is not easy. It takes time and effort, and most companies try to skip it because they're under pressure to go to market. Not a good idea. We take pride in having built an extensible platform, and we do only those acquisitions that can be integrated properly in the platform. So very proud of that fact.

And the 6x opportunities just for ZIA and ZPA, it doesn't include ZDX or ZCP. So that's incremental to that 6x.

Perfect. Great. Just to stay on time here, because we have a good audience that you probably can't see from your end. But I want to make -- I want to open it up for questions. So please, any questions that I can relay for Jay and Remo? Okay. So I'll relay that one. So the question was, what internal milestones are you tracking or looking at as you pace from the $1 billion in ARR to the $5 billion mark?

The milestones that I'm looking at is basically the top line growth, how are we growing sales productivity. Also how are we doing from a sales productivity perspective, building sales capacity. And also looking at how the individual products are doing. I mean we've got projections for all our emerging products, and we track that. So staying on top of that. Also, milestones. Looking at our headcount adds overall in the company. We added 1,000 employees in the first 2 quarters, sort of about 4,000 employees. That's the key thing that I'm looking at. Also, I guess, one other thing. There's a lot of things I look at. Gross margins. The gross margins we said we're going to be between 78% and 82%. Our emerging products carried lower gross margins because we're getting to the market sooner. We're not trying to optimize on the gross margins. So we track that also on a monthly, quarterly basis. And if we see any kind of pressure on gross margins, we can put more emphasis on gross margin optimization, software optimization. Those are the things I look at primarily. Jay?

And if I may add one more, especially important one. Now we're also focused on market segments, in addition to geos. We first, we want to make sure we can cover geos from U.S. to Europe and APJ pretty well. And now we have always done well on the major, very large accounts, the large enterprises. Now the next 2 segments that we are putting more focus on, as we are going down market, one is enterprise segment and the second is commercial. So those are big growth opportunities for us. So we got targets for each of those areas. And we optimize our resource and investment differently based on those segments.

Great. Well, we're out of time from our end, but we thank you both so much for being with you -- or being with us, and look forward to hopefully in person next year.

Looking forward to it. Thank you.

Thank you so much.

Goodbye.

Thank you. Bye-bye.