Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

[Presentation] All right. Well, good morning, everybody. My name is Hamza Fodderwala. I'm the U.S. cybersecurity analyst here at Morgan Stanley, and welcome to the 2023 Morgan Stanley TMT Conference. I'm sure it's going to be a great week. To kick things off, we have the team from Zscaler. We have the pleasure of having Jay Chaudhry, CEO, Chairman and Founder; as well as Remo Canessa, the CFO, Zscaler. And before I begin, for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures. We had to say that 1,000 times this week. Well, welcome, gentlemen. Thank you so much for being here.

Maybe I just wanted to start off, level set, you guys reported earnings last week. I was wondering if you could just quickly recap the results? What is sort of the state of the union in terms of overall macro demand picture? What were some of the positives and perhaps some of the challenges coming out of the quarter?

Right. I'll start. And Remo, you can add on. Yes, macro is getting tighter. There's more scrutiny. But overall, if you look at from revenue or sales point of view, you think of 2 things. Number one, due to tight environment, is there enough demand? Generally hard times make demand soft. We are seeing a very high degree engagement with our customers. Now why is that? That's because, number one, all CIO, CISOs do care about cyber. Cyber interest is not going down. Number two, if CIOs understand that they can save money to reduce cost, they're willing to engage. It's because of these 2 reasons, we see good demand. We've seen a record pipeline. The second part is great, you got pipeline. Can you close the business? Because that's where extra scrutiny comes in. Yes, 3, 4 quarters ago, a CIO could get the deal done, more and more deals do go to CFO for approval now. The 2 things we do in that area that help us. Number one, Zscaler has always been selling to C level because we are transformational. Traditional appliances, firewalls have been bought at the technical level, we started at a CIO level, not even CISO, CIO level. That helps us because there's only one more level to go to. Number two, there's a lot of push on business justification. About 6 years ago, we started a team for business value assessment. That team has grown. It does a good job. So being able to do these 2 things is helping us actually do good business. Remo?

Yes. I mean from a primary basically, our -- our call last week, we beat on revenue significantly and also operating profitability. We're at the high end of the range of billings. We increased our guidance for the full year as well as increased our guidance both on billings or billings revenue and also operating profitability. We did announce a 3% restructuring, about 200 employees. Over the last 18 months, we've doubled the size of the company. So basically, just increasing efficiency throughout the company, we decided to take out a couple of hundred employees.

Got it. Got it. So you guys have been a disruptor in the network security market and sort of pioneer in the move towards SASE and Zero Trust Network Access. One of the things that you talked about was customer sort of cutting deals into phases. One of the things we think about with SASE is while important, while it's a cost saver, it is a transformational sale. So are you seeing some pushback on that front that's long in a deal cycle further saying, "Hey, this is something I want to do. But right now, perhaps I want to conserve cash," especially as people return to the office and will likely remain in a hybrid model for the foreseeable future?

So the world has been hybrid for a long, long time. Zscaler is not about just cloud. In the Zscaler world with a Zero Trust architecture your applications could be sitting in the data center in Azure, AWS, whatever, it doesn't matter. Users could be sitting in the office or at home. So sometimes people have a misconception that hybrid means legacy firewalls and VPN, absolutely wrong understanding. Now it is true that during COVID you had to work from home. So only option of working in the office was not a good option. But if you really think about the security part there have been 2 models for security, protecting servers and data center has traditionally been done by firewalls. The user security when users need to access application has been done using a proxy architecture. And you must be familiar with some of the names, the Blue Coat and McAfee and Cisco of the world. We basically started to disrupt the user protection. Quite often, people think that we compete directly with firewalls. Not true. Firewalls were designed to protect servers. Now it is true that firewall vendors are getting nervous that with the Cloud, the role of firewalls will disappear. Where will you create moats all over? You can't. So they are trying to pivot and say, "I can do what Zscaler does." Well, not quite. To do what we do you need to be literally a switchboard with a proxy architecture. That's the opposite of a firewall architecture. Architectures like the foundation of building. If you have a foundation to build a 2-story building, you can't build a 10-story building on top of it unless you fix the architecture. The easiest thing for legacy vendors is to say, "I can do it because they kind of put some bolts around things." I believe that it's because of our architecture difference, we will maintain the lead. You may hear a lot of noise overall. But eventually, the architecture wins. And our architecture is designed for on-prem, off-prem no matter where things go. So we don't see a negative impact of people staying in a mixed environment, we think it's positive action.

So let's talk about the competitive angle because that's obviously a bigger topic again these days. There are a lot more SASE and ZTNA vendors than there were, let's say, 3 years ago or at least companies that purport to be fast forwarders, right? Has that in any way impacted Zscaler's win rates compared to 1 or 2 years ago?

So if you think about what we started out, we started out with a disruptive architecture. Technology incrementally changes all the time, but this architecture change happens every 20 to 30 years. okay? And I think SASE has become a buzzword, even Zero Trust has become a buzzword. But overall, the notion was don't put people, own the network, connect the right party to right party. And that's what we pioneered. Now you can kind of equate some of these things in the other markets. I have talked about how Siebel software dominated the space, then Salesforce came with a different architecture, who won the day? The architecture. Let's even talk about Cloud, you know where cloud started out earlier? VMware could spin VMs in the cloud, and should we be really the best hyperscalers. Early on, it felt that we are able to do very well, but guess what? When AWS built the cloud-native architecture to do this stuff, AWS got a significant lead. We think our architecture will help us win it while firewall vendors will come from behind, they will all claim cloud blue co, try to do the same thing. They spun up their proxy in the cloud. It wasn't the right architecture. So from a market point of view, when it comes to high end of the market, we do extremely well. Those companies understand it. You've seen a lot of these large deals we end up announcing. We literally have no real competition. When you come down market sometime, the understanding of technology may not be as clear. And we see a bunch of competition there. And that's where a networking company may be bundling a route rent switch and firewall and some of the other stuff. And we have been expanding our presence there, once we engage, we win.

Okay. Okay. So it sounds like high end, there's no change in win rates as far as you can see. Is the incremental competition at the very least slowing down the sales cycle because now there's more vendors to evaluate?

On the higher end, I don't think competition is slowing us down. On the higher end, there is impact of approvals and extra scrutiny. So some of the deals, you want to get done, they may take longer.

So our pipeline is a record pipeline. And then you're right. I mean the scrutiny is higher, as Jay mentioned. We're seeing that. We took that into account with our guidance. So over the last couple of quarters, we've seen basically deal cycles taking a little bit longer. And so for our guidance going out into the second half, we've put a little more conservatism on our close rates.

Got it. Got it. I want to talk a little bit about the 3% workforce reduction. Jay, I think at other conference earlier this year, the comment you made was that yes, like things are slowing down, but we're not going to overly pivot, right? You're still hiring, you still want to be aggressive. And then 6 to 8 weeks later, we had the announcement there. So just walk me through the thought process behind that.

Yes. So in the past 18 months, we doubled the company size. We went from about 3,000 to 6,000 employees. Okay. And as we do know that some of the things are slowing down. But also when you double in 18 months, there are some level of optimization you need, did some level of roles get big and prody, what's the right word? You end up adding, you shouldn't be adding. We are not slowing down our core engineering. We're not slowing down our product development. We're not slowing down our core sales function. What we've done in this area, for example, you don't need a large recruiting team when you are slowing down your hiring. That's -- so G&A was one part. While core sales is important, sometimes there are a bunch of supporting function for sales that end up beefing up. So those are some of the changes we made. We expect to keep on hiring in selected areas like core sales and core engineering, and we expect our headcount to be higher by the end of the year. So we are bulls. We are bullish about the long-term opportunity. We'll keep on hiring, but making sure we don't add extra stuff that's not needed for the business.

Got it. So consolidation is a big theme these days. Can you talk a little bit about how Zscaler is aiding in that? And sort of what are the major cost savings that you do get when you deploy Zscaler?

Yes. So cost saving is a very important factor in today's market. If you look at various vendors out there, especially in the security space, most vendors and customers know that security is not typically about either cost saving or generating more revenue. It is actually a cost. Take most of the areas, endpoint, identity, where would you save cost? Not a whole lot of stuff. In the Zscaler world, we actually bring cost savings not from a bunch of security point products removal, but also from the network side of it. Once you have Zscaler as a switchboard, it does everything your typical DMZ, what's known as Demilitarized Zone does. A typical DMZ may be sitting with dozens and dozens of boxes. All you need in the Zscaler world, is you need something on the endpoint for security, you need identity, and we are the switchboard, we connect the right party to right party, and we work over any network. There's network savings. There is savings on network performance monitoring tools, there is savings from proxies, DLP. Essentially most of the firewalls go, where the only area of firewalls remain is in the data center because data center is still pretty cluttered and complicated. Outside that, the simplification, the savings are significant. We actually quantify the savings. And now customers are actually asking us to make sure we can do a quarterly deployment, quarterly savings type of model, which is helping us.

Got it. Federal is an area where you talked a lot about in terms of seeing more opportunity. There's been a lot of initiatives recently announced by the Biden administration on that front, and you have multiple products that are FedRAMP certified. But I think in your most recent quarter, you talked about how that business was a little bit slower than you expected. Just comment on that and what you're seeing in terms of the pipeline ahead?

I'll start Remo and then you can add on the financial picture of it. We started investing in the federal market about 4 or 5 years ago, knowing that you do need some of the critical certifications around FedRAMP, then StateRAMP to win this business. Today, we have the most certifications at the highest level as compared to any vendor. In fact, if you look at certification, the highest level, in the entire IT ecosystem, there are about 6 companies that are there. We are the only cyber company in that space. Who else are there? It's folks like AWS, it's IBM who have been there in the business for a long, long time. So first of all, it's good to be in that unique group of people who have full certifications. When it comes to business, we had a strong Q1 in Federal. Q2 was lighter but the rest of the outlook for the second half of the year is strong. Federal business can be lumpy, bigger deals, they go up and down. And also, as you know, that these budgets last year, you may heard about these continuous resolutions that delayed funding until March. This time, I think got done in December, January, it had some impact on it but we have a strong pipeline. We have a strong team. We are bullish about this business.

Yes. The budget approvals were approved in December. So we did not see a strong Q2 but we do expect to see a very strong second half. We're well positioned, as Jay mentioned, our pipeline is outstanding and growing with the FedRAMP certifications that we have, the highest in the industry, we're in a really good position.

Yes. If I may make 2 more comments, 12 of the 15 cabinet-level agencies are Zscaler customers. Now they all started small but it's a big opportunity for us to grow that business. Some of the most sophisticated security agency like CISA that actually mandate security is a Zscaler customer. We have a public cyber summit this Wednesday in Washington, D.C. We got a number of CIOs of some of the top agencies presenting how they have done transformation, over 700 people have registered for the event.

Got it. Got it. So I wanted to go back to sort of the SASE market and sort of defining the SASE market because I think there's a lot of different definitions out there. So if I think about SASE, does it have to be a cloud-delivered service through Zscaler sort of proxy architecture? Or is there some combination of both cloud-based and physical elements, whether that be firewalling or SD-WAN for securing the WAN Edge, for example, which is not going away anytime soon? So just talk a little bit about the state of hybrid SASE today.

Yes. So 2 separate points. There's nobody saying you must be cloud-based service only or on-prem only, it's the architecture that matters. Today, when we talk about Edge Cloud, we talk about taking the cloud to the edge to on-prem in many, many cases. So the issue is not on-prem or cloud, issue is architecture. What's the biggest problem with network security today? In a network security architecture was designed in late '80s, early '90s, at the time the notion was, you get on the network by connecting to the network in your office. Once you are on the network, you are like getting on highway 80 here. You can reach Miami, New York or Dallas without hitting a single light, how wonderful. But bad guys can do the same thing. Once you get on the network, the firewall is creating a trusted network and everything else is untrusted. This model worked very well when everything was in your data center and your branches connect to the data center, you control everything. The biggest change is that your applications are anywhere and everywhere, users are everywhere. The old model of firewall-based security, you extend your network to every household, every office. Everything that's connected to the highway, have you been reading or ransomware attacks? Why are they happening? It's all because of firewall-based architecture. You get on the network, you move laterally, you find high-value applications, you encrypt them. The foundation to fix that is Zero Trust Architect, which says, do the opposite of what firewalls do, do not connect people to the network, be a switchboard like a phone switch board. What does phone switchboard do? You get connected to party A, party B, party C, that has to be done. It's unfortunate that with this disruptive architecture, legacy firewall vendors are so worried that they're hijacking the tram, they're telling the world, I got Zero trust, rather I got Zero Trust 4.0, 5.0. I understand what they are trying to do to protect themselves. But it is a disservice because when country and companies need to protect themselves, it creates a false sense of security. But I believe that this message will carry on for so long, eventually reality will catch up and in companies the right architecture will prevail.

Okay. So your competitors are saying SASE is about the convergence of security and networking. Zscaler saying the opposite. And -- but is there some aspect of additional complexity in that you have to go out of network to another edge to do the security processing with Zscaler versus where the firewalls can provide security within networking as well as for remote users as well?

So firewalls were never designed to protect users my friends. They're designed to protect servers, the proxy architecture design to protect users because the marker realized that you must be able to terminate and go. It's a wrong thing to think that firewalls will do user security, okay? Good thing is firewall guys are adding more and more stuff on the same architecture. I think in the long run, it won't work. In the old world without cloud, you could ship a box and its customers' responsibility to make it work. In the world of cloud you need to take all this traffic and handle it. They're all kind of issues you need to deal with when traffic is coming from all kind of locations. You hear us talk about amount of traffic, amount of transactions we're handling. At our IPO time frame, Remo and I used to talk about 30 billion transactions we do every day. That was a big number. Today, that number is approaching 300 billion. How do you handle that traffic? Have you heard these legacy vendors talk about traffic? Is it how much of a shelfware as a part of ELN, how much is real, real traffic for real customer?

No more questions about firewalls. Okay. So that's -- the transaction is a good segue to the next question. So I think Zscaler processes over 270 billion transactions daily through their Zero Trust Exchange and they're deployed on millions of clients. How do you see AI change the threat landscape? And how do you think Zscaler can leverage that data to be better equipped for this growing opportunity and threat?

For AI/ML data is fundamental. It's about 270 to 280 billion logs every day. And these are not little firewall log. These are proxy full logs with full information. You need expertise, you need data and AI/ML applied to it, can figure things out. Now there's something called network effect or cloud effect. When you got so much traffic coming to you, AI/ML is allowing you actually to analyze the stuff. Look for some of the threats you couldn't find otherwise. We are already actually doing some of that. And it's giving us far better cybersecurity than most of the other vendors offer. Because in an appliance-based architecture you design this thing for each appliance. And then in a batch fashion, you try to bring the traffic back to correlate. Can they do AI/ML? Probably, yes. Do they have those real logs? No. Can they do it in short amount of time? No. These are some of the things that are setting us apart. There are many, many use cases of AI/ML to help our customers. One other example I'll give you is, in the firewall and networking world you put people on the network, they have access to all kinds of applications. In the Zero Trust world, you want the right party to access only right applications. You've got 50,000 employees. You've got 10,000 applications, which employees should have access to which applications? No one knows. But once they start going through Zscaler architecture, we find the logs, we apply AI/ML engine to suggest that customer that these users should access these applications. This is the kind of cool stuff we can do by leveraging all the logs we collect because of our architecture.

Got it. Got it. So ZIA, that's still the majority of the business. You talked a little earlier about how you're not competing directly with the firewalls. Is there still a big sort of replacement opportunity with a lot of legacy Secure Web Gateway out there. So how much of the opportunity is still replacement versus greenfield within ZIA because I think Blue Coat at its peak had maybe about 20,000 customers or $1 billion installed base. So is there still a big replacement opportunity there?

So I know on the high end Blue Coat had 85% of Fortune 500 company, an impressive number that we publicly talked about, right? And that's because they've built the best proxy architecture that others couldn't build. So I think those customers understand us, they come to us. I do not know exactly how much the market is left, but I can tell you one thing, every quarter as we close deals, any ZIA deal in my top 30, 40 deals, it's probably 80% comes from Blue Coat replacement, and probably a few from McAfee, a few from Cisco. It's the companies who understand the proxy architecture on the high end to do very well. I keep on wondering when will this end. There's a lot of Blue Coats sitting out there still. So some of the biggest banks are still sitting on it.

So a couple of data points. There's 20,000 companies with greater than 2,000 employees. We've got about 2,000 of those companies. So basically, that's 10% penetration in the market. In addition, related to what we can sell to our installed base just for ZIA and ZPA, there's a 6x opportunity. So in the market size, we look at it as a $72 billion market, both for users and also for workloads. So huge market opportunity, very early stage and the ability to sell a lot into our installed base.

And a couple of other products I mentioned is just like we disrupted the user security with ZIA, ZPA, now we have the same technology available for workloads. Workloads eventually will have no firewalls. They go to Internet through ZIA. They talk to each other through ZPA technology. That's what we call as Zero Trust workload big opportunity for us. Data protection is still an early stage market. We've got very comprehensive data protection technology, which really requires a proxy architecture. Lot of semantic 1, 2 products deployed in large enterprises. Now we are beginning to replace them in significant numbers. That's another opportunity. And also, the net performance, Zscaler's digital experience designed actually to give you end-to-end performance. We really have no competition in that space. So we have many points of entry. And we can start from one side and expand to other areas.

And important, all those products are on the same stack, VDI, IPP.

They are all built around the same core platform. If we buy something, we buy a feature kind of early stage product, but we are not a close of many companies that are bought and they are on dissimilar platforms.

Got it. We have a few minutes left. Just want to open it up to the audience for any questions. Anyone? Okay. I can continue. I want to talk a little bit about M&A. So Zscaler has just about $2 billion of cash. You just announced an acquisition of Canonic Security. Talk a little bit about that and just your thoughts about buy versus build going forward?

Yes. Canonic acquisition extends our data protection portfolio to the next level. We've done CASB within SSPM and SaaS security posture management. This is the next leg of cyber, supply chain, if your salesforce is intertwined with 30 SaaS applications, how safe are they? It's kind of our thought leadership. We have always done newer stuff long before others. And those are areas we look at. We've done smart acquisition. We did a browser isolation, integrated the platform, made it very easy with a single click deployment. And I think you'll keep on seeing us doing smart, selected acquisitions. They're not really done for roll-up or revenues. We're doing them for key technology where we can get to market and save 10 to 12 months rather than wait.

Got it. Remo, I guess for the last question, I'm going to have to end up with stock-based comp, I know a very exciting topic these days. So the stock-based comp for Zscaler did uptick quite a bit the last couple of years. I think at its peak, it was about 40% of revenue, now it's in the 30s, low 30s. How do you see that trending as a percentage of sales over the next couple of years?

Yes, keep on seeing it trending down. So you'll see stock-based comp. And what happens is that when you're a company going public, stock is a big piece or a component of your compensation. As you get bigger for all companies, that declines. It's a natural thing. So I would expect stock-based compensation. It was 29% this last quarter. It will be substantially lower this year versus last year, in fiscal '23 versus fiscal '22, and you'll see it continually going down on a year-over-year basis.

All right.

If I can make closing comment.

Yes, don't want you to add anything on stock-based comp.

Architecture always wins. You can go and keep on buying a bunch of companies and win. You've seen the history of how companies, the disruptive architecture that executed well, they win. We think we're doing the same kind of stuff.

All right. Thank you very much, Remo. Thank you, everybody.

Thank you.