Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Good morning, everyone in the room, and good morning and afternoon to those of you joining us on the webcast. My name is Bill Choi. I'm the Head of Investor Relations and Strategic Finance at Zscaler. So this event, Zenith Live 2023 conference, this is our second day. So for the past 2 days we've had exciting keynotes and breakout sessions talking about our latest innovations. With this investor briefing, we are going to be focused on the technology aspects of it. What are some of the latest innovations, how our customers leverage them and also how we partner with our customers in our engagement process. As you know, 2 weeks ago, we did have our Q3 financial earnings report. So this won't be a financial-centric briefing. If you look at our agenda, it is 2 hours. We break it up into 2 segments. The first one would be focused on solutions. In the second hour, we'll be focused on our customers and go-to-market. We'll have 2 dedicated Q&A sessions. So I'm going to be asking you to hold your questions until we get to those times. And before we get started, I want to remind you that we'll be making forward-looking statements, and these statements will be -- are not guarantees of future -- not guarantees of future performance, but rather are subject to risks and uncertainties. If you could take a moment to take a look at our safe harbor statement, and then we'll get started. Okay. Now I'll turn the session over to our Founder, Chairman and CEO, Jay Chaudhry.

All right. Thanks, Bill. Hopefully, most of you had a chance to listen to our keynotes. If you have been able to listen to a number of keynotes, raise your hands? Okay. Well, maybe I don't have to talk much, right? We covered a lot of stuff during those sessions. So I'll give you a big picture view, overall. Summary of key points, I think what you learned, right. Scale matters, reliability matters, resilience matters. We are essentially the switch board that enables all safe, secure, fast communication. So reliability in addition to scalability is fundamental and that's what we have been pioneering, that's what we pioneered. It's a big barrier to entry. As someone said, there's no compression algorithm for years and years of cloud experience in managing and running the cloud. And even then the expansion of the platform, right? You saw Zero Trust, the user is only one piece. The big workload is becoming a very important piece. IoT/OT is more for subset of companies but B2B, we believe, will be massive, and we are making good progress in that area as well. We'll talk a little more about AI/ML. Hopefully, you saw the keynote on AI/ML. And Sean will give you a little deeper view of it. Part of the reason for Sean to come and join us as part of his experience in large clouds, AI/ML and related information. And you'll hear that the data matters, the users matter, and we have both of that far more than anybody else out there. You've seen innovations across the whole thing. You saw the innovations. We talked about cyber to data protection to connectivity, all areas. It's not going to slow down, and you'll see innovations accelerating. If you would look back 5 years ago when we had just gone public and you look at the platform we had versus the platform we have today is day and night difference. And you can only imagine the next 5 years, it won't be what we did in the past 5 years. You would expect with the kind of resources we have, the size we have, it will be multifold bigger than the past 5 years change we had. Go to market, we always have had different go-to-market motion and strategic engagements, customer engagement, C-level, architectural level discussion properly backed up by business value assessment. The skills that we've built that's helping us, and we believe will keep on helping us. I also am very mindful of the fact that as companies grow from nothing to a few hundred million dollars and a few hundred million dollars to a few billion, then multibillion, you need to make sure you have the leadership team that can step up and do the stuff. You're seeing us up leveling and bringing seasoned leaders along the way every year or 2. So that's fundamental to us. And I believe we're doing a good job in that area. So you've see in the platform slide. The couple of key points here is while users has been a starting point and users with ZIA to then ZPA to ZDX, I mean, users is not one piece, the 3 big pieces underneath. Now the same core technology, same core engine, same core switchboard is powering workload IoT/OT and B2B because we are designed for that Zero Trust world connecting known party to known parties. But the extension you're seeing on 2 sides of them, main thing is really on the posture control cloud side. This is securing data at rest sitting in SaaS applications or public cloud or end point of where we are. That's an important piece because it rounds out the overall picture. And on the right side, that's a new focus for us. We have been dabbling and learning in this area and the interest from customers is massive -- but with this massive cloud, we can do things that nobody can do out there. And we'll touch base on some of the critical data we have. You saw a few examples of things we did Risk 360, very exciting. When we think of, there are many companies that talk about risk. They come with this cool sophisticated models, but there's no data underneath. The only data companies have for risk out there today is outside in, what can they see from the Internet. Bedside security score and all these guys can say, what can I see if I scan? That's one piece of it. But the rest of the data sits with communication logs that we have. So very exciting area from AI cloud point of view. And the network effect has been useful in many things. We have been doing network effect for detecting threats for our customers big time. I was talking to a customer a couple of weeks ago. And they had not turned on SSL inspection for big chunk of traffic, only limited traffic and said, why aren't you doing it? He said, yes, my team has been slow, Europe and all that stuff. And then he saw the number of threats we're blocking. He said, wow, so how are you blocking such a large number of threats, where 95% of the traffic is SSL. Well, because we're seeing the whole world, we are able to actually help other customers. So this network effect is massive. These are massive numbers that give us far better detection and prevention capabilities. But the same thing is going to feed into the AI/ML engine that we'll talk about, okay? So with that, let me bring Syam Nair, our new CTO here to share his perspective.

Great. So I'm relatively new, joined recently. So I'll tell a story from my standpoint of why it's exciting for Zscaler, especially in cloud scale and AI and ML. Like everybody is talking about AI/ML these days. I'm sure every customer you talk to, every customer I talk to, they're all looking at how can we leverage AI/ML technology safely and securely. So Zscaler as opportunity, in my view, comes in 2 different areas. One is being that Zero Trust platform so that we can actually, based on what Jay talked about, we can actually communicate, look at the logs and help the customers from data leak, data loss production. As an example, not a lot of people think about what goes into a prompt these days. When you actually write something into a prompt, it's contextual data. In many cases, it includes IP information of what that business is about. How can we actually protect such that these kind of leaks don't happen in the world of AI/ML. So instead of being a blocker, it's about being an enabler so that people can use AI/ML, really -- enable it, leverage it and go with the advancement of generative AI. Now why can Zscaler do it really well. With a Zero Trust exchange, as Jay was mentioning, we have about 300 billion transactions on a day that goes into the system. I call it a data fabric, a fabric where structured data, unstructured data as well as data, metadata within the URL that we can correlate together and form intelligence and information on top of it. This cloud-scale data fabric enables a lot more of domain expert generative AI models as well as AI models on top of it, like predictive analytics, business transformation functionality that we can provide, risk management. These are a few of the scenarios. If those of you who have been following the AI world, this is not new, right? It has been in the industry. A lot of these AI advancements have been because users, data, and more value. You have more users, you get more data, you have more data, you can deliver more value. If you deliver more value, it actually creates that network effect again. With the advancements of generative AI, it opens up a lot more capabilities especially for people, for vendors or for businesses that actually have this data as well as the users. We have been looking at our platform at cloud scale. We almost grew, like doubled within 18 months in terms of the number of transactions that go through our system. So we are preparing ourselves for 10x scale. To prepare ourselves for 10x scale, we ourselves are leveraging a lot of the AI/ML capabilities, whether it is in terms of how we operate our cloud, large-scale cloud operations itself require AI/ML from an operational standpoint or whether it is in terms of how we make sure that we can provide that 100% availability, reliability and a resilient platform for all the customers. So these 2 things together, the 10x scale of the cloud as well as the data that we have and the AI/ML investments we make, makes it very compelling for us to be the leaders in providing the Zero Trust platform for AI/ML use cases for the customers. With that, I'll invite Patrick who is our Chief Innovation Officer, to talk about some of the advancements we have actually made in AI/ML.

Good morning, everyone. So a couple of points. Some of these are themes you would have heard yesterday in the keynote. But I wanted to emphasize it. We've been leveraging AI and ML on our platform for over 5 years now. There's a lot of different areas that's been sprinkled throughout the entire platform and made really meaningful gains. At the bottom, there's some core technology stacks that we've also investing in heavily that is leading a lot of the innovation that you're seeing us talk about today. So I made the statement yesterday that I think AI is changing everything, has a potential to change everything. We have seen this story play out before, though, in a couple of different ways. We've seen it in the mobile -- the introduction of mobile into the enterprise. We've seen it in Software as a Service. We've seen it in Infrastructure as a Service. But the one thing that we think is a little different about AI is that the risks this time are much, much higher. And I put some examples there on the right on what those risks are. We see -- Syam just mentioned, we see the potential for data loss happening where organizations want to enable AI, but they don't want to become at risk by doing so. And you can't be so draconian and just say block it. And you may not even be aware of how it's being introduced because there's thousands of applications that are embedding AI technology in their core. And you may not even know that it's going to a large language model. We see intellectual property being a challenge. We see false and fake content also being a big challenge. I gave a good example of that yesterday in the keynote. So we've kind of -- we've broken up how we are looking at this problem into 3 buckets. We think there's 3 ways that we can enhance what it is that we do by leveraging some of these new innovations. So the first one is under enable. So we want to -- like Syam and I both said, we want to enable organizations to embrace this, but in a safe way without putting themselves at risk -- we see a lot of room to innovate and that could be enhancing what we do already, our existing offerings as well as bring out new products to market. And we also see that there is a groundswell to be able to do radical transformation, just like you've seen chat bots that have existed for many, many years, but obviously, now with advents of things like ChatGPT and large language model technology, it's going to make revolutionary changes, and we think we can do the same in our domain in the -- particularly in a couple of areas, in the areas of security efficacy as well as operational insight. So you've seen us talk at the conference about a couple -- a lot of AI innovations, but I wanted to highlight 3 that are good examples of all 3 of these buckets. So the first one is the breach predictor. You would have seen a good demo of this yesterday. It is leveraging the capability that we have that is pretty unique -- because to do things like breach prediction, any time you're applying or training an AI model, the data in which you train it with is what matters most. Everyone will have -- everyone in the domain will have chat bots. Everyone in the domain will have large language models that they can bring to market. But very few organizations or companies or services like ours have the ability to have insight to logs. You've heard the 300 billion transactions a day happening all the time. But those logs that we have visibility to are not limited. They're not short, they're not abbreviated. -- they're full fidelity in a way, meaning we're logging every transaction a user has 2 from the Internet, whether it's a threat or a breach or not, it could be purely operational because we -- our platform is much wider than that. That is a data set that will give us a pretty unfair advantage, I would say, in being able to do things like predicting breaches before they happen. We also talked about what we're calling Zscaler Navigator, which is leveraging these conversational interfaces to be able to make answers come out of the platform easier and more approachable for customers. And then we also showed off multimodal DLP, which is taking DLP to the next level, being able to do things like searching for data leaking out in the form of videos or in the same way that you're familiar with ChatGPT being able to summarize large amounts of information, we think the same thing can happen in how you prevent data from leaking out of the organization. I won't spend a lot of time on the breach prediction to keep us on time. So with that, I'd like to hand it over to Steve House to go over some other innovations in the platform. Thank you.

Thank you, Patrick. So I'm going to focus in on 2 areas to go a little bit deeper data protection first, and then I'll move on to the Zero Trust connectivity. As you would have heard in the keynotes, when we think about data protection, We want a comprehensive unified story, set of technologies that cross everything that is Zscaler. You set up your dictionaries, your engines, you use the data classification. All of that happens one time and gets put into all of the different channels where your data could get lost. This includes things that are in the cloud exposed to the public. You want to make sure your posture is set up correctly. You don't have things open to the public that have that sensitive data in it. And it also includes how that data can go in motion out of your control. And when we think about the -- how does that get out of control, we've had in-line DLP for many years. That's how we block the content trying to leave to the web. We talked about today, adding data protection on the endpoint, which is available, has been for a little bit as well as in e-mail because you can SSL decrypt most e-mail now, 4 or 5 years ago, it was a lot of legacy protocols. You couldn't see inside that were wrapped in an SSL wrapper, but now map it inside of HTTPS or outlook web access, you can open up and you can see that traffic and it's trickier than just seeing whether it's sensitive data or not because most e-mail is sent from one person in a company to another person in a company, that's allowed even though it's sensitive. So what we've added is the ability to put policy around who that e-mail is getting sent to? Is it leaving the company? Is it to an approved organization. So now you can only block the things that are trying to leave your environment as opposed to just being sent through a web interface. For CNAPP, a new innovation we talked about is connecting that up, not just the posture and the entitlements in the infrastructure's code and vulnerability management, but also knowing where those problems also exist with your sensitive data. So integrating in the full data protection is important because it's a much higher priority if your misconfigured workload has sensitive data on it. And then taking it one step further, which is something that no one else on the CNAPP side would be able to do is what paths do those workloads have. Can those workloads talk to other workloads. So maybe it doesn't have sensitive data on it, but it has an authorized path to talk to your workloads with your crown jewels on it. That makes a misconfiguration there, a much higher priority because even though it didn't have the sensitive data, it talks to things that do. And then we've also added the ability to scan your containers and your virtual machines to find your sensitive data there as well and apply policy of where that data is allowed to move. So this idea of having that unified data protection across everywhere where your data might live is really important and something that will continue to differentiate us. Switching on to the Zero Trust connectivity. Jay spent a lot of time in a keynote talking about what really matters, but this kind of sums up those 4 key principles or that 1 applications are the destination, not the network. You don't put people on to the network, you don't put workloads on to another network, you don't put your things on to another network, you make a connection from a resource to a resource. They never get an IP address on the other side of that. Two, the networks become really just about the transport. You don't spend your time securing that network, that whole concept of Mac and securing your branch office shouldn't matter if your office is Zero Trust and your sensitive data isn't there. Treat it just like as the rest of the day, a Starbucks-like experience. You don't try to secure a Starbucks. Even if you've got a WeWork where you've got 10 salespeople, you don't try to secure a WeWork. Why are you trying to secure one that you haven't had the lease on that property where your people come to get a high-speed network connection and collaborate with their coworkers. Three, I already mentioned, you connect to specific apps, not to the networks. And four, you want to -- even though the networking is there, it's plumbed, just because you're on a network, you shouldn't be able to move around it. You shouldn't be able to nmap scan and discover the rest of the nodes, move laterally and find other things. Again, you are granting that authorization from one resource to another resource. So now that applies in the client world. We've had that for many years with Client Connector doing Zero Trust connectivity to your applications. We've had Cloud Connector now for just about 2 years, which brought those Zero Trust principles into your cloud workload environments. So you don't have to plumb those together with firewalls and IPsec connections, where you're poking lots of holes, but still allowing that lateral movement. And today, the big announcement or this event, the big announcement was introducing that into the branch office with our Branch Connector. And when you look at what is the sweet spot for this, we break it down. We talk to lots of very large enterprises, often there are thousands of locations. And they say, well, some are really small. They're just our sales office. There's no data there. There's no printers there. There's no IoT. All you need there is Client Connector. You just put it on all your machines, it secures your traffic out to the Internet and provides Zero Trust access to the applications they are authorized to utilize for their internal apps. The medium-sized branches are where it gets interesting where there is some infrastructure. It could be printers, badge readers, security cameras, OT manufacturing lines, various things that you can never load an agent on, but they still either need to communicate out to the Internet, maybe it's telemetry, software updates, whatever that might be or back to your data center, maybe your security camera feed goes to something into a headquarter site. So how do you take that branch off the routable network, which is how all that traffic got where it needed to go before and get it to those devices or get it to those applications and it needs to be there. And that's where Branch Connector comes in with its ability to take any traffic that's trying to exit that branch and make the smart decision, if it's going to the Internet, it goes through Zscaler Internet access, gets the right policy applied, logging, everything you get there when you're securing it to the Internet. And when it's trying to talk to something that's your application, either in your data center or in AWS or the cloud, it asks for authorization first. If it's authorized, 2 outbound connections that meet in the middle, get stitched together a Zero Trust connection without ever putting that television set on to your data center network where it was communicating back to or whatever that might be. And then the third type of office is really about the large campus factory environments that still need high-speed MPLS WANs, some sophisticated path selection where you want to send this traffic over the MPLS and other traffic may be over an IPsec where those kind of more high scale, high sophisticated requirements are, that's not the sweet spot for Branch Connector today. It's really meant for those Internet-only sites, which more and more people are moving larger and larger branches that direction. So over time, that market gets bigger. And as Branch Connector evolves, we'll do more of the things that allow us to succeed in the large campus environment as well. So I don't know if I need to spend a lot of time on this, but this sort of just highlights the 2 different philosophies around building up your branch office environment. One is by having that complex routable environment where you're trying to manage how traffic is a center-round path versus path. Obviously, when you've got the routable network, you have the ability to move lateral -- laterally, which means your attack surface is larger and the blast radius if something happens is potentially more significant. So like we do in -- when users were remote and with a cloud now at the branch, you can do the same idea to have a true Zero Trust branch that is disconnected. People are really excited about how easy it is to bring up a new branch without thinking about circuits and how to connect it, you drop it in, it connects up, and I don't have to secure it in the way I did in the old world. And then the last piece of it is from an availability standpoint, the virtual machines available today, we've got people using it in production. We talked about that in the keynote this morning. And we showed off the new hardware appliance that we're working on that's in early access, and we'll give you more details on that as that gets ready for general availability. And with that, that is it for my section, Bill?

I'll invite all of our speakers up to the podium to begin our dedicated Q&A session. We'll have 2 mics in the room. So for those of you, if you could raise your hand and we'll get to you. But since we are webcasting the session, if you could wait until the mic gets to you, it will also be helpful if you identify yourself and your firm.

Jay, it's Joel Fishbein from Truist. Thank you for doing this, and thank you all for the detailed information. Jay, great, a lot of new products, 2 questions. Number one, can you give us an indication of how this fits into your current pricing scheme, some of these new products, number one. And I guess, along the same lines, is -- are some of these products more aligned with a consumption-based model than a subscription-based model? That would be my question.

So first of all, you saw lots and lots of functionality come out. Traditionally, what we do is lots of features go in our existing products, but some new big [indiscernible] -- for example, there's 360, big new thing. So the SKU of its own. So there will be product that have SKUs and we charge for them others have been part of the same bundle, for others, they become part of the bundle, but they also help us justify higher and better price study. Okay. They help us justify better price. So it will be a combination of all new, some bundled, some help us increase the overall bundle price. And you'll hear more about it as time goes on some of these new -- we test with the customers early on for a few quarters before we really start finalizing some of those numbers. Question on consumption-based versus user-based or unit base, so to speak, a lot of stuff, our customers has been a number of users-based. Workloads is largely unit-based, but there's also a piece of consumption-based as ephemeral workloads are coming in and going around. So you'll see some combination evolving. It won't be a [indiscernible] model. Take a B2B area, where we have suppliers and customers coming and accessing applications through our cloud. In that case, you can't really do user base. Some of them will come once a month, twice a month, every day. So that becomes consumption-based. So we'll do the right thing based on what makes sense for the customer.

Okay. Next question, Trevor.

Great. Trevor Walsh, JMP. Maybe around some of the AI announcements. It seems like from an outsider's view that the product kind of split between AI focused on threat protection versus more enabling users just within the platform seem fairly balanced. But I would imagine that might not be the case when you look under the hood in terms of R&D resources to make that all happen. So if you could maybe just tell us a little bit about how making those 2 different buckets, again, kind of works out in terms of from an engineering and getting them kind of to market, that would be helpful. And then on the enabling users within the platform, how much of an accelerant to hitting more downmarket accounts might that kind of actually kind of yield in terms of the -- again, having AI to help users just [indiscernible].

I'll start then Syam or Patrick can add to it. If you look at the buckets of AI/ML, it has been influencing many areas. Threat detection has been getting better and better, but that's incremental. But things like breach predictor is very new, very different and disruptive. So you'll see some of the totally new stuff powered by AI/ML, while existing stuff getting better. So it's -- you're not going to see that everything that touches AI is a new SKU, the new price. It is part of existing products. It will get better, but new products are coming along as well. That's one. Two, it does impact all areas. It is impacting cyber protection area, playing a big role in data protection area. Things like ZDX was from day 1 powered by AI/ML, big model, all that stuff. That's part of it. And in addition, it is also making the use of product simpler and easier. So it actually makes it easier to go downstream. The core pilot kind of announcement you're seeing from vendors like Microsoft, they are actually simplify the stuff. That's not rocket science. Every company will do some of those automation and simplification and we are doing it as well.

Yes. I think I can add to that. In the context of the architecture itself, think about this as one common data fabric and the data may -- there are in-line data that we collect into compressed logs, there are data that we collect from other -- which comes from other sources. So they're all on the same platform. It's more about what data do you train on for specific use cases. So the architecturally, there is a very cohesive platform, a cohesive data fabric on top of which we can provide this different training and different models. Some of them will be customer-specific in terms of like Risk 360, some of them which are more cybersecurity related would be much more -- would be using much more bigger models.

It's Keith Bachman from Bank of Montreal. I'm going to do 2 simultaneous or 2 connected. Jay, maybe for you. The first one is just if you could talk about the multimodal DLP, what is -- what are you adding to your DLP solution? It sounds like it's capturing more media, if you will. But I'm just hoping you could broaden out to how you think it enhances your competitive positioning as it relates to DLP more broadly? And then the second is you're introducing -- you've had cloud, you had client and now you're introducing branch as a new solution set. And I was just wondering if you could talk philosophically about expectations associated with that because you've had branches connecting for some time using your technology already. It's been a wonderful solution. And so what should we investors be thinking about the opportunity set with branch specifically?

I'll start with the second, and Patrick will take the multi mode questions. So branches. Before Zscaler, branches will go back, everyone will go back to the data center, all traffic on MPLS, that is one. Two, even when SD-WAN came before Zscaler, SD-WAN will still take all the traffic back on a cheaper transport Internet. When Zscaler came and we said with ZIA, our fast product Internet access, peeled off all the traffic at each branch and sent it over broadband or whatever connection to Zscaler data center. And you would be surprised that the amount of traffic that a user creates, the one going to your data centers and private applications is actually only about 20%, 25%. Most of the traffic goes out. So we're able to peel off by using existing routers that Cisco had for years, creating a tunnel to us. That was first generation. When SD-WAN boxes came, they made it easier to create that tunnel literally click, click rather than going into command mode. So SD-WAN integration we've done has helped our customers. And -- but it's still needing a box in a routable network. You're managing route cables. Every branch you create you don't only put a box. There's somebody who has to manage routes and stuff like that out there. That's a hard part, and you own the network, you own in the branch. Once you're in the branch, you move here, there on SD-WAN and access application, which is good. But if there's an infected machine, it can access all that stuff, that's bad. So the biggest thing, we are fixing with our Branch Connector technology is the simple little branch box is like a relay. There's no route cables to worry about. Just like in your home, what do you do? You get a little router from your local telcos or whoever the telco is, you plug in, the thing works. That's really what our customers are excited about. Simplicity, security and lower cost. That's why our customer pushed us. I told them I don't want any boxes. I kept on pushing back for a long time. So when we introduce Branch Connector, we offer as a VM, here's a little piece of software you can put on any box it works. Then they said, man, I can't find this box and I have a lot of branches. So do it, that's what we've done. Did I answer that question? Patrick, multimodal?

Sure. So multimodal DLP is in a simple way, all about making the efficacy of detecting data leaking significantly better. If you look at how DLP has evolved over time, you would have to give it phrases or pattern matches that you would try to find in plain text, then more modern techniques like doing OCR and image recognition to try to detect text and images. Multimodal DLP in the same way that you've seen, when you see AI services that are taking tech streams and generating very complex realistic images from it, you have to have an awareness of contextually what objects and things are and how relevant they are, that kind of technique that you see that allows us to create crazy images in 2 seconds from text queries can absolutely be applied to interpreting data that is leaving an organization and making the efficacy of the DLP far greater. That's in a quick summary.

So it has YouTube kind of video. You can put stuff on a YouTube video. What DLP solution stops it, nothing. We can solve that kind of problem.

Yes. And the example we showed is if you have a sensitive PRD with your internal plans on it and you try to e-mail it out, DLP would always catch that. And then the next thing you do is if I take a picture of it, a screenshot of it, I could e-mail that out, but OCR could catch that. But now if you do a little zoom recording and you just scroll through the document and it comes as a video, that can get through any DLP solution that exists right now, and that's what this multimodal DLP is meant to stop.

John Difucci from Guugenheim. Jay, you announced that a lot of new data-related protection products, and you recently announced a partnership with Rubrik. And I know that's a new partnership. But how do -- how should we think about where you take Zscaler technology, how far you take Zscaler technology versus where you want to partner with others, especially when it comes to data protection and third-party data intelligence.

This a good question. I'll give you a short answer because the long answer is we spend hours figuring out how far do we go, how far we don't go. We are pretty methodical. We like to kind of don't jump around from here to here to here. If our technology and platform can naturally extend over to the next level, we do that type of stuff. Otherwise, we don't. Take Rubrik. Rubrik backs up your data where ever. What if the data that's backed up is already corrupted or encrypted, so to speak. It's not a good thing. So we are essentially making sure your data doesn't leak. They are essentially -- they are also making sure the encrypted and bad data doesn't get backed up. So passing some of the information and intelligence we have to them helps them and vice versa. So this is a natural partnership. We aren't going to get into the business of backing up data to secure the data, right? That's a pretty clear boundary for us. But making sure your data is secure wherever it goes, is of interest to us. So a partner who is doing data backup to support them is a good thing that helps us and helps the customer. That's how we think about it. On this side, I think you should stand on the front, then you can see all the hands on side.

Hamza Fodderwala, Morgan Stanley. Jay, I think some of us, at least me, we're surprised at the branch appliance announcement. I'm curious why now. I guess the presumption would be that most SD-WAN boxes today that you partner with are controlled by security vendors. So I guess, why would they want to advance integration with Zscaler? And then secondly, how do you convince a customer who's already on an SD-WAN journey to effectively add another appliance to the edge? Or is this a full replacement of SD-WAN?

So first of all, as I said, we never wanted to be an SD-WAN vendor that runs -- that enables lateral threat movement, okay? So -- but here, so what are we doing? But we do need to make it easy for our customers to get traffic. Our client connector sitting on the endpoint or the phone, transfer and make sure the user gets our traffic. You don't even know you don't do anything. It figures out lots of smarts, it even knows the best data center around if one data center, one path has issues, it figures around all those things on its own. Now the branch, yes, we used to do tunnels from Cisco routers and SD-WAN, made it easier. The issue is not the security vendors [indiscernible] even the networking vendors who rather kind of control their stuff and put it on it. They also want to charge more and more price for it. My customer says, I want the branch office to be thin dumb box. The more software, the more functionality you put in any box, the more complex it becomes, that's how life is supposed to be. That's why you want endpoint of the thinnest, least amount of software on it. You want branch to be thin. So all the expertise or complexity or policies are sitting in the cloud. So our customers said, I don't really need all that mesh network that SD-WAN gives me because it connects everything to everything, because that's a risky part. All I need is connect this branch to the Internet, period. With the lowest function. So we are literally a traffic cop relay that connects you out there. So for that, then the customer wanted to say, rather than you point me to these vendors, those vendors, just -- I want to treat branch as a basic stuff. It's -- they basically said it's a commodity thing. It needs to work, just make it easy to deploy and manage. That's really to us. I mean I can tell you -- I mean, we'd like to listen to our customers, but sometimes a customer like to tell us to do all things, right? So we -- when we want to do disruptive stuff, we don't listen to the customers. When we want to really see the pain, we need to take and this is one of the areas I kept on pushing back and back. I probably heard from 100 customers and say, I'm having pain with SD-WAN. I just don't need all of this to give me a simple solution. So I don't think we'll have. So we are not really trying to go and fight for SD-WAN market. You can keep the market. Our customers will start from smaller branches. Think of it, a small branch, I said probably in Makeno. 80% of your branches are small branches like sales offices. They're no different than sitting at home. They need something very simple like this. That's why we came up with this.

Okay. Brian?

Yes, thanks. It's Brian Essex from JPMorgan. Jay, I wanted to follow up on kind of AI strategy. And we see a number of different companies taking different approaches to whether it's kind of controlling the models that are being trained or having the -- like I think you alluded to a very large data set that's very valuable enough high-quality. How do you think about -- where is Zscaler going from that perspective? Are you going to start -- are you controlling the models and the training of the models? Or are you enabling your customers to leverage your data set to train those models more efficiently? And then how do you controlled drift and quality and governance as those models are developed. How do you think about the opportunity there for Zscaler?

Yes. Look, if you look at to do AI/ML well, you do need data scientists and domain expertise. In fact, we did a fast acquisition 5 years ago. This acquisition was all about AI/ML team. So we actually evolved and learned from it. It's not a totally new thing for us. Two, you do need data models, large language models, actually, they are becoming more and more open source. So I think there'll be more and more open source models that everyone has available, but companies like us can actually customize them and extend them to, say, security-centric LLM kind of stuff. And even that won't be a differentiator. So if you look at barrier to entry, it's not data scientists and domain expertise. There are lots of them out there. It is not the model. It will be the data, the data that's used to train, you can put data in 2 buckets. One is public data. ChatGPT has all the public data, you can crawl on the Internet and answer all the questions. But then there's a private data. All the security-centric data we're talking about cyber and all, it's all private. There may be multiple kind of data, but the most important data for cyber is communication between entities, users, devices, applications and the bad guy's trying to pin you to do reconnaissance kind of stuff. That's the most important data we have. Now you can make a case that firewall guys have logs too. But firewall logs are by and large, useless. They're short logs. They don't have much stuff. They -- most of the time, they don't even do SSL inspection. So without that, all you know is this source IP to this destination IP domain and this user, and not a whole lot out there. We -- our customers inspect SSL, they've got real data and they got full URLs, and URLs have tons of unstructured data that gives us some of the upper hand. So we believe we have a sustainable, long-term barrier to entry when it comes to the security model, and that's what we are focused on building on. Do you want to add anything to that?

Yes. This is Shrenik Kothari from Baird. So yes, I mean, in this new AI world, you announced a very holistic value proposition in the form of the breach predictors, form of the business insights, which are underpinned by proprietary kind of data that we control, the multimodal DLP. So we have seen in the past historically like wherever there's a new situation, there's a tendency to -- for the security world in general to go towards like a path of least resistance, right? Kind of -- for example, when kind of data explodes, there will be explosion of control points. So there has been like a tendency to throw kind of firewalls at the problem or boxes at the problem. So as we stand on the cusp about this kind of new frontier and you guys, of course, talked about the strategy from a solution standpoint, from a kind of a larger go-to-market strategy, education because I mean seems like a brand new opportunity for you guys to grab. So how are you guys thinking about kind of grabbing this opportunity or just strategically going about it from a go-to-market standpoint?

So AI/ML, I never felt it's a stand-alone market for most companies out there. There will be some open AI kind of companies that are highly specialized in doing that stuff. There was a time 15 years ago when people said, mobile is on the scene. I'm going to build a mobile company around mobile, trying to create sales force from mobile. Doesn't make any sense, not really. It's a device and it's a device, it's a device back and it's the same. I do believe that AI/ML become -- will become integrated part of every company. Otherwise, those companies won't survive. The question is, if you do a better job, you can actually leapfrog and get ahead of others. It's kind of painful to see when a breach happens, they buy a lot more firewall because that's all they know. But I think the world is changing. If you talk to any of the customers here, and now we are in the 40-plus percent range of Fortune 500 companies. These guys are believers, they get it, they understand it. And we're going at a pretty good rate of adding new customers as well. I think you get to a tipping point where firewalls will become like mainframes. I mean I saw that, I used to be at IBM. No one could imagine that mainframes could ever lose the prime spot they had in the heart of the CIO. When we met those CIOs, they only care about IBM and IBM mainframes. But over time, it just happened it took care on its own. Zero Trust will displace this whole firewall stuff. And I think we are in a prime position because we don't think you can just spin those VM in the cloud and take care of it. But AI/ML will be powered by the logging, the data we have. That's the most important stuff, and we're doubling and tripling down to make sure we take advantage of that.

Okay. We're actually going to take a little break here, and the speakers will be back at the end for final questions. We will be serving lunch for those in the room next door, Juniper 2, and we'll be back in about 10 minutes. [Break]

[Audio Gap] customers and our partnerships. We're always excited to have our customers who are on this great transformation journey and to talk about how the unique business value that we can drive together as they transform their IT as well as aligned to zero trust architectures. So with me today, I'm going to introduce Manesh Patel, who's the CIO of Sanmina and also excuse me, Matt Ramberg, VP of Information Security. Manesh?

Okay. Great. Good afternoon, everyone. So I'm the Chief Information Officer at Sanmina. And Sanmina is a Fortune 500 manufacturing company headquartered in San Jose, California. We operate in 20 countries around the world, 60 manufacturing operations worldwide. And we focus on manufacturing for name-brand OEMs in a variety of industries from medical devices to industrial, defense and aerospace, communications equipment and so on. So our run rate in terms of revenue is about $8 billion. So as you can imagine, our environment is very complex from a network standpoint, security standpoint. And with the manufacturing environment, we also have a large number of customers as well. So we're very invested in protecting our customers' data as well as our employees' in our business. So it's a pretty complex environment. And our Zscaler journey started over 7 years ago, very early days for Zscaler. One of the things that really attracted us was their really significant investment on architecture and getting it right from the beginning. That was a very compelling element. And then their initial product, the ZIA product, was a big game changer for us in terms of our environment, all of our locations worldwide, connecting them securely to the Internet and making sure that we had great data security for our employees as well. So that was the beginning of our journey. And what we saw with the architecture was the potential and to really move towards a more comprehensive security environment. And that's sort of what we're seeing now. And it's very exciting. We're very excited about the opportunity to not only continue to build our security profile but also to really have a comprehensive environment for security. And one of the things we as many other enterprises are seeing out there is a wide variety of technologies for security and just integrating all those things, making sure we've got great coverage as the security landscape and the threats out there continue to grow. So it's becoming a very complex environment to manage and one of the things we love about Zscaler is it's really helping us to simplify that. I'm going to hand off to Matt. Matt heads up our security organization, and Matt is going to give us more details on what we're doing.

Thanks, Manesh. Good afternoon. There's so much to talk about on the journey. I obviously can't cover every single aspect. But as Manesh stated, we started with ZIA, so several years ago, like most companies, I think, ZIA. And in our case, we had a very -- our system was set up with individual web filters at each location across the globe, which is the time -- well, between 60 and 70 locations. As you can imagine, when we needed to make a change, and it was a global change, it had to be made at 70 different places. Along came ZIA, it was a very easy decision when we compare them to other vendors. And it allowed us to free up just resources, an immense amount of resources. I can't even -- it was more the hours spent than anything else. Literally, we have one guy that was running the entire ZIA process for the entire globe. And then as that, as we continued down that same security transformation path, the cloud became this more involved thing and everybody started working remotely. We started looking at our VPN solution, our architecture, and we realized it was not scalable. It was limited per box. Everybody is familiar with VPN boxes. It was limited per box. And we had, I believe, at 1.13 of these distributed throughout the globe. And it just was not a sustainable process. So that led us down the ZPA path. We got into the ZPA realm. And it really allowed us to give the users the flexibility they needed, the productivity they needed, and we didn't lose any security that we wanted. And that was really a key balance. Security is always known as the department of no, no. And I've said this at other events and I wanted to become the Department of know, KNOW for our company. And Zscaler made it really easy with the transition because it didn't impact the employees. So when we were doing the communication and explaining what we were going to do, they understood it and made for a really simple transition. Of course, you run into some hiccups here and there, but they were easily resolved. And to this day, we still have one primary support person for both ZIA and ZPA, one primary support, and then we have some administrators that help support some other things, but it really is one guy that's driving the entire transition across the organization. And what we've really embraced is that Zscaler has not rested. I was just speaking with somebody in the back, they keep improving on everything they've done. And we are now at a point where we have 5 different Zscaler products that we now deploy in the company. After this conference, we'll be asking for 3 or 4 more. We'll see how that goes. But it's just been really a great partnership. But the biggest thing has just been the ease of implementation. That has really been the key, is the ease of implementation. The ability to be able to do this with just a handful of people across an organization as vast as ours with different needs at every facility because we have so many different industries that we support has just been immeasurable and freed up a lot of crucial time to work on other projects instead of just day-to-day KTLO type information. And I would also add, one of the things that allowed us to do was -- I've got some members on the team that are junior members. They don't usually get to be involved in a lot of the strategic things we're doing just because of skill set. Because of the ease of implementation of a lot of these products from Zscaler, we've been able to have them be involved with it. So we didn't just go through it, we were able to grow through it. The employees were able to get this training that they ordinarily we probably wouldn't provide but they don't need to be experts because the tool really makes it easy. The various tools make it easy.

So we'll take a few questions. Rob?

Rob Owens from Piper. Can you double-click on implementation, how long it took for the various products? And then to the extent you're willing to talk about it, what solutions were you able to get rid of because you implemented Zscaler?

Yes, we're not going to focus on any specific -- vendor specific, but let me give you a quick example. In general, sure, sure. So at the beginning of the pandemic, March 2020, we all remember that everything locked down worldwide. Up until that point, we had about 700 employees at any given point around the world working remotely using VPN. And we were in the process of planning a rollout of ZPA and when the lockdown happened, we said, well, let's accelerate that rollout of ZPA and we're going to need a lot more than 700. So we -- by -- within 4 weeks, so middle of March, we locked down, middle of April, end of April, we were at 7,000 employees a day working remotely using ZPA. So that's the pace at which we were able to roll out, and we were able to take out our legacy VPN solution. So that's a good example. You want to comment on any other ones?

I think a key thing to keep in mind here as well is we did this, but we maintained Zero Trust. So anybody can turn on ZPA for 100,000 people today if you have an app segment that's *.*. Everybody gets access to everything. We wanted to make sure that when we did this deployment, we maintained Zero Trust. So we had already predefined some groups with the 700, we had predefined some groups, HR, finance, engineering with specific app segments. So we were able to take that base setup that we already had. And within 3 to 4 weeks, we had added -- it eventually at one point, reached roughly 10,000 people but all in their proper segments. So we lost nothing on Zero Trust.

It's Joel Fishbein from Truist. Just wanted to follow on to Rob's question in terms of -- you've probably seen a lot of new technology announcements today from Zscaler. You talked about ZIA and ZPA. Are there any other areas that you may be looking at, ZDX, maybe some of this breach predictor technology that they've -- I know it's early days for announcing -- in other words, are you thinking about going broader with Zscaler and going forward?

Yes, we are looking to broaden our profile with Zscaler. I think some of the more well-known products that have been around, we are actively looking at them. The new one that was just recently announced was Risk 360 and we're very excited about that product. And especially for CIOs, such as myself, we're engaging with our business leadership executives with the Board. And that's always been a challenging arena where improving the level of understanding at that level of security and how that ties to our business and then having key metrics and real data behind it is invaluable. So I really see the Risk 360 product as enabling that conversation with -- at the executive level. And part of my challenge, I'll be very honest, is when I engage with my executives and the Board and we say we're using Zscaler and it's doing great things for us, there isn't much else to report, it just works. So the level of visibility at that level is limited. So I think Risk 360 will raise that visibility. And I think -- and that's a very valuable thing for us.

One thing would be worth mentioning is, Matt, you had talked about your supplier and partner access, Zero Trust. That's not a common use case still out there. It may be worthwhile for you to share with this audience what you're doing with that and how you had to do it before?

Our primary focus, of course, was our employees when we deployed ZPA. And we, very early on, looked at that and worked with our Zscaler representatives and realized we could use that same technology for the suppliers, the vendors, the people that had to provide support into the company. As with most companies, in fact, I spoke with a lot of them here that still do it, to have that access in the past, we had to give those people access to our identity platform. We had to create accounts for them on our systems. That presents some various problems. When do we suspend it, when do we terminate, et cetera. And we realized, hey, if ZPA works for customers or works for employees, it will work for customers and vendors and suppliers. So we used an IDP that was provided through Zscaler and we were able to use the customer's own identity platforms, whatever it might be Microsoft. And they came in through that way. Over -- in our case, we had them using browser access, but we could give them the ZCC client. We had them using browser access because we didn't want to tell a customer or a vendor supplier, you have to go install this software. So we were able to have them come in, access whatever they needed to access. We created a new group within our ZPA. And we provided new accounts for them. We had total control over their access. We could terminate it any time we needed to terminate it. And of course, it was fully secured because it was now over Zero Trust. So they weren't coming on to the network to provide support. We were making the app available to them to support. So it's been a very positive experience for us because we no longer have to go to that identity management administrator and say, here, create these 50 accounts. We just send an e-mail to these people that want to -- that need to come in. And it's resolved. It's -- they have access instantaneously. And somebody had asked -- just going to add this on. So we have ZDX. We do have cloud connectors. We've got illusion, the deception technology. And -- but today, you were -- you had mentioned what other things. The emergency access for Zero Trust for ZPA was announced today or it was one of the things they had mentioned. And that just is going to be a real positive thing for any companies like ours that require external people to have support immediately, but we don't have the time to go find out their name, their e-mail address, et cetera. We just need immediate access and then all of the -- I just came from it, so it's fresh in my brain, but all of the changes or additions that are being made to ZIA. That sounds just -- I think it's going to be quite positive, the ZIA with the DLP implementation. And DLP in my world view has always been just a dirty word. It's the thing that everybody talks about, the thing that nobody can do. Multimodal DLP, this sounds like a real evolution in basic DLP. So those are a couple of things that I'm really looking forward to from my perspective moving forward.

I think we could go on for much longer. It's a fascinating conversation. But in -- due to time, we'll end it here. But hopefully, some of you will be able to engage Manesh and Matt, and I really want to thank you for your partnership and your time.

No. Thank you, everyone.

Okay. So then next, we'll invite our COO, Dali Rajic.

Thank you. I just wanted to take a moment kind of go through market dynamics and our view and perspective. If you take a look at the macro, I don't need to describe it, but it is complex, getting more complex, and every company in every vertical is feeling it. At the same time, the dynamics of the pressure, I think are getting really increased by the fact that you're trying to respond to an increasing threat ecosystem that's building across the globe while at the same time, having pricing, budgeting, resourcing pressures. But what it means is that cyber still is the #1 topic and the #1 discussion and the rethinking of cyber is accelerating from what I'm seeing in my meetings with senior executives. You can imagine that -- we've had the same discussions with many of our potential customers and partners around really just an evolution of how you think about security, how you think about the legacy vendors and what they're packaging up as new and what they're packaging up as business impacting. And those conversations are much more open and accelerating today, driven by the macro than what we saw before. Now the reason why we actually believe some of these trends and some of these new threat vectors are supporting our story is because of the uniqueness of our platform. And it's not just the uniqueness and capability, but what outcomes it really drives. And when we talk about driving outcomes, what we realized over the last 6, 7 months, we always had a very structured sales process, go-to-market model that's based on discovery and being consultative to our customers. But a lot of our customers were facing new pressures and Zero Trust is this broad term that everybody talks about. The questions now are coming back of what does this really mean? How is it differentiated in outcome you drive, not just feature function capability that you have. When you have these conversations, you better be prepared when you sit down with those individuals. For the last 6, 7 months, we've really invested heavily in just taking the training across our CFO ready business cases and our business outcome modeling to another level. And the reason why is we have all these unique platform innovations and capabilities and you have to really dissect what it can do for a customer across the entire journey and across multiple functional groups whether it sits in network or on the security side or on the cloud side or on the managed service side, it really became our responsibility to connect all those threads for our customers, multiple layers deep. Now deal scrutiny is going up. That means your business case, better be ready. What we found is that engaging early in building it versus presenting it on the back end made a huge difference because a lot of the executives within our customer base are getting more scrutiny from their CFOs and CEOs on these business cases because they have to commit to what it delivers, not just hypothetically, but within whatever gets budgeted down the line. And I'll talk about that in a little bit as well. And what was really clear is that the pressures from the CTO and the office of the CEO on transforming becoming more business agile is really being hindered with legacy network-based security solutions. And it's really being slowed down. We talked about to go to know with a k versus no with no. That is absolutely the demand that's being made of CIO and lieutenants from CTO and on the CEO side. So we built a repeatable blueprint on how we engage, how we execute the level of depth we go in our analysis before we ever present our technology. And over the last 6 months, we've really evolved and up-leveled that expertise across all the ranks. And it's an integral part of our go-to-market model. What we've also done is, and I'll speak to this in a little bit, what we've also done is taking the end-to-end journey that you heard about with our customers to another level. It's not enough to just have a great plan, it's not enough to just deliver great solutions. But you've got to map out the journey, the steps, the phases, you got to map out then how are you going to help with adoption, even once you leave everything is deployed and everybody's happy because there's great capability in our solutions. How do you turn and evolve and twist your entire organization to really be micro focused on customer adoption and value realization. And we've had it in place, and I'm very confident we took it to another level over the last really 4, 5 months. So if we also think about the kind of drive to modernize, what does that mean? Automation is critical everywhere. Why? You heard the customer talk about, we have one person that manages this. Probably wasn't the intent originally, but that is the capability we provide. What I'm seeing and hearing with all customers today is everybody's pressed and stressed on resources for the volume of projects that they're having to manage. And the level of sophistication of what has to be done is gone up manyfold. How do you supplement that sort of environment because we're not experts in everything. The way we do it is we automate current operations, we really drive consolidation, and we do it pretty simply for us, not so simply, I think, for anybody else in the industry. I've spoken about our model for quite some time now, but I want to just double-click on one point real shortly here. When you build an entire go-to-market engine that is structured with each part, understanding what their role is and what they have to deliver because busy work is great, but it doesn't produce results all the time. When you build a go-to-market engine where every resource across the entire ecosystem knows what they're delivering at which stage and how, and you integrate all of those elements, what it means is you build a seamless engine that really allows you to go detailed and build business plans with your customers. I'll tell you right now, our competitors are not doing it, and this takes a while to build, and we've been building it for years. The reason this matters today is -- and ROI is great. Who on the customer side, signed off or whatever it is that you have in there on changing their business around. It better be some relevant people. So again, the discovery collaboration efforts that we have on the front end, allow us to create comprehensive business plans on value we will drive with the backing from the individuals that matter in the organization and that validate what we have put in place. We map it to the minor framework. Why? Because everybody wants to know what vectors do you help me cover? What security threats from my adversaries can you help me cover? So this is another element that's in there. And then we, with the customer based on blueprints that we have. So this is a repeatable process by vertical, customer size, we map out the different phases of their evolution -- on the outcomes they have to drive and that they want to drive and the businesses they need to support. There isn't one conversation with a CIO that I'm having today where they're not being asked to map to the transformative CTO and CEO vision that they've laid out for the next 5 years. And to the earlier point, what information, what am I bringing back to the executive suite on acceleration of value I can provide. So building this, phasing it, having a deployment plan that drives ROI by each phase and then a customer success team that continues to work after deployment leaves, that is part of our secret sauce in really amplifying the unique capabilities that our platform affords our customers. This is pretty much a must on anything. That's a couple of hundred thousand dollar deal and up. And the only difference is how deep do you go based on segmentation of customers. This is also the discussion points that we're having with customers if something slows down or doesn't. I just met with CEO minus one of a very large global company, and they bought based on the plan we had comparing us to competitors and all the pricing gimmicks that they were going through. And we were about a quarter in, in this purchase, and we sat down and we went through the plan and our progress to that plan. So this is not a theoretical exercise. This becomes our mutual success north start. And customers are appreciative, and we invest the time in doing it because it's our responsibility. And it's our responsibility because there are so many different disparate security solutions out there, and they're being asked, customers that is, to replace, to consolidate. If you don't, how are you going to automate. How are you going to automate? By the way, as you're doing all this and you're driving an ROI, that's interesting. But what's your business impact? We talked earlier about my employees are going to sit everywhere because I need to get to talent. We talked about third-party suppliers. We talked about M&A-related activities. We talked about any sort of cloud transformation that you're planning on, you have to understand what are you going to do not just from a user or a workload standpoint. So what's my journey, how daring can I be? How quick can I be? What is the risk, I think I'm taking versus Zscaler risk you can eliminate for me. And by the way, can you do this quickly for me. We have the unique ability to deploy in short windows. And we make sure that we have plans on how to do that. So we've really centered in this fiscal year on not just the entire ROI practice, but also what is the business enabling platform capability and acceleration that we can provide for our customers because we understand how this connects, it matters to one degree or another across any vertical. And this has also allowed us to really become partners with our customers instead of just a vendor. And it's also allowed us to have a much broader and more aggressive consolidation of solutions discussion because we have an end-to-end integrated plan. And if you can deliver that, and you're not just selling solutions and hoping the customer figures it out on their own, that's pretty unique, and it's part of our success and growth. You've seen this before. And I know at the beginning of the year, we restructured to kind of really align to our go-to-market model and really map closer to our partner community. And this has worked really well so far. Up top, it's the largest of our large customers. We have very, very consultative scientific activity that we're driving, broad ecosystem and that way, anybody who engages with us, you have access to many different experts and many different C-level executive practitioners. You get into the mid segment, depending on size, it's still very much the same model, just a little bit lighter. And that's really it. And it's really helped us continue to drive acceleration, not just upmarket, but also mid-market. And in the commercial sector and below, we've really, really gotten close to our partners in many collaborative efforts, and Karl is going to talk about it a little bit to drive that velocity. And we've seen velocity upmarket, mid-market and down market at a really satisfactory pace. And what it validates is that our solution is relevant and especially relevant if you go mid and down market because your resourcing is even lower than what it is when you go upmarket. Automation is even more critical. Low touch to no-touch security is even more critical. And the beauty here is our partners usually have a managed service wrapper that they offer up for these customers, and that combination has worked really, really well, and it's an area of future investment for us. So kind of in conclusion here on this, the organization has pivoted to really serve every segment. And we've really refined and up-leveled what was already in place and what we've been building for years in order to do it at a very different detail level, on what we discover and uncover and then how we build plans to deliver and how we hold ourselves accountable to deliver. It's real ROI, it's real business value and our customers are very appreciative on this approach because it is a unique approach, especially if you've grown up with legacy security appliance vendors as your primary vendors back in the day. So on the partner model, I'm going to bring Karl up to kind of speak a little bit more detail on what we're doing and what we're looking for going forward.

All right. Thank you, Dali. I appreciate it. All right. Good afternoon, everybody. So I've been on board little over 90 days right now. And when I joined, the first thing I did was really go on a listening tour. So I really understand where we needed to go and how we're going. Spend a lot of time with the partners trying to understand what's working, what's not and what their needs are. So truly, before you can build the future, you need to understand the past in a way. And the story I heard was really what I anticipated here in quite a few ways. For a company our size and where we're going and where we're -- the trajectory that we're trying to go after, we're right where we're supposed to be. So right now, the sales process historically, it felt somewhat reactive and opportunistic, meaning we have a big opportunity, we'd engage with partners, but we weren't really building a holistic strategy for long term. When we're looking across the market that they go after and the customers they go after and seeing how we can work together. So as a chance to kind of step back and say, where do we want to be in the future and what's that need to look like. We measured partner success somewhat on top of funnel, a lot of companies our size would, how many leads are they bringing? How can we actually bring them into the pipeline? How do we drive that? Early-stage opportunities, not integrating them through the sales process that Dali spoke about. Amazing opportunity and energy and appetite for them to do that. When we think about the partners that we work with globally, the large GSIs. I think we did a good job managing them from a global basis but there wasn't a lot of great theater interlock that we can actually work with and drive down to the specific regions. So how could we actually get that tracking and moving quickly. Then lastly, from -- when Jay founded this company, it's always been a partner-first mindset, like let's get the partners engaged. And there's always been a commitment level there, but there's never been a full infrastructure underneath it to really drive that process. So what I'm really trying to do now is take a look at this and drive it through the maturity cycle. What I'll show you next is really kind of how we're looking a little bit at segmentation, which maps a lot to what Dali talked about. How do we segment these partners because the needs are different. On the GSI, my needs are different than if I'm a regional solution provider versus a service provider. And everyone is going through a bit of transformation right now themselves in how they're going to market and they're evolving. So we need to be engaged in listening to what their needs are. So here's a good look at this. If we take a look and try to understand who really the global players are and how they work and how we can get scale, I'm here to tell you one thing, the appetite is there from our partners. I mean I think we anticipated when we had this event, we have about 150 partners show up. We have 300 partners that are here. And the energy is there. It's less about selling them on the virtues or values of the technology, it's much more about how to integrate and operate. So I think that the sales process here is amazing. That we've developed the interlock with the partner is going to get there, and that's how we're going to get scale and reach down market. Scale in the higher end, going wider and deeper within the Global 2000, the reach as you go down market into new customers. I've been amazingly surprised how well this brand translates down market to the commercial space. And I think our biggest competitor sometimes is awareness, how do we amplify the messaging? How do we get it down through to the customer base. And that's what we're going to really do. So when we think about this model and how we break it out, whether you're a global or regional, what your play is, it's really also looking at what problem you're trying to solve and what the customers' needs are. So maybe an interesting angle from a partner leader but as we're building this strategy, we're literally looking at customer first. What's the customer's needs? And then how do we layer the partner into that to solve some of those needs. That's a handshake and complementary to what our sales process is. And again, looking at today versus tomorrow, natural transition of where we are today, that we grew so fast that things naturally had a few silos tied to them. We manage the GSI team a bit different than the service provider team. We have these amazing in partnerships that were kind of siloed off. And they're all very successful standing up on their own. But what if we unify them, what if we get them working together, what if you look at the message a little differently. Through an end user's eyes, let's look at the Zscaler customer journey, not just about the acquisition of the technology, it's about the deployment of it, the consumption of it, how they're leveraging it. We heard from the customer a few minutes ago, how they actually can actually truly engage in the problems they're solving, our partners are going to be part of that journey. I think there's an amazing opportunity for our partner community to add advisory services. This is an architecture and a mindset. The large consulting companies can actually drive that. Again, what I'm seeing right now is not a lack of desire. It's awareness, it's enablement and it's engagement, and that's what we're going to change. We're going to invest in the coverage model. We're going to invest in the alignment, and we're really going to drive them. So with that, Bill?

Okay. Thank you. Karl has to leave early for -- he's hosting a partner program. So we'll take a few questions just with Karl, and then we'll bring up Jay to close.

Questions?

So you did a great job at Palo Alto Networks, creating the next wave program to really enable the partner community to sell the broader platform vision. I'm curious based on discussions that you've had so far with the partner community, how do you plan to do that with Zscaler, which does have a lot of products to sell, but really selling that broader platform vision like you did at your predecessor?

Yes, great question. I think it's less about selling a platform vision and more focusing on the use cases because those are the conversations we're having. I'm not having a lot of technology conversations right now. I'm talking a lot about the use cases and the problems we can solve and their board level problems right now. So if a partner truly wants to be seen as a valued consultant or an adviser, those are the level of conversations they need to have. So I think it's more about just truly aligning from that, and we'll see the scale. It's interesting. There's not a partner conversation I've had yet where someone feels as though we're fairly saturated in how we're executing together. Everyone's conversation is the same. We're in the early innings. We've done a few big deals well together, how do we amplify it. So it's not an issue of having capped headroom or the fact that I need to go wider and deeper and sell more of the technology, it's more about amplifying the message to get more opportunities. So it's exciting from that. And so it's a bit different from that end. Great question.

Alex?

Yes. Alex Henderson over at Needham. I'm interested in your view of why the Street consistently gets the VAR channel information wrong and why -- when you talk to all of these partners, why is there such a disconnect between the read the Street gets when they talk to VARs and the actual results, which obviously have been better than the VAR checks suggest.

I think transparently, in my opinion, I think it's sometimes speaking to the wrong VARs or the wrong people within the VARs who aren't connected, respectfully. But I actually do think, again, I'm going to go back to how early we are in this process right now in this journey with our partners. Partners have always been there. But remember, I flipped it back saying it was opportunistic. As we are strategic as we have business plans, which the business plans we're rolling out are actually 2-year business plans we're working with them on. It's not what we're going to do over the next quarter or the next few months. It's what are we going to over the next couple of years to scale their business. And the conversation I'm having with them is it's less about me being relevant, you being relevant to me. How can it be relevant to you? What do I need to be relevant to your business in the size and scale? Again, going back to that segmentation, some of the conversations we're having.

It's [indiscernible] from WedBush. A question on -- one thing that we heard from management team and even like customers on Zscaler versus other security vendors historically, it was that -- it's a more evangelistic sale. It takes a long time to convince customers to move from their old network security model to the Zscaler model, and that's why the channel mix was lower for Zscaler versus other security companies. Has that changed now in the last 2 to 4 years? I know Zero Trust has been around for quite some time. Customers get it now. When you speak to partners today, do you think that they have the ability to sell a Zscaler-like solution today more than say, 3, 4 years ago?

Yes, I think it depends on the partner and where they are in the evolution with us. I think the term Zero Trust has been out for a long time, but who can actually truly execute to Zero Trust is still to be determined. We believe we're the leader in there. I think that the sales cycle partners are not afraid of because if it's a longer sales cycle, it's usually a larger opportunity, and there's usually a greater margin portfolio window for them. And it shows that they are engaged, it's sticky and they're having ownership over the customer long term. They want to have those type of relationships. This is not a commoditized technology. This is not about the volume of partners that we have. It's about having trusted partners that we trust that we work with, that they trust us and most importantly, that the customers trust. And that's really how we're holding ourselves accountable.

Okay. So thank you, Karl. Appreciate it. All right. Why don't we move next to our final Q&A with management. I'll invite all the speakers up to the podium. Okay. Who wants to start off the question, at the back?

Andy Nowinski with Wells Fargo. So maybe a question for Dali. You talked about providing and focusing on CFO-ready business cases and selling outcomes. I guess, are customers coming to you and asking you how they can roll out LLM to their employees? Is that a high priority for them right now? And are you involved in those discussions? And if so, why would Zscaler be better positioned to secure the use of those models versus maybe alternatives from Palo Alto and others?

I'll go back to, again, our approach is very integrated. And I'll tell you right now, Palo Alto does not sell this way. And I've not seen it yet, and I won't see it. So why are we in a better position and why are we in a better position even to step outside of kind of our -- some of our core capability. We have a really rich technology alliance ecosystem. That is not just basic integrations, but it's deep engineering connections that provide a plus one value proposition. So the credibility that we have because not just our platform, not just the holistic approach that we take, the research that we put in, there's a lot of work that we do on behalf of the customer. But the tech alliances that we also integrated into the broader story, the partner community that we integrate into, how can this partner help you deliver, I'll go back to we're not selling features and functions. We're selling a paradigm shift, a transformational view with details on what we can do, with details that we can do through our alliance ecosystem and our partners who we work closely with, and we then bring in to where we stop, they continue and our partners who then also deliver an additional layer on top. It is a different sales approach. So why would we be better qualified, I could just say we're well qualified because of this approach. That's very unique to provide a perspective and a very integrated, holistic point of view, not telling the customer this is the only absolute truth. Doing a lot of work to let them know what is possible, what the different permutation stages are. And then with that customer crafting what this means and bringing unbiased expertise on other technologies that they're either leveraging or thinking about leveraging. So you become a trusted adviser when you do that. And I guess that's my answer. Again, we're not telling them what to do nor are we proposing. We're the only thing out there that need to be looking at or having discussions on. But we are the only entity that's bringing them a holistic, very detailed well research view with other entities that we collaborate with that sitting outside of Zscaler.

Adam?

Adam Borg with Stifel. Maybe for Dali on the business, following up on the business value assessments as well. I'd love to hear more about where in the go-to-market pyramid. We talked about from majors all the way down that you're seeing that these refined business value assessments where that's -- where you're seeing the most impact there and maybe just anecdotes you could share?

Yes. So on the upper level, it is -- it's just -- it happens on every engagement. It's not a discussion of. If you go into the mid-level, I'd say you're still doing it in 70%, 80% of the cases at the level of depth that I described. But we also have an automated solution in-house that does a lot of these things through really the field teams when you start going down market. So we're still delivering ROIs. The entire services organization was pivoted to deliver a phased approach of value realization and the customer success org is managed and measured on adoption-specific KPIs. So upmarket, it just -- it becomes an amazing beautiful discussion. You iterate, you're building business plans to get, it's what makes the job fun. And I will tell you, it's so appreciated by those executives because, again, it's not a standard approach in our industry. And in the mid-market levels, it is also very much appreciated. We're just a little bit more efficient on how we do it because we have some automation in some of those environments, are not as complex. So it's a little easier to do it. It absolutely explains not just the possibility of the different impact areas, but also the how to and by when because I'm going to go back to CFO-ready business case is not a tagline. Everybody is being asked to commit to cost reductions, and you have to -- I'm dealing with a bank right now, and they have some of the competitive product in-house. It's sitting there for free and it doesn't matter. It's not free because you still -- in order to deploy at scale, there is a lot of things you've got to pay for and buy. And when you do that kind of reverse ROI almost on what free really means, it's not. We haven't even talked about your security posture yet. And the moment you go into those discussions with those companies. And this is 50,000 users, right? So kind of in that upper mid spot. It is pretty interesting to see how quickly the customer actually pivots to wanting to know more and more and more on what else we can do together because they're presenting that back to their board. What we're building here is basically board-ready business cases and plans on how to achieve them. And they're being used, repurposed, but used.

Brian?

Brian Essex from JPMorgan. I'd love to keep the spotlight on Dali for a minute. I really appreciate the blueprint framework that you framed out. And I know you commented, I think, a few times on bringing things to the next level over the past 4 to 5 months. So I'd love your perspective on the friction that the company saw in its go-to-market strategy in the January time frame. What have you seen the biggest impact with the changes that you've made? And how are things kind of now that we've putting more kind of better procedures in place from a go-to-market perspective?

Listen, we're not immune to the macro, and I hope that's not what people have taken away from this. We got a hit just like everybody else and we analyzed why, because this was already in place. And what we realized is what we call stage 0 to 2, these are the initial discovery stages. What we realized is there was inconsistency in the depth of really the analysis that the teams were going into. So the biggest change that we made from first half into second half of the year is really deep 0 to 2 training across all teams not just sales, including presales architects on the level of discovery that we need to go into so that you can really deliver very hard unquestionable consolidation of technologies, ROIs, time lines you're confident with. People have contracts on their books. What does that mean? Well, now you got to come up with some flexible pricing and adoption models. So we tweaked that a little bit as well. So it was the approach and then what we delivered and how we allow customers to step into it. That was really the biggest change from first half to second half and kind of the level of detail and sophistication on what we adjusted because the macro is still the macro. We saw it with bigger deals is instead of our sales cycle is about 9 to 12 months and what we saw is a couple of years ago, you were on the lower end of that range. What we saw first half of the year's got pushed to the upper end of that range. So then how do you still control that, so it doesn't slip outside of that? And kind of what I described is what we did.

If I may add the same question was asked many times during our earnings call, I essentially said the same thing, that we had to go deeper and more granular, better discovery on what's there, what can be replaced, better job in doing more granular ROI plan where even annual return wasn't going to give me on a quarterly view of what can be done and what not type of stuff. So better execution by learning. I also said that, so we have to work harder and smarter now than we had 2 years ago.

Madeline?

I'm Madeline Brooks from Bank of America. Two, one for you, Dali, and then I'll take the spotlight off of you, but first one is on just pricing and competitive natures in this market, free in this market is a very attractive word. So have you seen any more additional scrutiny around like pricing for your products, especially as other platforms, not just legacy guys, but newer guys are starting to give away products for free. And then also, if anyone can comment on just Zscaler's exposure, thoughts on the recent cyber attack on our government agencies, that would be great.

Yes. So here's what I'd tell you. We see the same competitors. And I take it a bit of as a badge if we're doing things right if they're compelled to offer things for free. And I don't know about you, I've never gone into a store, gotten anything that mattered for free. So the question then is, how do you articulate that to a customer based on use cases that drive outcomes and results. So I know I'm harping on this, but there's a reason for it. It's not free. It's not free, might look free. So then it becomes a question of, I hear you and I agree with you, Zscaler, how can you help me with some creative financial and packaging machinations. And that's really where with Steve and his team on some of the packaging, flex packaging that we've come up with because everybody steps into it a little bit differently. And if you can then make sure that you help them on how they step in without eroding your pricing and opportunity down the line, that's a win-win all around. But it comes back to even if it's free, does the customer have the responsibility to investigate, of course you do, if you focus on use cases, outcomes, ROIs, what you consolidate and what requirements you're solving for and then you take it a step further and not just about right now, but map out what matters next year and the year after and the question of how are you going to solve for that? And how much is that going to cost? Which is why the reverse ROIs, I called it, which is what is your -- if you were to pick something else, what is your real cost? And then what's your vulnerability and security threat exposure still in that point? If you map it out, if you prove it out during the proof of values that we do, an if you prove out scalability and reliability and automation and integrated components with other vendors they have in their environment. We don't talk about these tech alliances enough in my opinion, because they are absolutely critical and drive real competitive differentiation. When you do that, any business person is going to realize it's now free. Puppy is not free, even if you walk out and store with them. And that's the oldest analogy in the book, but it's true. Can you quantify it is the question. And we really refine how we do that and how we educate and partner with our customers.

The second -- I can take the second part of your question, the headline security breach, the move in vulnerability that is out in the news today with hundreds of companies or organizations being compromised. Our team was already tracking this. If you search Zscaler and then move it, you'll see the first link is our Threat Labs research team 6 days ago, posted a full dissection of the threat, the vulnerability, and we also announced coverage 6 days ago that we deployed a couple of protection techniques for all of our existing ZPA customers. So we're well on top of it, and we've had protection in place for over 6 days now.

Shaul Eyal with TD Cowen. Jay, one for you. I want to double-click back on the appliance. Typically, appliances they come in families. What's the thinking on that front? And at least one of my takeaways from the past than they have today, you guys listen to your customers and you want to delight them and it's great. But assuming within the next 18, 24 months once the strategy, the plan -- I wouldn't call it strategy, but that takes off, will you be adding more appliances? Will it be even going higher?

No. It's essentially a basic commodity in the branch office like a relay to send traffic to us. The thinner, the better, okay? If the customer has already some box sitting there and they can put up software on it, we'll say run with it. We're not trying to build an appliance business. We are trying to make it easier for a customer to really send traffic our way reliably and easily without having the lateral movement. You won't see us talking about doing x percent of sales coming from these boxes.

Okay. We'll take one last question here from Peter.

Peter Levine with Evercore. Maybe to switch topics here. So you introduced identity threat detection. Maybe just talk about the depth of the product today, like the use case and also is the plan to kind of build out like a full-fledged identity, PAM, IGA, customer workforce, meaning like competing with the Oktas of the world.

Yes, we announced the identity threat detection and response today. Our first foray into it isn't going to do PAM and IGA, but that is something we're considering for a future road map item. We think what we are releasing. We've gotten great feedback from our early access customers that it's solving the problem and not something they're doing today very much and that it's a natural fit with what we already do combined with some of the other threat detection technologies like deception and isolation, et cetera.

Yes. If I may say, we're pretty thoughtful on what to do, what not to do. We have lots of good discussions about we are not doing this. We're doing this. I mean take a few years ago, we -- our customers said, you got a client connector sitting here. Why don't you do posture check and some people said, oh, EDR does posture check. And the customer said, yes, you can do it too, add it on. So we added our posture check. Now we give a choice to customers. You want to do posture check from our agent, have it. If you like CrowdStrike or Defender to do it, have at it. So I like to give choices because some of these add-on features are not necessarily the core of our business. They actually help rounding it out and adding more value. Doing identity threat detection protection was natural. In fact, we're sitting there with a deception box out there or on the endpoint. So we are adding thing doesn't need to mean that we need to go all the way. And we'll let the market and timing decide how far we go.

Okay. So I want to thank all the executives, and we'll invite Jay to lead us in closing.

Good. Thank you. Look, I think you got a pretty good understanding of our message. But overall, if you summarize in 2, 3 areas, right. We pioneered Zero Trust before Zero Trust became fashionable. And it become the largest cloud out there. And the cloud effect is making a big difference. And I think you're going to hear more and more about the resilience of the platform becoming more and more important. You heard about AWS issue once yesterday or day before yesterday and Azure one on the weekend. These things will become very, very mission-critical for us. I have had customers who said, Jay, Zscaler is more mission-critical than Office 365. And it makes sense. We are the switchboard. We are the first one that launched disaster recovery service. The copy cats probably haven't even thought about it, they're trying to do the basic stuff. So as it becomes more and more mission-critical, customers are leaning towards people who have been there, who have done it. So this will be bigger and bigger play. And the platform expansion. You saw during the conference, our team innovates at a very rapid pace. And it's not that because we have -- we only -- we have the best people. It's because when you got a platform that can really be extended, you can add innovation more easily. When we added sandboxing to our platform, literally, if we had to do 100 units of work, we only did about 25 because the 75 units are already part of the platform, how do you take traffic, how do you authenticate, the policy engine, opening up the file, and we simply had to send it to the sandbox, which did run it and return the verdict. So those are the great things we're building upon. And I think multi-tenant architecture will play a bigger and bigger role, especially when you're sitting in the traffic path, and that's a big barrier to entry and go-to-market and execution. I think we've done a good job. You've seen our numbers. We keep on refining, aligning more and more large customers especially -- I mean they see us at mission-critical so many of our customers, we are the only mission-critical cyber and now sometimes they call us networking vendor, which I don't like to be called because we are not a networking vendor. We eliminate the network, but it's a great position. And as I mentioned early on, keep on expanding and growing the team, not only at just the leadership level at the next level or the next level is our big focus. My #1 priority is always keep on making sure the team is getting stronger and stronger. With that, I want to thank you for your time, and thank you for your interest in Zscaler, and we'll keep on delivering.

One announcement, we will have these slides available on the website shortly. And for those in the room, if you want to pick up a copy of the CXO architect book, those are in the back. Thank you.