Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Okay. Good morning, everybody. Welcome to day 3 of our Morgan Stanley TMT Conference. This morning, I'm very delighted to have Jay Chaudhry, CEO, Chairman and Founder of Zscaler. Jay, thank you so much for joining us.

Thank you, Hamza.

And before I begin the conversation, a brief programming note. For important disclosures, please see the Morgan Stanley Research Disclosures website at www.morganstanley.com/researchdisclosures. With that, we'll kick it off.

So Jay, you just reported earnings a week ago now. Obviously, a lot of demand for zero trust, SASE, modernizing security architectures for this new world that we live in. At the same time, we've heard some data points around there's a still budget scrutiny out there, some talk of spending fatigue. I'm curious what are you seeing today. What's the state of the union? And where do you think CISOs are?

So we aren't seeing any cybersecurity spending fatigue. In fact, if you ask me, the risk of cyber breaches is far high today than it was 6 months ago or 12 months ago. Every CIO, every CISO I talk to, they are nervous about it. That means if you can solve the cyber problem, they're willing to spend money. Now they also -- all cyber is not created equal. The biggest worry is ransomware. You've heard about Change Health this week, there was something last week, every week, things are happening. So while the market throws acronyms like SASE out there, more investors talk about SASE than customers do, by the way, okay? Because it's just -- if the vendor stuff gets to investors, there's more dialogue with some of the terms between investors and vendors than actually with customers. Customers want to solve the cyber issue, the ransomware issue. If you can solve that, and that's where zero trust comes in, and you can save money at the same time, you get the deal done. Great cyber, no cost savings makes it hard. Great cyber, good cost savings make it easy. Since we eliminated a number of point products, it becomes easier. I mean, look at various products. Will firewall company that place firewall to save money and sell SASE? Not really. They want to add more stuff on top of that while trying to preserve what they have. What does the EDR in place? Symantec, McAfee, do they save money? Not really. Do you save money by buying identity? Active Directory is free. When we go in, essentially, most of the DMZ goes away. We are able to save. So that's the combination, best cyber with zero trust and saving money is what helps us.

Got it. So natively, you've built your solution as a platform that can consolidate multiple products and ultimately save costs across a variety of different categories. But on that front, there's been some debate around platform versus best of breed in cyber. You've been very thoughtful about the areas that you address, right? Ultimately, it comes down to the architecture for Zscaler. But I'm curious, where do you think we are on that spectrum. Last couple of years, it was consolidation, consolidation everything. And now it seems like we're leaning a little bit back towards best-of-breed. So curious to hear your thoughts there.

So I don't believe you're moving back to best-of-breed point products, if I say that. The debate has always been too many point products is not good. Best-of-breed, lots of point products doesn't help. But on the other extreme, there's no such thing as God security cloud platform that does everything, okay? So our customers want a handful of best-of-breed platforms that work with each other that connect with each other. Unfortunately, the word platform has been hijacked just like the word zero trust has been hijacked. Platform is supposed to be a common set of services on which you build application A, B and C. It's not supposed to be a collection of acquisitions and label them under a bundle, okay? That platform is really nothing but ELA labeled as platform, which is becoming shelfware. If you ask me one of the feedback I'm getting from CIOs is, we are tired of ELAs because they essentially become shelfware, a lot of stuff that's not very good, we don't end up implementing it. Our philosophy has been platform almost like to give you a good model. ServiceNow has built a good platform that works well together. How many vendors have tried to do a bunch of acquisitions they never came together. It's supposed to be a platform. So market wants best-of-breed platforms probably in security. They'll probably bring it down to a handful of them. So you're bringing down 30, 40, 50 products down to a small set of vendors that work with each other.

Got it. Got it. No, that makes a lot of sense. So you talked about cost savings when you deploy Zscaler, and there are a lot of different ways you can deploy it, ZIA, ZPA, ZDX, but can you just remind us again what some of the key cost savings are within security and networking as well?

Yes. Of course. I mean, savings are tremendous. In fact, quite often, the question I get when we present the cost savings to customers is, where is the catch? Because they think, it's too many. So where is the cost? Even today, you'll be surprised that there's so much blue coat still sitting out there in large enterprises, okay? When I look at the top 10 deals or 20 deals I get for new logos, a large number of them are still blue coat. But that's a starting point for Internet gateway. You start with Secure Web Gateway, then you add DLP on top of that, you add sandboxing. We are the full outbound DMZ. That's why our deal size starts going up. And on the ZPS, ZIA says, I'll give you secure access to any Internet destination or any SaaS application that you don't manage, you simply use them. With ZPA, I give you access to any internal applications in anywhere hybrid fashion and data center, plants and factories, Azure, AWS, wherever. It starts with replacing VPN. That's a small piece. But then it essentially replaces the entire inbound DMZ starting with load balancer to DDoS protection, a layer of firewall and the like. And then ZDX replaces a bunch of point products. So more and more of our customers today buy what we launched about, what, 12 or 18 months ago. We call it Zscaler for Users. It has all 3 products packaged because that replaces a lot of stuff. Now product replacement, there's a network cost saving in the local breakout. The next big savings we kind of discovered in the past few months is actually massive. This was a dialogue with the CIO a few months ago. He was talking to me, he said, "I'm so proud of the fact that 60% of my applications have moved to the cloud and only 40% on the data center." I said, "Wonderful. That means only 40% of your traffic goes through the data center." He said, "Perhaps." I said, "That means you shouldn't have upgraded any router, any firewall, any load balancer or any switches in your data center since the traffic is shrinking." He smiled. He said, "I wish that were true." Now why wasn't that true? All these branches on SD-WAN still sending traffic back to the data center, then they got expensive access route or direct connect to go to the cloud. Slow, expensive and those upgrades of those routers, firewalls in the data center are not cheap, they are millions of dollars. Instead, with Zscaler, you go direct, saving network cost, you're saving cost of all those routers and firewalls in the data center. That's what a number of our customers are driving. So this will impact the sales of firewalls and router and switches in data centers, it should because it's less traffic. And also with our -- what we announced as zero trust for branch, we're eliminating the need for any box in the branch. One single box provides you connectivity, no firewall, none of the other stuff needed. It simply connects the whole thing and gives zero trust connectivity.

Got it. And just for context, I mean, I think like investors, they prefer their Gartner, IDC market map sometimes. So you started off with the Secure Web Gateway, roughly $4 billion, $5 billion market based on some estimates out there. You've dominated that space. Now, you're going really after the firewalls that's still roughly a $17 billion market. And then there's additional cost savings from networking MPLS, which is anywhere from $30 billion to $40 billion. So really...

And VDI market we discovered a year or so ago.

Okay.

I never thought of VDI solution till a few customers came and said Zscaler Private Access combined with browser isolation gives you essentially streaming pixels and doing everything VDI needs to do. So it's becoming a very important use case. I'm surprised how many large enterprises use VDI today. They're all either trying to move the cloud. Even if they move to the cloud, they still go through Zscaler to access Internet. So it's a significant use case.

Yes. And digging in -- when you talk about the firewalls, right, there's 3 aspects. There's the data center firewall. There's a branch and then there's the edge firewall. So where exactly can Zscaler drive the cost savings?

So if you think about branch, when Zscaler gets deployed, you really don't need a pool in the branch. In the past, we didn't really offer a complete solution. In the branch, we said here's a piece of software, you deploy on something, it works. We called it Branch Connector internally. The customer said, "No, no, no. I want you to give me a complete solution. I want to hold you as a single vendor accountable for it." So that's why we launched our plug-and-play appliance. So it's my belief that it's a matter of time that Zscaler customers in the branches will have no firewalls. It's a matter of time. When you talk about the edge. That's the east-west -- sorry, that's the north-south traffic. You don't need a firewall for North-South with Zscaler. ZIA, ZPA takes care of that stuff completely. The data center is what we have kind of left alone for the east-west traffic. While you can deploy the ZPAs to do so, there's a lot of little nuance stuff in the data center. One CTO I talked to, I met him and he said, "I don't even know what's in my DMZ and what I'm doing in here. Don't worry about it. Let's focus on the cloud. My data center is shrinking. It's going to become less relevant. So we are focused on making sure the edge and the branch firewalls go away. Data center east-west, while they're solutions you'd rather focus on doing east-west in the cloud than in the data center.

Makes sense. So the other thing that you battle sometimes, obviously, it's a large opportunity and the architecture that Zscaler has laid out makes a lot of sense and a lot of companies are replicating that. But sometimes, you're battling inertia, right? And I think implementing zero trust architectures, sometimes you hear from CIOs and CISOs can be difficult, and maybe that's just because there's a lot of FUD in the market. So what are you doing to battle that inertia and help customers really align more towards the zero trust framework?

Yes, zero trust is the most confusing firm out there, but it doesn't need to be. Zero trust means don't trust your users or applications being on the network. What does on the network mean? On the network means probably the best analogy to give you is the following. If I come to see you at your headquarters, they stop me at the reception, check my ID, give me a badge. And if they said, "Jay, no escort needed, just go to floor 7, room 23." I'm inside the building. I could go where I need to go, whatever room is open, I go in, I snoop around, I leave. That's like being on the company network. Firewalls and VPN are staying on the gate like the receptionist. Once you're on, your on. That's why you try to do segmentation. Let's put a wall here, wall here, you can go to this part of the building. You can't go to that part of the building. It's a nightmare. That's why you're not going to find any company that will tell you I had done segmentation based on network in a very well fashion. It just doesn't work. What's the better approach. If they check my ID, give me a badge, they'll say, "Jay, stop. You will be escorted to the meeting room and meeting room only." And you don't even need to know where the meeting room is. I get taken to the room. Once meeting is done, I get taken out. Think of the building like your data center or your cloud. Think of each room like an application. Zero trust starts with connecting a user to specific application. We are the policy engine, the switchboard to do that, an important piece of zero trust. The 2 other pieces for zero trust that are important. First piece is identity. It starts with who are you? When the receptionist checks your ID, that is your authentication. And the second piece is posture check of the device, is the device good or bad. And that gets checked at the reception itself as well. Generally, EDR vendors will give you posture check. Identity gives you identify, and we are the switchboard, 3 basic things to get you started with zero trust, big benefit. Then the next phase where people get confused ends up being creating what you call user-to-app segmentation, which says salespeople can only access these 12 applications and nothing else or finance people can access this. That's the next phase. With Zscaler, it becomes a lot easier because you're not doing network segmentation. So while this confusion, most of our Zscaler customers have already done Phase I, and they are at various stages of journey in doing Phase 2.

Got it. Got it. I could talk about architectures all day, but maybe we could talk a little bit about the sales execution. So it seems like this fiscal year might be a bit of a transition year for Zscaler. You had this long-term goal to reach $5 billion of ARR. You're a little north of $2 billion today. To get there, you're up-leveling the sales organization. You brought in Mike Rich as your new CRO from ServiceNow along with others. Talk to us a little bit about the reason for that sales leadership transition, and how you factored in potential disruption from that?

So when you go to certain levels, you need to change what got us here wouldn't get us there. Right after IPO, right, we come -- we up-leveled a lot of things and go to market at that time, put proper sales enablement, some of the cadence in place, got us to over $2 billion. To go from $2 billion, to $6 billion to $8 billion wherever, we felt we needed to make some next level of refinement. Now what we're doing is not new. But 6.5, 7 years ago, I really showed to David Schneider, who was the President and go-to market leader for ServiceNow. I say, "You're the best role model for us. You sell to large enterprise, well sell to a large enterprise. You sell a platform, we sell a platform. We have to sell to sell to CXOs, you sell to CXOs. Help us, guide us." So he became an adviser and mentor to me and Zscaler and a couple of years later, he joined our Board. So a lot of stuff we have been putting in place, you have been hearing about CXO-level engagement, large accounts and all have been essentially being added to the process we have been doing. But now to bring somebody who actually drove it there, obviously, helps us a lot. And some of the changes we are making, and these are not kind of dramatic changes. We have been -- some of my large account salespeople have already been selling what we call account-centric sales. You got this account. You work their account, say, how do I help you? How do I grow you? As opposed to opportunity-centric sales. When you are a young company, you don't have that many accounts, you don't have that many customers, so you look for this deal here, this deal here, this deal here. You go from deal to deal, which is what you need early on, but at our stage, with 40-plus percent of Fortune 500 companies, with so many customers who are doing over $10 million ARR with us, so many customers doing $5 million and about 500 customers doing $1 million, every customer in the 5 -- $1 million needs to get to $5 million and $10 million, we can go there. We're doing it. We just want to do it rather than 30% people doing this in a great fashion. I want 95% people to do it. So Mike, having done it, when you do the second time, you do even better. So that's -- it's a refinement of the process. It's not a mass scale changes. You'll see more focus on larger accounts. You'll see more focus on working with system integrators. You'll see more refined engagement at CXO level, and you'll see more expansion towards the vertical level setting.

Got it. And so just to clarify, it's not going to be the sales restructuring similar to what we saw back in 2019 when Dali had come on Board.

That's correct.

Okay.

There's no restructuring on the sales side.

Okay. Sounds good. And on that front, I wanted to ask about the focus on maybe depth versus breadth. So today, I think Zscaler has a little less than 10,000 customers still. And ServiceNow obviously has scale to a big business, $10 billion ACV with tens of thousands of customers too.

Actually, my last number was, they got about 8,000 customers. We actually have only about 8,000 customers. We're the same number actually.

Okay.

They're just about 4, 5x with the same customer base.

Yes. No, it's remarkable. And again, there's very few companies that have been able to do that. But I just think SASE, obviously is still very underpenetrated, very big market. So what was the reasoning behind going after doubling down those large enterprise accounts versus focusing more on breadth?

Yes. So first of all, large customers understand depth and breadth of functionality. Large customers understand cyber. The lower end doesn't fully appreciate. They don't have resource to appreciate it. So when we go and engage with large customers, literally, there's no competition. When firewall guys or CASB guys come and say, I do that too, customers kind of takes a look and exclude them pretty quickly. So we benefit from our customers who at large enterprise, they understand the difference. That's number one. Number two, we have seen many, many customers who started with X100,000 went to $1 million to $5 million to $10 million. We had done it many, many times. I think it's a wonderful great opportunity to be able to do that. That's to you're on the lower end of the market is probably hard to differentiate because they don't understand the difference. Sometimes the low end, quite often I see customers said, "Oh, I bought SASE from CISCO, it got bundled in my network." So I would rather play if where a big opportunity is. We think the opportunity in the enterprise, large enterprise save is massive.

Got it. And then it might be a bit of a CFO question. But like the metric that you disclosed, how do we, as investors, measure the success of this effort with large enterprises? So are we going to look at $1 million-dollar ACV deals, net retention rates? What are some of the metrics we should be looking at?

So #1 metric is new ACV we're adding because ARR is accumulation of what you have, what you add. So ARR or new ACV every year, which is the best reflection done in terms of billings because they're normalized saying, "That's our #1 measurement." Now when you start looking underneath, yes, we start looking at how many customers are crossing $1 million ARR with us, how many crossing $5 million, how many crossing $10 million.

Got it. Got it.

And of course, churn. Minimum churn is always important for us. We are proud of having very little churn, and we think we'll keep on doing it the same.

Great. I want to shift gears on the federal side. So that's been a big focus for Zscaler. You've gotten FedRAMP certified across a wide variety of your products. Just curious how the Fed pipeline has been looking like with the zero trust initiatives in place.

Fed pipeline is very strong. Since Biden administration actually pushed for zero trust architecture, things took momentum. And when -- why did they do that? This was after Solarwinds happened, after Colonial Pipeline happened. They stepped up. This agency CISA that's in place to really help kind of advocate this thing out there. So pipeline is very strong. We have 12 of the 15 cabinet-level agencies. All these agencies in government, they have started small, unlike enterprises, which kind of went in for all the users. But we're seeing them adding more and more users. I talked about an agency during my prepared remarks. They doubled their ARR by adding more users, so went from about $2.5 million to $5 million ARR. And still only 15% of the users are covered. That means 85% upside is available. So there's a big opportunity for federal market for us. And this is the civilian side. Then there's a defense DoD side. Today, a very small part of our business comes from defense. Because the defense opportunity is even much bigger. And we are actively engaged with all branches of DoD.

Got it. Got it. One more question for me and then I'll open up to the audience for questions as well. I wanted to ask about the competition question in a different way. So there's different vendors that are coming at this market in different ways. Zscaler is coming at it really on the -- from the security side. There are certain vendors that are coming at it from more the network optimization, SD-WAN side of things. I'm curious with the focus on single vendor SASE, which really is combining the security and the SD-WAN or the network optimization side together; one, is that something that you're seeing that customers want that convergence at least at the large end; and two, for Zscaler, is it easier to, let's say, now have an SD-WAN solution or something similar to SD-WAN versus an SD-WAN vendor going more into security? Is that the harder part of the equation?

Yes. I think it's a weird thing when Gartner came with single-vendor SASE, okay? If you really think of what did they say, this secure service edge, and this network that sends traffic to the cloud. SD-WAN really wasn't designed for that. SD-WAN was designed to connect your branches to the data center over Internet, okay? So it is about a WAN solving a wide area networking problem. We are not about solving a wide area networking problem. We are about eliminating the need for a wide area network. It's the network that's the biggest culprit to really propagate ransomware and all the lateral movement. So the reason I have pushed back on SD-WAN. SD-WAN says, a single infected machine in a branch office can traverse the whole network, and in fact, things out there just like what happens in ransomware cases. So we did not want to be part of solution that propagates lateral type moment. So what did we launch? Zero Trust SD-WAN. Your branch office becomes simply like Starbucks or Internet cafe. It's not on your network. There's no routable management or routable propagation. So we have always done innovative disruptive solution. Our customers love what we offer. There's big pent-up demand. I expect almost all Zscaler customers over time to embrace what we've built because that's what we're hearing. SD-WAN guys trying to move into the security space is a tall order. Networking is a very different core competency than security. Which vendor has done networking and security well together? When customers want Zscaler branch box, they're not asking me to give them my WAN. They want to say, please figure out how does my traffic come seamlessly from our branches to your cloud, from there, the policy happens. So we're not solving, we're not trying to build another network, we are trying to eliminate it.

Got it. Any questions in the audience? Okay. We'll give it a minute. I definitely have more. Maybe just a question on pricing. I think you've been very adamant around helping customers save costs, not charging for traffic, for example, and giving customers a predictable pricing model. Has that view evolved in any way as you're delivering more value to customers? Have you been able to maybe take more price?

So we -- honestly, when I talk to a CIO, the CIO says, please give me predictable pricing. I'm tired of my hyperscaler bills going through the roof. So by and large, it's mostly user-based pricing. But our ARPU has gone up because we have been selling more and more products, okay? Customers like that, okay? Now there are some pieces where we do charge, based on traffic, some of the workload security because that traffic is not totally predictable, workloads come and go and that type of stuff. So we will use traffic-based pricing as needed. We are using some of the traffic-based components in my branch networking solution as well because there are some of these IoT/OT devices, their traffic is coming. They don't know exactly what to expect. Every IoT/OT device is not created equal. So where it makes sense, we are adding traffic-based pricing there. But most of the time, it is user-based.

Got it. And there's been some new competitors in the market who might say they charge half of what Zscaler does on a per seat basis or 1/3. But when you sort of consider the whole TCO, if you will, around reducing cost of appliances and everything else, how does it look Zscaler versus some of the new competitors out there?

We have seen, for the last 3-plus years the new entrants come and say, "Buy all of my firewalls for $20 million, I'll give you Zscaler part for free, or by this" We've seen it over. If we were an incidental solution for the recruiting or this and that, customer will do that. Customers tell me, Jay, Zscaler is the most mission-critical application. It's more important than Office 365 because you are the switchboard. Everything goes through you. Reliability, availability, security is fundamental to us. That's -- so they're willing to pay more price, okay? It's almost like if you really have a heart problem, you don't want to go to the cheapest doctor. If you've a headache, you may want to find the cheapest pain killer, okay? So the positioning what we do is fundamental, availability, reliability is very important. We've done a good job. And the customers still keep on getting asking more and more. If somebody had a 5-minute impact on the service today, hell breaks loose. The impact is probably 3x more than the same thing what had done 3 years ago. In 3 years, the impact will be much, much bigger. So the positioning we have is fundamental, reliability, availability, cyber is fundamental, it's rare for us to see. I have had many cases where customers came to me and said, "Hey, here's the issue." I'll tell you the real example. This was a few days ago. This week, this CIO reached out to me. He said, "I've been using Zscaler well. This vendor has made an offer and procurement is coming to me and say, can you squeeze Zscaler to get a little bit more savings?" I mean this is CIO. This is a third-time buyer, okay? Company 1, company 2, company 3. He said, "How can you help me? Told him, "Hey, you should be using this and this, and I could replace A and B. You can squeeze me for another 3% or 5%. What if I save you equivalent of 30% or 40% by eliminating a lot of tech that is sitting out there?" We're able to identify that, show that. That's how we are able to do a good job. So is there -- do we see vendors pushing for it? We do. Is there a little bit of procurement pressure? Some but not most of the time because we have customers who actually really, really like the solution we have.

Got it. Got it. I wanted to talk about some of the new product initiatives as well. One, maybe around just generative AI. Zscaler processes 390 billion transactions daily. So you have a lot of data that you're working with. A big problem in cybersecurity has been DLP or proper data protection. Talk a little bit about how you're using the power of generative AI to improve that?

Yes. That's right. AI is as good as the data that's powering it, the data that's training it. Yes, that ChatGPT can train on all this public data sitting out there, but to do what we need to do needs private data. So we're able to train our Gen AI against all logs of all customers because it's trained on anonymized data. Then what we learn from that gets applied to each specific customers for data protection, data exfiltration, identification or cyber threat detection. That's what makes it very powerful. So we have the most common case customer come and say, AI ML, what's the loss of my data being sent out? Can you tell me if I'm compliant against that? We launched some of those services very early on from last year to take care of that kind of stuff. So AI, ML for my data protection and compliance, so I'm not leaking data out is one of the big use cases out there. We had done Risk360. That's one of the most exciting application for a CISO and CIO. Every vendor talks about I am blocking this, I am blocking that. What does that mean to a CISO? It's a lot of bunch of numbers. In the consumer part, you hear credit score of a person or a house. There isn't any meaningful credit scoring for risk for an organization out there. Why isn't it available? Because it needs data to quantify risk. The best quantification of risk can be done by all communication your employees and workloads have. We happen to have that data. So Risk360 is one of the very exciting application that's built on top of our AI cloud. Business Insights give you insights about the SaaS application using, underusing, overusing where you can save money? If you've got 400 locations, how many are hardly being used? How much, how often, should you expand your facilities, should you shrink? Those are important applications for CFO and HR leaders out there. So we are taking advantage of the stuff and building things that show value to our customers. Look at even the breach prediction is my personal -- sorry, new favorable project. I want to be able to predict a breach. How do you predict a breach, if you're all that telemetry underlying stuff. We can do that kind of stuff. So we think we are extremely well positioned to leverage AI ML. And other thing AI ML is doing, especially Gen AI, it's making much, much easier to attack. Every attack starts by finding your attack surface. What's your attack surface in the physical world, your physical locations and branches? What's your attack surface in the cyber world? It's every IP address that's facing the Internet, it's every firewall, every VPN, every application portal that's open to Internet. We hide all of that stuff behind us. That's part of zero trust. When others talk about zero trust, they got these firewalls, VPNs facing the Internet. And still, they claim to do zero trust. That's not zero trust. So we think when attack surface, attacking becomes important the need for cyber products like Zscaler will become bigger and bigger.

Got it. Just one last question on maybe how you're thinking about growth and profitability and hiring. Really impressive margin expansion over the last couple of years. Going forward, how do you think about maybe reinvesting some of that margin upside, some of those savings towards continually driving growth to that $5 billion ARR target versus giving more profitability?

Yes. Remo set out some of the models years ago to say how we are going to look at our margins, net free cash flow kind of stuff. I think you've seen the numbers. We have done a good job there. But top line growth remains a high priority. Since Remo and I, we manage business well, right? We don't spend on fancy buildings and mahogany desks out there. So we're able to deliver good bottom line. But as we are -- we see a large market out there we will keep on expanding. So don't expect the same kind of bottom line expansion. We want to give you good results there but sales expansion, R&D expansion, a big, big opportunity for us. So that will remain our #1 priority.

I've seen you and Remo fly code, so I can attest to your cost savings mindset. Well, Jay, thank you so much for your time this morning. We really appreciate it, and thank you for everyone for joining us.

Hamza, thank you so much.

All right.

Great.