Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Excellent. Thank you, everyone, for joining us. My name is Keith Weiss. I run the U.S. software equity research franchise here at Morgan Stanley. Very pleased to have with us from Zscaler, both CEO and Founder, Jay Chaudhry and Remo Canessa, CFO. So thank you, gentlemen, for joining us.

So just came off a really solid quarter for Zscaler. Maybe just to start with like a State of the Union. What are you guys seeing in terms of overall security demand? What are you seeing in your backyard in terms of how people are shifting towards a more software focus in network security and security overall?

So first of all, cyber is no longer only CISO's business. CIOs care about it, CFOs, CEOs and the Board cares about it. So it is becoming more and more central and that's driven by all these ransomware attacks that are happening. I was asked by a group of CFOs a few months ago who said, we are spending so much on -- in cyber, why are attacks still happening? And my answer was, you know what happens typically, a breach happens, the budget opens up, you had 200 firewalls and VPNs, you buy 200 more, okay? You're doing their own thing, you need to move the right architecture. So there's focus on cyber. But you also need to be able to save money. The customer says, "I need Zero Trust architecture and I need to save cost. If you can do both of those things together, you can do good business. And that's what we are driving towards. When we go in, we eliminate so much stuff. If they're spending, say, $20 million on network security and we're going to cut into half [indiscernible]

Got it. And in terms of what is sustaining or kind of driving budgets on a go-forward basis, I've always thought in terms of security, there's 3 fundamental demand drivers. One, expansion of the surface area to be protected. Two, the threat environment. And 3 is regulatory, like sometimes it's mandated that we have to do this on a go-forward basis. It seems to me, AI is a big accelerant for the first 2, right, expanding the surface area and arming the bad guys, if you will, to enable them to make the threats worse. What are you seeing from kind of your position? Is this -- is AI expanding the market opportunity for you guys?

So let's talk about attack surface. Everything that can be seen from the Internet is your attack surface. Every public IP, every firewall, every application out there, every branch office an attack surface. Before AI, it used to take a lot of time to find all the attack surface areas. Today, you ask a simple question. Show me all the firewalls and VPNs and application portals of a given company and the one that have vulnerabilities, it shows up very quickly. So easy to find attack surface, discovery is easy. The second part ends up being with sophisticated threats, how do you go in and compromise? That's the second part. Attacks have been getting more and more sophisticated. But there's some basic attacks. For example, phishing, probably the most common one because people fall for it. It used to be those e-mails you got on phishing from Nigeria where there are typos and misspellings. Not anymore. Write the e-mail, phishing e-mail, from a CFO, using CFO style, to really go and get these users. So it's getting easier to get in. Once you're in, you can use automation of AI to find the most precious application and servers you want to go in and encrypt. So AI is dangerous. But AI, the same AI is used by companies like Zscaler to do better protection. In the firewall and VPN model, your things are sitting as a gate. I am here to protect. I'm here, come and attack me. In the Zscaler world, all of your applications are sitting behind our cloud. They are not discoverable. So that's one thing we do that's extremely well. If they can't find you, they can't attack you. The second part ends up being how do they break in. The reason most attacks happen is not because of very sophisticated stuff. Most attack happens, identity gets stolen. You log in as a VPN and once you're in, you're home free. In the Zero Trust world, you never own the network. We connect you to one application at a time. If your credential got stolen, maybe they compromise 1 application. And that application may not be that relevant. So these are the type of things that companies are working with us, that's driving our business acceleration and phasing out the legacy stuff. Now it has taken a while to phase it out. But the cost pressure is further helping us. There's real cost savings when you remove legacy staff out there.

Got it. Got it. So we talked about AI as kind of an expansion of the surface area. It's also an opportunity for Zscaler to improve products. I think about it in terms of the amount of data that you guys have visibility to. I think you guys talked about over 500 billion transactions daily.

Per day, yes.

Which is unbelievable. It seems like there's a massive amount of data that you can utilize to sort of get better protection. So can you talk to us a little bit about how generative AI is changing the product portfolio? How you're able to leverage that to improve the security?

So if you think about Zscaler, from day 1 when I started the company, I had a North Star. We'll be the exchange, the switchboard. So users will access application through us, almost like an international airport. We log everything, who goes in, out, whatever. Then we expanded the portfolio to do the same thing with workloads. Workloads are somewhat like users. They talk to Internet, they talk to each other. Same core technology, the second use case. Then we expanded to IoT/OT devices. Their devices need to talk to each other. Then we added for B2B, your customers, suppliers and partners but same core engine. And that engine is delivering about 500 billion transactions that so many communications go through us, some good, some bad, reconnaissance activities, all this stuff. Now you take all of that and then we added a next area for the first time a new, call it, North Star, second North Star. How do we take all of the data use AI and GenAI to find meaningful information to detect threats that can't be detected before. That's why we bought a company called Avalor last year. It gave us the data fabric and we're building things on top of that. What are the kind of things we're building? My favorite project is breach prediction. Predict the breach before it happens. How can you do that? It's very, very hard. If we could do it, there will be no breaches. But think of this way, when you got 50 million users going through you, 1 new attacker comes, it attacks these 10 companies, 20 companies, some people fall for it. If half of the Fortune 500 companies are our customers, we see it, then we see it across. When you see the machines got compromised, with the agents sitting at the machine, we can see what the bad guy is trying to do, where is it trying to go? We can build the attack graph, see what's happening. Now based on the configuration, we can use AI/ML to see what's the likely thing they're going to do. So tell them we see ABC happen. You can do this kind of stuff. This is the power of AI/ML. For example, in our early threats, the early AI work, we took 10,000 attack kill chains. We train our engine on it. Now I can figure out the next attack kill chain on its own without we having to train them. That power is only good because we have the most precious proprietary data for it.

Got it. Got it. I want to shift gears a little bit and talk about sort of the customer journey, if you will. I'm going to show my age a little bit. When we were doing the Zscaler IPO, there was a, almost a no-brainer entry route for you guys into customers. It was MPLS replacement and it was a like a really great value proposition. Now you're selling a much broader platform. Now it's a whole Zero Trust architecture, which frankly is harder to implement, harder to get customers on board with. So how does Zscaler evolve in terms of go to market, in terms of customer success to enable that adoption, to get to customers on board with that fuller vision.

Yes. The platform has gotten bigger. The early story was traffic goes direct, MPN is expensive, better experience. Okay. But now the platform has gone much bigger. Now our story starts with the following. You've got 50,000 users. They got a gateway to the Internet. You've got 10 boxes sitting to go out that's taken care of by our service called Zscaler Internet Access. Then you've got a dozen boxes sitting on the internal traffic, your DMZ, VPN, load balancers, DDoS protection, all of that goes away. You could be sitting at home or wherever, simply with an agent, the traffic hits us, with a who are you, where are you going, we make the connection without you having to worry about anything. So the implementation is simple and we haven't even touched the network and the complexity. So our #1 goal is go and get it turned on. If the traffic is taking a longer path things may be slow for the time being. When we go in and this is where we actually seek help from global system integrators. Somebody has to remove the stuff. You've got 200 branches. There's firewalls and routers and this and all this sitting. Over the next few quarters they remove all the stuff, there's a lot of cost savings and that becomes very good. And the customer sees the results, the savings and there's a lot of pressure on IT leaders to do cost reduction. We do that with transformation. That's really driving our business. Now the sales force has to get a little bit more sophisticated. The training has to be done better. We have some specialists in certain areas. When we sell Zero Trust Branch, we've got some people who actually are very good at it. They get pulled in by the general account manager but partners like GSIs are helping the customer to do some of the deployment.

Got it. So maybe we could dig in there a little bit. I know you guys brought on board Mike Rich in November 2023 to help evolve that kind of go-to-market strategy, if you will. Can you talk about some of the changes that Mike has put into place and how that go-to-market strategy has evolved?

Yes. Before Mike Rich, when we had the previous CRO in around IPO time frame, just after IPO, we were a much smaller company, few customers. The focus was, let's identify opportunities, close them, close, move on to the next or next one, which is great. That's what driven our growth. But then our customers started to tell us, with 45% of Fortune 500 companies as our customers, they want focused people. So we evolved to the model we borrowed from ServiceNow. I have admired ServiceNow for years. 8 years ago, when I met David Schneider, who was the President and go-to-market leader, I said, I want to learn from you, please mentor me. He became an adviser to us. Then 2 years later, he became a Board member. They have large enterprises. They know how to sell platform. They know how to sell CIO level. So we essentially have been implementing some of that things for a long time. But last year, when we brought Mike in, as I said, someone who has been doing it at ServiceNow for Americas business, which is about 70% of it, let's bring them on board and help him drive the stuff. So Mike up-leveled a number of leaders and want to bring in people who came more from a solution selling background rather than box selling background, rather than security geeks. Then he up-leveled many of the salespeople underneath and these people have been ramping up. And basically, we have that methodology that has evolved. So that's 1 thing we've done. All that is in place. The transition is complete. Now the people we hired in the past 1 quarter or 2, they're still ramping up and we're seeing the productivity benefit of it. His second focus was to bring GSI global system integrators along and doing that as well. So I'm pleased with the progress and the results we are delivering is essentially a result of the changes we have been driving.

Good. ServiceNow is a fantastic template. We have a product we call SaaS X-ray and we try to understand the underlying unit economics of companies and ServiceNow is the most efficient kind of go-to-market strategy there is. You talked about the success in the Fortune 500. And you guys have traditionally been that enterprise-focused company. You started to focus a little bit more on sort of coming into more of a mid-market. How do you do that? How do you sort of capture that broader part of the market opportunity?

So our biggest opportunity is large enterprises who are demanding, who need deep and wide functionality, a broader platform. Yes, we have some presence in the lower end but that's not the focus. If you really think about it, the 2 -- Global 2000 is the #1 focus, then go from 2,000 to 10,000. That's the next one. And there's a tier below that. We have presence but not the biggest presence. We have such a big platform that I do not need 20,000 customers. Look at ServiceNow. It is funny, when I talked to David Schneider years ago, he was sitting at $3 billion. We were setting about $200 million. And I said I want lots of customers and growth like you. He said, "Do you want more customers, or do you want more ARR?" I said both. He said pick one. I said ARR. Then he said, "I have only 3,000 customers, I'm sitting at $3 billion ARR." So they had a platform. If you have a platform, you don't need to go to the lowest level. The go-to-market significantly changes the majors to here to low end. SMB market is very different. They don't really understand sophistication sometimes. The telcos can bundle a router and firewall with them. If the orders come from the low end, we take the order. We have an inside sales team, a small sales team to take care of that. But our primary focus will remain large enterprises. And we are very good because they understand the difference in technologies and some of the lot smaller ones don't.

Got it. Got it. So let's dig into the platform. I think it was about 1 year ago, you launched an SD-WAN offering. So now you could offer the single vendor SASE solution, which combines both the Secure Edge and the SD-WAN components onto that single platform. Can you walk us through the decision to finally start offering that SD-WAN piece of the equation? And how do they differ from some of what's in the market today?

You use 2 terms, that neither of the term is what I like, okay? We don't like SASE. What is SASE, is the collection of one more 4-letter acronym to really give something to every network and security vendor. We are about Zero Trust architecture. SASE is not Zero Trust. If we've done Zero Trust, the reports of SASE will be bought only by a small number of vendors, okay? Those research reports needs to be sold to everyone. So SASE says SD-WAN plus SSE, okay? We basically have stayed out of SASE, though in customer conversation, they all talk about Zero Trust architecture. In investor conversation and analyst conversation, you guys ask for SASE because you talk to more vendors than customers. Every vendor has SASE. That's why I hear about SASE. SD-WAN, I've always said, SD-WAN enables lateral threat movement. Why is that? The fundamental networking was designed so you get on the network, like getting on a highway. You're going to go left and right, there are no lights. You go unfettered. That's why lateral movement happens, the ransomware attacks happen. Now we -- my marketing is doing a term Zero Trust SD-WAN, the SD-WAN has no lateral movement. I call it Zero Trust Branch, okay? There's no SD-WAN in our offering. We aren't offering SD-WAN. It's literally a single plug-and-play appliance just like you have it from AT&T or Verizon at home. Is there an SD-WAN? Not really. In our world, a branch is becoming like a cafe, like your home. You simply have a device that plugs, everything happens, no route tables to manage, no lateral movement and the like. That's what our customers are excited about. We're getting tons of traction. I mean we are surprised to find that the customers who bought our Zero Trust Branch, 57% were actually new logos. I didn't expect that. Why did that happen? Because our customers are buying bigger bundle. The most common bundle we sell these days is Zero Trust for users. ZIA, ZPA, ZDX and the customer says, "Oh, I'm buying this, I'll also add on Zero Trust Branch. So we think the world is moving where these mesh networks do not need to be managed and run by companies. Do you worry about the network when you use this? Why should you worry about the network? It's a matter of time when Internet will become your corporate network. Before nations built highways, if you're a big corporation, you could afford to build private roads connecting your headquarters to different offices. But after highways, you shouldn't. As Internet has become a mature cyber highway, companies shouldn't be building networks, Internet to the network. That's a big part of the cost savings as well. Networking is expensive. We are taking a lot of cost take out of networking as well.

Got it. So there's a lot of vendors who are talking about having 4-letter acronym offerings that I'm not going to mention anymore. But it's prevalent across all the network security vendors and even like sort of CDN vendors that are evolving and trying to offer this as well. From an investor perspective, there's the concern when it comes to Zscaler, yes, you've led in this market but now it's a lot more competitive. So from your perspective, has it become more competitive? Is it harder sort of to differentiate in that marketplace and get your message across? .

The short answer is no. There's a lot of confusion 4, 5 years ago when some of these firewall companies started to say, "I do Zero Trust and all this stuff. Now most of the market heard the story. So it's easier some ways. Now in the past year, the remaining firewall companies are becoming for later 4-letter acronym as well. I tell you what's good about what's happening in the market. Firewall is 1 architecture, Zero Trust is totally opposite architecture. If you want to get the market, you take what you have, you repackage it. Just like Siebel Systems, about 10 years ago would say, "I can really run my VM in the cloud and do what Salesforce does." Really, it's like having your DVD player spin up in the cloud and say, "I offer Netflix service. So as long as the architecture is wrong, this thing is not going to work. They're going to play it out. They're going to allocate some of the revenue to Zero Trust or whatever. I think in the long run in-line services better work. If it doesn't work well, if it doesn't really protect you, we're going to phase out.

Got it. So let's talk about the opportunities within sort of the product portfolio. ZIA was a starting point. How much opportunity or runway is left? Is there still a lot of greenfield for ZIA on a go-forward basis? Or is it shifting to become more of a like a replacement opportunity for you guys?

In large enterprises, we are focused, good amount of runway. We have about 45% of Fortune 500 companies that have ZIA or ZPA or both. We have 35% of Global 2000 companies. And if you go to the top 10,000 companies, our penetration is probably in the 20% range. That means there's a lot of upsell. Now these large enterprises don't really -- don't have firewalls installed because firewalls never did user protection. That market belongs to Blue Coat, Symantec, Websense, McAfee, Cisco. And some of the large deals we closed today, actually the #1 source of starting point is still Blue Coat and Symantec. It's interesting. And that's one. Then you look at ZPA. ZPA came as second leg. It's selling very well. It has been very successful. But if you look at large enterprises, about 60% of our large enterprises have ZIA and ZPA both. That means 40% is still headroom on the ZIA side, sorry, ZPA side. Then data protection is becoming the big engine. Early on, when customers deployed us, they deployed for cyber protection, blocking bad things. Building -- deploying data protection a little bit more complicated. You have to have data classification, rules need to set up. For cyber, you don't have to set up a lot of rules. It's our job to figure out what's bad and worth blocking. So our data protection business is growing. It's growing pretty well. It's growing 40-plus percent year-over-year. Then the other product that, there's 1 product I hadn't thought of early on. That was digital experience. When I started the company, I wasn't thinking of whether a customer said, you're sitting in line, you should be able to tell me where the issues are. ZDX has grown very, very nicely. It has become very good. And then now Zero Trust Branch, Zero Trust Cloud, we have lots of products. We just need to make sure we sell them in the most optimal fashion. That's where the notion of account managers as quarterbacks, some of the specialists come in. Those are the things we are refining and learning from.

Got it. Got it. So maybe if we could move into the conversation and help us kind of frame this in reference to perhaps maybe sort of total revenues or kind of the new revenues. How should we think about the proportion between like ZIA, ZPA and the emerging products in terms of what's in your revenue base today versus what you're seeing in terms of what's coming in the door in terms of like the new business?

Yes. I mean the -- currently, if you look at emerging products, we're expecting emerging products this year to be, for new and upsell in the mid-20% range, up from what it was last year. When you take a look at ZIA and ZPA, just those 2 products, ZPA is about 40%. So it's about 60% ZIA. Following on what Jay mentioned, the 45% for the Fortune 500 and 35% for the Global 2000, the opportunity we have to sell in our existing base is 6x just for the users. So when you look at these new products, like the AI, the data protection, data protection on a year-over-year basis has increased 40%. AI has almost doubled. Jay talked about the branch product, which is for new customers, 57%. All those things are really boding well related to the market opportunity. The focus -- I mean, you take a look at it, our focus is large customers. And once you're in the large customer and you get that trust, the ability to expand within our existing products and new products becomes very large. That's the ServiceNow model. You take a look at our new and upsell. Our new and upsell, when we went public was probably 80%, 75% new, 25% upsell. Now it's basically 65% upsell. And if you take a look at ServiceNow, it's probably close to 90% upsell. That's what we're going to evolve to. So get large customers, focused on the large Global 2000, get a footprint, get their confidence, get them understanding of Zero Trust everywhere and expand our platform. So great position, absolutely great position.

Got it. So maybe we could dig into some of those emerging products, some of those upsell opportunities. Zscaler Digital Experience, it seems to really kind of hit the mark as we were focusing a lot on the hybrid workforce and the need to sort of understand the performance of that hybrid workforce. Does that necessity wane as I -- started to come back into the office and the focus is a little bit less on sort of the hybrid environment?

No, no, no. All of our products are actually needed no matter where you are. So ZDX says I'll be user-focused, no matter where the user is, I'll tell you end-to-end experience. People used to talk about ZPA [indiscernible] and say ZPA is needed only when people are outside the office. Zero Trust Everywhere. Customers realizing that they have higher risk when the user is sitting in the office with an infected machine because the machine can reverse on the network and bring things down. So in our Zero Trust Everywhere model, you're sitting in the headquarters, you saying on guest network. You are untrusted. So with that, it goes through our ZPA for every application access. So we are seeing every customer moving towards having ZIA, ZPA and ZDX for all users.

Yes. Got it. Data protection, in the current environment, I mean, data has always been important but it's rising and important. But even more so the governance and the effective governance of that data. People are worried about data leakage and especially when we're using these models. It seems like that's a -- it should be a good tailwind behind your data protection offering. Maybe you could talk to us about how large that ? How fast has been growing? Are you seeing that demand pick up that tailwind, if you will?

Absolutely. In the past, since the AI thing took off, 1 product that got a bigger boost than others is data protection. The first thing was, "Oh, are my employees submitting things to ChatGPT, my source code and other stuff." We are natural. We are like an international airport. Everything goes out through us. So for us to build a policy engine was pretty easy. We've done that. Then the next level came, oh, we are putting Microsoft copilot. It's pointed to OneDrive and SharePoint to really get all the information that trained. These things are so powerful. Once you train them, they have every answer for you. They can answer the salary and bonus of every employee as well. How do you put guardrails around it? We have data protection that can do data classification, build rules and policies around it. That part is helping. The next customer is worried about the models getting poisoned, the prompts -- kind of inspecting prompts, inspect response, all those are big areas for us. So we've seen very good acceleration. And we really don't have a lot of competition in data protection that -- 2 reasons. Now AI is accelerator but we are sitting in the traffic path, going to the Internet. Every bad thing comes from the Internet, every good thing leads to the Internet. So if you're sitting in the path, they can't go to someone else and say, provide me the stuff. So that's called DLP, in-line DLP. We built that, that's what customers are adding. But then the data has also grown. It's sitting in SaaS applications, sitting in S3 bucket. It's sitting on Endpoint. It's going through e-mail. So over the past 6 years or so, we expanded our data protection because customer wanted 1 single policy what -- no matter what the data is. That type of development is really giving us the biggest platform. And firewalls company will never do good data in line because they're not a proxy architecture that traffic flow through. To really inspect data, to make inspection and policy, you need to be able to open it, look at it and make a decision and proxy architecture that the foundation of Zscaler is very good. So we think data protection has a long runway for us.

Got it. So you guys have this great foundation within network in ZIA and ZPA. You've expanded out the product portfolio extensively. We're talking about a go-to-market notion that is focused on selling up into that customer base. Does the pricing strategy need to evolve? And we hear a lot from some of your competitors about some more token-based pricing or platform-based pricing. How are you guys if you are at all, evolving the pricing strategy to try to incent that bundling notion?

Yes. Pricing strategy is evolving, has been evolving. Early on, it used to be for users at a simple user-based pricing because customers wanted simplicity. Then we took Zscaler to protect workloads, what we call Zscaler Cloud, it's cloud-to-cloud communication. First -- initially was, oh, let's do a number of workloads, then we realize some workloads are very ephemeral, some are long lasting. So we combine number of workloads along with some of the traffic flow. IOT/OT devices. The same kind of stuff. How many devices? What communication? So we have already evolved into using traffic as an important part of it because you will have more and more data out there. You'll have more and more communication. They'll need us more. We talk about agents. One other question everyone will ask is, oh, users are going down, agents are going up. Now agents are evolving. There will be different type of agents. But if you look at the agent that's doing customer support, for example, if it's going and accessing a system, if the user was doing it for policy, the agent needs the same kind of policy enforcement as well. We become natural policy enforcement point. And the charge will evolve. I'm sure there will be agent-based pricing or the user-based pricing or traffic. We are evolving and it should evolve.

Got it. Got it. Remo, I apologize. I've only like 2 minutes for margins but Jay is very engaging. You guys had a 5 percentage points of margin expansion in FY '25. It was a great year in sort of pushing leverage. How are you thinking about that balance between growth and profitability on a go-forward basis from here?

We're -- our operating profitability this last quarter was 22%, which when we went public, we said we'd be in the 20%, 22% range. From my perspective, it's a huge market opportunity. We're -- significant positive free cash flow. Our free cash flow margin was 22% this last quarter, really, we'll be mindful of operating profitability. But it's really, from my perspective, it would be a disservice to our shareholders and to ourselves with the product platform that we have, not to invest -- continue to invest in the company. The game is basically not to drive profit short term. The game is basically to get market share and really get that dominant position. Our run rate revenues currently, we're a large company. We're $2.5 billion run rate revenues. We're just in a very unique position. We're the pioneers. We're the leaders. We're the innovators. So -- and we got a great team. So we're going to keep on investing.

Got it. And if we think about that sort of -- you feel like you're in a good place in terms of operating margins. You want to have the capital to invest. If you think about the capital intensity side of the equation and how that's going to sort of translate into free cash flow, anything we should bear in mind in terms of which direction we should expect capital intensity to trend?

Yes. I mean the capital intensity, we called out there would be a headwind with our CapEx this year related to investments in our data centers. Next year, you can expect to be in the high single-digit type range, which has happened in the past. We're not a capital expensive business. So from -- I wouldn't think much about the capital intensity related to CapEx investments. It's going to be in the higher single-digit type range going forward after this year.

If I may add, with the amount of traffic we handle, if someone else were to do it with a less optimized architecture, this will be a very capital-intensive business. Gross margin will be low. It's the design of the architecture and optimization we had done is delivering 80% of the margin. You've seen that we have been able to sustain even when the traffic is going up. So Zero Trust exchange is understood. The second part we look at is how about AI/ML now? What kind of investments do we need in that area, right? Because those GPU and all could be very expensive. We are dealing with large amount of data but proprietary data. We're not trying to take all the data in the world and try to train on it like ChatGPT does. Our training is on the proprietary data of security communication. So we don't think it will have any massive impact. We're also going to charge money for those products. We believe, at this stage, we should be able to keep the gross margins in the kind of range we are. And if there's some onetime investments at all, we'll call it out.

Excellent. Unfortunately, it takes us over time. But I think it's a great note to end on. It's really about -- the right network architecture is what's positioned Zscaler for this opportunity, what enables Zscaler to be such a -- so efficient in going after this opportunity. So thank you, gentlemen, both for kind of sharing that perspective with us at the TMT conference.

Thank you. And then combining Zero Trust architecture with AI, the 2 together becomes very impressive.

Excellent. Thank you so much.