Zscaler, Inc. (ZS) Earnings Call Transcript & Summary
March 11, 2025
Earnings Call Speaker Segments
Dhawal Sharma (executive)
[Audio Gap] of 2025. Today we are going to talk about everything that we have released on our platform which is generally available to all our customers beginning of September until today. And I am very pleased to have Venkat Krishnamoorthi, who is VP of Product Management, focusing on data protection portfolio of Zscaler joining on this webinar.
Venkat Krishnamoorthi (executive)
Hi, everybody.
Dhawal Sharma (executive)
So we'll dive into it directly and give you a lay of the land at a very high level. We're going to focus on 4 broad solution areas on our platform. Starting with a focus on our whole platform, which is Zero Trust Exchange and AI fabric. The 4 solution areas that run on this platform, which is cyberthreat protection, data protection, zero trust networking, which includes branch and cloud networking and our broader risk management and threat exposure management portfolio. Jumping into the platform directly. So one of the big innovations that we have been working on that we have now made generally available is business continuity cloud for both our in-line services, which is Internet access and private access. We have provided our customers an option to use self-managed, self-hosted disaster recovery capability for the core services for the last 18 months. What we have introduced now is a fully managed and hosted cloud that is operated by Zscaler, which can give you a business continuity option for your -- both in-line services for your data path products. And we also are keeping the data sovereignty in mind. So your content localization, data localization needs will be met with this. So if you're interested, please talk to your team, and this is available to you. We have been working with many of you on our next-generation API automation platform, which we are calling One API. That has been generally made available to all of you starting January 2025. This is the single API service and have the API endpoint for all Zscaler products. We have built our product on RESTful APIs from day 1. So you can leverage APIs and individual products that you will continue to be there. But going forward, this new API Gateway is one where we will be layering in more security capabilities, has more consistent OIDC-based authorization framework and becomes the single API endpoint for our customers, partners, allowing you to do more automation with Zscaler platforms. 
Moving on to the next innovation that we have just rolled out in February 2025 is an embedded captive portal handling within our client connector portal. So one of the challenges is that when you encounter a captive portal on a flight or in a hotel, you need to fire a browser window, it's not ideal user experience. So we actually have now a Client Connector being able to inform end user that a captive portal is detected, like we always did in the [ pre-icon ]. Now the portal renders inside the Client Connector where you can actually resolve that. And also you can enforce in network lockdown mode, which means they do not have connectivity to bypass your security controls while they resolve the captive portal. So this is much better user experience, better security embedded in the Client Connector. Another very important feature that we have rolled out in Client Connector is on the iOS platform. In the past, we were able to support either per-app VPN or the enterprise VPN profile. Now enterprise VPN is when you want to enforce broader security policies; per-app VPN is for certain highly important private applications. What we have done now is we actually support dual Apple VPN profiles on iOS. So you can have certain enterprise apps that are accessed with private access being used with per-app VPN profile, while the rest of the traffic can follow the enterprise VPN profile to be inspected for Internet and cyber threats. So you get the dual benefits of private application Zero Trust with per-app VPN and broader cybersecurity controls with enterprise VPN coexisting at the same time. Another significant enhancement that we have rolled out in production since December is our unified console that we made generally available in August to you for all our Zscaler users or SSE products has now been extended to all our networking products, including branch and cloud networking products. 
So this actually allows you to bring full visibility and analytics and full policy configuration in a single console for all Zscaler products that you need from SSE and SASE perspective. This is also generally available since December 2024. Many of our customer executives are looking for key insights at their fingertips, especially their risk posture, their companies networking information or the cybersecurity threat posture. So we have introduced a new Executive Insight app, which is focused on execs. You just need to create an exec insight admin profile for them. They can download this app from iOS and Android app stores and can immediately start seeing this tremendous valuable information focused on their day-to-day risk posture, risk scores, your cyber threat posture and also get very specific direct industry news, which is relevant to you and your tenant and how Zscaler is protecting against you. This has been generally available since November, and you can encourage and share this information with your executives to start using this application to get more meaningful information for the platform. Another very key initiative that Zscaler introduced in the beginning of September, October time frame is what we are calling ZIdentity, which is the common identity service for all Zscaler products. Instead of you authenticating and authorizing every Zscaler product identity endpoint, we now have a single identity service, which is generally available for all your admins to be migrated to this service, which means no need to have separate Okta, Azure AD tiles for every product. You can have one Zscaler tile and you can federate identities. And on this service, we actually have built OIDC for user authentication as well and as well as admin authentication. So you get seamless experience. And this will unlock you to move to Zscaler Experience center as well as new adaptive access control that I'll talk about. 
So this is a significant enhancement in admin experience that has been generally available and every customer can move to this for last couple of months, it needs a 30 to 40 minutes change into the exchange window and you can start leveraging that right away. Another identity enhancement that we have rolled out in private access is Zscaler supporting step-up authentication inherently. Now many of you have step-up auth available with your -- for your modern applications with your IDPs. But for many legacy applications that do not support modern auth or your OT environments, you have inconsistent security posture. So we can not only revoke the access for -- when the user risk profile goes up on long-lived connections to these applications, we can also introduce a step-up auth so you get consistent security posture for modern and legacy applications and your OT environments. And you can connect it with your existing MFA platforms from Azure AD or authenticator apps or any FIDO2-compliant platform, and we will just initiate the step-up part or we can give you the MFA for these services as well. This is generally available for private application where there was more need in the beginning, but we are rolling it out for all Internet destinations later this year as well. Now moving on to Cyber Threat Protection. So one of the big things that we have rolled out in Federal Cloud is full IPv6 support. We have a lot of customers in the government space where there was an OMB mandate to move to IPv6. For your benefit, for last 2 years, we have been supporting a 6 to 4 NAT functionality, which means you can send V6 traffic to us and we'll NAT it out to V4. And give you a reverse connection on V6 again. Now with this enhancement, which we roll out on our Federal cloud is that we can support V6 traffic without any NAT translation required. This is something which will allow you to get future-ready for your full V6 networking requirements. 
Now we do plan to bring this to commercial clouds in second half of the year, but the capability exists and it is generally available on our federal cloud. And if you have V6 traffic today, we are supporting it seamlessly with 6 to 4 NAT, but we will move to native support later this year on the commercial cloud as well. Another thing that we have also rolled out is that our APIs are now extended for granular SSL policies. So you can use full automation for SSL policies with APIs and use it with third-party API services, which could be leveraged within the common console as well in the experience center in addition to the older UI as well. We have also, for our customers who use our bandwidth control capability expanded the number of bandwidth classes we support from 16 to 255 bandwidth classes, which means you can create more granular policies, can scale your requirements to like add more classes of applications for which you want to set up throttling or provide controls without blocking them, and you can have more permissive Internet while still making sure that the business applications are getting top priority. So this is also generally available since January of 2025. Another area that we are investing significantly as a company is enhancing the developer experience. So our customers who have software engineers, developers, we want to make sure that they have secure as well as seamless experience. Many of our developer customers actually use IDEs that we are now fingerprinting and have built predefined URL categories for developer tools under IT super category, and you can define granular policies. And we are also introducing more fine-grained controls in this area at application level and more features are coming in this space including auto certificate enrollment to support inspection, better understanding of apps that are SSL pinned and providing controls around [Audio Gap] generally available now. 
We are also making sure we keep expanding coverage for new protocols like ZSTD encoding has been recognized in RFC, which is RFC compliant. So we have extended the definition of RFC-compliant encodings, which could be supported without blocking. There's advanced setting to block non-RFC-compliant HTTP traffic. This is something some of the regulated customers care for. So you don't need to manually worry about it. We are extending that support without you requiring to do this manual work. Another thing that we have added on the same theme is support for WebDAV HTTP method, for full policy criteria in addition to other methods that we support. So we want to make sure that any attackers are not able to circumvent security controls by using variants of existing protocols or methods and we are able to provide you enhanced security posture and provide all the cyber threat and data protection controls for all web traffic. Now moving on to segmentation. One of the key asks from our customers, we already have our intelligent segmentation generally available for more than a year, which allows you to scale segmentation from few [ ground wells ] to go to 80%, 90% segmentation for your applications for our well deployed customers with ease. One of the things that we have now layered in is additional visibility and analytics around it. So this new analytics that we have introduced in the product actually tells you which of your private applications are well segmented with app segmentation concept that we have introduced with intelligent segmentation. And on top of it, we can also show you things like those applications that are heavily utilized but are still not segmented which rule sets are hitting most number of applications. So giving you a better idea, are you segmenting your applications correctly? 
Do you still have need for more segmentation and we are layering in more and more intelligence using ML to help you achieve better segmentation, but also better visibility for your applications. Another big area that we have focused on is to give you better visibility on the overall coverage as well as how does our intelligent segmentation ease out your segmentation and improve your security posture. So when you go into a recommended segmentation, a policy that comes from our intelligent segmentation framework, you are actually able to see how many users were using this prior to segmenting this application with this approach and how many users will actually get access. So in this example, you can see that -- this application is available to more than 8,000 users. But if you go with the recommended approach based on how we have seen the usage patterns, you actually have come down to 100 users using it, reducing your attack surface significantly. You can download this recommendation, you can save these with the time stamp. So as the usage improves, you can keep improving your segmentation policies. Very powerful, very useful for customers who are using ZPA platform. Another very significant enhancement that we have been working in ZPA, which is generally available now, is support for legacy applications like VoIP, if you have on-premise VoIP or server to client application where the connection is initiated by server, these applications typically needs in network connection or IP-based connectivity. So we basically keep a zero trust path for all applications in ZPA, that do not need network presence and then create a network presence based connection to these applications. This allows you as a customer to actually retire all your VPNs and firewalls for inbound access using ZPA service. 
So the intent and broader coverage that we are providing here is that any application that does not support enhanced zero trust architecture need IP-based connectivity, we can support that using ZPA with the same policy framework as well. Our broader goal is to make sure that we are able to provide Zero Trust everywhere. One of those use cases that we have been working with a lot of IT services customers of Zscaler and those app customers who host third applications and third-party data centers. Typically, in those data centers or partner data centers in extranet use cases, you cannot deploy our app connectors as VMs or our service edges in those environments. So now we have removed that dependency and you can actually initiate a IP sector which comes to a Zscaler cloud via Zsec node, and we take the user connection from their device with the full zero trust user to application mapping and then translate that to app -- user ID to IP mapping and give them end-to-end zero trust from user to third-party data center without deploying app connectors in those scenarios. Very powerful. Again, the theme here is deploy Zero Trust everywhere, get rid of your traditional firewalls and VPNs that create massive attack surface. This is also generally available since October. In terms of partnership, we have extended our partnership with Google Chrome Enterprise Browser. One of them that we have supported, especially for unmanaged or BYOD scenarios where you cannot run Zscaler client is to basically use Chrome Enterprise browser as a client for Zscaler, where it can share additional posture and user identity context and allows you to extend more granular policies in those scenarios. We also have a clientless version of our service and we have the user portal, which leverages our Zero Trust Cloud browser to give you client-less access. 
But when you need more granular posture control and you have a Chrome browser running on your personal device, we can actually integrate and pick signals from that. Very powerful for customers who are also using Google Chrome Enterprise browser. Another industry-first partnership that we introduced in February is for customers, many of you use SAP and are planning to move from on-premise SAP to SAP RISE. We actually -- and this is driven by SAP ECC going end of life by 2027. So we have been working with SAP in this partnership for a few quarters now. What we have introduced is the ability where our private access servers can run natively inside SAP with managed Kubernetes clusters. So you do not need to deploy any infrastructure as part of your SAP workloads, whether they're running SAP cloud or hyperscalers, we can actually spin up these app connectors and provide you zero-trust access with very easy provisioning steps that are fully supported with -- due to our partnership with SAP and also eliminates the operating system or hardware dependencies because we are spinning it up on the Kubernetes without you requiring to maintain any host operating system. So this is something which many of our large customers with SAP footprint are finding very powerful. So if you're interested, please reach out to your teams or SAP teams, we have a joint integration guide and deployment right available now. Continuing on our expanding our footprint from a cyber perspective. We understand that attackers are always looking for evasive techniques. So one of the things that we're doing in our sandbox now is that we actually -- when we send it for any file for detonation, we actually send it to an unpatched VM, which we do today as well as a fully patched VM, to determine any difference in the malware behavior in both environments because some of those scenarios we have seen that the behavior is different. 
And originally, we had the fully patched VM report identified mitigation and available to you from the beginning. We actually are providing you next-level insights, especially for your SOC and security operations and engineering teams to understand malware adaptability when it comes to the underlying operating system and host environments and how do they behave. So this will save your researchers time because they don't need to go to do their own analysis on fully patched VMs. This is coming as part of the sandbox report on the platform. This is generally available as of coming soon in March 2025, early access is available now. Another capability we have introduced and again, this is something we keep expanding, adding more file types and expanded file sizes for -- that are sent to the sandbox. So you can see there are a bunch of new types mentioned here, including script file installers, batch files, developer files. One common theme you will see here is a lot of these files are actually text files. So we actually go one step deeper to look at the syntax of these files and beyond just the magic byte or the headers to determine what these files are. So very powerful and as the file sizes have been increased to 50 MB as well. Moving to next area, which is Zero Trust branch and cloud. So one of the big focus area for us is to -- for our customers to use zero trust for inbound access to OT systems. Many of our customers are using our privileged remote access for third-party contractors or even their employees' access to privileged systems. One of the capabilities we have added now is allowing third-party OT vendors to do update maintenance over Zero Trust. That has been generally available for time. But now we've added in-line security scanning of those files as well. Because if a compromised user, third-party user or employee uploads a malicious file on this OT system, it could have a bigger impact on your production system. 
So we actually have integrated that with our sandbox. And this file transfers that you support from console, we can support privileged file transfer with full inspection for better cybersecurity and giving you full governance capabilities. This is generally available for all OT customers since November. As part of our broader -- last year, we acquired a company called Airgap Networks, which is now called Device Segmentation on our platform. So one of the unique approaches that product takes is it basically makes every device on your network, an island of 1 by using -- becoming DHCP gateway and giving a slash 32 IP subnet to every device. Now we are mindful that certain very legacy OT environments where Airgap is used very heavily for our agentless device segmentation, do not take a slash 32 subnet mask. So we now allow as part of that configuration to customers to configure microsubnets of 4 to 32 end points. So you can have a slash 30 or slash 27 subnet sitting on an OT environment, which actually solves all the use cases we have encountered and allow you to extend this segmentation for all your legacy OT environments as well. Very powerful, again, extending it beyond IT, OT to legacy environments where we can go beyond slash 32 or work with your static IPs as well. Another very significant product that we have introduced on a platform is Zscaler microsegmentation, which is available for AWS, Azure and on-premise which means data center-based workloads where you can -- are running VMs on bare metal. This is something that we have built on top of our private access service with the same segmentation framework. One of the challenges that we see in large enterprises who are looking at micro segmentation is that -- they are trying to build micro segmentation from ground up, while having different policies at the network segmentation. This really doesn't scale well. And most of large organizations abandoned these projects with 20% to 30% deployment. 
So we are building host-based microsegmentation where you can deploy agent on these VMs running in the host space with -- and no kernel space hooks. So it can -- you have peace of mind from an operability perspective, and be able to give you full visibility into process level network flows as well as host-level network flows. And you can then define outbound, inbound policies at a host level using network flows, and we are expanding this rapidly to support containers and eBPF flows in the foreseeable future. But this is built on ZPA as the same concept of intelligent segmentation yet becomes generally the form factor on which you deploy segmentation, not disjointed product but a very special core featured product on top of a broader segmentation platform. Another thing that we are doing in our broader cloud workload segmentation product area is that we are minimizing the dependency on DNS resolver. The DNS behavior on every hyperscaler is different. So a lot of customers prefer to map IP addresses to FQDN and then depending on DNS resolvers. So our Cloud Connectors, which are our gateways that you deploy in cloud with full automation now support integrated TCP proxy to leverage the SNIs to build database of IP to FQDN, simplifying how you basically map these IPs to FQDN and not overly applying or relying on these cloud native DNS resolvers. So this seamlessly work with existing DNS configuration that you have done on public cloud. You don't need to redo this, but it simplified the macrosegmentation using ZPA for workload to workload or machine-to-machine segmentation use cases and consistent policy for rules with wild card FQDNs. This is also generally available now. Another integration that we have rolled out is our partnership with HashiCorp Vault. Any third-party secret management solution. So typically, customers are required to use cloud-native secrets, manage it for storing cloud connector secrets that we use, which is based on job tokens. 
So instead of you using a lot of our customers standardize on like HashiCorp or third-party vaults, we actually now support integration with it. You don't need to use the secret manager on public cloud. So third-party vaults, whether they're on-premise or public cloud are also fully supported. Moving on to digital experience next. So there are a lot of things that we have been doing in ZDX. It's a very fascinating area where we use AI and ML very heavy. In ZDX, 1 of the things that we have done is we have 2 kinds of probes, a Layer 7 webprobe or HTTP probe, that looks at application and Layer 3 or Layer 4 network probe, which uses like things like MTRs, but with high level of customization and extensibility. One of the things that we have now done is if your application is a non-web application, we were leveraging on Layer 7 probes to do ZDX scoring. We actually extended that logic to the network probe, so you really don't need to configure web probes for non-web applications. So you can get the same level of hop-by-hop monitoring with the experience score for applications for non-web applications as well. Another thing that we have done is a lot of you use our workflow automation service, which is directly integrated with data protection DLP use cases. We actually are taking that as a platform service and integrating with all of our core platform products, including Internet access, private access. But we have already rolled out the first level of integration with digital experience when you create alerts. The output of that alerts, instead of creating a web hook to ServiceNow or e-mail can actually be integrated to workflow automation where you can delegate these like DNS level issues to your DNS teams or application issues with Office 365 alert to Office 365 team allowing you the right to bring these workforce for the right team to act upon. This is also generally available in the product now. 
Another very important troubleshooting feature we rolled out in September for in ZDX is to create live snapshots or short-lived URLs that you can share with the context of an incident not just with your company's ZDX admin, but also with your L1, L2 help desk who would not have a ZDX log-in available to them to -- or let's say, you're looking at an ISP problem, and you want to share this view with your L2 engineer of your ISP without sharing ZDX console with them. This actually takes the incident data, what you are looking at and shares it in real time with them. So [ Link ] provides access to the full context to reduce troubleshooting, sharing logs, tickets and allowing you to do live troubleshooting with another party in real time, very powerful, useful from a troubleshooting perspective. We also are extending more visibility into the infrastructure. A lot of you use private service edges. We actually are providing more visibility into the performance metrics and embedding that into ZDX and in our broader experience center consoles, things like identifying overall traffic trends, bottlenecks are detecting early performance issues and giving you workflows around that, that's also part of this as well. We also are -- ZDX-as-a-service is available on PC, Mac, Android, and we have extended support for iOS simply as well when you have those as managed devices. One thing we are doing is extending the feature parity. So we have non-macro added support for self-service where your users get notified if we see performance issues on their side as well as initiating the remote bandwidth testing. It was available on Windows. We have extended that support on macOS as well. Another extensive product that we have built in ZDX, which is extension of ZDX platform is to run ZDX from Zscaler cloud. Traditionally, is ZDX run as a library on the Zscaler cloud. But what we have been doing sorry, as a library on the user's device, embedded in our Client Connectors. 
So you get the full user context for the experience issues that are being -- that we through -- see through the lens of ZDX. Now we have taken the same library, made it multi-tenant and running it from Zscaler data center, which allows you to monitor your key applications, your company's website, monitor SLA for your applications, and look at the state of your network through the lens of Zscaler, leveraging hundreds of data centers and point of presence that Zscaler has across the globe. This is currently running in about a couple of dozen Zscaler data centers. You can reach out to your team to start using it, deploying it in production. Our goal is to have this running in all Zscaler data centers by end of this year. Continuing on that theme, we also have introduced a WiFi dashboard and enhanced it significantly to find issues that are restricted to WiFi data, with how it is impacting your network and the users who are connected to that network to track the performance of end user experience. This can actually tell you specific areas within a WiFi network or multiple WiFi access points in broader WiFi landscape to find issues that are impacting end user experience. You can actually see very specific information like jitter and latency on the WiFi nodes but also see which users were connected with. [Audio Gap] and they had bad experience for certain applications, and you can triage the issues quickly. So we have built this new dashboard on -- for ZDX Advanced customers, and they can get more insights into the WiFi experience. As I mentioned, we have expanded that digital experience to support iOS which was not supported in the past. So our Client Connector and iOS, if it is managed by a MDM like Jamf or Workspace ONE, we actually are able to spin up ZDX to support that using the per-app VPN profile. It minimizes the troubleshooting effort and identifies LTE 5G issues. We are planning to extend this further for nonmanaged devices in the future. 
But currently, it's available for all managed devices or that's about iOS. Another thing that we have done is for ZDX standard customers. So ZDX Advanced is a paid subscription, standard is included for all Zscaler customers. We had certain restrictions on how much information you can get. One of the things that a lot of customers were asking, they see tremendous value in getting the full hop-by-hop view while troubleshooting things. In ZDX standard in the past, that view was 3-leg view from the client to the gateway to cloud and the cloud application, we were not expanding them. Now we have given the full hop-by-hop view. So if there are 10 hops between the client to the egress and 10 hops or 20 hops between egress to Zscaler Cloud, we'll give you a breakdown of all those hops with a click of a button even for ZDX standard customer, which will help you in troubleshooting network issues with these as well. Next area that I want to talk about risk management. So risk management is an area where we have been extending building products that give SOC teams a lot of useful tools that help them clear out issues in real-time. So last year, we acquired a data fabric -- security data fabric company called Avalor that came with prebuilt integration with 150 different security, networking, cloud security and business products. And over a period of time, we actually have brought Zscaler first-party data to integrate here as well. So one of the things that we are doing is a product that we have built and is generally available on the fabric is UVM or vulnerability management, that aggregates findings from multiple data sources and uses our data fabric to normalize, contextualize this data and if it takes disparate signals from 10 different products and give you 1 output with the remediation workflows and then you can take a lot of actions to resolve those exposures. 
So unlike a traditional vulnerability scanner, it takes input from them as well, by the way, it allows you to solve issues much faster and get visibility and make the SOC team's lives much easier. This product is generally available, running on Data Fabric today. We have also last week announced an asset exposure management product or what Gartner called is CAASM, which focus on giving you full visibility into all your enterprise assets tied into the same data fabric that I talked about earlier, not just give you risk and vulnerability, but also asset level details for hundreds of different assets coming or detected automatically from different sources, creating a superset of all known assets and their current risk rate and also telling you how to remediate issues on them. So this helps you identify coverage gaps that come from individual product, you don't need to rely on multiple third-party tools connecting into a data lake and then giving access to a separate asset inventory. We are basically building a full asset inventory and tying risk and vulnerability exposure to that and remediation for that, too. So this service is generally available as of February as well. With that, I would like Venkat to join me and give you an update on all the innovations that we have done on the data protection platform in the recent 6 months. Venkat?
Venkat Krishnamoorthi
executive
Thank you, Dhawal. That was amazing. So let's get going right into it. So GenAI security has been a major work stream for us at Zscaler. We've had a lot of conversations with customers as well. On top of everything that we've already released for our customers, one of the things that we released recently is the ability to provide API-based CASB controls for ChatGPT using compliance API and so this gives visibility into sensitive data and malicious responses in ChatGPT, right? So keep tuned to this channel. We're going to be adding a whole bunch of GenAI related capabilities going forward as well. And you'll see some of them show up in some of our data in motion in line and e-mail DLP capabilities as well. So we have added optical character recognition for e-mail DLP. And so now with this customers are able to find sensitive data that is going across in the form of images. So we can actually look for PII, PHI, all kinds of sensitive content within image types. As you can see, the file types that are supported over there. We've had this on API CASB and in line DLP for a long time, just adding it for e-mail right now. We've added support for e-mail DLP for O365 about a year ago. Recently, we added support for the Gmail customers base as well. So with this e-mail DLP is now supported across the 2 major e-mail providers across our enterprise O365 and Gmail, we're able to do -- we're doing this in-line e-mail DLP so that people can use -- customers can use our full-fledged e-mail unified data protection capabilities on e-mail that are going across Gmail as well. So in line of the e-mail traffic and provide you controls, quarantining and all those kinds of features. One of the cool new set of features that we have released for our in-line DLP is the ability for us to enable coaching and confirmation for the end user. 
So as they're uploading something potentially problematic to a shadow website or an unsanctioned application, we're able to ask the customer end user to decide themselves if they should go forward using a confirmation policy. And if they are willing to add a business justification for it, that whole thing is captured in the incident data and the analysts can actually inspect what the users did. With this feature, what we've noticed is a lot of our end users are self-censoring themselves, and that actually ends up becoming a nice coaching feature and improves the data security platform -- security posture for our customers. We're expanding worldwide. We have massive success all over the place, but we've added a bunch of capabilities on the Japanese market. We've added Japanese street names, first names, last names, and other capabilities within -- to be able to determine without the ability to do delimiters, right, Japanese-specific requirements for where we should be able to find these names, et cetera, without counting on spaces to give us the delimiter. So we've been able to do this and massive adoption happening in Japan because of this feature. Trigger context for DLP, what is basically showing in -- when an incident occurs, hey, this is all the sensitive content that actually caused the policy to trigger, but what are some of the bytes in and around the actual offending, right, offending data, right? So this actually gives the analysts the ability to contextually understand better what type of policy violation might have occurred so they can actually determine the false positive nature of that violation, et cetera. Okay. EDM, we have giant corporations, banks and medical systems deploying our Exact Data Match solutions. One of the areas where we're making an enhancement here is to allow customers to match against popular formats like for PII, PHI, et cetera. 
so that the number of false positives on just the bland numbers over there are reduced even more with EDM. And so the PII data taps format checking is now being enabled for Exact Data Match. One of the cool new features we've added is having the ability to inspect WebEx transactions as they're going through. We are looking at is typically end-to-end encrypted. We've worked with our partners at Cisco to actually be able to decrypt those chats and perform DLP inspection and give our customers the ability to have some controls over that real-time, okay? So this is a really big innovation there. As I said, we are investing heavily in a lot of ML and AI based data classification capabilities. One of the things that we've recently released is the ability to do image recognition for even images such as DICOM images that might be ultrasounds and things of that nature, also find PII information in passports, driver's licenses and things like that. So again, expanding the frontier of what we do with our data protection capabilities, using AI to be -- state-of-the-art AI to be able to determine things like images, determine image recognition and be able to block exfiltration. Moving over from e-mail and in line to CASB, both on the inline side, as well as API-based CASB, we're able to apply Atlassian labels for data at rest, right? So we've been inspecting Atlassian products for Jira and Confluence, et cetera, for a while now, but now we will be able to add labels on them based on our classification, and then so that Atlassian can take some action based on that. Watermarking is something that is very interesting and innovative for our customers. So with this API-based CASB solution, what we can do is if there is a sensitive document, we can actually add a watermark based on what the customer is telling us on that document. 
So that we can actually prevent customers from simply exfiltrating that document because they've -- or even taking a picture of it with their smartphone because there's a giant watermark on that picture, right, so on that document. So that is a new feature. One of the cool areas we've worked on for in-line CASB is the ability to actually do instance discovery, right? So we've been having a lot of inroads into a lot of big customers because what we are able to do, for example, for GCP is being able to go in, into the Google Cloud environment for our customers and discover various instances of Google that might be running. And then this actually allows customers to know exactly what's happening in their own environment, and then they can put some controls over it. So okay. I don't want data to be exfiltrated to this particular instance or I can -- this is allowable and so on and so forth. So it gives a lot of ease of use and policy creation, et cetera, and stopped in-line data loss prevention. Cool, let's move on to unified SaaS security. This is an area where Zscaler is particularly differentiated, right, with our advanced SSPM or SaaS security posture management capabilities. So as we've announced in the past, with our unified SaaS security, what we are doing is we're giving our customers SaaS security posture management, right, for all the well-known SaaS applications, O365, Okta, Slack, ServiceNow, you name it, we have it. On top of which we also have app governance, meaning third-party apps that the end users might be connecting to these platforms by going to their various marketplaces, right? So we've unified these 2 capabilities into what we call the unified SaaS security capability into this portal. And so we have actually enabled these 2 things to be together. And so our customers can get full visibility onto these -- the posture of configurations, et cetera, for the SaaS environments and on top of it, all the third-party apps that their users might be using. 
And obviously, we give you a full threat information about those apps and you're able to use our product to go ahead and remove [ OF ] tokens, et cetera, from those apps so that the highly risky third-party apps are not in your environment, right? So this is like bridging the gaps which customers can have because pure-play vendors are simply giving you point-in-time visibility and not giving you the connectivity between these various things that are happening up, misconfigurations as well as third-party apps and so on. Okay. We're also adding a new dedicated compliance dashboard, right? So for our SSPM feature functionality, adding like industry standard compliance frameworks on a dedicated dashboard and giving you full visibility as to which of those applications are maybe not very much compliant with certain compliance signatures and also, over time, giving you the drift of the configuration that might have occurred, right? So at some point in time, customers may be compliant. But over time, it may have moved on from there. And therefore, giving you that -- the delta of where things were and allowing customers to go back and become more compliant with the signatures again. So these are some of the things that we're doing with our compliance dashboard. And then we have actually innovated on this space where we're actually doing some scraping based methodologies to be able to rapidly expand the number of SaaS platforms. You can see some of the examples over here -- so that it increases the breadth of support at SaaS in a very SaaS apps in a very, very short time, enables faster onboarding of new apps, right, without waiting for API support. And then it enables our customers to be able to POC our solution much faster with this broad app coverage. So we are also adding a bunch of capabilities to adding a complexity matrix to help our customers prioritize and give you a sense of how different posture controls play in the mix, right? 
So as we expand to support more and more platforms, security teams may struggle to prioritize hey, where should I be focusing my attention on, right? So we can do -- with this complexity score, we can tell you where in the UI, which can tell you where you should be focusing your efforts. And then that actually gives you the highest priority things can be taken care of first, right with this complexity matrix. All right. Switching gears over to our endpoint DLP. As you know, this is functionality that we've built into the Zscaler Client Connector, integrated in. And so most customers are super happy with this because some of the other DLP type agents can come off of the machine. But -- so here, there's some significant innovations we've done. We've already announced in the past that with our endpoint DLP, you can actually figure out what types of sensitive content are sitting on people's laptops, right? So across the entire enterprise. So a user might have multiple devices, but we will give you a cloud dashboard where actually we're able to give you -- give our customers visibility on all the sensitive content that's sitting across the entire gamut of laptops that they have in their environment, right? So answering the question, if somebody were to lose a laptop or forget to return it, what sensitive content is there. And furthermore, we'll be giving some capabilities in this -- in the future there. Along the same lines, on the endpoint DLP one of the key aspects for our customers is, "Hey, what are some of the devices that my end users are using, right? How do they know that? They don't know that and who are using these devices? What types of devices are these, are users using printing capabilities to print stuff on personal printers, right? 
So with this new inventory capabilities -- capability we have just released customers can get an inventory of all the removable storage, external hard drives, SD cards, USBs, et cetera, printers, local and network also portable devices like MTPs, smartphones and things like that. And then they get a full inventory of that. So once they get full visibility of that, and then we already have device controls rules, that are available as part of our endpoint DLP so they can go ahead and have controls over that, right? So you can say, hey, these types of devices, I do not support, et cetera. Okay. So that's inventory. Device control, I already mentioned, right? So we've just released this as well. So what we're able to do is, for example, for that removable storage that you've figured out with your inventory control, Hey, I have all these USB devices instead of doing DLP and allowing copies, et cetera, to USB, you can simply say, I'm going to do a device control and completely block some of these users from using USBs altogether, right? So those kinds of device control. So there's device control and then there's DLP. Device control is not strictly a DLP feature, but we are making it available for our customers so that they don't need to use multiple device control type endpoint applications. They can do everything from the Zscaler endpoint DLP solution. All right. That's endpoint DLP. Switching gears to DSPM, data security posture management, right? We have released, again, like the SSPM where I talked about we have released this capability to provide a global security risk view for our customers, right? Being able to see hey, what is my overall risk? And how can I improve my risk and how has it degraded over time, right? So we'll give you a risk score, and we also give you a risk score trend over time, right? Again just analogous to the idea I mentioned about drift on the SSPM side. Here, it's all about data, right? 
Hey, what are all my data repositories, whether it be structured data, in the public cloud or unstructured data in S3 buckets, Azure Blob and so on and Google Storage. So we'll give you, hey, these are really sensitive data that are sitting on all these repositories and by the way, the risk score is high because so and so user and/or NPT is able to go access these and here's how we should be remedying these, right? So we give you this global risk score. Okay. Again, we have a compliance dashboard that we've built here for industry standard frameworks such as NIST, PCI DSS, ISO, et cetera, and more, so you can keep your cloud in compliance with regulations, benchmarks and so on and so forth. And so this actually improves the data security posture on the public cloud infrastructure here. We've built this very nice insights dashboard, right? So after you've run the security scan, right, there's multiple alerts and topics, right? So which of them should be top of mind. What is something that I need to highly prioritize? So we'll give you these insights. We're actually using AI techniques to summarize the insights that are coming in, all these alerts that come in from all the scans that have been running, we'll give you insights on this. For example, the heat-sensitive data stores can be accessed by users with some risky profiles and things like that. So you can actually figure out which are some of these highly critical insights that I need to take action on ahead of other actions, right? Okay. So these are, by the way, out-of-the-box data security insights, there's no configuration required. It comes out and you're able to actually go ahead and take a look at this. One of the things we're adding for our DSPM portfolio is malware analysis, being able to do as it says, it's a self-explanatory, unstructured data, find malware risk, and we can automatically scan this and report on malware risk, et cetera. 
Again, these are predefined policies and these consider as part of the posture issues and alerts so that we can detect multiple such scenarios, right? Cool, that's malware. With this, we can actually storage services public exposure Explorer. So we have -- give very nice visuals for our end users to be able to see, hey, that's how our S3 buckets, for example, potentially publicly exposed, right? So typically, it is not just hey, some S3 buckets are open to the Internet, right? That's, of course, the simple stuff. But being able to say, hey, there's sensitive data in these S3 buckets. They are at risk of data exposure, right? But how do you know how is it that this data can be exposed, right? So Zscaler data security posture management, DSPM provides an easy explorer for that with all the appropriate visuals like in this case, you can see there is an ACL or something that is actually open, opening that S3 bucket up to the -- with some HIPAA data to the public Internet. So this is stuff that probably will fall in that critical insight that I was just mentioning to you so that you can go ahead and take remediation action, right? So we'll give you full -- the files that we found in the S3 bucket, for example, that have -- that meet these sensitive data criteria. All right. We've been hard at work, adding a whole bunch of new additional services that we support in our DSPM. So we're expanding this by adding all of these stuff, as we said from December to February as of -- when we're recording this AWS, DynamoDB, GCP storage bucket, GCP, Cloud SQL, Azure, and then we've also added 140-plus new policies for AWS, Azure and GCP. As you can see, we have all the main clouds covered here with our DSPM as well. One of the cool things we've added in our DSPM is for the ability to -- for your analysts to be able to go in and do a full investigation and you can actually build -- use our query builder to build your own queries to understand, right? 
So how do -- as a data security admin, like to -- how would I like to investigate raw data and search for topics that may not be covered by Zscaler policies, right? So there's hundreds and hundreds of prebuilt Zscaler policies we give you. But with this easy query language-based tool, what we're enabling our users to do is to go ahead and simply write very easy queries to find out things like, hey, user types for IAM users, unmanaged users and external users. And so you can create your own investigative capabilities on this, and you can build on some of the predefined ones as well, right? So the ability to better tune in the context of investigation. All right. One of the key features that many of our customers have asked for in this space is, hey, my -- I want to keep my S3 bucket or my Azure Blob as private end points, right? So how can I deploy your DSPM scanning framework that requires me to give you access to my S3 bucket? So with our bring-your-own-network capability, we can allow embedding the orchestrator and scanner services into an existing network setting and so during the onboarding flow, DSPM will adjust the template based on user inputs, right? So in case of very strict regulatory environments and in customer networks in the public cloud, we can actually allow our customers to bring their own network and so deploy our DSPM scanning services there. Being able to scan DLP engines over file types that are relevant for these engines, right? So -- this is some specific stuff we're doing. For example, we want to exclude JavaScript files when searching for financial records, right? So just improving our accuracy of removing false positives and things like that. All right. So with that, as you can see, we have been hard at work, adding a whole bunch of capabilities on all the stuff that Dhawal covered for you as well as data protection. We look forward to seeing you again on our next update. 
We will be doing these very, very periodically, quarterly, if not more frequently, but I look forward to seeing you on the next one. Thank you very much, and have a brilliant day.