Zscaler, Inc. (ZS) Earnings Call Transcript & Summary
March 26, 2025
Earnings Call Speaker Segments
Ameet Naik
Hi, everyone. Excited to welcome you to today's webinar on why CIOs are adopting a Cafe-like branch strategy. My name is Ameet Naik. I'm our Director of Product Marketing here at Zscaler, and I'm super excited to welcome here with me Brian Deitch, Chief Technology Evangelist, who's going to walk us through what he's seeing in the market and why Cafe-like branch architectures are going to -- not only make it more secure, but also save you more money. So I'm excited to have Brian on board. So without further ado, let's dive in. Just a couple of housekeeping notes. This webinar will be about 30 to 40 minutes in duration. We will take questions along the way. So if you have questions, feel free to type them into the chat box below and we will do our best to address them along the way. We'll take them as they come and, of course, after the webinar a recording will be sent out and available on our website to watch on demand. So let's dive into Cafe-like branches. But before we understand Cafe-like branches, let's take a look at what's been out there, right? So we've all been living in the world of traditional networking and security. Now what's kind of the goal of all of this at the end of the day? The goal is enabling your employees to access business applications. And those business applications might be some kind of manufacturing tool, might be your Salesforce instance, right? And you want to enable them to do their job. And once upon a time, all these applications lived nicely in your data center, all your employees were nicely in your office, and we built these private networks to connect the 2. And there was this notion of good and bad, right? Trusted, untrusted. Anything inside the network was trusted and anything outside was untrusted. And we created firewalls to kind of create -- allow secured communication between those 2. But then things got a little bit more complicated. We started seeing applications move to the cloud.
We started seeing users moving everywhere, right? And about a decade ago, we started using technologies like SD-WAN. Before that was MPLS, before that, we just created site-to-site VPNs. And we use these technologies to connect all these cloud applications to all these users. But that's really not what it was designed for. So what we end up with is a lot of sprawl. We end up with a lot of technology sprawl. So let's say you connect all your sites, small branches, medium branches, campuses, factories, retail locations, hospitals, health centers. You connect all of them through some kind of a traditional SD-WAN or MPLS service depending on where you are, and then you typically rely on some sort of a communication hub. This may be an old data center that you still have, this may be a colo facility somewhere out there. And through -- this kind of becomes a focal point for you to then connect out to the cloud and to the Internet. And to secure all of this, we've added a patchwork of technologies like north-south firewalls. We've created DMZs so that applications can come in and out, right? We create VDI farms in data centers in the cloud to allow third parties access into all of this. But at the end of the day, what happens is this is all relying on a routed network. SD-WAN and MPLS are really good at allowing things to talk to each other. And this is a problem because attackers use this as a weak point and use this to facilitate the lateral movement of ransomware. Now we've all heard about ransomware attacks and how they happen and how -- what we probably don't hear about is how quickly they happen, right? By the time your teams report in some problems, you realize what's going on, your system is compromised, your entire organization is compromised. And one of the reasons this happens very quickly is because all I have to do is find the weakest point anywhere in my branches, anywhere in my infrastructure. It could be a camera sitting in a branch office somewhere, right?
Exploit a zero-day vulnerability that will come in. From that camera, I can now move around laterally. I can go to the communications hub. I can go start poking around my sensitive applications in the cloud. I can go into data centers. I can go infect other sites. I can go infect factories. So that's a huge problem with the traditional network architecture. So what did we do? We started then popping firewalls all over the place to control this movement. But the problem with these firewalls is you now have to manage all the complexity, all the rules, all of the -- who's allowed to talk to whom, right? And you end up with a lot of them, you end up with a complicated rule base that nobody really understands why it's there and what it's been doing. It's not uncommon to have organizations that have thousands of rules -- and it's a nightmare to go through those and understand what they're actually doing. And sometimes, you just don't, right? You end up living with this technical debt of firewall rules because somebody put it in some time ago, and you're not sure what it's really doing. So -- go ahead, Brian.
Brian Deitch
I just want to chime in because I've been doing this for quite a long time. The 2 biggest parts that I think of with that firewall sprawl. Number one, it's still based upon IP addresses, right? And our users aren't an IP address. There's identity kind of tied to that. So you have to look at it a little bit differently. And the other one, too, is, like you have outlined here beautifully, we have a small branch, we have a medium branch. We have a campus. And generally speaking, like the tail kind of wags the dog, right? And so the network team and security team, they want to put that firewall at the campus. So they're like, "oh, my god, we've got 50,000 people here. So we buy this big thing, this big firewall. We turn on all the features." And then they start to, "okay, well, now we need to do the other places, like the medium-sized branch and a small branch." And then what ends up happening is, like, if they want to turn on all those features at a small branch, they can't buy a small branch of plan. They have to buy a really big one because the throughput kind of gets killed. So we look at that, it's the cost of complexity, right? There's 2 forms of it, whether it's trying to figure out who the heck the user is or trying to get feature parity across all your different locations, and it's something that we solved here with Zscaler.
Ameet Naik
Yes. I mean that's a classic cybersecurity trade-off, right? You start doing more inspection in these appliances. They have finite horsepower. And the more capabilities you turn on on these things, right, the worse they perform -- and then at some point, your users start calling in and complaining about poor app performance and you're forced to roll them back or live with the trade-offs that you make, right? So it's a really good point with the traditional architecture. So again, a lot of complexity enables lateral movement. Your entire network, every site, every location that you have is now your attack surface because all the attacker needs to do is find the weakest point. It could be an old obsolete camera that somebody forgot to update. You didn't even know you had it sitting somewhere in the remote office, where malware can come in, start scanning your network, move laterally and infect your crown jewel applications. So this is the complexity and the security challenge we've been living with for some time. So what's the real answer to this, right? So at Zscaler we've pioneered Zero Trust. Now Zero Trust is simply a notion that instead of starting with a model where everything is connected and everything is trusted, you start with the model that nothing is trusted, right? And nothing is connected to begin with, where you don't rely on traditional routed networks. And as we get into -- I know Brian will talk more about it, right? But as we get into more Cafe-like architectures, this becomes very important. But with Zscaler, we have the Zero Trust Exchange, which acts like a broker, like a switchboard, if you will, between any connection, any device, any user trying to talk to any application. And what it's doing is validating that session at that point in time to say, "hey, do I know who you are," right? Are you who you say you are? Where are you going? What are you trying to do?
Are you a camera trying to talk to your cloud server that's trying to -- that's the normal controller? Or are you a camera trying to talk to a command and control site, right? So that context is really important. And then what's the risk? This is where adaptive access comes in, right? So if I know something about the endpoint, if I can pull in information from EDR tools, I can make better decisions on what applications I'm allowing you to access. Let's say you come in on a laptop that potentially -- it has a lower trust score, then maybe I'll let you go out and surf the Internet, but I don't let you connect to private applications. And we can extend the same model to devices. We can extend the same models to branches and locations, right? So the idea behind Zero Trust Exchange is, you don't just connect very common router network. You just connect to Zscaler Zero Trust Exchange. And in this world, your branches essentially become like coffee shops, right? Now we've all worked from a coffee shop at some point in time. We can do our business. We can connect to our corporate applications. But I, as the IT leader, am not responsible for managing that coffee shop, right? I'm not worrying about its threat level. I'm not worried about the quality of the network because I know it's completely isolated from the rest of my network. And another analogy to think about here is it's like putting users on a guest network, right? So everybody comes in, everybody connects to something locally, but they're not directly connected to the corporate network. And the best part about this architecture is you are starting out fully segmented, right? You're not in an any-to-any routable network where anybody can talk to anybody, where then you have to go on and put gates and put toll booths on the way, right? Brian, any thoughts on the Zero Trust Exchange? I know you've been talking about this for a very long time. What else can you share with our viewers here?
Brian Deitch
Actually, I'll get to my stuff here in just a moment, but there is a question in the chat. So it says, "hey, if we're not focusing on IP addresses to identify users, how are we actually identifying those users? How does Zscaler know who the user is?"
Ameet Naik
Yes. So that's a really good question. So identity is an interesting aspect in zero trust. It's a very important concept. So from a user perspective, we are pulling in user identity. So identity can be a couple of things. Identity can be the user name and password that you type on your computer. It could also be a certificate that lives on a managed device. It could be a YubiKey that's connected to the USB port, right, that's validating who you are, that IT knows that this is really the device that they provisioned and allowed on the network. But as you get into devices, right, that you don't -- you can't do some of these things. You can't put a YubiKey on a USB camera readily, right? You can't put a certificate on an IoT device or a printer. So once you get into those types of devices, behavioral identity becomes more important, right? So identity is almost like how are you behaving, how are you acting? You look like a printer and you're accepting print jobs and you're sending print jobs and you're communicating with a cloud controller. Let's say you're more likely a printer. But if you look like a printer and then you're basically sending large video files up to some risky site on the Internet, you probably -- something is compromised about you, right? Something is wrong about you. So identity means there's lots of different ways to define identity, but that's the most important piece in the zero trust puzzle.
Brian Deitch
Agreed. And if I was going to add anything else to that, specifically around the user context, like we just want to do that control, alt, delete, whatever the user is on that machine, when you're able to identify them and we want to make it transparent. One of my favorite things here at Zscaler when I first came here 8 years ago, was it kind of scared me trying to figure out this whole authentication thing because they did it back in the day like: if I'm trying to do this thing via firewall and I have a user that's plugged in, but they go to WiFi and the IP address and Active Directory haven't synced up yet, it's just disgusting, right? You just have this moment in time of a gap in security, but Zscaler is different. You federate identity to do that, it might take you 10 minutes and that's if you spend 5 minutes to talk about your feelings. So it could be Ping, it could be Azure Active Directory or Entra ID. I think it's funny. The identity company is having an identity crisis, naming their products. It could be Okta, any IdP that's out there. We've got you covered to pick that up. And once you do it, it's just transparent. We just know exactly where the user is -- even if they're trying to do something that varies, we can help identify that. Back to you.
Ameet Naik
Yes. So again, very important pillars of the zero trust architecture, right? Identity is the biggest part. Context is also equally important, like what are you doing, how you're behaving, what you're trying to do? And then what's the risk at that point in time, right, so you can provide adaptive access. So these are sort of the foundational pieces that help build out the Cafe-like branch architecture. So I want to jump in and turn it over to you, Brian, to walk us through what is a Cafe-like branch. What does this actually mean? And how does this benefit our customers? And why do CIOs care so much about it?
Brian Deitch
Yes, let me know. Can you actually see the good old pyramid of greatness?
Ameet Naik
Not yet.
Brian Deitch
Not yet. According to my calculations, we can. Let me check the chat window, see if everyone can see it. Yes, we can see it. Okay, cool. Maybe just on the wrong screen, but get your life together. So yes, number one, PowerPoint is stupid, I don't like it. So I'm not doing more PowerPoint, at least I'm not, and this is what I look like. So a quick housekeeping. I have a piece of glass in front of me. Yes, the wall is black. You see me looking over here. I'm trying to figure out -- I was talking, but honest with you, I'm way too old that if you put it in a chat window, I can't see it. I'm just -- it's not going to happen, but Ameet will tell me what's going on.
Ameet Naik
So I'll keep an eye on chat and pipe in with questions as they come up.
Brian Deitch
This is why I like you, brother. So I'm going to come over here. I'm going to draw a little thing. We'll call this the old school way of doing things, right? This is the old school branch and at the branch, we had all kinds of weird things going on. We have users, so come over here and draw them, and these users, right? They're kind of just flat face. They're not like -- life isn't great, but then you also have other things going on here, like IoT or, as I like to call it, the IoC, the Internet of crap. You might have some OT devices here as well. And when you have the branch, what are you doing? You're doing branch things. So you're coming over here, you have maybe a firewall, perhaps you've got NAC. You've got VLANs and all that good stuff. But the world isn't just right there. You have to contend with the data center as well, so they come over here. And we have the data center. And what do we have at the data center? Like back in the day when it was castle and moat, life was pretty good. You just had applications that lived over here. So you had applications 1, 2 and 3 and so, as you said before, we try to do what -- we try to connect these environments together. And there's this idea, right, that we'll come over here and like this. And this can be like MPLS, super costly, SD-WAN, it's cheaper, but you know what, maybe not entirely the best idea. But there's a problem with this and that it's implicit trust, and the idea is simple, back in the day, it's like, "hey, this is our network, and this is our network, and they should coexist and we should just allow them to make connections maybe left, right and center." But the problem with that, right? Is now that your is like, well, I have a firewall over here. So then you come over here and you're like, I'll deploy another firewall over here, and I'll try to do some type of weird segmentation. And if this user or this IoT thing gets popped like a due date, your attack surface is huge because of this implicit trust.
These things can come over here and talk to things over here at the data center, maybe not everything, but definitely more than what it should be able to talk to because this underlying technology, whether it's MPLS or SD-WAN, allows these things to talk together and do that. The next big problem that you have is over here at the branch. And these things have an IP address, and I said that this is your attack surface, right? So if it's reachable, it's breachable, that's a bad thing. And then the -- this entire thing gets compounded even more, at least from an end user experience, because you have the Internet and SaaS that are out there in the world. So we'll come over here and you have employees going out checking their e-mail like AOL. That's a joke. They probably don't do that. Maybe they're going up to just like GenAI websites, like my favorite, right? It's not ChatGPT, it's DeepSeek and I keep all my passwords and financial stuff, my company secrets there. They do such a great job of organizing it. Just kidding, and then maybe like M365. And if you have a user that's in New York and his data center is in California, and you're taking all of their traffic and then you're sending it out in this direction because you have that old security stack appliance, like that's -- well, number one, it's anti-cloud. Number two, it's going to kill the user experience; and number three, from an administrative user experience, my god, it's going to be terrible, right? Because these users are like, well, what branch are you at? And you do a packet capture over here or over here or the link going out, like it's just insane. And so from a Zscaler perspective, when we start looking at the Cafe-like type of branch, we want to come over here and say...
Ameet Naik
Brian, one quick question before we jump into sort of the Cafe-like world, right? So in the SD-WAN world, can you just solve some of this by just split tunneling my SaaS traffic out directly from the branch?
Brian Deitch
We can, but therein lies a problem because you turn that on, you allow maybe a local breakout to go in this direction. But now you have to figure out, can I scale this firewall to do all these things? And you still have that implicit trust, you don't think who the user is at all sometimes, right? Like it still becomes problematic. So yes, you might be able to amplify the user experience marginally, to be honest with you. But remember, what was it, the campus network versus the medium-sized network versus a small campus. It's not going to be a consistent user experience. So you might fix one little problem, but in the grand scheme of things you're going to have a whole lot more product -- whole lot more challenges...
Ameet Naik
You're living with some security trade-offs, right? You know that you're blind to some traffic because you're not able to inspect it and that's not good.
Brian Deitch
Exactly, exactly. So when we look at the -- that's really the Achilles -- because think about it, like going out to the Internet, I would say conservatively, like 90% of this traffic going in this direction right here is going to be TLS encrypted. So whether you're decrypting it over here or you're not -- whether you're decrypting here or not -- if you're not decrypting it, then you're only really kind of applying security to 10% of your traffic, like that's a terrible insurance policy, like we don't want to do things like that. And so from a Zscaler perspective, this is like how can we get rid of your attack surface, how do we not do implicit trust? How do I reduce lateral movement throughout the network, give a great overall user experience to our users without putting them on the network and treating it kind of like a cafe at the end of the day. So we call it the Zero Trust branch or the Cafe-like branch, and it's like, yes, it's like a guest network and you look at this and you say, okay, well, we're going to have users, right? We're going to draw a very similar situation over there. And these users will be happy because they're going to be on Zscaler. And then again, you're still going to have IoT stuff over here and then you're also going to have OT stuff. And the idea is we don't want to hairpin traffic ever over here. It just doesn't make sense. And then this is where I like to kind of introduce the Zero Trust Exchange. We're going to come over here with the Zscaler Cloud, make it simple. What you need to know about the Zero Trust Exchange, and I'm not going to litter the board with all the cool things that we have. But it's DNS, next-generation firewall, CASB, DLP, Sandbox and I think the list goes on and on, probably 100 things. And you can choose to adopt them however you want, but it just becomes another destination. So we look at this and we say, well, number one, we want to be able to figure out who the users are.
We're going to do that with identity, like remember, that's the Azures and Oktas of the world. And what we want to do is to ensure when users are flowing through here, when they are going in this direction, that 90% of TLS is going to be decrypted or inspected to make sure that's going on. So like how do we kind of connect the dots. And so the first thing is real simple. I don't want you guys to have to roll out firewalls, NAC, VLANs and other crazy stuff anymore with the Zscaler world. So we have something called the branch connector. And at a very high level, and I promise you it's not Blue Coat, but at a very high level, you might think this is just SD-WAN, but the Zscaler version of it. And it's not, because it's zero trust SD-LAN and there's so -- it's a very heavy statement to put in there. Because first things first, when we introduced the branch connector, we get this auto segmentation of your users, your networks, the IoT, OT devices that are out there because we want to make sure that if this IoT, like this one, gets popped like a due date, this one gets [indiscernible] be able to talk to itself. It can't talk to OT, it can't talk to the users and it sure can't go back over here. So then we look at this and say, the branch connector, on top of a lot of things it's doing, its sole goal in life is to send traffic outbound to the Zero Trust Exchange. So there is no attack surface right here, right? That attack surface is gone. There is -- if you can't reach it, you can't breach it, it doesn't exist. So I would say it's gone, maybe getting rid of that entirely. So this is completely dark, impossible to DDoS it, SQL injection, [indiscernible] scripted and all that good stuff. And so from a user perspective, right, you're coming through, the branch connector is going to kind of flow that traffic over there. IoT, if it was going out to like [indiscernible], right? You can't install an agent on there.
And so the branch connector takes that traffic and has the ability to intercept it transparently. And when traffic kind of arrives right here, I know a couple of things. Number one, this is your branch. Number two, this is your network. It's coming from over there and I'd be able to apply policy based upon the IoT stuff. Now earlier, I said that IoT is the Internet of crap, and let me show you why I can actually say that. So I take 100% of all my traffic that I have here in my house, including all the IoT stuff. So think about this real quick. You might have 3 branches or you might have 3,000. There's an awful lot of work going into the HVAC or the Epson printer that you have on there going out and trying to figure out, hey, I probably shouldn't allow this thing to talk to the Internet. It should just talk to just the Epson website, things like that. And so wouldn't it be nice if you had a tool to kind of automatically classify that and then put rules in place for you to make it trend out having to figure out the IP address of this device without fearing to figure out if it's over here or in this other network. And so in my house I'm sending all that traffic there. And you can see in the lower left-hand corner, I know this is kind of a busy thing, but I've got like 24 devices that are kind of classified as IoT. And then I'm going to jump into that, so I click on it and I know this is the party file and like weak [ obstac ]. You get to see my internal IP addresses, I don't care whatever, you're not my real dad. But you can see these IoT devices, I get an auto label, so if it was like a Ring doorbell, I know what it's supposed to talk to. In fact, I have like a Lutron, at least they did SmartHub, it controls the lights in the house. And what that looks like when I click on it, is you can see that there's this device going out to lutron.io, and it's mapping that all out for me, so you don't have to worry about it. You don't have to think about it.
Now the thing that really threw me off here is at the very top it was going over SSL and HTTP. And I was like, oh, HTTP, that's kind of weird, right? And so I dug into it a little bit more. And this part freaked me out. So this is their website, firmware-downloads.iot.lutron. That update, that firmware update for that device, had an embedded piece of malware on it. I'm telling you, it is the Internet of crap. I reached out to them, Red Team, Blue Team, e-mail, Twitter, they just didn't care. And it was going on like that for almost 6 months. But here's the cool part about this. Let's say that device successfully had the ability to go out to the Lutron website and download that piece of malware. And now it has been -- it's been breached, right? It has the ability, at least over here, to talk to everything, but in my Zscaler world, it's automatically segmented. And then again, I'm showing where that thing should go to. So if I have something trying to beacon out to North Korea, China, Russia, they can't just go directly out there, it has to go through here. And this thing will say, well, no, you're an IoT device, oh, you're that Lutron device. The only thing you talk to is the Lutron website, right? It becomes a very beautiful thing. So now since I do this auto segmentation, keeping the lateral movement and minimizing that blast radius, that thing can't bounce around and do wild things. But in true Zscaler fashion, we have to figure out how do I broker bit connectivity? Like what happens if IoT needs to talk to application 3 or OT needs to talk to application 2? Like how do I stitch together that kind of stuff? Do I want to leverage MPLS or SD-WAN? No, absolutely not. That's still gross and yucky. If you're familiar with Zscaler Private Access, then you'll be familiar with some of these concepts. But I do this completely different, right? I come over here at your data center, and I don't want to connect networks together anymore.
I'm going to give you a VM that we'll deploy like N+1 for redundancy. And I don't want you to make any changes to your network. I don't want to make any changes to your applications. This VM needs to be able to talk to applications internally. Now what's even cooler about this is, I'm not going to allow traffic to come inbound, it's completely dark. It takes that zero trust principle, keep things of -- keep users off the network, started at zero, right? That's one thing that's really huge with us. There is no implicit trust with the Zero Trust Branch. We start at zero and build the policy out, and this thing doesn't wait for traffic to come inbound; instead it reaches outbound to the Zero Trust Exchange right here. So now if I have a user or -- yes, we'll pick on the user. If I have the user that wants to talk to application 3, that traffic is going to come here, it's going to meet in the middle at the Zero Trust Exchange. And look at the identity of the user, I'm going to look at the policy. I can even posture and do all the good stuff and then create a verdict, allow, deny, steer, isolate, warrants, [indiscernible] coach, whatever. And if the verdict is yes, you can talk to that, right? That little E.T. Phone Home moment. We make a little connection, baby. And let's say that this user was asking for app 3. That traffic is encapsulated in this tunnel. It comes over here to the Zero Trust Exchange, policy is enforced. And on this outbound connection, I do an inbound micro tunnel over here and then I allow that user to talk to application 3. Now this is where I'm fundamentally different from the old school setup, whether they're VPN, whether they're in the branch. Chances are, unless it was like a day-to-day DMZ, right, applications 1, 2 and 3 could be adjacent, be on kind of the same flat network, which means this user, if it could talk to application 3, it can talk to applications 2 and 1.
But in the Zscaler world, what we do is we take your internal applications and we immediately make them cloudy. And what I mean by that is that you can access them the same way you would like Office 365. Do you have identity, do you have authorization, that posture you, but you will never again be in the same network as the application. So this user, if they don't have a reason to talk to application 2, they can't. In this world, they can do that all day long, right? They can bounce around the network like a field mouse leaving a path of destruction and we're able to prevent that. And the same thing, there's an OT device, right, just to kind of draw the dotted line, if they were trying to talk to the database over here, maybe it's like video stuff. And they even say that this is carved off in its own little special world. Again, I just need to have that application Jason and they'll be able to talk to it and again, I'm going to look at this, this OT device is going to say, hey, I want to talk to that database. And that's the -- let's call it this database on blah.com, that traffic is coming over here. It gets intercepted transparently. No agent needed by the Zero Trust branch, comes over here. Again, we look at the identity, or that's that OT device, and it's a lot of talking stuff. Not everything is that one, micro tunnel back over here and then allow the OT device to interact with this application or this database without putting them on the network. There is no implicit trust. You don't need to have complex firewalls here. You don't have to worry about NAC anymore, or VPN. Now every once in a while, people will be like, oh, what if Chupacabra sneaks into the office and they unplug like your Zoom conference tools, they find out the MAC address of that, and they get a computer and they spoof that MAC address and they're on the network. And they want to do like a layer 2 broadcast, like how are you going to stop that, right?
We have deception, decoys and things like that, we'll pick that up very, very quickly. So again, the attack surface is gone, the ability to move laterally, it's gone. Everything is predicated on an identity. No more implicit trust, it's gone, it's bad. And at the end of the day, we want to help reduce that attack surface, shrinking it down as small as possible. That way, if there is an issue, it's just going to be that one person or that one device here, not your entire network. Anything else you want to add to that, Ameet?
Ameet Naik (executive)
Brian, one question that just popped up on chat. In the Zero Trust branch world, do I still need an SD-WAN router, or does that run as a Zscaler appliance? Or how does that work? Where does my ISP connection terminate?
Brian Deitch (executive)
Great question. It's going to terminate right here on the branch connector. So you will buy them as a pair. "Oh, this is something that's very beautiful." The branch connector versus, like, a firewall appliance, right? That firewall appliance over here is doing the processing locally. On a branch connector, I don't want to have to do that. I'm forwarding that traffic over here. This thing is the 500-pound gorilla in the world, right? And so that is taking care of it. So you don't have to really worry about that sizing sprawl effort you had to worry about before. I'm just like, well, how many users and devices do you have? We're going to send it over there. But to answer that question, ISP stuff can terminate here, you'll have multiple -- you have redundancy that way, if there's a failover with the Internet it's going to be transparent to users and your devices.
Ameet Naik (executive)
And can we also do application-aware path selection, so send certain apps certain ways through certain ISPs?
Brian Deitch (executive)
Yes. Good question. Do you want to add anything to that?
Ameet Naik (executive)
Now, I think this is a good view of the old world and the new world and how the Zero Trust branch, Cafe-like architecture is different and better and beneficial, right? So just -- I know you kind of showed this on the left side, but you mentioned we get rid of NAC, right? What else can we get rid of in the Zero Trust branch world?
Brian Deitch (executive)
So in the Zero Trust branch world, yes, the firewall is going away, MPLS, SD-WAN is going away, NAC goes away. I know it's probably hard to even see it anymore as the road is small. But like the VLAN, you just get rid of it, make a flat VLAN there if you really wanted to. Again, that traffic is being processed over here. Now there are some local things going on where we're going to do some auto segmentation of the devices right here. That was an acquisition made late last year, I think in March, a company called Airgap. Basically what they do, it's actually kind of clever and I'll highlight it right now. So let's pretend that either one of these networks over here is VLAN 100, right? And so then we have users over here, right? And then we have some IoT stuff, and then we also have some OT stuff. And if you're on that network you can talk to each other. And most likely, the environment would be like, oh, this is on 10.1.2.0/24. So we're like we're all in a room, we can just kind of all talk together because we had that [indiscernible] /24. And what we do, that's actually really, really cool in the scenario, is that we take it from a /24 and we move it to a /32, and the only thing when that happens is we take you from, like, this room in which we can all kind of talk to each other, and this -- like no more, no more of that at all. We become a network of one, and it's the principle that has secured every cellular network that's known to man, especially the most vulnerable ones running Android devices, right? If you own one, I get it, right? But at the end of the day, these are devices connected to the Internet and yet they don't have a lot of problems with it, right? By taking this to /32, what I'm doing is I'm saying, hey, we're all on this network, but no longer can you just talk to each other, you have to go to the branch connector anytime you want to talk to me.
And then -- so we're getting true micro segmentation, but the details really -- the devil is in the details, excuse me. The branch connector right here is really the kind of the enforcement here. And I think everyone would be like, Brian, you're on crack if you think you're going to take a user that needs to send a print job all the way to the Zero Trust Exchange and back down. We want to be able to do that locally. But the magic is twofold. Number one, /32, the network of one. And then the other part is, we do -- now this is a dotted line because I'm not sending traffic here. I'm sending telemetry to the Zero Trust Exchange to help create the policy, right? We've been trying to do Zero Trust micro segmentation for 20 years, right, that you, me, like the entire world, it's always failed. And one of my biggest questions on doing this is like, what's the largest deployment that we've ever done, right? Because I've seen deployments of 5,000 and 10,000, but I've never seen anything really beyond that. When we had made this acquisition last March, the largest rollout that we had done was 200,000. And you have to think about that mesh of connectivity because it's not this VLAN 100, but it's VLAN 200, 300 everywhere, right? And what happens is by taking that telemetry, we're able to figure out what should talk to what. We can push a policy down right here. That policy goes into an observed mode and says, hey, had we used the suggested policy by the Zero Trust Exchange, this is the traffic that would have communicated, and this is the traffic that would have been blocked. 9 times out of 10, if it was blocked, it would have been malicious.
Ameet Naik (executive)
Brian, so we've covered a lot of ground here. And as I'm looking at this, sort of, this sounds like we're getting better security, we're able to eliminate a whole bunch of point technologies, right? And presumably save cost as a result, simplicity, just one appliance that will manage security, and our ISP connectivity and everything in one place, right? So I think it sounds like a win-win for a lot of our customers. Now one thing I see here that I think may be interesting to talk to users about is M&A, right? A lot of our customers are frequently tasked with integrating a company that just got acquired, and trying to do M&A integration in the old-fashioned way with network integration is a freaking nightmare, right? You need to set up NAC gateways, you need to merge the networks, you need to renumber things. With this architecture, walk us through how this simplifies the whole M&A integration process?
Brian Deitch (executive)
Well, you are just hooking me up left and right today. So let's take the principles that we know, like that Zero Trust branch, and let's look at M&A. So let's come over here, let's draw it small, right? We're coming over here and your company is getting ready to acquire a company called Acme, and Acme has their own applications, A, B and C, they're slightly different. This could be a data center, right? But Acme also has users and a branch, and just know, like, when we talk about securing users, right? When I say work from anywhere, that means at home, at Starbucks, abroad and here, right? So when I draw this little user right here, that user is at Starbucks, but it's also in their version of a branch. And yes, the time to do an acquisition, how long does it take you guys to do? A majority of my customers, I would say conservatively 18 months, and then there are all other kinds of things going on. So not only do you have the work of trying to figure out, hey, we have this data center, we have this data center. This data center is on the 10 net and so is this one. So we have PATs and NATs, we re-IP everything, how do we move these applications and put them into AWS or Azure, there's a lot going on. You have to contend with transitional service agreements, right? There's the pressure of being able to move really quickly because there are penalties associated with it. And then last but not least, you just bought a new company, you want to protect it. You want to get them feeling like this. So what do you do, right? I didn't kind of highlight it down here, but like the way that the traffic gets over here, we do have something called Zscaler Client Connector, that's a little agent. But on day 1, your new Acme people, you're just going to say, hey, you know what, you get an agent, and that means all your traffic is going right here. That also means I'm going to figure out the identity. Now you can cut them all new identities or they can bring their own identity.
Let's say that you're Azure and Acme is Okta. Not a problem, it supports multiple identity providers. And what's neat about this is, you have on day 1, you know who the user is. Number two, you know that if you're going out here to the Internet, they're going to be secure. And number three, if this new person that is being onboarded as part of your company talks to application 3, they can't, right? I'm just going to kind of meet them in the middle, but the problem, right, historically with M&A is like, oh, do they walk around with 2 laptops, do they have to turn on VPN? Gross. No, I don't want to do that. And what I'm going to do is I'm actually going to come over here. I'm going to give them something called App Connector, it's very similar to this. It gets deployed. It can talk into those applications and it reaches outbound here in this direction, right? And so now we're taking the Zero Trust principles. This is gross and yucky, I don't trust it. Hey, this is gross and yucky. I don't trust anything. There is no implicit trust. And then based upon the identity or the workload, that can allow these things to talk to each other. Even this user -- I'm sorry, over here, if this person works in the office, their sole goal in life is to take applications A, B and C, and then to move them to Azure. That's not a problem. I can do that. That user can come over here, hit the Zero Trust Exchange. Are you part of the acquisition team? Yes. Now you can come over here and just do a little micro tunnel back over here and allow you to interact with applications A, B and C. And this user, right, they can open up and say I want to talk to application A, it's going to come over here to look at identity and, boom, that user can talk to it. They can talk to application 3, if there is a business reason for it. I would be conservative -- I think we tell customers this is like a 3-month thing. I have one customer that had over 100 nonintegrated entities in their life.
They are currently in the process. They're onboarding, I think, a "nonintegrated entity" and then making them integrated in less than 8 days at this point in time. Just take it, boom, they're good to go. They're cycling through that day in and day out. Of course, there's other work, like notifying the company, and things like that. There's a little bit of a change, but the ability to do something in 8 days versus 18 months is fundamentally better. So I mean, I think there are a couple of other use cases. Do you want to highlight that via PowerPoint, and I'll hand it back over to you, my friend.
Ameet Naik (executive)
Sounds good...
Brian Deitch (executive)
Thank you, everyone. And go ahead and share, my friend.
Ameet Naik (executive)
Yes. So we walked through the whole reason for Cafe-like branches, right? And why that's helpful. We walked through the M&A integration use case. The other place where this architecture really helps is factory environments, right? Brian talked about this concept of segmentation into a network of one using /32 IPs, right? Immensely powerful on factory floors because you're dealing with OT equipment that costs millions of dollars but may be running a very old stack of IP or software or OS that you -- and upgrading that is just a $10 million budget, right? So it's not easy to pull off. So you've got to work with what you have, and with this architecture, by just changing the netmask to /32, you can work with a lot of legacy systems. You can work with a lot of OT systems and actually protect them without having to go revamp your whole LAN infrastructure, your whole factory floor. And that's been really powerful with a lot of our customers. And also visibility, right? Visibility is a big issue in OT environments because in some cases, you can't run scanners that go probe the network and send things out to these devices. Some of them are just too delicate and sensitive, and when you start pinging them they might do unpredictable things. So that's just something you cannot do. So having visibility into the traffic, East-West as well as North-South, can provide much better visibility of what you have, and then once you can see it, then you can start protecting it, right? You can't protect what you can't see. So again, Cafe-like branches is where the world is headed. We saw all the benefits. We saw all the advantages of this approach that our folks are seeing. But also, we can see why CIOs love it so much, right? It's saving them costs, it's helping them get things done quicker, it's helping them integrate acquisitions quicker. So it's a win-win all around. And if you want to learn more, feel free to reach out to us to get a demo of any of this, we can dive deeper.
We can look into your specific environment and how this architecture can help you, how you can implement a Cafe-like branch and -- or you can go to zscaler.com/ztsase and you will find a lot of great resources to help you understand this a little bit more. But thank you for your time -- and most importantly, thanks to Brian for that wonderful lightboard introduction to Cafe-like branches. Hopefully, that was helpful, and you understood a lot more on how to implement a Cafe-like branch.
Brian Deitch (executive)
And team, if you are watching this, and you're like, you know what, I have so many more questions, or maybe you wake up in a cold sweat. Good news. I would love to meet with you. We do this virtually, any time you want. But if you'd rather go grab a beer with me, I will be at RSA this year. We can either do like a briefing, give me -- at the booth, whatever means the most to you. I would love to shake your hand and say hello. Thank you so much for your time. Ameet, always love working with you, my friend, you're a gentleman and a scholar.
Ameet Naik (executive)
Thank you, Brian.
Brian Deitch (executive)
Thanks, everyone.