Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

All right. We will get going here. Thank you all for joining for day 2 of the UBS Tech and AI Conference. I'm Roger Boyd. I cover cybersecurity here at UBS. Very pleased to have Jay Chaudhry, Co-Founder, Chairman and CEO of Zscaler. Thanks for being here, Jay.

Thank you, Roger.

Yes. We're going to do a fireside chat. I've got the iPad up here. So if you have any questions, you can submit them through the app, and we'll weave them into the conversation.

I wanted to jump into one of the big debates coming out of the quarter, which was the concept of organic growth. And I felt like it masked a lot of what was a really strong first quarter. But just kind of in your words, what have you been talking about in terms of organic growth? I felt like there was pretty good success on the organic business in 1Q. And how should investors think about that? I know it's not the focus going forward, but address it.

I think probably -- yes, the very important point to cover for us, probably I can show you a slide to make it clear. So if you look at our ARR growth overall, this is the growth number. You know historically, what we've done, last quarter we had about 22%. And this year, yes, the total growth is 26%, but in line with the Q4 growth we had. So the business -- organic business is strong by itself, okay? And I think we expect the organic to keep on staying strong. The question gets asked is, why aren't you peeling off the Red Canary numbers, right? So Red Canary is the first acquisition we had, had some revenue. Others were very, very early-stage revenues out here. And Red Canary was acquired to give us 2 main things: one, agentic technology they have to do SecOps functions better because they have been doing for 10 years. They had playbooks and all to do it right. And number two, they have the expertise in this area. We're not trying to build an MDR business. As we evolve our SecOps platform, that's the business I want to count, that's the business I want to share with you. So that's one piece of it. And the numbers, when we went through the audit and looking at the numbers of the company and getting complete with auditors, we were comfortable recognizing about $83 million of that number, which is reasonable. And then there's some renewals around left over. So the business, they've done quite well, but this is a small contribution of the business. That's why it makes no sense to keep on focusing on it. So the issue is not that we're not trying to share information. I think we should share information which is relevant to our business, which is our focus.

Yes. Cool. Thanks for addressing that. And then I wanted to shift to one of the areas of strength, in my view, was the strength you have in Zero Trust Everywhere and now 450 customers that are buying across 3 different platforms. What's exciting about that? Kind of where are you in terms of bringing that to the entire installed base? And what's driving that momentum?

So we started Zero Trust market. We are the pioneers of the market. It started with Zero Trust users. That means making sure users are not on the network, they simply access on an application. It's the opposite of network security. We've done very well there. Then it's natural for us to pioneer the next areas, Zero Trust cloud, cloud workloads. They're someone like users, they should talk to each other in a Zero Trust fashion going through a switchboard. Then Zero Trust Branch was the next thing. And in the branch IoT/OT devices. It's a natural part of security to go and become Zero Trust Everywhere rather than just the users. So we are seeing success in all the areas. And it's also a differentiation for us as some of the copycats are coming from behind and say, "Oh, we do Zero Trust too, even though they're spinning off firewalls the market. When it comes to Zero Trust Everywhere, there's really no competition. It shows our leadership. So we're seeing strong adoption. And when we started the program about 3 quarters ago and said, let's target how many customers are becoming Zero Trust Everywhere. And the target we set out -- we set the targets. It's good to see better, faster adoption happening. So I expect Zero Trust Branch and Zero Trust cloud will be a big part of our growth. When you talk about growth, you look at the growth rate and you look at the meaningful contribution. You can start with a higher growth from a very small base and that's where you're going to see in security for AI applications starting from nothing. But the big contribution to our growth in the next 12 to 18 months, one is our core platform because people still start with Zero Trust users. Zero Trust Branch, Zero Trust Cloud and data security are big pieces. The pillar you see on the right side under AI security, security of AI applications and agentic operations. Agentic operations are SecOps and all this stuff, which is relatively new. We'll be launching some of those solutions in coming months. And I expect both of those to grow rapidly from a small base. But there's plenty, plenty of platform for us to sell. And it's integrated platform. It's not a platform by buying these 5 companies and they're dissimilar products.

Makes sense. I want to come back to data security, but specifically on AI security and what you're doing around security analytics. It felt like with Avalor and Red Canary, there's been more of a platform expansion in that direction. And you talked a little bit about this, but why is that compelling right now? It feels like there's a big opportunity for you to get more strategic with customers, provide more around detection and response. Like what's the opportunity there?

Yes. So Zscaler is processing over 0.5 trillion transactions a day. I mean that's a massive number and that number becomes a basis for doing security operations. So our customers have been telling us, you do all the things, you have all the logs, and then I have to go to Splunk or somewhere else. Why can't you provide me more value when you are the source of data? That's number one. Number two, I believe that AI is the biggest disruptor for security operations because AI can do that stuff in a much, much better way. And AI models are only as good as the data. If we have the best data, we are in a better position to do this than anybody else. That's why to build this thing, we started with our own data, some of our own technology, then Avalor giving us the semantic layer and Red Canary giving the front end, stitching all this thing together becomes a very compelling, very effective solution in detecting things, investigating things than the traditional market out there. And it also established a closed-loop system. I find something, I send it to Zero Trust Exchange to change policy, to block certain things in near real time. Today, it can take days or weeks for things to be found and do that system. So it's a very compelling solution that we offer to our customers, and that's what we're counting on as a part of our expansion strategy.

Makes sense. And then to talk about the size of that AI security bucket. I think you just crossed $400 million in ARR and Red Canary in that. You have some products that have been in the market for a while like ZDX that are contributing there. But it does seem like there's been some pretty strong momentum on specifically the AI for security business or security for AI. AI security posture management is something that you've had for a little bit. What does the momentum look like there? And what are customers telling you about that AI for security?

So first, clarifying 2 buckets under AI security that you see on the screen. Agentic operations is using AI to do certain solutions. It's either security operations, which is what we talked about, or it is IT operations, which is user experience. We -- the reason that sits there from day 1, actually, ZDX was built by using AI. We started predictive AI, then Gen AI came along. So that and SecOps, yes, they are a bigger piece of it, and they are powered by AI. They are -- ZDX has done very well. It's growing very well. Security operations, we expect it to start showing growth. We plan to do the first launch of integrated services next month. And then we'll keep on adding functionality as time goes along. The other area, security for AI applications. This is a brand relatively young market. We have built a number of solutions in this area. We acquired SPLX, a small tuck-in to round it out. It's starting from small -- customers have tremendous amount of interest in it. Those are deal that are starting with small, people are trying to learn and understand it. And we have to have a strong foundation to start with these deals and grow from there. But AI security is a very important area for us. We're making sure we have the right solutions in place and be a meaningful part of that market.

Yes. And to that point, you noted a couple of larger AI security posture management wins last quarter. I think there's a view amongst investors that, that market is still relatively early, but it seems like you have some traction there. And I'd be curious to get your perspective on what gives you the right to win in that market. We've seen all the other vendors go out and acquire products there. I think you feel like you've got a differentiated product and a point in line with applications. But what gives you the right to win that business?

So one of the things customers are looking for, for securing AI applications is that they don't want to deal with 5 different vendors. They look at what's needed to have a meaningful security in that case. One is we start with Gen AI security. When ChatGPT and all these Gemini came out, customers are worried about loss of data. We're sitting in line. We built the product for securing the data. That is number one, over 2 years ago, that has -- now that gets bundled in data security because it is about not -- making sure data doesn't leak out. The second thing we built was AI discovery, essentially risk and posture. What do you have? How risky is it? All that stuff is very important. That's a [Audio Gap] want to start there. And AI SPMs, AI security posture management is part of that. And then the third was red teaming. Companies are building more and more AI applications. And when you build applications, you want to know essentially the vulnerabilities around those applications. Red teaming is essentially penetration test of those applications. That's a young new area, and that's what SPLX gave us because they built a very good product. And AI guardrails is the fourth product. This is when you build the models, how do you put guardrails so the traffic of users and agents goes through you to make sure they're not doing what we call prompt injection or we call data poisoning type of stuff. So you have secure use of it. So our customers need a comprehensive solution in this area that we have. A lot of vendors, there are 100 red teaming companies out there, okay? We look at -- we started with 70, and we whittled down and bought one of them, okay? And they are all kind of point solutions. Integration becomes important and richness becomes important. We are pretty well positioned to do that. Now many times, companies go and buy 6 companies out there. Just because you bought 6 companies, doesn't mean they are integrated. The benefit of going to a single vendor is to have an integrated solution that's easy to deploy and easy to operate. That reminds me of an interesting dialogue I had with a large customer, they had about 2,000 stores, retail customer. This is about a year ago. He said, I was sold a platform, so to speak, with all these products. And as I tried to deploy it, I discovered that the only area of platform where I could get value was consolidated billings for 8 products, okay? All these other things are individual products. Our goal is not to be too like that. Our customers are very proud of Zscaler. Our Net Promoter Score sits between 75 and 80. We've got so many repeat customers who go from company A to company B to buy us. That's because we have the best solution, it works and scalable. So integrated great solution is what we take pride in rather than becoming a Computer Associates who buys all these companies and pick one, and that's not Zscaler.

Yes. Maybe to round out the emerging products. In data security, you've had a pretty unique entry to that market with in-line CASB and DLP. How do you think about that market evolving? There's obviously a bunch of noise around the data security posture management side. Do you find that customers are trying to consolidate that? Do you feel like that's going to continue to progress over the next year?

Data security market is becoming bigger because your data is sitting in all kinds of locations. So you can no longer just do 1 or 2 pieces. Data security is also hard to put policies in place, enforce them, false positives, all those things happen. Often CISOs tell me, doing one data security vendor is hard enough. Now I'm doing 3 vendors to do policies and all, it becomes almost impossible. So about 6 years ago, we decided that we want to be the most comprehensive data security platform and that's because we already had very good solution in DLP, in-line DLP that has traditionally been served by companies like Symantec 1, 2s of the world out there then we expanded into CASB of the world. And it's also natural for us to do data, DLP because we are sitting in line, the traffic is already flowing through Zscaler. Then we added CASB, we added SaaS security posture management was important. We did a tuck-in that brought us third-party supply chain for SaaS security. Then we added endpoint DLP, and we built e-mail DLP, then cloud DLP for S3 buckets and the like. So we have integrated very, very good solution. The area you hear a bunch of noise in lately is what Gartner coined one more 4-letter acronym called DSPM. Now what's DSPM is about data security posture management. It starts with discovering data, where -- what all data is sitting where. Once you discover it, you want to classify it, what kind of data is it. And then once you classify, you want to be able to show what policies can be applied to what data. We have been doing pieces of DSPM all along. But with a new focus, there's a bunch more functionality we have added in this area. So DSPM itself doesn't do data protection because it doesn't really stop data from leaking out. You need DSPM plus in-line DLP to do proper data protection. We came from strong DLP side of it, and we have enhanced DSPM, the 2 together makes the best solution. Customers do not want multiple data security vendors. Look, with $450 million ARR in the space, that has been growing very nicely. If this business of Zscaler were an independent company, it will be the largest data security company out there. And I think we're just getting started. There's a big, big opportunity to grow this area.

Yes. One of the other questions I got coming out of last week was what is -- what's going on with the core business? What's the strength of the core business? And I think it's kind of a challenging question because the core business is ZIA, ZPA, but increasingly ZDX and data security and agentic AI. Like how do you think about the market for -- I won't use a SASE term, but how do you think about the core market for user security?

Right. So a very sizable part of our business comes from core business. I was listening to some of the comment last week and said, well, they used to tell us, are you expanding your platform? Are you growing your new business? We've been telling you the growth of emerging products for the last many years. And suddenly they say, oh, what -- if new business is doing so well, is core business weak? It's like, okay. So core business, and if you look at just some of the stuff, even Zero Trust Everywhere, when we talk about Zero Trust Everywhere, we talk about customers who actually have both ZIA, ZPA, ZDX branches, cloud and everything. So there's part of the core business sits out there. It is true that the new pillars of growth are bound to grow faster than the older pillars, but there's plenty of opportunity for core business. Take even ZIA, ZPA, ZDX. We have 45% of the Fortune 500 companies. It's not that others are gone. We still are finding lots of new companies to go and embed. We are adding new logos at various levels. Now the size of the business is sizable, so you're going to find a lot of business coming from upsell. And when business comes from upsell, what do you sell? You are getting some of the new pillars. And when I went public, it was about 20% upsell and 80% was new logo. We didn't have very many customers to upsell to. In fact, at that time, investors used to ask, you're a ZIA company, would you ever become ZPA. ZPA added ZDX and all these products. You're seeing the story. You're seeing us prove that all this can be done. Every quarter, our upsell has been going up. It should go up. Upsell is easier. Now we are sitting in the 70%, 30% range. And if you look at the ServiceNow model, they're sitting at probably 80%, 90% upsell. They have a lot of customer base. But I think you'll see growth from both areas, the new logo. We are also getting new business. Now the entry point for us is also, for example, security for AI applications. I do not need my core platform to sell those things. That becomes a new entry point for us. In data security, the DLP side generally has been upsell. But some of the DSPM part doesn't even need an upsell. We're doing some of the DSPM in the new logo space as well. So we -- I feel very confident and comfortable about the business at the core level as well as the platform level, there's a good synergy between the 2.

Great. I think I want to talk about go-to-market changes and efficiency that's coming back there. I think maybe you admit that last year was a bit of a challenging year for Zscaler. You had some turnover in the go-to-market organization. Mike Rich has now been in place for over a year. Where are you today? And how should we think about sales efficiency, sales capacity over the next year?

Yes, last year was a transitional year for us. We told investors that we're going to make changes at the management level and to the sales level and the process and focus we bring to the table. And amidst changes, we showed you the numbers we'll deliver. There are a bunch of skeptics talking about the second half committed billing, not committed billings. Okay, while we change all the tires of the car, we delivered -- we exceeded the expectations we set. All the changes we plan to make were made or done at the end of last fiscal year in July. We are essentially now growing and focusing on. If you look at Q1, our sales productivity went up pretty nicely. In fact, we -- the beat we had, we passed all of that beat for the rest of the year. That's good stuff. That also implies expansion in margins. So the sales machine is doing very nice. All the changes are through. And the estimates we're giving you, the guidance we're giving you is taking into all the factors, and we feel very good about the business.

Awesome. Like some other vendors in the space, you introduced a Flex contract with Z-Flex and the momentum has been really good there. I'd be curious to get your view of how customers have received that and what you've seen from a contract duration perspective, what that means for additional flexibility to try new modules, expand across the platform? How has that reception been so far?

First to clarify, I mean, Z-Flex is not ELA. Some companies do ELA, ELA sits out there. ELA says, here's all of my stuff, do whatever we need to use and create shelfware, okay? We are very mindful of adoption of our technology. Now Z-Flex says, you have the flexibility of swap some of these modules. If data security has 8 modules and the customer says, I'm ready with a budget and all to do 4 of them, which 4 do I want? Ability to swap those things makes it easier for them to make a decision. And also, sometimes they say, I can only consume these 2 first year, these 2 next year. So the ramp gets involved in it and there's rate card to change stuff. So it's a good, very good initiative to reduce some of the procurement back and forth kind of stuff. It doesn't generate pipe on its own. You still need to go and work with the customer to show the opportunity, the pain they have for cloud or workloads or DSP kind of stuff. So what's the impact we're seeing of it? One, we generally ask for a 5-year commit deal for this. So most of our deals with Z-Flex are 5-year deals. You are seeing impact of that in some of the RPO, the RPO is going up as the Z-Flex has a part to play. But you're probably also going to see some of the, if may use the negative impact on the billing side of it, if you're building some of the ramps kind of stuff, that's going to reflect in the billing part of it. But overall, it's a very good program. I'm surprised how quickly it has grown. And I think it will be good for us, and it will be good for our customers.

Yes. Very good. I want to get your impression on the M&A strategy. And you've obviously made a couple in the past few years. You've had a pretty consistent track record of acqui-techs, acqui-hires have rolled into the platform. We've seen some of your peers, competitors make more strategic M&A. How do you think about kind of the balance there? And how do you think about markets like observability? Is that kind of within the realm of where you want to go? Or is it more targeted?

So some vendors want to expand in -- probably in more random markets, if I may use the term, random means markets aren't synergistic, aren't really tightly coupled to us. We are thoughtful about the markets we want to go to. There's no point in trying to expand too much and become like Computer Associates, for example, or one guy -- one investor said, do you want to become a PE firm? Or do you want to become a company that offers an integrated platform? We are going to stay in the offer integrated platform, but that doesn't mean we don't expand. You've seen our thoughtful expansion. It started with ZIA, ZPA, ZDX, then it became Zscaler users, then cloud, branch, IoT/OT, data security. We have done extremely good job in building integrated solution with tuck-in acquisitions that have given us pieces to integrate. The beauty of tuck-in is it's small early enough, you can build it as part of the platform, and most of these have been pre-revenue out there. So for AI security operations, we looked at 25 AI security companies that would do SecOps. But as we dug underneath, there really is more demoware than real stuff. We couldn't find any customers who had done business with us. With Red Canary, we found some good technology underneath it. So that's why we acquired it. So we don't really look for big acquisitions out there. We look for meaningful acquisitions because customers like the integrated story. Now we'll keep our eyes -- ears and eyes open, but as a strategy, I think it has worked. It's almost like what traditionally ServiceNow has done. They've done a bunch of small acquisitions. They have a good integrated platform and that platform allows our customers to expand and get integrated offerings. So you'll keep on seeing what we're seeing, there is no change in strategy from M&A point of view.

Great. Maybe 2 questions to close. I think with any technological change, it sort of necessitates a rethinking about how to do security. And we've seen adoption of SaaS and remote work, poke holes and the concept of perimeter defense. How do you see AI kind of accelerating that or changing that further? And I know you've seen some strength with Zero Trust Gateway, which is a relatively new product in terms of how to secure the cloud. How do you see that kind of evolving from here?

So there's no doubt that AI security is creating some big, big security issues. It discovers your attack surface. You can ask ChatGPT and say, tell me all the firewalls and VPNs with vulnerabilities for this customer and give it to me in a tabular format. In the past, it would have taken weeks for a hacker to find it. Now under 60 seconds, you got the answer. Okay? And you can see automation being used by hackers, the Anthropic thing that came out a few weeks ago, the agent got hijacked, and you could do all kinds of stuff with it. So while there are many AI security products that will come out, the best way to block this kind of stuff is to have Zero Trust as a foundation. What Zero Trust says, every location is an island, every branch is an island, every application is an island. That means if something got compromised, the blast radius that is contained to that and that place itself. So having a strong foundation of Zero Trust becomes even more important for AI security. And then you need to do securing AI applications on top of that red teaming, discovery and the like. And then the third area where AI is truly disrupting everything is SecOps. Literally, rather than having people to do the stuff, AI agents can do a lot of that work, and we think that's a very, very exciting area. And the other disruption we see is at the branch and user level -- sorry, branch and cloud level. Look, things may take some time. But when you have a great solution, it works. We are seeing adoption of Zero Trust cloud where people have traditionally used east-west firewalls, north-south firewalls. They're complicated. The world of cloud is hard to deal with IP addresses that firewalls depend upon. We see a big opportunity there. Take Zero Trust Branch. We're the only company that's actually talking about that. Everyone else is mesh network, SD-WAN, this and that. And as we built a solution 6 or 9 months ago, I would think that this is such a wonderful solution. We already talked to a dozen, 2 dozen customers who loved it and said, how will the broad market respond to it? I have no idea. Now having talked to hundreds of customers, I haven't found one that says, I want to stay with my SD-WAN, my mesh network. It's exciting. I mean, I don't know exactly the reception. The reception is strong. When you have a platform, when you have technology that's so differentiated, branch is unique. Zero Trust Cloud. There's nobody else who offers Zero Trust communication cloud workloads. The competition there is legacy virtual firewalls. And when we bring all these technologies to the market, our customers appreciate it. That's why they're spending money, they're growing with us. And as we finalize, as we have honed our go-to-market engine, we think we're very well positioned for the long run.

Awesome. Well, it's -- I think we're up on time. So we'll end it there. But Jay, thank you for being here. It was great. Thank you all for joining.

Thank you. We appreciate it.

All right.