Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

All right. Well, good morning, everyone. Welcome to day 2 of the Barclays Tech Conference. My name is Saket Kalia. I cover software here. Honored to have with us the team here from Zscaler. We've got Kevin Rubin, Chief Financial Officer. Also have the Investor Relations team here with Kim Watkins as well as [ Catherine Hua ], who I think is somewhere around here as well. So we've got about 30 minutes together. Let's take maybe the first 20 or 25 minutes to go through some fireside chat with Kevin, which I know is going to be real fun. And then -- we'd love to make this interactive. So if anyone's got a question, just pop up your hand, we can get a mic around.

So with that, Kevin, thanks so much for being with us here today.

Thank you for having us. We're thrilled.

Yes. So it's -- we've been very lucky since the IPO to have Zscaler at our conference for years. But I think this is the first Barclays conference where we've had you here as CFO, hopefully the first of many. Maybe with that said, just tell us a little bit about your background and what attracted you to the opportunity at Zscaler.

Sure. So I've been in enterprise software for about the last 15 years prior to joining Zscaler. Prior to that, I had been in other elements of technology. My experience is kind of abstracted as the tech stack has abstracted, started with wafer fabrication into data storage and then more recently into software. After we sold Alteryx, which was my last longer-term gig, I got introduced to Jay and candidly didn't know a lot about Zscaler. But as I got engaged and learned more about the company and the opportunity, it was very clear to me that we had a very differentiated opportunity in the space. And aside from the fact that I thought the management team was exceptional and people that I would love to partner with and work with, I really thought the Zscaler opportunity was incredibly unique and one that I wanted to be part of.

I totally understand that. Very, very helpful context. I think everybody here in the room is certainly familiar with Zscaler. But just to make sure we're all on the same page, can you just recap some of the points from last quarter that you were particularly proud of?

Yes. So for us, Q1, like many other enterprise software companies, tends to be the smallest seasonally quarter -- seasonal quarter within a given fiscal year. For us, it was a great start to the year. We had 26% ARR growth. Within that, we had 22% organic growth. For those that have followed us, we did acquire Red Canary at the beginning of the quarter, which contributed to ARR for the period. But we really did see strong performance across -- broad-based performance across the organic business, whether that's geographical dimensions or product vertical dimensions. We really did see strong organic growth. I think Jay even mentioned on the call that it exceeded our internal expectations. And so that was really color intended to share how we saw the performance in Q1. From a profitability perspective, it was a Rule of 78 quarter. We had 52% free cash flow margin. Now that is also seasonally affected. Q1 tends to be the highest cash collection quarter of the year. But all things considered, we felt really good coming out of Q1. That strength in the underlying organic business gave us confidence to raise guidance, which we did for the full year. And we think it really does position us well.

Yes, absolutely. I totally agree. That 22% organic point is very helpful, and it was clear that, that was ahead of your internal expectations. I think this is the first full quarter that we had Red Canary as well. Remind us, how did that do versus what you expected?

Yes. So as we had mentioned going into the quarter, we expected Red Canary to contribute $83 million of ARR at the close. So that was the amount of underlying business that we picked up. And then we had shared that we expected Red Canary to deliver $95 million throughout fiscal '26, which effectively implies, if you just straight line it, $3 million a quarter. And our commentary was that they actually did a little better than that in Q1. So in addition to the underlying strength we saw in our organic business, we also saw better performance in the Red Canary in the quarter.

Yes, absolutely. It was a good start to the year. I want to take that point just on organic growth and a better start with Red Canary and maybe think about kind of what we've said for the fiscal '26 ARR guide. Have we given any guardrails around how much we should think kind of coming about -- coming from organic? And more importantly, what are some of the fundamental drivers that you think about in terms of underpinning that growth?

Yes. So our guidance going into the year on the fiscal '25 call implied that net new was 6% or 7% growth in fiscal '26 organic. And hopefully, the takeaway from having raised guidance is that's now going to do better. So as we think about the opportunities in the business, we are more bullish as we're here in Q1, obviously, than we were in Q4. When we think about the growth drivers, we talk about 3 growth pillars, right? That is Zero Trust everywhere, and I'll talk a little bit about what's included there. Data security everywhere and AI security. I think what has gotten lost in that discussion is we're actually seeing very good growth still in what people have described as the core business. So you think about ZIA and ZPA for those that know Zscaler, basically, our ability to provide security for users. Zero Trust Everywhere extends that into other types of resources. So yes, we have accelerated growth and higher growth in our 3 growth pillars. But we are still seeing pretty strong performance in just the core ZIA, ZPA business.

That's a great segue, and I really want to talk about sort of the growth differentials between the 2. But those 3 growth pillars, I think, are super important. Maybe just -- and I want to dive into each one of those individually. But can you just remind us what we said about the scale and the growth of those businesses collectively?

Yes. So as it related to Zero Trust Everywhere, we described that in the context of how many customers were Zero Trust Everywhere customers. And how we define that is Zero Trust users, that is the ZIA, ZPA customer base. And then we have since released Zero Trust Cloud. So how do you apply Zero Trust principles to cloud workloads and Zero Trust branch. So how do you extend Zero Trust to your IoT, OT devices that are sitting in your branch offices. And we know that there are millions of branch offices in the world. So moving a customer from a Zero Trust user to a Zero Trust Everywhere customer, not only does it from the customer's perspective, allow them to employ Zero Trust principles across all of their resources, it does result in a 2 to 3x increase in ARR for us. So that movement is, we think, incredibly strategic. The target that we set was to achieve 390 of those customers by the end of fiscal '26, and we actually achieved over 450 in Q1, so 3 quarters earlier.

That was a very healthy start to that goal. I want to follow up on that. That was a great summary and particularly want to dig into kind of the Zero Trust branch part of that opportunity. That feels like one of the bigger ones as we think about the 3 things that a customer has to fulfill in order to become a ZTE customer, right? So can you just talk about how you think about the Zero Trust branch opportunity within the customer base? I mean, should we think about all ZIA customers as candidates for Zero Trust branch? How do you think about that?

Yes. There -- from our point of view, there is no reason that a Zero Trust user customer would not be a Zero Trust everywhere customer. If you have bought into Zero Trust principles being that anything that is connecting to anything should be authorized, should be authenticated before it has an opportunity to connect as opposed to, I authenticate you coming into the network and then I let you run free. If you bought into the notion that Zero Trust is better security, there's no reason you shouldn't apply that to cloud workloads, applications talking to applications. There's no reason you shouldn't apply that to badge readers in your buildings, security cameras, printers, anything else that would need to have access to your network. There are examples of those devices getting hacked and it end up permeating into issues within your corporate network. Steve House, our Head of Product, mentioned in an earlier conversation this morning, you don't want to see somebody hack your set-top box that happens to sit on your network and ultimately affect SAP or have an issue with those. But once you're in the network in a traditional architecture, you're in the network and you can run around and create issues. But in a Zero Trust world, you are authorized and authenticated for that particular use and that use only. You don't even have exposure or visibility to anything else existing. So back to the question, we see no reason why if you've adopted Zero Trust for your users that you wouldn't extend that naturally to any other type of resources within your environment, including agents, and we can talk about that in the AI security section. But there's no reason that agent-to-agent communication shouldn't follow the same principles. And you're going to have -- if everything plays out the way that people are predicting, you're going to have far more agents communicating with agents in the world in the future than you have users. And you're going to want to also apply these principles to that communication.

That's interesting. And just to put a bow on Zero Trust Everywhere, did you say a 2 to 3x uplift? So Zero Trust users only moving to a Zero Trust Everywhere contract, that's a 2 to 3x uplift is that what we said? Well, that's compelling Interesting. Got it. I want to move over to data security everywhere as well. And maybe just foundationally, can you just walk us through some of the key modules that are included in that pillar? And similarly, what have you said on kind of size and growth for data security specifically?

Yes. So we have 8 modules that we offer from a data security perspective, things like in-line DLP, endpoint DLP and other types of data security-related protections. The concept of Zero Trust allows us -- we sit in line of traffic. So we inspect packets, we apply policy at that level as you have communication running through your network. That is a unique position that allows us to also naturally do data protection and understand what data is being transmitted across that in-line communication path. We have, to the best of my knowledge, the largest purpose-built security cloud in the world. And we operate 0.5 trillion transactions in this cloud each and every day. That's orders of magnitude greater than just Google searches. And I think that competitive advantage and unique advantage is underappreciated. And because we have this such broad platform that is in line to all of these communications, it allows us to naturally extend into areas like data security. So at the end of Q1, we mentioned that data security had exceeded $450 million in ARR. So it's also a very significant concentration of our business. And I'm very proud of it.

Yes, absolutely. And I think you answered one of my next questions, which is what gives Zscaler the right to win in that data security space, particularly with all the M&A and sort of the noise that we've seen in kind of the CSPM space in general. And it sounds like by sitting in line, right, with kind of that communication, that's what gives you the right to win there. Is that a fair summary?

Yes, 100%. I mean there's no reason that you should think about data protection in any area of your network outside of the communication path that is happening. So that's the approach that we've taken that is core to Zero Trust principles. And again, I think, we -- I think it's underappreciated the size and scale of the actual platform that we operate and that we offer to our customers. So we provide customers the opportunity to be able to start with simple Zero Trust for users. We give them the opportunity to then expand that use into data protection modules. We give them the opportunity to expand that into SecOps and ITOps with respect to some of our AI security offerings. We give them the opportunity to inspect AI-related traffic. So that you can understand prompting when your employees are interacting with the language model, and you want to make sure that they're not asking how do I build a bomb on company resources or how do I do things that I should not be asking my LLM within a company to do. So we have the opportunity to inspect those prompts. We have an opportunity to ensure that the policy that you want to apply to that use is properly applied. So again, we have a right to win, I think, in both data security and AI security by the nature that we are sitting in line to that traffic. We see -- we have access to the largest possible data set underlying that traffic, and we can use that for things like understanding pattern recognition and understanding vulnerabilities and threats and be able to apply that across the entire Zero Trust Exchange, which is incredibly unique to our platform and one that none of the other vendors can claim or offer.

Absolutely. So we've talked about Zero Trust Everywhere. We've touched on data security everywhere. I want to just kind of wrap up the trifecta here with AI security. Remind us -- similar question, sorry, just to frame everything. What have you said about size and growth there? And walk us through some of the more material modules in that part of the business?

Yes. So our AI security growth pillar exceeded $400 million in ARR at the end of Q1. So it has been doing incredibly well. It includes -- we bucket it into 2 elements. We have securing AI. So I talked a little bit about understanding prompts and guardrails around how organizations are interacting with large language models and applying policy to that activity. That's securing the use of AI. And then there's AI security. So how do you then use AI to provide better security. And again, when you think about just the breadth of the platform and the underlying data that we see, it gives us a massive competitive advantage in terms of being able to use AI to then provide far better security and posture to our customers. Things like AI guardrails, right? So that's the prompting. AI asset detection. So how we think about understanding the actual posture of your AI environment. We recently acquired and spoke to SPLX, which allows you to do AI red teaming to stress test your AI applications before you deploy it and make sure that you have an understanding of what vulnerabilities may exist before you expose those to customers. So AI is a significant opportunity for us in an area that you've seen us participate from an M&A perspective quite a bit. And lastly, we have within the AI security, that's where our agentic SecOps activities exist. And it started with the Avalor acquisition that we made a few years ago -- a couple of years ago. Around how do you contextualize your data, how do you synthesize your data for purposes of understanding and vulnerability management. And then now that we have the agentic technology from Red Canary, we can start to apply that to this massive data set and be able to provide better security and vulnerability management to the broad-based customer base.

Interesting. So we've kind of -- we've talked about those 3 pillars. I want to kind of bring it all together. If we think about those growth businesses making up over $1 billion in ARR, this is one of the topics you touched on earlier. I'm curious to hear how you think about that [indiscernible] is a total $3 billion ARR business. How do you think about the other $2 billion plus in ARR that comes from kind of what we call core or maybe those a la carte purchases of ZIA, ZPA and ZDX. It feels like that Zero Trust SASE market continues to see healthy secular growth. But I guess as we see more customers move to Zero Trust everywhere, for example, could we see some business shift out of that $2 billion bucket into that $1 billion bucket? How do you think about that sort of dichotomy?

Yes. I don't -- I think we've kind of created a little bit of unnecessary confusion in how we've talked to kind of these growth pillars and by extension then what it implies to the rest. Yes, I think mathematically, the challenge is as the underlying Zero Trust user customers begin to adopt more of the elements that are sitting in these growth pillars, you just mathematically kind of create this movement of their underlying business into the growth pillars, which I think a little bit obfuscates what's happening underlying the growth. We've actually seen pretty strong performance in our ZIA and Zero Trust user business. That does not come through, I think, in the way that we have talked to these elements of the business. And so we'll think about how we better provide clarity to investors on what we're seeing underlying the business. But we are seeing broad-based support. We have about 45% of the Fortune 500 companies as customers today, implying that we've got more than half of those that are not yet customers that we have intent to go out and capture. We have about 40% of the Global 2000. So again, you've got over 50% of the Global 2000 companies that we believe should be Zero Trust and Zscaler customers. So there is a significant opportunity both within our existing base to upsell into more of the Zero Trust user population, more of the Zero Trust Everywhere population into data security, AI security. But there's also just a significant opportunity from a net new logo perspective vis-a-vis these large customers. One other data point just to keep in mind, we have about 4,400 customers that we would consider kind of an enterprise customer, meaningful size organization with a meaningful sized user count. We estimate there's no less than 20,000 of those customers that are addressable by what we do. And so if you look at it from that perspective, you've got about a 4x opportunity in that context, if you want to look at it separate from Fortune 500 and Global 2000.

Very helpful. And maybe that's a good segue into -- one of the questions I get sometimes is just on the competitive landscape in the Zero Trust/SASE market, particularly as we think about some of the firewall vendors, we just had Fortinet here, right? As we think about some of the firewall vendors getting into the SASE space, of course, we've got some smaller pure-play vendors as well. Listen, I think about this as a rising tide type of market. But maybe you can just talk to us a little bit about how -- what are you seeing in terms of competitive win rates? Do you think this is a rising tide type of market just based on the number of opportunities? Or how do you think about kind of that competitive landscape and the metrics that you can see?

So when it comes to SASE, we think very clearly about Zero Trust. And that is a fundamentally different approach to just generic SASE. It's -- as I kind of described earlier, it is this notion that you're adopting principles that you believe that only certain resources should have access to each other for only the limited purpose that those need. So you're not creating -- you're not simply creating a network infrastructure that previously was on-premise and pushing that infrastructure into the cloud and calling that cloud security. You are approaching cloud security in a fundamentally different way. We offer that through our Zero Trust Exchange. We offer that through the ability to basically trust nothing and nobody and only authenticate and authorize as it relates to a particular task at hand. So when we think about that market, I agree. I think that there is a lot of effort and push that's going into the need for Zero Trust. You look at the proliferation of AI and soon to be agents, and there has got to be a methodology to be able to orchestrate that communication between those agents. We think we are uniquely positioned in that, specific to what I kind of described through the Zero Trust Exchange. We have talked a lot about being -- creating an agentic exchange, so extending the Zero Trust principles that apply to users to cloud and branch, but then also to agents and being able to orchestrate that communication since again, we sit in line, and it's kind of the natural way to do it. The other thing I would just reinforce when you think about Zero Trust architecture vis-a-vis traditional architecture is the cost arbitrage to deploying Zscaler, I think, is also significantly underappreciated. You no longer need all of this heavy legacy hardware equipment to be able to offer better security. You're doing so in a point-to-point relationship through our cloud service. And so you don't need your SD-WAN architecture. You don't need your VPN architecture. You don't need your firewalls. And simply shifting that investment into a cloud service is not eliminating the need for those costs. But when you adopt Zero Trust through Zscaler, those costs go away. And so that is an incredibly powerful tool that we use, especially in difficult markets to make very compelling value-based arguments from a competitive perspective.

Yes. Super, super helpful context. I want to dig into some financial questions here on the time that we've got left. Kevin, I know that we've talked about sort of investing for growth, which makes a ton of sense given the market opportunity we've talked about. But at the same time, I think we've reached really the top end of the long-term margin target that the team gave several years ago, right? I think the range was 20% to 22%. We're close to the top end of that. So looking forward, maybe I'll ask the question broadly, how do you think about that balance between growth and profitability?

Yes. We have been, I think, very fiscally responsible in our growth. We've been -- fiscal '25, we were a Rule of 50 company. We have been a rule of 50-plus company since going public in 2018. So we have been very responsible with how we deploy capital and resources in the organization. And there's no intention to change that philosophy going forward. Now we've also been able to do that with higher levels of growth. And as we mentioned on the earnings call, we are one of only 5 pure-play software vendors that are growing at 25% or greater at a $3 billion or more scale. And so we continue to be able to grow at high rates. but deliver significant profitability in doing so. As it relates just to the longer-term model, we do intend to hold an Investor Day later this year where we take an opportunity to kind of reset how we think about the opportunity ahead, what's the strategy underlying that? And then what's the longer-term financial model that you should expect given that strategy. I will put out there if anybody has any recommendations or thoughts on things that you'd like us to address, please reach out to our IR team. We're happy to have those conversations. But that will be a good opportunity for us to be able to kind of reset how we're thinking about the business from the perspective of investors because we haven't provided a lot of update to that since, I think, '21.

I think that's going to be a great event. I can't wait to hear more specifics on it. Maybe just to follow up on it. I think that Jay has anecdotally talked about a path to $5 billion in ARR. You even kind of dangled the $10 billion ARR on the last call. I mean now that we've shifted the focus metric here to ARR, which, by the way, was great, you've -- as we said, we've kind of reached the high end of the long-term margin target. I mean, how is Jay sort of thinking about those kind of top line targets? Because at $3 billion in ARR, $5 billion doesn't seem that hard anymore from what it's worth. Broad-based question, but curious your thoughts.

Yes. I mean, ultimately, we'll go into far more detail and share our view of kind of the path to a much larger company. What I will just say offhand is, obviously, Jay has a lot of aspiration and a lot of confidence in our business. And his aspirations don't stop at $5 billion and frankly, probably don't stop at $10 billion.

That isn't surprising at all. Maybe one point that I wanted to touch on as part of that, one of the things that launched this year, and I think it has done really well is Z-Flex, right? So maybe we can just dig one level deeper into how those contracts are structured. And I want to be sure that we talk about, could there be any kind of model impact as that Z-Flex concentration or mix grows that we should know about?

Yes. So Z-Flex was -- is our offering that provides our customers with a very flexible deployment model. It allows them to think beyond kind of an initial order and plan out what could a much broader Z-Flex -- excuse me, a Zscaler deployment look like over time and give them confidence that whatever commitment they're making is protected in that they have opportunities to mix and match the technologies that they use from Zscaler over time. So if dynamics in their business were to change, those monies that they're committing and investing in us are protected. So that is our approach to providing customers with greater value, greater flexibility. And in doing so, what we find is those customers tend to make longer-term commitments to Zscaler, and those deals tend to be notably larger, because of the dynamics of Zscaler. One of the other natural byproducts of these longer-term broader contracts is you go through a negotiation, a pricing discussion and a contracting discussion once. And so every time a customer wants to expand, deploy more technology, they don't have to get their procurement teams involved. They don't have to stand up additional PRs, purchase requisitions and purchase orders internally. They've already gone through the process. They know exactly how much each of the modules on the platform are going to cost them and what it takes to deploy. From a modeling perspective, there's nothing per se unique to the Zscaler contract that is any different than an a la carte purchase structurally other than these features that allow them the opportunity to easily move into more modules, different modules and then they tend to be larger and longer.

Excellent. Excellent. Well, in the time that we've got left, I want to ask kind of a little bit of a deliberately open-ended question. But as you look at your own internal metrics like pipeline and opportunities and all the fun stuff that you folks get to see, what do you sort of -- how does this sort of feel in terms of customers' willingness to invest and spend in security in calendar '26, open-ended?

I think it's fair to say this is still a challenged market. Budgets are not free flowing like we saw in '20 and '21. Customers are very mindful as to where they deploy capital. And to maybe just draw back to one of the points I made, one of the very powerful conversations that we can have with customers is the cost arbitrage that they can see by deploying Zscaler. And one of our sales motions is to be very explicit on as you deploy more of the Zscaler platform in your environment, what costs are you able to remove from your environment with other technologies that are no longer needed. And that dynamic is incredibly powerful.

Super compelling. I couldn't think of a better way to end there. Kevin, team, thanks so much for the time. Appreciate it.

Thanks for having us, our pleasure.