Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Minute early, since I have to read these disclosures, and I think you would all rather hear from Zscaler. So for important research disclosures, please see Morgan Stanley research disclosures website at morganstanley.com/research disclosures. If you have any questions, please reach out to your Morgan Stanley sales representative. I'm Meta Marshall. I cover cybersecurity here at Morgan Stanley. I'm delighted to have Zscaler here today. Jay Chaudhry, CEO, founder, multi-hyphenate, and then Kevin Rubin, CFO.

Maybe let's just kind of circle maybe to start with before we go high level on fiscal Q2 earnings. You reported 25% ARR growth, 21% organic. You raised full year ARR targets organically, but maybe organically, it was viewed as a step-down from fiscal Q1 results. Where did you see the strength in the business in fiscal Q2? And what left you kind of encouraged for the rest of the year on both businesses?

Yes, I'm happy to start. There was a couple -- a few things with respect to the first half that I think is notable. First, we mentioned we had a record number of Q2, $1 million deals for Q2 -- for Q2, which I think just underpins the transformation that we've made in our go-to-market. So that was -- I think that was a really good proof point. We also talked about Z-Flex, which is our flexible buying vehicle for our customers. We did $290 million in TCV bookings in the quarter with Z-Flex. And since we launched the program, we have about $650 million in TCV under the Z-Flex program, which, again, if you think about what it represents, it's longer-term larger deals that our customers are making with Zscaler. So another area, I think, that just underpins some of the strength that we're seeing in the business. And then to your point, I mean, we did see strong growth in the first half of the year. My comment would be that we did raise the net new ARR expectation for the year. And it was reasonably consistent with the performance thus far. So I think we're feeling really good as we go into the back half and what we can do.

Got it. Jay, I know you addressed this on the call, but just given how topical it is, what do you think investors are missing right now about kind of this dialogue around whether AI can replace cyber versus kind of the discussions where it had been, which is that you need cyber in order to have AI?

So for us, AI is net positive opportunity. So to deploy AI security, you need to secure AI, because unlike many other technologies, AI can be a very dangerous tool. Hackers are embracing AI faster than enterprises are. So when I talk to lots and lots of CIOs, they're all doing some kind of projects out there. And they're all nervous by rolling them out, and they really look at 2 things. One, tell me what AI use is happening in my company. So understanding of getting visibility and risk associated with that. Then as they are building applications, they want to do testing, vulnerability assessment. So red teaming type of tools are needed. When they deploy them, then they want some guardrails to make sure those applications and models aren't abused. So that's one product set, maybe call it solution we launched on January 27, we call it AI protect, integrated or comprehensive, so they can get moving with it. And the next thing they are all excited about is AI agents. Because they think that AI agents can give them the productivity that's needed. And that creates a whole new kind of challenges. Traditionally, a user has in the weakest link from a cyber point of view. It's very much expected that AI agents will be the weakest link. Imagine agents getting hacked or hijacked in your enterprise, they have access to all kind of application services. And users move slowly, agents move on the dime. Users are thousands and agents will be millions. So they want to make sure there's a policy engine that can really allow right agent to access right application or talk to right agent. And that's our core competency. So we are very excited about it. We are talking to lots of customers. We have a growing pipeline.

Got it. What we found in our checks kind of despite some of the negative commentary around AI, is that you're finally seeing kind of broader SASE adoption that's being spurred by AI. Just beyond kind of the visibility and the agent protect, just what are you seeing as the biggest catalyst today for organizations maybe moving from kind of one piece of SASE to kind of a broader SASE adoption?

So first of all, SASE is a catch all phrase, it's kind of open buffet. You pick whatever you want to pick. We like to talk more about Zero Trust security. Because that's what's trying to fix security. The security is broken because we have been doing it by trying to secure the network by building firewalls and VPNs around. When Zscaler came on the scene, and we said forget firewalls, forget network security. You don't need to trust the network, you don't need to trust the users. Everything is untrusted, Zero Trust. You give this much trust, so you can access application A or B or C without being on the network. The first part of Zero Trust was users. Users being able to access certain applications. The next part became workloads. Workloads are somewhat like users. They talk to Internet, they talk to each other. Very natural for us to extend or exchange for workloads. Now what's being done in the workload areas so far? Same thing that has done for 25 years. Virtual east-west firewall, virtual northward firewall. So this is the next phase we brought. And the third phase we brought is Zero Trust for branch offices. A typical compromise happens this way. A single infected machine in a branch office gets compromised. The malware moves laterally and this mesh network, brings everything down. In the world of Zscaler you don't have lateral movement, you don't have mesh network. Every device from the branch talks through our exchange. So that policy gossip to the users to workloads to branches. And the next phase is agents. We think it's a wonderful opportunity.

Okay. You addressed this on the call as well. Zscaler continues to lead to market share gains for SASE. Our checks continue to kind of point to strong positioning. Yet we get questions about the number of competitors in the market. Have you observed any changes in win rates or kind of the competitive landscape around SASE?

In the large enterprise space, which is our primary segment, that's about 20,000 employees. If anything, I would say the competition has become less. Why do you say that? Because these large enterprise customers are CIOs, CISOs, they all know us. They understand what we bring to the table. And they also listen to some of the competitive story, where underneath its virtual firewall sitting around. So they see the difference. And they're pretty savvy. There's less -- when you go down market, there are more competitors out there. But I can tell you that any of these new competitors coming in, having talked to hundreds of large customers in the past few months. We haven't really seen any increase in competition there. The biggest focus from CIOs is, one, I want to remain safe, give me Zero Trust and help me secure my AI initiatives. Number two, can you do it with greater ROI and remove some of the cost out of it. We are able to do both. A firewall company won't do that, even though they try to talk about platform because the biggest spend in security still is firewalls. They have to cannibalize it. We like to cannibalize it. They don't. So we are able to go out, take some of these products out, make the case very compelling. That's what's driving our growth.

Got it. We've had kind of additional discussions over kind of the past months about seat-based models, and SASE has traditionally been a seat-based model. You guys talked about 25% plus of new bookings being non-seat-based for Q2. Just how do you think about kind of that overall value proposition to customers and kind of what that method of charging for it should be?

Yes. Traditionally, most of our business has been seat-based for ZIA and ZPA, but also some of the business has been known seat based. When we do guest WiFi, there's no fixed number of seats. It's charged based on the traffic flow. When we charge third-party contractors, suppliers and customers, that's not a fixed number of seats that's linked to traffic. So we have had those things. And then you go to the next level, take some with Zero Trust workloads. Workloads it's based on number of workloads and the amount of traffic. Take data security. We have 8 modules. A couple of those modules are based on number of users, but many of these modules aren't linked to users. When I do data discovery around terabytes of data or I classify it, it's not linked to users. So this piece of the ARR has been growing steadily, and it got to 25%, and I thought it was a good milestone. We expect it to keep on growing. The biggest new growth factor in this area will be 2 pieces. One is AI security products, which is about red teaming to guardrail, all this stuff. That's all based on tokens essentially and then AI security exchange, or agent security. They will be all token-based.

Okay. We've spent some time talking about AI security. We've spent some time talking about Zero Trust Everywhere. Kind of that third growth pillar has been the data security everywhere. Those 3 businesses have now kind of crossed the $1 billion in combined ARR, growing faster than the overall business. Just how do you see kind of maybe some of these growth pillars over the next couple of years developing?

So Zscaler, Zero through Branch has gone through an inflection point. We are seeing very rapid growth. It eliminates traditional networking, SD-WAN and the like. Five, 7 years ago, I used to say MPLS is going to disappear. People said you're crazy. Where is MPLS today? It's by and large gone. I think SD-WAN will follow the same fate too, it's a matter of time. About a year ago, when we were just getting ready to launch Branch, I used to wonder, what percent of Zscaler customer will embrace it? And what percent will say, I need to keep my SD-WAN, I love it. Again, I've been surprised that almost every customer I have talked to, they're all ready to make Branch like an island and, no mesh network, no SD-WAN. Big opportunity. I think 3 to 5 years, people are going to say, what does this SD-WAN you think used to be? So that's big growth. Zero Trust cloud workloads, the only way it's being secured, the only alternative to Zscaler is old-school virtual firewalls. They are hard enough and complex enough in a data center, dealing with IP addresses and all firewall is a network device based on IP. This source IP address can talk to this destination IP address. It's a nightmare in the cloud. Since with Zscaler, this VPC can talk to this VPC. It's wonderful. This solution is growing very well. Data security. Data security, we started many years ago. We've done DLP. Then about 5, 6 years ago, some of the CIOs told me, we get tired of managing multiple DLP policies. Even one product is hard enough, dealing with policies for multiple is very hard. Zscaler, you should really offer full data security offering. So we went all the way, not just in-line DLP, e-mail DLP, endpoint DLP, SASE, SSPM and on the cloud data security. It's the most comprehensive solution. And we are in line, we are a proxy. So hence, we can inspect before the traffic goes out. If you aren't sitting in line as a proxy, you can do that. That's why you don't hear from firewall vendors that they could do amazing data security because they aren't able to properly inspect it. So this is a big area. I mean sitting at close to $0.5 billion in ARR. If we -- if data security was an independent business for Zscaler, it would probably be the largest data security company. So it's good. The many growth engines for us that are working.

Right. Okay. Maybe turning to another one of those Red Canary. You talked about -- can you talk about the long-term strategy for this business as it kind of becomes not Red Canary separate, but kind of part of Zscaler altogether.

Maybe I can make broader comments on strategy. Kevin, you can give some color to it. As we said, we wanted to get into AI Agentic SecOps because AI can disrupt SecOps. Our customers are telling us they're paying too much money building these data lakes. And they said, we have probably the biggest set of logs, and they get put some where they pay for them. So that's how we started to move into the SecOps space. Once we have the back end, we needed the front end. We needed agentic technology SecOps agent that could really solve this problem and do it in a faster and better fashion. And Red Canary actually has that technology even though they're MDR company, they've been doing this for 10 years. They had playbooks and they took the playbooks. They had converted those playbooks into agents in production. And we are integrating the agentic technology with our back end. So there's one AI SecOps product that we can go and disrupt the market. So it's -- that product is coming along well. Red Canary technology is integrating very well. So we think it's a good opportunity for us because, if there's one area, AI will disrupt more than others. It's a SecOps.

And then, Kevin, I mean, just in terms of it's outperformed maybe kind of the expectations you had coming into the year. So just what are you kind of seeing from the business now having owned it for a number of quarter?

Yes. So I would describe when we acquired the business, we mentioned that current year renewals were not picked up as part of our initial recognition of the original $83 million in ARR. And that was, by and large, because MDR businesses historically have higher churn rates than we have in our business. And you have a much larger company purchasing a smaller company. And keep in mind, about half of their business is in what we would describe as the commercial segment, which is companies that are generally smaller than Zscaler support or at least intend to support directly with our go-to-market resources. So there was a lot of uncertainty from our perspective as to how much of this business would likely renew. Now that we're 6 months later, we have seen what those renewal rates have looked like. And my commentary on the earnings call was they have been elevated. So I'm glad that we took a more conservative approach to those expectations. The guidance that we have provided and updated in the last earnings call, reflects now what we've seen from a renewal perspective and what we expect at the end of the year. So yes, it was an increase driven in part by what we've seen from a renewal perspective. I don't know that I would characterize it as exceeding expectations. I think it's part of the mechanics that we came into the year with?

Okay. I mean, Jay, you've done a number of acquisitions kind of over the last 12 months. Most recently, kind of SquareX, you kind of announced for browser security. Just how do you think about kind of where the white spaces are in the platform and just how M&A will be a portion of that strategy?

We are quite disciplined about what we want to offer, what we don't want to offer. If we want to offer or be in a given market, we want to do the best. Otherwise, we won't play into the market. And we look for markets that are synergistic to us. When we went to Zero Trust Exchange area as we added ZIA, ZPA, Branch, for example, we bought this company called Airgap Networks. It rounded out our Zero Trust device story, very synergistic. Came along extremely well. Take Zero Trust for information access, secured browser. I'll share my position as compared to the market. We have been offering Zero Trust access using remote browser, which runs in the cloud and offering this functionality. We have a pretty sizable business doing this browser business, remote browser. Now there are some use cases for unmanaged device using my own device, my own browser, people want to access information. And in many cases, it used to be third-party suppliers or customers. You could use Zscaler remote browser to work with that. There's one piece that customers are wanting. They want device posture check from security point of view. You can't do posture check unless you put something on the device. The stand-alone browser companies would say, download my full browser and you can do the check and you go direct. A couple of years ago, we actually looked at some of them, even looking at see if you could buy this company. We didn't feel right. Customers said, "I don't buy 1 more agent." And this wasn't the agent. This is the mega agent. I mean it's a massive thing. That's one problem. The second problem was as we looked at the stuff, all these browsers are based on Chromium, which is built by Google. Chrome has become big. This is the 1 billion lines of code and so many vulnerabilities are being fixed every week. Reminds me of windows, vulnerabilities that will happen every week. And so how are we going to keep up with that? You can't. So we said we will not go into the space. What we acquired is this company has done very innovative approach using browser extensions. We are able to check the device posture. So you can actually achieve what third-party browsers are talking about without having to ask the third parties to download one more browser. I think it's an elegant approach and then we have Zero Trust on the back end.

Okay. Got it. Kevin, maybe turning back to you, Z-Flex, you mentioned kind of upfront has been a huge area of success. It's like -- can you just walk through how Z-Flex is changing customer buying behavior and kind of how it's changing your visibility on the business?

Yes. So Z-Flex maybe just by way of background, a lot of software companies have offered flexible purchase arrangements. And for us, that manifests itself in the opportunity for customers that are willing to make larger commitments over a longer period the flexibility to swap in and out of products. We offer the ability to ramp generally in the first 6 to 12 months of the contract period. And then more recently, it's actually given us some flexibility around billing arrangements as well. So if we wanted to provide a customer with the ability to pay a little bit less today and pay a little bit more tomorrow, we can -- we have the flexibility to do that through Z-Flex. It also facilitates the prenegotiation of pricing across the suite of products that are available to the customer in Z-Flex. So there's a lot of advantages if they want to be able to extend into our data security products. They don't need to go through another buying and procurement process. They already know what products are. They've got a negotiated price, and then they can go ahead and deploy. For us, as I mentioned, we did about $290 million in bookings of Z-Flex this last quarter. To provide a little context of the Z-Flex business for us, they're generally 7-digit deals, and they average today about 4 years. So they are a bit longer. And when we do go into a Z-Flex arrangement, it is generally a larger ACV commitment than they were making outside of Z-Flex. So it does drive bigger deals, it drives longer-term deals. And then as I mentioned, it facilitates upsell, right? They know exactly what's available to them at what price. So we think it's an attractive opportunity for some of our most strategic customers. And over time, many of our customers.

And are you seeing kind of that module adoption, the quicker adoption of kind of the additional modules as they move into that?

It's still a little early. We've had this in market for about 3 quarters now, but it certainly continues attract more and more interest, which tells me that customers are finding a lot of value.

Got it. Kind of moving back on to the AI security front. You have GenAI Security, you have security posture management, AI guardrails, AI red teaming, agentic exchange. Just how do you think about those separate kind of pieces in an AI portfolio versus kind of overarching portfolio.

That's a great question. In fact, generally, investors are wondering what's where new market. So we have 2 main solutions for AI. One is what we call AI Protect. We launched it on January 27 after integrating a number of products we've built and a couple of products that came through the acquisition of SPLX. So AI Protect has about 4 areas of functionality. First is giving visibility. Any external, internal AI application, we can tell you what you have, what's the risk. Two is, secure access to those applications, who can access, what can be access policies by user, by group and the like. Third is securing application you have built, how do you secure them? You start with doing the red teaming for vulnerability assessments. You know what the risks are. Then our guardrail product, which inspects prompts to make sure people can do bad things like prompt and like, that's the third area. And the fourth area is governance and compliance. All 4 are integrated as a single solution and you can buy some of it if you want. That's one bucket. The second is taking our exchange for agents. This is in-line policy enforcement for agents. That's a very powerful solution, highly differentiated because we're sitting in line. And that's how our customers look at it. AI Protect is already being bought significantly, exchanged in early stage working with some of the customers.

Got it. And then just how do you think about overall SASE adoption and where we are in that. I think we get questions sometimes about kind of where we are on the core business. And how do you differentiate that maybe of kind of this grab bag where SASE means a lot of things to a lot of people, so how do you differentiate kind of within those areas?

I think it's a good question because SASE whatever. So this is how you should think about it. First of all, you need to understand that Zero Trust is fundamental for security, more and more important in the world of AI. That means things A talks to B through a switchboard. That's where the world has to go. From Zscaler point of view, we have 45% of Fortune 500 companies doing that today and 40% of global 2000 companies. Our large enterprise base that we target is 20,000 companies, 4,400 of them are customers, which is less than 25%. This means we have a sizable new logo base to go after, and we are pursuing that. Also, it means there's a lot of opportunity for upsell, okay? And we have seen a number of million dollar deals going up, number of $5 million customers going up. In fact, last quarter, we had the largest number of $1 million deals in Q2. That's excellent. We also -- we're looking at last quarter, we learned that from the initial buy -- in 4 years, our enterprise customers will have 3x of the ARR. That's pretty good. And this is over the years when our platform was much smaller. As the platform has gotten bigger, we expect that this thing should continue or get better. So both opportunities, meaning significant upsell and significant new logo.

Yes. Okay. Perfect. I want to step ahead to go to market for a second. Can you just kind of talk about the evolution of relationship with channel partners? And just how you see kind of relationships with GSIs evolving?

In relation to them?

For go-to-market.

Go-to-market, yes. So we've gone through transformation of go-to-market and we've gone through it successfully. We walked you through, we did get projections, we met our projections. We are seeing the trajectory moving in the right direction. If you look at Q2 our sales productivity was up in double digits. Our total number of large deals moving up. Our channel contributions getting much better. At a broad brush basis, when you look at lots of channel partners, you talk to them, you're going to get a mixed feedback because we don't deal with 5,000 of them. Global system integrators work well with us. We have worked very hard with them. Why do we need them? Here's the difference. A typical VAR will sell the boxes and they may get some deployment services, may not. They largely do a lot of fulfillment. When we go in, we -- you're not replacing Zscaler with Zscaler, a firewall here, a firewall there. You are transforming, you're removing lots of stuff. To remove all these branch firewalls, routers, switches, load balance. You need somebody who can do services. GSIs do a good job there in that area. So GSIs are working well for us. Selected channel partners who do these services, they are working well for us. So it's good. Our trajectory is moving in the right direction. Now we're working on upping that work. Kevin, you want to add anything to that?

No, the only other proof point that I would just offer is we had very strong pipeline conversion in the second quarter as well. So just another indication that things are building momentum nicely.

And I know we just talked about this, Red Canary, but any -- how -- should we think of it really as getting to that -- the 25% penetration you guys just talked about. Getting that to be a higher number? Or is there anywhere down market where we should -- that you find attractive opportunities?

I mean, to Jay's point, I mean, our focus are the largest companies in the world. Our direct sales organization is targeted at enterprise customers, which we estimate to be a little more than 20,000 companies in the world. That's where we go after with direct resources. Anything below that would be served through our channel, and that would be indirect for us. So our focus really is the largest companies.

Got it. And Kevin, maybe a question for you. You guys are rule of 50 company, obviously, leading growth and profitability. How are you thinking about kind of that trajectory going forward or just opportunities for operating leverage. And I want to bring into that discussion. There's maybe been a little bit more scrutiny of stock-based compensation. Just how you guys are thinking about stock-based compensation versus cash compensation.

Yes. I mean as a tech company providing alignment to our employees and stock is important, and I think investors appreciate that alignment. We also know that it has been a little bit elevated and we are acutely focused on bringing stock-based comp down over time and achieving GAAP profitability over time. So that is certainly something that is in focus. As I think forward in terms of areas of investment and opportunity, we expect to see continued improvement in sales efficiency as we continue to move forward. And as I've gotten through the transformation efforts that have been ongoing over with Mike joining us a couple of years ago and going through that process. So we think there's opportunities there. And not to pull on a topical thread, but AI over time, will also provide areas of leverage.

Okay. Another topical point, memory costs. You noted -- remember, you hadn't seen any impact yet, but you have a good amount of inventory, both of kind of branch appliances and data center equipment. But just how are you thinking about potential impacts to pricing and CapEx just as we work through this memory cycle?

Yes. So it's a real issue out here. If you are a real box company shipping lots of boxes, you will be feeling the pain. Since we aren't. So the impact is less because we have been maintaining good inventory during -- starting during the COVID time. But we do expect that it will have some impact and we will pass some of the cost to our customers. So we will adjust some of the pricing. And -- but I think from modeling point of view, we are still targeting to really stay at about 80% gross margin. That's a good number for us. It also allows us to really introduce products at a faster pace. Rather than trying to optimize gross margins, I would rather get in the market faster by 6 months and 9 months and take time to optimize it. But back to your pricing. It will have some impact, but not significant, and we'll manage it.

All right. Jay, maybe I want to end with, you've built an incredible company. Just how do you think about the next 3 to 5 years? And what is your vision for Zscaler over that time?

So if you look at 2 big areas, Zero Trust Everywhere is meant to do 2 things. One, make sure you don't get compromised. Number two, to make sure you don't lose data. Sometimes I jokingly tell CISOs. Your job is really 2 simple things. Nothing compromises you or breaches you and nothing leaks out. We have built the best Zero Trust Exchange, and we are in the first inning of the journey with a lot more opportunities ahead of us. Now comes AI. AI is fundamentally changing everything at many, many levels out there. So we have some very key differentiators in AI security. The exchange is probably the biggest one for us to differentiate us. And also the amount of data, the logs, the proprietary data we are getting is probably better than anybody else. It is with SSL inspection, we can see everything. So it expands our opportunity in the SecOps area. But overall, I see our business growing in 3 pillars: Zero Trust Everywhere, data security everywhere and AI security at all angles. This will give us plenty of opportunity to get to $10 billion ARR and beyond.

All right. Perfect. Well, Jay and Kevin, thank you so much for being here today.

Thanks for having us.

Thank you. Great.