Zscaler, Inc. ($ZS)

Jay, thank you so much for joining our conference. I really waited for this session because I read an interview with you that you believe that investors -- you don't do a good enough job to explain your company to investors. So I want to give you the opportunity to explain your company.

And the first thing I want to start with, normally, I don't ask about the quarter, but I do want to ask about the quarter because I thought there was a difference between the way you performed financially and the way the stock reacted. What is misunderstood by investors in your company's performance?

Okay. So first of all, as you saw, the Q3 performance was very good. We beat all metrics that the investors look for. I think for going forward guidance, there're 2 aspects to it. One was Q4 and second was fiscal '27. And the 2 factors for us to be more cautious about the guidance, one was we had a couple of changes where 2 leaders reporting to the CRO moved for 2 various reasons, one for personal reason, understood, and second was an opportunity at a pre-IPO AI company. And when leaders leave, we want to make sure the transition involved and they will have some impact that factor it. And second was the Red Canary customer base. We have built a new product combining Red Canary technology with our technology. And that new solution is getting showcased next week at our annual Zscaler conference. And the uptake of those customers, we still need to understand. So keeping those 2 things in mind, we kind of set the expectation at what my CFO will call as a prudent level. But in terms of the external market factors, the market for cyber has never been hotter. Methos has further put fuel to the fire. They're probably the biggest tailwind since COVID for our company. And this platform has gotten bigger and bigger, loyal, happy customers. And we have essentially gone through the transition of sales that started about a little over 2 years ago, and we've gone through most of it. And we look forward to expecting in Q4 and '27.

So maybe let's start with if you can articulate your target markets, meaning what are the opportunities you're going after? No, I'm not talking about the quarter thing. It could be a 3-year, 5-year, but what are the opportunities you're going after? And why are you well positioned for these opportunities?

And it also relates to the question you asked, what investors don't understand, okay? So investors understand mature established market well. A firewall is a firewall. It doesn't need to be explained much. A router is a router. Maybe the feeds and speeds are better, okay? When you bring transformation, you bring totally new changes, it takes some time to explain itself. And then what happens is the established incumbents fight back because they get disrupted. They like to say we do that, too. It's like internal combustion engine car companies fighting against electric car and say, forget it, I'm better, okay? That's the fight that goes on. So take one example. Zero Trust is fundamental, with methos it's becoming more and more important because there will be more breaches. It's given because you can't be able to patch all the way. And Zero Trust will make sure that only certain parties talk to certain parties, the breaches don't spread, the blast radius will become smaller. Many times, people think that just because a lot of me-toos are trying to say, oh, we do Zero Trust too. And this fancy new 4-letter word SASE, we do SASE too. First of all, SASE and Zero Trust aren't the same. SASE allows SD-WAN lateral movement and the like. And then the second part is Zero Trust started with users. We made user Zero Trust Phase 1. Then we made cloud workload Zero Trust. What's my competition for Zero Trust cloud? 30-year-old firewall technology, East, West, North or traffic. Then we made branches Zero Trust. Each branch is like an island. There's no lateral movement and then device in a branch. We call it Zero Trust Everywhere story. That Zero Trust Everywhere is just beginning to take off. We shared with you at the earnings that now we have over 700 customers doing Zero Trust Everywhere, which means users, branches, cloud workloads and devices. That same number was 550 last quarter. So big opportunities to make Zero Trust Everywhere, market #1. And there's really not a real competition from firewall vendors out there. It's only probably on the lower end of the market because the high-end customers generally are more savvy, they get it. The second big opportunity is data security. For data security, you need to sit in line as a proxy architecture and inspect the stuff. Firewall vendors don't do data security well, they're not a proxy architecture. We have over $0.5 billion ARR business. If it were an independent company, it will be the largest data security company perhaps and still growing over 30% year-over-year. We do that stuff very well, okay? That's -- so those are one set of areas. Then look at the newer areas. Securing -- before I go there, the most important Zero Trust next area is Zero Trust for AI agents. Search for Anthropic's white paper on Zero Trust for AI agents. It just came out 2 days ago. I looked at and said, they wrote what I would have written, literally. They understand it. Their stuff was agent-to-agent communication must happen through Zero Trust, not through the firewall. We actually have been building that solution. We plan to launch it next week at our user conference, and there'll be millions and millions of user -- agents, and they need to be secured. That's an opportunity. Then securing AI infrastructure and applications and models. We have been building that solution. We did an acquisition. And in January, we launched our integrated solution. Our customers want integrated solution not 5 different vendors. And that solution is taking off quite well. We already exceeded $100 million in bookings for that solution, a big opportunity for us. And then agentic SecOps. While there are many players in agentic SecOps, AI actually is useful for building SecOps. There are probably 500 companies, start-ups in agentic SecOps, maybe more. And because they think they're going to build it easily, the advantage will be to vendors who actually have telemetry and metadata to do it. We are in line. We probably have the most valuable data from communication. We are on endpoints. We have endpoint telemetry. All authentication goes through it. We have identity telemetry. So our customers are saying, you got the data. I don't need to pass data to someone to build the SIEM. I want really output that can be done directly with us. So that's an opportunity for us as well. So there's no lack of products, and we do products carefully. We don't go on a buying spree for I mean to say, A, B, C. They're well integrated. They're part of the story.

What makes you be successful in these areas, meaning the current position that you have with customers, what are the parts that can be levered into the new areas?

Yes. So first of all, Zero Trust Everywhere is expanding from what we have. It's very, very natural. When customers go from Zero Trust or users to Zero Trust Everywhere, the ARR either becomes 2x or 3x, okay? Similarly -- and we are natural. If you are a user of Zero Trust, natural to the next. Data security. We're sitting in line inspecting traffic. Most of the time, data leaks through the Internet. We are the natural player to be able to do that. If you think about for agentic stuff, it's natural to be do that. And if you think about the SecOps, SecOps is driven by the fact that we got all the telemetry and metadata. We can do that, but one more point. In minutes, I can figure out some of the new threats. I can do a close feedback system to the in-line system to block those threats in near real time that doesn't happen otherwise. So very synergistic platform expansion.

Yes. Is there a risk of slow take rate? Meaning what I'm referring to is the majority of the revenues today are ZIA and ZPA. You have new areas you're going after. Is there a risk of a kind of transition period?

So if you look at the ARR or emerging growth and new ACV has been growing rapidly. And we have been giving some stats, for example, great to see data security agree so well. We have seen in the past couple of years, we used to do emerging products and some of them already emerged. So we stopped doing emerging. The emerging went from about 8% or 9% to 30% in 2, 3 years. That's a remarkable expansion thing. So if the products are synergistic and the decision-makers are similar, it becomes meaningful. If decision-makers are very different, it becomes a lot hard. That's how we are [ selecting ] our products. One more thing as products have expanded, we now have -- do have specialty overlay salespeople who can go deeper in certain areas, but they work with account execs.

Got it. You mentioned data security, and this has been a focus of yours for quite a few years. Double-click on this market, meaning what is attractive within -- data security is a big space. What is attractive? And what are you addressing within data security?

About 5, 6 years ago, we only used to do DLP, in-line DLP. And our large customers said, doing data security with 1 vendor is hard enough, if I buy 3 products from 3 vendors, it will be impossible. Zscaler, you should focus on building a complete platform for data security. And that's when we expanded to CASB SaaS security. Then we added endpoint DLP, added e-mail DLP, and we added cloud security, S3 buckets and all. Recently, we added -- last year, we added DSPM, discovery, classification of data. So it is the most comprehensive integrated platform. We think we have a big edge. We have very good uptake by our customers. So we're very pleased with the performance.

And again, what -- the same question I asked you before. What makes you better positioned for this market given that it is being addressed by other players as well?

Not really that much. Think of which SASE vendor does data security very well, not a whole lot. There is a class of vendors coming from the start-up side, they call themselves DSPM. DSPM, one more 4-letter acronym, it's called data security posture management. At a simplistic level, it does 2 things. One, it allows you to discover data. Where is my data, data center, AWS, Snowflake, wherever. And then it helps you classify the data. That's important. But it doesn't do data DLP, okay? You do classification and discovery, then you combine it with a DLP and then it becomes a complete solution. We came from DLP side. We added DSPM, so we have a complete solution. And generally, there's a lot of wording about DSPM is important. It is important. And you hear about some of those vendors, but they will have to do DLP to be successful in data security, and we are ahead of anyone in this area.

Got it.

And then the customer engagement tracker working with us. DLP should only be done with somebody who is already sitting in the traffic path. Some new first vendor to come and say, put me in the traffic path is a big ask.

Got it. I want to go back to ZIA, ZPA just because it's a big portion of your business. How is the growth like? And what are the drivers? I mean, when I talk to Cisco or Fortinet -- yesterday, I hosted Ken Xie and Ken said, I'm 1/3 of the price. He said, that's my thing. I'm bundling it together with my firewall. I'm writing on top of the firewall, I'm 1/3 of the price. What kind of a disruption do you see from companies who are trying to bundle firewall with SASE or SSE?

So 2 things. First, if you want product functionality A and you get B, I'm not sure in cyber, if someone gives it to me free, I won't take it. So if it doesn't work -- so they are all firewall functionality. There's nothing zero trust about it. In many product areas, good enough is good enough. Perhaps the HR system, now, they are pretty important, but...

Not as important as cyber.

Yes. I'm okay with a good enough HR system, but I'm not okay with a good enough cybersecurity. CISOs, CEOs have to think that if I get compromised, what's the consequence. That's point Number One, okay? Point Number Two is that customers are understanding more and more the need for Zero Trust. I think the wind is not towards I can give you cheap firewalls. Now it is true that lately, in my view, firewall vendors have been helped from 2 things. One, the prices have gone up. Heck, if you raise the price 15%, if you beat the quarter by 15%, what's a big deal about it, right? It's external factor that brought you in. Two is, I think they're also getting some tailwind from the AI data centers being built. But we are clearly seeing Zero Trust momentum building up. Our growth should not be looked at ZIA, ZPA for users alone. That's a starting point. It's not a core versus noncore. Our product to stay Zero Trust users to branch to cloud, how well is the overall portfolio growing is really an important part of it. And overall, we're doing quite well.

And is there -- just because of the fact that there is more competition today on SASE, even inferior solutions, but Cisco is in the market and Fortinet is in the market and CheckPoint is in the market. These are new players. They were not in this market before. Does it translate into pricing pressure or shorter duration of contracts? Or do you see any impact of the new competition?

So on the high end of the market, which we actually do extremely well, we don't for 2 reasons. One, they understand architecture value. But many times, procurement likes to bring someone in even just to put pressure on the pricing. This is how many times the dialogue goes in. A firewall vendor goes in and say, you're spending $20 million with me, Mr. Customer. Just you need to expand, here's $5 million more. And for $2 million, I'll give you what Zscaler has for free. And they're probably paying us $5 million in that account. And we are able to go in and say, oh, you're spending $20 million on firewall, which is becoming like mainframes. The future is not firewalls. So what if I bring that number down from $20 million to $10 million in 15 months or 12 months and rather than $5 million, you give me $8 million. When the customer sees the math, it becomes a no-brainer. I had been in many of these pricing pressure calls that come from time to time say, oh, Zscaler, my budget is down 15%. I'm asking every vendor to bring the price down by 15%. That call happens as CIO from time to time. And generally, less pressure on security, but many time they come, I can say, Mr. CIO or Ms. CIO, why do you only want to reduce 15%? Why don't I help you reduce actually $5 million or $10 million. They say, really, how? Here are the things we can take out. When that discussion happens, CIO is not worried about saving $500,000. He want to save $5 million to $10 million. And we're able to open new areas and new opportunities in that area. So overall, there's not a meaningful change in pricing pressure.

Got it. I understand. Can you talk about new customers versus upsell to existing customers? What are the dynamics of gaining new customers versus the other part?

So our customers are overall very happy customers, very loyal customers. So upsell is a lot easier. In fact, quite a few times, the call comes in, the customer or CIO or CISO move from company A to B, they call us and say, "Hey, I want to bring Zscaler in." So in fact, it's probably one of the most effective lead sources for us. We got hundreds of customers who has [ CISO ] gone from company A to B to C. And early on Monday, I got an e-mail from a CISO who just joined a Fortune 10 company. And he was in a Fortune 25 company, before another one. He bought us in Company 1, Company 2. And this Company 3, he wanted to connect and he said, "Hey, I don't even have to do much work. Zscaler is already deployed here, but I can probably expand it." So expansion is obviously easier when you have a good customer base. New logos do take more effort. There have been discussion inside the company over the past few years, do we give more attractive comp plan for new versus old? And part of the discussion was, do I want people to do too much focus on new at the cost of upsell? If you are a company with a small portfolio of products, you must get new logos to grow. If your platform keeps on growing, you have 2 ways to grow, upsell and new. We have both of those opportunities for us. If you think about the total customers, about -- over 45% of Fortune 500. And if you go to the bigger enterprise level from 2,000 up, 2,000 is a threshold for enterprises and there are about 20,000 enterprises and about 4,500 are customers. That's about 23%. This is a sizable market to go after new. So one of the things we're changing going forward this year is as we add new salespeople, when company is growing, you need to add salespeople. So we have more being added between 2,000 to 10,000 space, which is largely new logos because our penetration there is limited. So we're adding new reps or new logo focus. We are making sales comp plan more attractive for new logos. And we're also going to be more targeted with VARs because at that end of the market, you do need to work with VARs to have proper coverage.

I asked you about competition, and I forgot to ask you about Microsoft. So I want to go back to it and see, do you feel the pressure from Microsoft? I mean they have very disruptive pricing, but product quality is not the same. So how do you see Microsoft in the market?

So over the years, Microsoft has been a great partner. We were the one who helped Office 365, local breakout big time. That's when we got the highest level relationship with Microsoft. We're integrated with Endpoint, EDR, Identity, Microsoft Sentinel. And about 3.5 years ago, they launched a competitive product. I was kidding -- not kidding really telling Microsoft, you guys even stole my name. It became Internet Access or Private Access. At that time, as I talked to Satya, Scott Guthrie, and they basically said, look, you've got a 15-year lead over us. We need to offer the product. But working with our sales team, my sales team's quota is $100 million. Security in a given customer will be $5 million. They're not focused on security. If your product is good, the customer likes it, they'll be fine. So 3.5 years later, I don't even recall last time I had to say, man, we are competing with Microsoft. Now my data points are more on the higher end of the market because that's where we spend more time. But it is not a meaningful factor.

Got it. So working on the portfolio is one challenge, and you've done great. You have a very articulate product strategy. The second part of the battle is working on go-to-market. So talk about the efforts on go-to-market, the success stories, the challenges, kind of give us the whole picture of how you evolve your sales organization to address the new opportunities?

Yes. So about 2.5 years ago, we made the decision that we need to move from opportunity-centric sales thing to account-centric stuff. We brought Mike Rich, CRO. He has done a great job in making changes. We made big changes at that time. We wanted leadership and salespeople who knew how to deal with large accounts brought in from the ServiceNow model, which was successfully done. So over the past 2 years, we have actually successfully made all the changes. I mean, if you look at the numbers we delivered over the past 2 years, they're pretty impressive. Now they slowed the absolute growth in net new ARRs, slowed down in '24. It picked up in '25. In '26, as you saw the numbers, net new ARR growth has gone up, coming -- going from '24 in the some 0, 1% range to 7%. The first half of '26 was about 10%. The last quarter was 14%. We did pretty good. Now we want to do better. I mean I'm an ambitious person. I mean, I have big aspirations, so really need to keep on moving in that direction. We did have a little setback with a couple of sales changes that we have factored in the guidance. But the market is good. Essentially as we pass through the transition of a couple of sales leaders and changes, everything is pretty well aligned. GSIs, we made a lot of good progress. They're working, doing some very good deals with us.

Got it. What are your challenges? I have -- I want to ask you other questions, but before that, I want to understand where do you put your focus? Meaning what are the things that you think you need to address for the next 2 to 3 years, 5 years?

In general, I have only 2 focus areas: build amazing products, sell and support to customers, okay? Now in that context, if you look at -- I think we got the building product and platform, we got it pretty well under control. We have done very targeted tuck-ins acquisition, which actually add some differentiation to our platform. The Symmetry acquisition was especially very, very good. On the go-to-market side, I think the #1 thing I wonder about fixing is the FUD being created by known Zero Trust companies to confuse the market. I know why they're doing it because they need to protect themselves. But in some ways, it's kind of doing disservice to enterprises who believe that this is real security when it's not. So that's one initiative. We have a CMO who is very good. Now, we've got a number of initiatives in marketing to create brand and awareness. That's number one. Number two, I think related to market somehow has discounted the role we are playing in AI security. And if you really think about that, the biggest thing to be done in AI security among all these things is securing agent-to-agent communication. Nobody is better positioned for that. A number of other areas, can you give me visibility into AI products? Of course, everyone will do it. It will become like CASB kind of stuff. Can you do red teaming? Everyone will do red teaming about it. And we have it in our portfolio. We have to have it. But the hardest problem to solve is communication of agents. And that's what we built. We'll be launching it next week. And I wonder about why has market discounted us for AI. I know the one thing that comes to mind is this methos thing, while we have been part of the Glasswing project from day 1, just that when the press release came out at short notice, our name was missing, and we had to go, hey -- I mean, well, they did it on their own time in a short window, we missed out. And then the following week or so, we're able to go to them, get approval to go out there. But we missed the window and some of the investors and market felt that. Only 2 companies that are listed there are actually AI ahead in the market. I think coming quarters will prove that we'll generate some real, real numbers in AI security to convince investors that we are the real game.

Got it. Most companies in the space are offering some kind of flex programs and you have your Z-Flex. Talk about the importance of it to the customer, to you? And then what's the take rate of Z-Flex?

Z-Flex has exceeded all of our expectations. It's probably 4 quarters or less than 4 quarters, about 3, 4 quarters.

Maybe we'll start what is it? For those that don't know, what is Z-Flex?

Yes. Thank you. What's the Flex program, as name implies Z-Flex, it gives you flexibility to buy certain products and being able to even swap certain products. Otherwise, the customer says, Zscaler, you got these 8 data security products. I'm not sure if I want A or B or C. I'm going to test and test and test. It could take many quarters. Now we are able to say, look, you can select X products, and we'll give you the ability to swap and swap is linked to similar price ranges, so to speak. So they can swap. That's number one. Number two, they said, I want 6 products, but I'm not ready to roll out all 6. It will take me time. So I want to be able to do these 4 and then do 2. So we gave you staggered, the ramp product. We had done ramps before. It just formalizes ramps as they are needed. And number three, if I want to buy a new product, there's a rate card already available. So this thing removes the procurement cycles back and forth. All that stuff makes it easy. Now our program is fairly conservative. We basically are recognizing the revenue for the next 12 months or ARR for the next 12 months. So it's -- but it's worked very well. We just got past $1 billion in the Z-Flex booking, which is good. It's good for customers. It's good for us. And the deal size, length has gone up. Most of the Z-Flex deals are 5-year deals.

Is there a risk -- and I've seen it with CrowdStrike before. Is there a risk that Z-Flex makes it very easy for customers to try and test and systems, et cetera. And upon renewal, though, you'll see a slowdown, meaning companies are trying it, companies are testing it, but maybe renewal rate won't be as strong. Like what's the risk that what we're seeing today, some of the growth we're seeing today is really customers trying new products?

So first of all, Z-Flex is a headwind for ARR recognition.

Got it.

Okay. Because some of that is staggered, okay. Number two, our focus as a company has been to make sure the products we sold are deployed. I get a personal review on a monthly basis to look for deployed versus undeployed products. Many of the compensation of product leaders are linked to deployment. Our customer support team, the deployment team is linked to it. So I think companies should be careful, but we are already very focused on making sure products we sell get deployed.

Okay. We officially ran out of time, and I didn't leave enough time for questions. But thank you very much, Jay. It has been great, and I'm always happy to host you at our conference.

Thank you. I think if I leave the last word for you, methos will probably drive Zero Trust need faster than anything else that's driven out there. And we have the right products, and we intend to do the right execution.

Absolutely. Great. Thank you.

Thank you.