We'll start today, with a short presentation by our CEO, Jay Chowdhury, on our newly announced 4th pillar of our platform. The Zscaler cloud protection or ZCP. Afterwards, we will be joined by Amit Sena President and CTO, and Patrick Foxhoven, EVP of Emerging Technologies And CIO. Then we will open the session for question and answer. All participants will be in listen only mode until the Q and A begins.
If you wish to ask a question, please make sure that your Zoom username is identifiable and use the raise the hand feature in the bottom of the meeting window. When you're selected for a question, please prepare to turn on video and unmute your microphone. We will not be providing any financial updates today. Please be mindful of this during the Q And A session. As noted on this slide, today's session may contain forward looking statements including, but not limited to our view of the industry, product performance, product business outlook, and other statements that are not historical facts, These statements are not guarantees of future performance, but rather are subject to risk and uncertainty.
So with that, I will now hand over the call to Jay.
Bill, thank you. Let me start with a few slides to give you a big picture view of where we fit and the new pillar we launched yesterday Zscaler cloud protection. I know, hopefully, you're familiar with a 0 trust exchange platform. And kilos, ZIA, ZPA, and user experience. These 3 are focused on user protection and experience to make sure a user can get to any application or good experience.
We have been building over time to make sure we have a strong story to expand our offering in the next area. And that is let's go beyond protecting users to being able to protect servers and workloads. So the launch yesterday is a Zscaler cloud protection, which has multiple solutions in it. But the the great thing it does is that it expands our market significantly because we're not just doing user protection. We're also getting into workload and server protection.
I'll give you a quick high level view of it. Hopefully, some of you had a chance to listen to my keynote where I covered it. At a 40000 foot level than Amit and Patrick during their product innovations kind of brought it down to a local overlap. This 4th pillar actually completes our overall offering. Now why do we care about Zscaler cloud protection?
Look at the workloads moving to cloud. The distributed multi cloud. They evolve. They change. The configurations are Pretty complex.
They're dynamic. They come. They go. And DevOps moves faster than security. They're actually going ahead and doing things.
Aren't even secure. And connectivity, trying to take your traditional network based connectivity with all these ingress and egress routes is complicated. Traffic flow east and west, very low controls. So we looked at the problem in 4 key areas as we talked to our customers. Security posture workloads.
When there's so many workloads are being deployed out there, there'll be 1,000,001,000,000 of workloads out there. What's configured properly? What's not configured It is the biggest source of security risks. That's one problem customers are asking to solve. 2nd, They need various applications of workloads to talk to each other within the same data center.
From public cloud a to b to c. What now? That's the second thing. How do I do it security? 3rd, within a cloud risk of lateral movement.
Typically, you connect the networks. Once you're on this beautiful flat network, you can reach any and everything, which is wonderful, but which is also dangerous at the same time. And 4th, right, the most important you may have the secure stuff, but your employees and your B2B customers need to access those applications securely with great experience. So those are the things we looked at, and we have been hearing from our customers that they have been trying to do it in a traditional way with a network security where it's not working. So what do we have?
It's a combination of some of the investments we make in house building upon the 0 trust technology. We built for ZIA ZP and the like. And some acquisitions with focus being how do you protect multi cloud workloads? Multicloud is important because you don't have a hardly any customers who is dependent on one cloud. So cloud security posture becomes important.
Gartner calls this thing. CSPM and it's proper configuration, the like. It's a new revenue opportunity for us. We have started a cloud meeting and evolving and growing it. Dig a little bit deeper into it.
Workload communication that's had workloads or applications setting the data. Sorry, in the Piras, sorry, sitting in your public cloud on an island. They need to talk to each other. Communication need to happen across cloud to cloud. Traffic goes from workload to the Internet, and you were cloud to data center connect all that has to be done.
And we built a very cool technology called cloud connector that powers this communication. And essentially the ZIA ZPA use case, which used to be for user protection. No. It's getting expanded to workload protection, and the pricing will be workload based just like user base and here, workload based, but it expands a cam Significantly. 3rd area segmentation within a data center within a public cloud.
This is where customers have been trying some of these virtual firewalls doing network segmentation or some of these new vendors like Olympias or the world. But really, we haven't seen see this traction. Customers are still looking for better solutions, and we built and expanded upon EdgeWise Networks acquisition. And at the end of the day, all of this is good. Only if the users can access those workloads.
So it actually required ZPA to be able to go and access those applications directly without having to go to the data center. So that's our overall existing 3 major new areas of functionality plus ZPA for users to access these applications. I give you a little bit deeper view of each without getting too deep into it. CSPM is the term Gartner Point. All kinds of workloads being deployed across multiple clouds, including application like Office 365, got to be configured properly with so many knobs out there.
And we we acquired this company for the enhancing it. We're making some serious investments to make sure our CSPM offering is the best in the market. But it starts with discovery of what assets do I have? How are they configured? Being able to match against a lot of standard compliant configurations, identify what's not compliant.
And then prior times, what's the risk of non compliance and being able to do auto remediation alike. Important area. This market is ready out there, and we are beginning to sell this offering out. So that's one. 2, this is probably the most exciting and very unique because Here, we are bringing 0 trust to the data center or call it 0 trust for public cloud.
Almost all vendors out there are trying to do network centric communication. You could throw firewalls here. They're all that type of stuff. But in this approach, I got, say, workload need to talk to the internet. Setting in AWS.
It needs to go to internet. Well, we are cloud connector. It's very smart figures out the traffic can direct it to ZIA policy engine, and you can apply the same policy, same protection. What would you do without it? You try to buy some virtual firewalls.
Well, how do you do a cyber inspection? How do you do SSM inspection? How do you do BLP inspection? That you used to. You miss it.
So we bring all the rich functionality, to the traffic that's non user traffic. That's app traffic to secure it. Then there's a cloud to cloud traffic. I mean, Azure traffic needs to go to from Azure east to I shall rest. Maybe AWS traffic needs to come and app in a AWS need to talk to app in Azure.
All this stuff flows through our 0 trust exchange powered by cloud connector. You also need the same thing. Data center do Today, you typically have a dedicated site to site VPN, expensive, and it's network extension, not really 0 trust type. This third area. 4th.
More and more businesses want to change the old way where they're trying to send larger data exchange and files between 2 companies through some kind of old cognitive system. 0 trust, we can do it in a much better fashion. So this is a exciting, highly, highly differentiated use case. The third area, I mean, this is a diagram we picked up from the internet, how people try to do this kind of cloud protection, the workloads, firewalls, v oh, VPNs to go out to come back in VPN to data center, all that mess. Now for segmentation, we got a very cool approach where Edge Boys gave us the very, very important IP being able to create identity of software, identity of workloads.
Okay. That's the core IP we bought. And to know within a public cloud, you can kinda say this app can talk to this app, but this app can't talk to this app. And all this is powered by a bunch of sophisticated machine learning models because when you have lots of workloads, lots of policies. You need automation and ML is playing a big role and the segmentation policies are automatically generated.
Otherwise, operationally, it'll be very hard to do. And it is it's it's great benefits in terms of operational, benefits, without a lot of overhead and the risk reduction. This is a this is a younger market. It's going to take some time as customers are getting educated in this area. 4th is really the overall benefit.
Once you got your stuff in the cloud, just like I'm showing here, in the old world, you would be going back to the data center and going back site to site over. Now with CPA, all these workloads can be accessed directly through us. They could be in your data center, they could be in GCP, Azure, and AWS. So this thing kinda rounds out the benefit customers are So in in summary, public cloud is happening. We all know that traditional security is a problem in a public cloud.
It doesn't work. The new approaches are needed. And, really, that's what we have built here. Essentially extending 0 trust to public cloud. That's number one point.
Number 2, think of the opportunity. You know, just like endpoints are looking at saying, I am going to take EDR to the servers. Here, we're saying, I need to take use it to app communication, 0 trust technology or app to app or workload to workflow communication. So it expands our our 10 quite a bit. So with those remarks, Bill.
Okay. Thank you. Now we'll start the q and a session. As a reminder, please use the raise hand function if you want to ask a question. Our first question will come from Andy Nowinski from D.
A. Davidson. Please go ahead with your question.
Alright. Thank you, gentlemen. Very helpful. It was a it was good to listen to a lot of the presentations yesterday as well. Maybe I'll start with a clarification.
On the slide you just presented today, you said that ZPA is a cross sell, but it does seem like it's maybe the opposite. You know, wouldn't they deploy ZCP first, or are, excuse me, they wouldn't deploy ZCP without first running ZPA. So it seems like ZCP, you know, the cloud platform is actually your cross sell it. You'd sell into all your accounts that are running either ZIA or ZPA ZPA already. Right?
So it's it's a good question. So first of all, when I use the word cross that I said, we already are selling ZPA. For data center VPN replacement, it becomes one more opportunity to be able to go to public cloud. Okay. That's one.
The second part is actually there's no proper sequence to embrace ECP. If you look at the 3 pieces of ECP out there, we think CSPM security posture management And the second part where I set, workload communication within a kind of cloud to cloud and cloud to Internet. Both of those, these products are being asked for by our customers today. So you could be stunned. Some of our customers are starting with CSP and some are all starting with, workload communication, but CPA will be needed.
By everyone. We believe that every customer of Zscaler eventually will have ZIS, ZPA, and ZDx. Because once you have those 3 things, you can access any application internal external. And with ZDx, you can know the performance. Security and user performance both get solved.
That makes sense, Jay. Thank you. And then last question for me. Can you just give an example, of an unprotected workload, at 1 of, like, a Zscaler customer? So a Zscaler customer's already you know, committed to transforming their network infrastructure.
They're already running, presumably, a next gen architecture. They're not running a legacy architecture. So what are they using to protect? And, and, presumably, they're already some of the workloads are in the cloud as well already that are Zscaler customers. So what have they been using or have they just not been protecting these workloads, in the past?
I'll start and, Amit, you can add to it. You know, we have a tool called, internet or tax sufferers. We point to a given company called acme.com, for example, and see what can I see out there? Without sending any active traffic because a lot of information is sitting in Google and and short and and the like. We see so many workloads that can be discovered, that can be attacked.
In many cases, customer doesn't even know about it. It's being exposed. So they need a true, like, CSPN to identify it, for example. And in many cases, they can fix the configuration. But in many cases, then they will need some some will be exposed.
They need to go through a tool like ZPA so they don't expose them to the internet. But there's a lack of education in some cases, and there's a lack of the right technologies and other cases. If you want to add things to what I said?
Yeah. Absolutely. I think, Andrew, there's a lot of clouds for all that is happening. If you look at ZIA and ZPA, predominantly, We are we have been protecting users accessing applications, either in the internet SaaS or in in private workloads that require a VPN. But as, as applications are moving to the cloud, things are sprawling.
I mean, you might be moving an SAP application. Maybe the back end is sitting in your data center. The front end is moved to Azure. How is Azure talking to your data center? Right?
Those are the kind of use cases, that, greenfield opportunities for us to expand into. Right? Similarly, as more applications move to AWS, what is happening is people are bringing the traditional data center thinking into AWS. Right? Let me, you know, I had a firewall here.
Let me deploy firewalls. Let me do VLAN segmentation. And that architecture that Jay was sharing becomes hairy very quickly, right, because now you're talking about this VPC talking to this VPC going through transit gateway. Well, the internet access is available only from this transit gateway. All of these are sort of greenfield opportunities as we start getting to app to app communication because people are just still thinking of their legacy way of doing in the data center, except now they are trying to move it to AWS and Azure.
So we believe that many of the 0 trust concepts that we brought to secure user to app communication naturally extend into cloud workloads. And it starts off with those three things. 1, as I get into AWS and and Azure and GCP, configuration management is the number one problem. Right? Do I have an open s 3 bucket?
Maybe I was doing some QA testing to get an entire customer deliveries and put it in an s 3 bucket somewhere, and it was left open. Right? Those those workloads have never traditionally been part of the Zscaler ecosystem and cloud protection brings that into the phone. Thank you.
Okay. Our next question will come from hamzafodderwala at Morgan Stanley.
Thank you so much for, taking my question and thank you for doing, this product presentation. Very, very clear. I wanted to, get your early sense about, sort of what you see as a market opportunity here, right? Cause you mentioned a few times you know, this really expands its hand for you. As mentioned, sort of, you know, bringing you in just sort of a lot of greenfield spaces.
So I guess, you know, for Jay, Amit, or and you and Bill, how are you thinking about, you know, framing that market opportunity as you move to a more workload model? So So another way, you know, there's going to be roughly a $100,000,000,000 or so in past, I have been, today, that's probably going to grow, let's say, by double over the next 3 to 5 days. What percentage of that do you think is going to be a, workload protection solution like that?
So the the unit of opportunity for us is number of workloads. The way. Yeah. And that that bigger the market, we will churn by workloads. Every workloads need to be how each hard for your security posture, how many workloads are we monitoring, and really look in the posture.
How many workflows are talking to each other? It's it's essentially based on that. That's how we see the opportunity. We think with public cloud, those workloads are growing. They keep on growing and growing.
And then they'll need someone like us to protect it. So do we have an idea to quantify at this stage of procurement? But do do we get a sense that it's pretty big, big TAM opportunity.
Yes. Yeah. And so CSPM workload segmentation and workload communication all will be priced on a per workload basis, and, we'll we'll discuss, the TAM at our Analyst Day, which it would be in January. Okay. Next question, will come from
Fair enough. Alright.
Oh, thanks. Next question will come from Joshua Tilton at Berenberg.
Yeah. Hey, guys. Can you hear me?
Yes.
Just a quick one from me. I just wanted to kinda touch on the workload segmentation feature. Just, you know, I understand it's early, but who have you identified as kind of your position in this space? And then how much of a moat would you say do you really have around, an identity based segmentation strategy In other words, why can't others come out and kind of mirror this with their own, identity based approach?
Patrick, you want to take
I can share some insights, Patrick, as deeper insights. It's a good question, Joshua. In order to, to look at this space, again, the traditional thinking has been, I know how to build a firewall, let me bring virtual firewalls into my AWS or GCP workloads. I'm going to have static ports and protocol based the rules that says, here's my UI server, and it's only allowed to talk to this database server over this port. And we all know that You know, that does not stop lateral propagation from happening.
Because once one workload is infected, you know, malware knows how to exploit static rules and propagate laterally. So, we believe that a sort of traditional thinking, you know, even the unions of the world are thinking more around, around traditional network based segmentation inside a modern cloud workflow. The identity based approach, requires a complete rearchitecture. Right? So when we say identity, we are looking at multiple attributes.
We are looking at, well, this is a UI process, and there is a lot of, fingerprinting that is going on. You know, what, what machine is it running on? What MAC address is it coming from? And there's list of attributes that go into a certain identity for that particular process. And doing it at scale is a hard engineering problem.
Right? You're sitting right in the middle of a very high speed communication that might be happening between one workload or another workload, in, inside AWS or or Azure. So doing it at scale is a hard engineering problem. It's not just a simple identity. It's you know, multiple different attributes going into fingerprinting that identity.
That's a tough problem. The third problem to solve is how do you simplify the deployment? Right? So we use machine learning based auto segmentation where you click on a button and it the the, the app, the workload segmentation, will look at the topology of your application and say, this is how it needs to communicate. And that simplifies the dev ops cycle dramatically.
You're not, you know, in tinkering with manual rules. In a complex application, you could have thousands of different pathways. How do you automatically discover and say, this is legit. This is not legit. So all of those are hard engineering problems, that, we've built IP on.
And most people in the space are still traditionally thinking of static and a network based isolation principles that just don't work. Patrick, do you want to add anything to that?
Oh, that was that was good. I maybe just to emphasize that point or pile on to that point that Amit was making almost every other solution in the space, like, on it was saying is network centric, meaning it's IP address. It's a traditional firewall or ACL based approach, and that's why projects like micro segmentation have been so much of a failure. We we rarely see customers have they may have implemented micro segmentation in one piece or part of their network, but not holistically, not across the organization. The the approach that we have, like, it was saying is identity based and then it's a much lower level approach.
It's not at the network level. It's at the process level. It's, it's a, it's a lower level that gives gives us a much stronger form of identity that is just not possible if you're doing this at the network level.
Yeah. So our our belief is that the traditional firewall network centric approach won't work based on what you're seeing from the customers. And and it's an opportunity for us. I to many customers from the forward thinkers who said we'd love to do segmentation. We have tried product a, b, and c.
It just doesn't work. So we think our approach is very promising. Having said that, I'll say this is a is a younger market. It needs freedom or education. I would rather be in a younger market and educate the market than try to go later on and become a me too.
Thanks, guys.
Okay. Thank you. Our next question will come from Tascojaghi@guggenheim. Please go ahead.
Hey, guys. Thanks for taking my question. Two questions. 1, first one is it looks like some of the functionality you have in zzcp will overlap with, I guess native functionality you get from the cloud vendors. AWS, I guess, security gateways and Azure firewalls.
How you how do you address the fact that you would be competing with the, I guess, the cloud vendors in some areas with the ZCT product?
You know, every every cloud vendor will have some piece in there. I mean, should would Microsoft do some kind of firewall? Yes. But, okay, what does that file will do? If you really look at what our CSOs are telling us
that
every server license you have the most workloads talk to the internet from the public cloud. And what is what what do they need to protect? Number 1, fiber threats. Number 2, data loss. All those connections are SSR encrypted.
Somebody needs a proxy architecture with the multi tenancy. So simply send the traffic to some cloud and set goals as our our Fortune 500 global 2000 customers had deployed ZIA. They basically say, I can use ZIA technology. For policy enforcement, DLP, and cyber threats. I had no way to really figure out and send the right traffic off a given cloud.
You could with a cloud connector that's powering the technology, you couldn't have that traffic coming from AWS Azure, DLP, VM, very own data center, same policy, same protection. So it's it's very compelling. Will some of the firewall functionality from AWS or Microsoft get in the middle of it? We don't think so. Will those firewalls do some level of macro network segments.
Probably, yes. That's fine. But I think the opportunity is is big for us, especially for large customers who understand the value of our platform.
That's very helpful. Just one follow-up. And one thing we've heard, we we hear we hear from CIOs is that the world is going more towards a hybrid architecture, more multi cloud world. People are not gonna be using just one cloud. A lot of people using AWS, Azure, and GCP.
Now the GCP product work across clouds and across on prem and and cloud, or will it be limited to just the workloads which are residing within a certain cloud? Amit?
Yeah. It's a great question. I mean, the you answer your question yourself as, right? We are designed for a hybrid cloud world. Cloud connector works on Azure and AWS and GCP.
It also works on your BMware based data center, we're happy. Right? So since we're not living in the world, glarden of AWS, right, you need a uniform approach that can allow any workload to talk to any workload regardless of the infrastructure it is hosted in. Right? So you know, I, to some extent, firewalls have already existed in AWS and Azure.
That's how VPCs are designed, right? I think my router has a bit in firewall. We need to sort of up level and talk about how do we have workloads across multiple different infrastructures, talk seamlessly through common policy engine through common 0 trust exchange platform. And that's really what we've built. And most organizations are not going to you know, just bet on one cloud provider.
They will have scattered and distributed workloads, and they will need to have consistent policies across all of them. And cloud connector enables that. Definitely. So does CSPMPs and workload segmentation, they work regardless of the underlying infrastructure.
And just one follow-up if I may. This would be a service, right, as a as a SaaS. You're not deploying a software on a VM in AWS or or Azure. Correct?
Right. All three services are SaaS. Right. The CSPM is a SaaS service. You know, you you with API as you point to your cloud workload, you you know, we give you all the misconfigurations and auto remediation options.
With the cloud connector, you know, you you can automatically provision in an auto scale, whatever is needed based on your workload regardless of, again, the infrastructure it is deployed in. And, it is all based on the same subscription model, instead of users, we'll go more towards a workload based subscription, but it is all of a SaaS service.
Thank you guys. Very helpful. Thanks.
K. So we'll take our next question from Alex Henderson at Needham.
Please go
ahead with your question.
Great. Thank you very much. I would hope to, get some detail on a couple of the elements. First off, do you need to sell this to the DevOps teams? Do you sell into, you know, the shift left community?
Or is this primarily gonna be sold to the IT administrator, the SecOps teams, back at the corporate And when you define a workload, if I take an application and I deploy it across, just hypothetically, Akamai's 4000 locations. Is that considered a workload or is that considered 4000 workloads because it's running it in four thousand different locations. And then the last piece I just wanted you to clarify is, obviously, policy is critical here. Policy management problems with the flow based architectures of the Palo Altos of the world have been a huge impediment, but I assume that this is a per user per app patient policy implementation, going forward, which I think is core to your architecture. Is that accurate?
Thank you. Let me start with the first one. You got 3 part question. The first one, who is the buyer?
Okay.
You know, the buyer could come from that dev ops side of it or come from security operation network operation inside it. Our primary buyer of Zscaler today has been starting with CIO to enable transformation
with
head of infrastructure and head of security have been a primary fee buyers. For example, the one thing our customers have been asking for a long time, is. And this is being asked by the CSO and the CIO. My users go out to the Internet through you. My workloads need to go through you with the same security, same data protection type of stuff.
Yes. We do get brought dev ops gets brought into the loop, but our primary starts from the production side of it from the security operation side of it. And and over time, we'll get to both ways, but there are 2 decision makers. DevOps is an important player but who runs the operation security and all is important as well. That's part number 1.
Part number 2. Ahmed, you want to check that?
Yeah. What was the specific part 2 question?
So the question is, if you're defining a definition of a workload here, So people think about a monolithic application running on a single server as a workload, but obviously in a CACD pipelining world, they they could be highly distributed and therefore implemented in thousands of locations.
Right. So, the concept number of workload is pretty well defined in public cloud infrastructure. Right? And for example, when we do our CSPN scans, you know, you a typical organization might have a few 1000 workloads. We're not counting, you know, instances like a CDN scenario where you have 4000 copies of the same thing as a workload.
However, even you, if you have a, a VM that's a clear workload. If you have a Kubernetes, cluster with X number of running instances, You know, that's the workload. And, similarly, you know, you might have a a serverless workload. Right? So those concepts are well understood within the AWS framework or the, Azure framework because they believe based on it.
Right? So it's not a ambiguous concept, and we're gonna piggyback on that.
And there was a third part.
Last piece was on the policy.
Right. So, yeah, I guess your question was, you know, we've traditionally been a user to app policy. How does that translate to a app to app word? How does that translate to a in a workload, process to process 1. I'd say translates quite naturally.
Right? You know, when you when you're able to implement policies for an organization with 400,000 users talking to millions of applications, being able to translate that to a few thousand workloads talking to a few other thousand workloads is relatively simple. The the amount of traffic per workload goes up, but the complexity of the policy decision trees is actually getting simplified. And we've done it at a bigger scale. And bringing it back to us to a more manageable scale is easy.
Right. Just to expand, just like today for user, we can do a specific user to whatever. Here, we can do a specific workload based policy, or you can have a group of what loads either way.
I mean, think of it this way, Alex. Right? Today, for an organization like Siemens with 400,000 users, you can go to the Zscaler on serving for every user have a specific user level policy for every destination. Now we'll support it. Right.
We know organization wants to do it. That way, but, you know, we have that kind of scalability building. Workload is a little more static. Right? You might have a server that needs to go to the internet to download latest, you know, Linux batch update.
Right? So those are a little more manageable since we've been done it at that user scale. The ability to translate it to a workload scale is, is easier for us.
That's great. Thank you for taking my question.
Okay. Great. Our next question will come from Brian Essex at Goldman Sachs. Please go ahead with your question.
Great. Thank you for taking the question. I appreciate it, and thank you for doing this. You know, maybe I was just wondering, you know, kind of back to the competitive you see a number of your different, you know, peers in the market approaching this from an endpoint perspective, or platform perspective or a developer you guys from, like, you know, network access perspective. How do you see yourself differentiating yourselves from some of those vendors some of which are partners of yours, you know, particularly maybe compared to, like, a crowdstrike who's, you know, approaching the cloud workflow protection market in a little bit of a different but with a different construct in that, they can have, you know, contextual, you know, contextual data around, you know, access and workloads?
Yeah. So I think we we think through the ecosystem in a pretty meaningful way. Yes. So what's endpoint vendor vendor's doing. Here's my ADR.
Since there are lots of workloads, I should run the same thing on my workload to make sure nothing malicious is going on. It is. It is just like the device it's the workload security by running a v. Just now just because you got cloud strike or Microsoft or or VM, their endpoint, you still need Zscaler. We are.
We're the switchboard. We're sitting in between. So if you talk about that stuff you're talking about, which workload can talk to which workload and under what policy. When my workload talks to internet, Somebody has to sit in the middle. It's like an international airport who goes.
We are sitting in an ideal position to connect the right party to right party. No. That doesn't eliminate the need for having a host endpoint software or or save. What load software setting to for doing the kind of security endpoint does. It's complimentary to us.
We are in between communication from a to b. So that's how we look at it differently. Now the other one who has to do mentions. So endpoint to us is very complimentary. Okay.
And and maybe maybe just
Brian, one one point I'd add there is as you think of the way the world is evolving, it's moving more and more from know, my data center to VMC and AWS to, you know, serverless and kind of Lambda functions and and, and just you know, as a service. Right? I'm running BigQuery. I'm running Snowflake. Right?
So all of these, you know, where will you put your endpoint, you know, agents. Right? So, kind of the same concept that, you know, we thought about when we said, Hey, how do you run this on your iPhone on a 5 g work. Right? So if you think forward, you know, the firewall vendors will think of virtualizing firewalls and running it in the cloud.
The endpoint vendors will think about virtualizing their endpoints and running it in a VM host. But as you go to more kind of, you know, there's the pure SaaS for which we do CASB, and then there is, you know, more and more, just serverless computing. Right? And that's where CSPM is very important. That's where the ability to do policy, you know, this Lambda function can talk to you know, that internet workload, but that's it.
And how do you do it without putting endpoints becomes an important criteria?
Right. So we like a switchboard function. We aren't a switchboard who should talk to who based on the policy.
Okay. Great. And maybe one just quick follow-up is, are you applicable to development as as well as run time?
Applicable, the development and as well as runtime. So the the when we come in line, we're re we're coming in line as a as a process on the machine, that is at run time. It's not in the development CIDC pipeline. That's that's a but it's we would be complimentary to kind of some of the things that would run there, but, we're we're in the in line real time run time, agent.
Got it. Super helpful. Thank you very much.
Sure.
Okay. And our next question will come from met Hedberg at RBC. Please go ahead with your question.
Just one for me. I wanted to come at the kind of the TAM opportunity from a little different perspective. Obviously, ZAA and ZPA are our seat based pricing. But in some of your early conversations with some early adopters of ZCP, you know, if they're spending a dollar on ZIA and a dollar on Z PA. Any sense for could ZCP be $0.50?
Could it be $1.50? Just even from a magnitude perspective, how do they think about the spend in this category relative to your other categories?
You know, early stage, we're collecting data. In fact, we are early pricing. We are at we've gotta learn from the customer. I think it'll be probably a little bit too early to give you some data points probably in a few months. We'll have much better data points.
The data point is a
learning Maybe then just
clearly learning point of view right now. So
And then I guess maybe from those data points, from some customers that have looked at it early, maybe pilot face customers, beta customers, what has been, what have they been sort of most happy with so far?
I think it's arranged. So we're finding that some customers, we kinda try to go and get them early on with very attractive price. Some have tried to pay pretty significant. So the gap is quite big. So we'd rather narrow it down before we kinda share the numbers with you because that's how we'll finalize our prices, well, based on what the market is looking for.
So give us a few months. We'll we'll have it. We'll can share the data.
Great. Well, the the VAN was great. Thanks again. Thanks again, guys.
Okay. Thank you. Our next question will come from Fred Zelnick at Credit Suisse. Brad, go ahead with your question.
Hey, guys. Nice to see everybody, and thanks so much for hosting the event. Jay or for yourself or Amit or or or Patrick even, how should we think about ZCP pairing with SD WAN as it seems like you're adding the application awareness that SD WAN is based on. And maybe in context with your VMware partnership, which I know you've expanded recently. How should we think about the selling motion and and how this could pair with with what they're doing with NSX and network segmentation with with the workload segmentation that you've announced.
Right. So, you know, we look at Zscaler as independent of the network. We'd like to say that we are totally decouple application access from network access. I even questions get asked to us and say, what are you doing with SD WANs? Say, we can take traffic from SD WAN or SD WAN or a router.
It's the same thing to us. It really doesn't matter. I think when it comes to the market of segmentation. This this market is rather to be young out there at this stage. In fact, if you ask me how many customers done network segmentation or any kind of app segmentation successfully, those numbers are very, very small.
Okay. So do we have, you know, data on the approaches? We don't. Yes. I'll be aware of the network segmentation that VMware is doing?
Yes. I think we'll we'll it remains to be seen where the market evolves, but we We like the 0 trust approach where we are. Totally independent of the network. Now the three areas I talked to you about our functionality. I think CSPM is ready for prime time because customers were already deployed 100 of 1000 of workload.
They need security posture and policy configure configuration. The communication between the data center and public cloud or public cloud to internet or communication between Azure East And Azure West without connecting the network. There's a big need out there for that piece. So the crowd a cloud connector is actually enabling and empowering that piece. So that's actually that Mark is ready to go.
The third piece, if you talk with a micro segmentation level, early stage, we're learning and figuring out, as I said, you rather educate the market up front. But to answer your questions, I would say, haven't seen enough data out
Fair enough. Jay, thank you for that. It's always nice to see you pushing beyond limits.
Thank you. Okay.
Thanks. Our next question will come from Walter Pritchard at Citi. Walter, please go ahead with your question.
Yep. Thanks. Thanks, everybody. On just two things. 1, just wanna be clear on what actually has to be deployed in the customer's network to be able to or what you have to have access to to be able to do this sort of three things you're talking about.
So that that's just a clarification. Then I'm wondering as you think about, container serverless, I mean, everybody's coming at this from a different angle. You have the sort of traditional workload that's a VM, you know, you know, virtual firewalls. You have the sort of cutting edge workloads that are not very deployed, but there's solutions today. I mean, all the providers seem like they're taking a different approach on these different workloads.
I'm curious how you expect to see your cloud workload protection offerings adopted initially versus where we're seeing some of these others adopted, because everybody's got a very small initial footprint.
Patrick, do you want to start with that? If you can add on
Yeah. I can I can tackle the what you deploy the first part of the question? So, the answer varies depending on which part of the which part of the the suite or entire cloud protection bundle that, you're deploying. If it's the security posture element, That's, that's just an API integration. There's nothing you're really deploying.
You're you're configuring APIs and enabling us to have access to what you're, you know, governing there. It's the workload communication, that is, a new component that we call a cloud connector. And that is, something very similar to what customers already deploy when they run a VM or a piece of software from us in their environment. That's what the cloud connector is. That's the form factor.
And then the workload segmentation, that's actually a, piece of software that gets installed in the existing. It's not a VM or something on of the network. It's installed on the existing machine or container that's running the workload. And, technically speaking, it's a, it's a, it's a kernel security module. It's a, it's a software process that goes on to, where the workloads are already running.
So, hopefully, I touched on those in the 3 months. Yeah. That that's actually very specific and helpful. Thank you. And then just I'm just curious kinda how you think people will come at, like, different where will you like, if we hear success here in 6 months, where do you think we'll hear the initial success?
What type of workloads? What what scenarios, because it seems like everybody has a bit of success in this market, but nobody really has any share today.
That that's correct because the markets are young. Right? On install customer base. It's all looking for CSPM. Right?
That's number 1. Right? I think that second area, what we call workload communication. We are very unique in that area. I want my workloads video to talk to internet.
Any Zs got a customer say, I I know that's what ZIA gives me such a great security and DLV. Now I can take it to my workload. It's a new market for us or being able to talk among workloads. I haven't seen anyone do 0 trust based communication among the those things. They're seeing, like, what what do customers do?
My data center should be connected to my AWS, my data center to Azure. My data center is They're actually extending the networks over. We have seen situations where something got actually, hacked in a public cloud because of bad configurations. And the the malicious, actor could actually traverse over to the data center because of the networks are connected with each So we bring a unique benefit, in that deployment. So we expect our workload communication to actually have very good traction.
And the third area I said before, it is really nascent. And customers are figuring on, and it's not easy. Microsegmentation in that level, and that market will probably take the longest time. But the the first two, we're feeling very good based on the traction we see.
Okay. Great. Thank you.
Okay. Thank you. Our next question will come from sterling Audi at JP Morgan. Sterling, please go ahead.
Yeah. Thanks, guys. So, actually, that was a great segue thing. So thanks, Walter. So I wanted to know what was deployed on the client side, but now let's go to the other side and understand where you actually delivering the solution from in terms of Zscaler.
Is this running out of your public cloud footprint or your private cloud? And is the entire, you know, ZCP available globally or how are you thinking about rolling it out region by region?
Yeah. So the 3 components of VCP, cloud security posture management. It's a SaaS service. It's available today. As, you know, we, mentioned earlier, all you need is to authorize us to scan your AWS tenant and the Azure tenant.
It discovers it tells you all the misconfiguration. So available globally, nothing is not no no nothing needs to be deployed on the customer's VPC, for example. Right? The cloud connector piece, which is connecting workloads to the internet or, you know, workload to workload across data center or a cross between 2 clouds. That does require a VM.
That VM is 100% managed or orchestrated by the Zscaler cloud. The VM runs in your AWS VPC or your Azure VPC dramatically simplifies your VPC design. You don't need to have complex gateways, transit, VPCs, and all that other stuff that, traditionally goes into designing these. And, it is like, other virtual components that customers deploy from Zscaler. Right?
When they deploy ZIA, they might deploy a log streaming service. Might deploy a, virtual zen, which is our private, service edge, which is extending on to their particular, section. Right? So, again, that's available globally. And,
hey, Amit, if I make one comment to that, let you before you move on to the next topic. Right. It's like a traffic cop. There's not a whole lot to it.
Right.
The the difference is when you deploy firewall, you're talking with the policies in that off. This is a traffic cop that's really directed the traffic where where it needs to go. Hence, it's it's a much simpler deployment and ongoing operational
it's a think of it as, you know, today, users deploy as you see a client connector on their laptop. It's a lightweight traffic forwarding agent. This is a instead of a client that it's a cloud connector, it is sitting in in your cloud where your workloads are and forwarding traffic. Either to other workings of the intern. Right?
So that's available. Again, Globally, nothing nothing needed except deploying this particular small agent on your VPC. The 3rd bit, for the workload segmentation, it's an ascent area. That does require this, you know, a little bit of a post type, type agent that is deployed on those workloads. And again, that's available.
That customer has to do it on there inside the workload. It's available, wherever customers want to try. Alright. Sounds good. Thank you.
Folks, I need to jump and host the CSO panel.
No worries. Yeah.
Thank you.
Thank you. Okay. So our next question will come from roger Boyd at UBS. Roger, go ahead with your question.
Can you hear me? Yes. Very good. Thanks. On on for Fatima this afternoon, I guess thinking about the with the addition of ZCP and CSPM finding a home there, does that change how you're thinking about I guess, the modular add on approach around ZIA in the past, then maybe if we'll see some new bundles around, more of the converged CASB Care Webb Gateway DLP that seems he rest 8 months?
I think it's too early for us to make the decision. We'd like to get some traction, see the degree of traction, then Eventually, over time, we create bundles. Right now, we are in gradually selling ZCP solutions being presented And based on the customer interest, you're selling it, but over time, you can expect us to bundle it in certain things.
Perfect. And then I guess going back to the the DevOps pipeline, given given the fact that you're focused on runtime and and not being sorted into the predeployment phase, How are you thinking about areas to maybe, partner integrate with, the tools that that is in, in, in the CICD pipeline?
So we're we're actually very complimentary or almost agnostic to what's being done in the in the development pipeline. So that's We we don't really just like, well, we're not a firewall. We're not we're we're saying it's a much better approach, but just like a firewall is non to that pipeline and is completely out of the picture. The same is true for what we're doing as well.
Okay. Thank you very much.
Okay. Thank you. Our next question would come from Walter Price at Allianz Walter. Please ask your question. Alright.
Thanks.
Don't know if you can hear me.
Yes. We can hear you.
So my question is, you know, we've we've In the cloud, the the most famous, breaches have been the Capital 1 AWS. And then recently, this FireEye breach yesterday, where people steal identity and then go into a workload that they shouldn't have access to either tangentially in the case of Capital 1 or in the case of FireEye, they they misrepresented themselves as a customer. How does your solution? And I think that's a really, probably a really common way that nation states attack, attack workloads that they wanna get. How do how does your solution, solve that problem?
See, at the highest level, if you think about most threats come because someone gets on your network. And can actually move left and right, discover other services. If they're not patched properly, get into The whole trust is 0 trust is a switchboard approach. You connect someone to a particular application or service Don't put them on the network. That's what we have been trying to do with users.
Now we're taking the same 0 trust approach to servers. I think as more and more companies do this, the notion of your own my network inside, outside, and if that starts disappearing, life will get much better. You know, what I say, there won't ever be any security act. Not really. I think security possible get much, much better.
The 0 trust approach. Our customers are swearing, swearing by. Okay.
Can you
find it?
I'm sorry.
We'll we'll take I'm sorry. Go ahead, Patrick.
Did you have anything to say?
I was just gonna add just Capital One breach is very well known and dissected, you know, there was multiple places where we could have helped in that. The the first place was it was a misconfigured service in AWS, and that is core to what CSPM is meant to help discover and remediate. And then obviously that was then used to, you know, do subsequent malicious activity and, and that's where Jay, the workload protection and, and being in line and the runtime protection is what helps them solve that if they're already in as well. So we kind of tackle it in the Capital 1 scenario in a couple different places.
Okay. Thank you, Patrick. We have time for one more question, and our last question will come from Michael Turits at KeyBanc Capital Markets. Michael, please ask your question. Michael, you will have to unmute.
That should do it. That's gotta be? Thanks.
I hear you.
Great. So, congratulations on this. It it does look like a a big expansion of the 10, as you said, in a real broadening of what what you're doing, from from a a really strong architecture and platform. My question is this. What what you've done to date has largely been a networking service.
You've you've protected users from applications and and workloads. But when you move into the cloud, whether you're doing posture management or, looking at the connections between quote workloads, those workloads are based on, you know, very, very distributed applications. So it requires a level of knowledge, understanding mapping of all those applications that that wasn't really necessary for the prior types of security that that that you delivered. So just so how have you built that expertise? And I know you've made acquisitions But in that sense, this is somewhat of a new area for you.
I'll start and, Patrick, you're gonna add the core technology we are leveraging is a 0 trust exchange. What we have built over the past several years with ZPA, for example, and there's some the same principles applied to ZIA as well. But with ZPA, especially a switchboard approach, a user comes to us. We validate who you are. We look in the policy.
We connect you to a particular application or service. But the switchboard is not just meant for users. It's meant to say a known entity to known entity and we connect you if the policy says yes. We we needed to know the identity of workloads. And in the case of micro segmentation type of stuff, Edu is network brought it to us.
In the case of others, Patrick, maybe you can expand that the second area because we're seeing easy traction, workload communication from our customers. Why do you think it's easy for us to take over the workload communication market. 3, 4 use cases we talk about workload to Internet, cloud to cloud, data center to cloud, independent of the network. That's that's a that's market is made for us. And we expand upon that a little bit.
Yeah. I would I would add to that saying that it's actually not as big of, as a leak as as I think was being characterized from the standpoint that if you look at our customer base, we have many, many customers already on our ZIA offering that is not they're not just sending us user traffic. They're taking their workloads that they've deployed in these environments, and they're actually forcing it via a network tunnel to go through our ZIA stack security stack so that we can help secure that already. So we're already in line to, you know, workload traffic already, even to the point that that's a that's a skew now that we've been charging customer for years for. And we also, on the ZPA side, a core fundamental component of ZPA is to defined named applications, which is workload environments.
And so in ZPA, we've already had to figure out how to discover applications that exist, IE workloads, map them, understand the context of, you know, how wide they are in scope because it's never just an IP address just a name of a, you know, a host. It's it's much wider and broader than that. So we had to build application segments and, all the all the hierarchy around that as well. So it's it's it's not I'd I'd say it's not that big of a leap. We're already, in in this space already.
Great. Thanks a lot. And I think really congratulations on this broadening.
Thank you. Thank you.
Now I want to thank you all for your questions. If you have any questions remaining, please send those to irzscaler.com and we will respond promptly. We will also have today's presentation available for download on our IR website, very soon. We're excited about our additional opportunity to disrupt the data center just as we are doing for enterprise perimeter. We want to thank you for your interest in Zscaler.
This concludes our innovation briefing. Speak with you soon.