Okay, good morning, everybody. Welcome to day three of our Morgan Stanley TMT Conference. This morning I'm very delighted to have Jay Chaudhry, CEO, Chairman, and Founder of Zscaler. Jay, thank you so much for joining us.
Thank you, Hamza.
Before I begin the conversation, a brief programming note: for important disclosures, please see the Morgan Stanley Resource Disclosures website at www.morganstanley.com/resource-disclosures. With that, we'll kick it off. So Jay, you just reported earnings a week ago now. Obviously, a lot of demand for Zero Trust, SASE, modernizing security architectures for this new world that we live in. At the same time, we've heard some data points around there's still budget scrutiny out there, some talk of spending fatigue. I'm curious, what are you seeing today? What's the state of the union, and where do you think CISOs are?
So we aren't seeing any cybersecurity spending fatigue. In fact, if you ask me, the risk of cyber breaches is far higher today than it was six months ago or 12 months ago. Every CIO, every CISO I talk to, they are nervous about it. That means if you can solve the cyber problem, they're willing to spend money. Now, also all cyber is not created equal. The biggest worry is ransomware. You've heard about Change Healthcare this week. There's something last week. Every week things are happening. So while the market throws acronyms like SASE out there, more investors talk about SASE than customers do, by the way, okay? Because it's just the vendor stuff gets to investors. There's more dialogue with some of the terms between investors and vendors than actually with customers. Customers want to solve the cyber issue, the ransomware issue.
If you can solve that, and that's where Zero Trust comes in, and you can save money at the same time, you get the deal done. Great cyber, no cost savings makes it hard. Great cyber, good cost savings make it easy. Since we eliminate a number of point products, it becomes easier. I mean, look at various products. Will a firewall company replace firewalls to save money and sell SASE? Not really. They want to add more stuff on top of that while trying to preserve what they have. What does EDR replace? Symantec, McAfee, do they save money? Not really. Do you save money by buying identity? Active Directory is free. When we go in, essentially most of the DMZ goes away. We are able to save. So that's the combination of best cyber with Zero Trust and saving money is what helps us.
Got it. So natively you've built your solution as a platform that can consolidate multiple products and ultimately save costs across a variety of different categories. But on that front, there's been some debate around platform versus best of breed in cyber. You've been very thoughtful about the areas that you address, right? Ultimately it comes down to the architecture for Zscaler. But I'm curious, where do you think we are on that spectrum? Last couple of years it was consolidation, consolidation, everything. And now it seems like we're leaning a little bit back towards best of breed. So curious to hear your thoughts there.
So I don't believe we're moving back to best of breed point products, if I may say that. The debate has always been too many point products is not good. Best of breed, lots of point products doesn't help. But on the other extreme, there's no such thing as God's security cloud platform that does everything, okay? So our customers want a handful of best of breed platforms that work with each other, that connect with each other. Unfortunately, the word platform has been hijacked just like the word Zero Trust has been hijacked. Platform is supposed to be a common set of services on which you build application A, B, and C. It's not supposed to be a collection of acquisitions and label them under a bundle, okay? That platform is really nothing but ELA labeled as platform, which is becoming shelfware.
If you ask me, one of the feedback I'm getting from CIOs is we are tired of ELAs because they essentially become shelfware. A lot of stuff that's not very good, we don't end up implementing it. Our philosophy has been platform, almost like if I have to give you a good model, ServiceNow has built a good platform that works well together. How many vendors have tried to do a bunch of acquisitions? They never came together. It's supposed to be platform. So market wants best of breed platforms, probably in security. They'll probably bring it down to a handful of them. So you're bringing down 30, 40, 50 products down to a small set of vendors that work with each other.
Got it. Got it. And that makes a lot of sense. So you talked about cost savings when you deploy Zscaler, and there are a lot of different ways you can deploy it, ZIA, ZPA, ZDX. But can you just remind us again what some of the key cost savings are within security and networking as well?
Yeah, of course. I mean, savings are tremendous. In fact, quite often the question I get when we present the cost saving to customers is, where does the catch? Because they think, huh, it's too many. So where does the cost? Even today you'll be surprised that there's so much Blue Coat still sitting out there in large enterprises, okay? When I look at the top 10 deals or 20 deals I get for new logos, a large number of them are still Blue Coat. But that's the starting point for internet gateway. You start with Secure Web Gateway. Then you add DLP on top of that. You add sandboxing. We are the full outbound DMZ. That's why our deal size starts going up. And on the ZPA, ZIA says, I'll give you secure access to any app, any internet destination, or any SaaS application that you don't manage.
You simply use them. With ZPA, I give you access to any internal applications in anywhere, hybrid fashion, in data center, plants, and factories, Azure, AWS, wherever. It starts with replacing VPN. That's a small piece. But then it's essentially replaced the entire inbound DMZ, starting with load balancer to DDoS protection, a layer of firewall and the like. And then ZDX replaces a bunch of point products. So more and more of our customers today buy what we launched about, what, 12, 18 months ago. We call it Zscaler for Users. It has all three products packaged because that replaces a lot of stuff. Now, products replacement, there's a network cost saving, the local breakout. The next big savings we kind of discovered in the past few months is actually massive. This was a dialogue with the CIO a few months ago. He was talking to me.
He said, "I'm so proud of the fact that 60% of my applications have moved to the cloud and only 40% on the data center." I said, "Wonderful. That means only 40% of your traffic goes through the data center." He said, "Perhaps." I said, "That means you shouldn't have upgraded any router, any firewall, any load balancer, or any switches in your data center since the traffic is shrinking." He smiled. He said, "I wish that were true." Now, why wasn't that true? All these branches on SD-WAN still sending traffic back to the data center. Then they got expensive access route or direct connect to go to the cloud. Slow, expensive. And those upgrades of those routers, firewalls in the data center are not cheap. They are $ millions. Instead, with Zscaler, you go direct, saving network cost.
You're saving cost of all those routers and firewalls in the data center. That's what a number of our customers are driving. So this will impact the sales of firewalls and routers and switches in data centers. It should because there's less traffic. And also with what we announced as Zero Trust Branch, we are eliminating the need for any box in the branch. One single box providing you connectivity, no firewall, none of the other stuff needed. It simply has the whole thing and gives Zero Trust connectivity.
Got it. And just for context, I mean, I think investors, they prefer their Gartner IDC market map sometimes. So you started off with the secure web gateway, roughly $4 to 5 billion market based on some estimates out there. You've dominated that space. Now you're going really after the firewalls, which is still roughly $17 billion market. And then there's additional cost savings from networking MPLS, which is anywhere from $30 to 40 billion. So really.
VDI market we discovered a year or so ago. I never thought of VDI solution till a few customers came and said, Zscaler Private Access combined with browser isolation gives you essentially streaming pixels and doing everything VDI needs to do. So it's becoming a very important use case. I'm surprised how many large enterprises use VDI today. They're all either trying to move to the cloud. Even if they move to the cloud, they still go through Zscaler to access intranet. So it's a significant use case.
Yeah. And just digging in, when you talk about the firewalls, there's three aspects. There's the data center firewall, there's the branch, and then there's the edge firewall. So where exactly can Zscaler drive the cost savings?
Yeah. So if you think about branch, when Zscaler gets deployed, you really don't need a firewall in the branch. In the past, we didn't really offer a complete solution. In the branch, we said, here's a piece of software. You deploy on something. It works. We called it branch connector internally. The customer said, no, no, no. I want you to give me a complete solution. I want to hold you as a single vendor accountable for it. So that's why we launched our plug-and-play appliance. So it's my belief that it's a matter of time that Zscaler customers in the branches will have no firewalls. It's a matter of time. Then you talk about the edge. That's the east-west. Sorry. That's the north-south traffic. You don't need a firewall for north-south with Zscaler. ZIA, ZPA takes care of that stuff completely.
The data center is what we have kind of left alone for the east-west traffic. While you can deploy ZPAs to do so, there's a lot of little nuanced stuff in the data center. One CTO I talked to, Amit Sinha, he said, "I don't even know what's in my DMZ and what I'm doing in here. Don't worry about it. Let's focus on the cloud. My data center is shrinking. It's going to become less relevant." So we're focused on making sure the edge and the branch firewalls go away. Data center east-west, while there's solutions, we'd rather focus on doing east-west in the cloud than in the data center.
Makes sense. So the other thing that you battle sometimes, obviously it's a large opportunity and the architecture that Zscaler has laid out makes a lot of sense. And a lot of companies are replicating that. But sometimes you're battling inertia, right? And I think implementing Zero Trust architectures, sometimes you hear from CIOs and CISOs, can be difficult. And maybe that's just because there's a lot of FUD in the market. So what are you doing to battle that inertia and help customers really align more towards a Zero Trust framework?
Yeah. Zero Trust is the most confusing term out there. But it doesn't need to be. Zero Trust means don't trust your users or applications being on the network. What does on the network mean? On the network means, probably the best analogy to give you is the following. If I come to see you at your headquarters, they stop me at the reception, check my ID, give me a badge. And if they said, Jay, no escort needed. Just go to floor seven, room 23. I'm inside the building. I could go where I need to go. Whatever room is open, I go in, I snoop around, I leave. That's like being on the company network. Firewalls and VPN are saying, I'm the gate, like the receptionist. Once you're on, you're on. That's why you try to do segmentation. Let's put a wall here, wall here.
You can't go to this part of the building. You can't go to that part of the building. It's a nightmare. That's why you're not going to find any company that'll tell you I had done segmentation based on network in a very well-fashioned way. It just doesn't work. What's the better approach? If they check my ID, give me a badge, they'll say, Jay, stop. You'll be escorted to the meeting room and meeting room only. And you don't even need to know where the meeting room is. I get taken to the room. Once meeting's done, I get taken out. Think of the building like your data center or your cloud. Think of each room like an application. Zero Trust starts with connecting a user to a specific application. We are the policy engine, the switchboard to do that, an important piece of Zero Trust.
There are two other pieces for Zero Trust that are important. First piece is identity. It starts with who are you? When the receptionist checks your ID, that is your authentication. And the second piece is posture check of the device. Is the device good or bad? And that gets checked at the reception itself as well. Generally, EDR vendors will give you a posture check. Identity gives you identity. And we are the switchboard. Three basic things to get you started with Zero Trust, big benefit. Then the next phase where people get confused ends up being creating what you call user-to-app segmentation, which says salespeople can only access these 12 applications and nothing else, or finance people can access these.
That's the next phase. With Zscaler, it becomes a lot easier because you're not doing network segmentation. So while there's confusion, most of our Zscaler customers have already done phase I. And they have various stages of journey in doing phase II.
Got it. I could talk about architectures all day, but maybe we could talk a little bit about the sales execution. So it seems like this fiscal year might be a bit of a transition year for Zscaler. You had this long-term goal to reach $5 billion of ARR. You're a little north of $2 billion today. To get there, you're upleveling the sales organization. You brought in Mike Rich as your new CRO from ServiceNow, along with others. Talk to us a little bit about the reason for that sales leadership transition and how you factored in potential disruption from that.
So when you go to certain levels, you need to change what got us here, wouldn't get us there. Right after IPO, we upleveled a lot of things in go-to-market at that time. Put proper sales enablements, some of the cadence in place, got us to over $2 billion. To go from $2 to 6 to 8 billion, wherever, we felt we needed to make some next-level refinements. Now, what we're doing is not new. But 6.5 to 7 years ago, I reached out to David Schneider, who was the president and go-to-market leader for ServiceNow. I said, you're the best role model for us. You sell to large enterprises. We sell to large enterprises. You sell a platform. We sell a platform. We have to sell to CXOs. You sell to CXOs. Help us, guide us. So he became an advisor and mentor to me and Zscaler.
And a couple of years later, he joined our board. So a lot of stuff we have been putting in place, you have been hearing about CXO level engagement, large accounts and all, have been essentially being added to the process we have been doing. But now to bring somebody who actually drove it there obviously helps us a lot. And some of the changes we are making, and these are not kind of dramatic changes, we have been some of my large account salespeople have already been selling what we call account-centric sales. You got this account. You work with the accounts. They're, how do I help you? How do you grow you? As opposed to opportunity-centric sales. When you are a young company, you don't have that many accounts. You don't have that many customers. So you look for this deal here, this deal here, this deal here.
You go from deal to deal, which is what you need early on. But at our stage, with 40%+ of Fortune 500 companies, with so many customers who are doing over $10 million ARR with us, so many customers doing $5 million and about 500 customers doing $1 million, every customer in the $1 million needs to get to $5 million. And $10 million, we can go there. We're doing it. We just want to do it rather than 20%, 30% people doing it in a great fashion. I want 95% people to do it. So Mike, having done it, when you do the second time, you do it even better. So it's a refinement of the process. It's not mass scale changes. You'll see more focus on larger accounts. You'll see more focus on working with system integrators. You'll see more refined engagement at CXO level. You'll see more expansion towards the vertical level side.
Got it. And so just to clarify, it's not going to be the sales restructuring similar to what we saw back in 2019 when Dali had come on board?
That's correct. There's no restructuring on the sales side.
OK. Sounds good. On that front, I wanted to ask about the focus on maybe depth versus breadth. Today, I think Zscaler has a little less than 10,000 customers still. ServiceNow obviously has scaled to a big business, $10 billion ACV with tens of thousands of customers too.
Actually, my last number was they got about 8,000 customers. We actually have only about 8,000 customers. We're the same number, actually.
Oh, OK.
They're just about 4 or 5x with the same customer base.
Yeah. No, it's remarkable. And again, there's very few companies that have been able to do that. But I just think SASE obviously is still very under-penetrated, very big market. So what was the reasoning behind going after doubling down those large enterprise accounts versus focusing more on breadth?
Yeah. So first of all, large customers understand depth and breadth of functionality. Large customers understand cyber. The lower end doesn't fully appreciate. They don't have resources to appreciate it. So when we go and engage with large customers, literally, there's no competition. When firewall guys or CASB guys come and say, I do that too, customers kind of take a look and exclude them pretty quickly. So we benefit from our customers who actually large enterprises, they understand the difference. That's number one. Number two, we have seen many, many customers who started with say $100,000 and went to $1 to 5 to 10 million. We had done it many, many times. I think it's a wonderful, great opportunity to be able to do that. That's two. The lower end of the market is probably hard to differentiate because they don't understand the difference.
Sometimes the low end, quite often I see customers say, oh, I bought SASE from Cisco. It got bundled in my network. So I would rather play where a big opportunity is. We think the opportunity in the enterprise, large enterprise SASE, is massive.
Got it. And then it might be a bit of a CFO question, but the metrics that you disclose, how do we, as investors, measure the success of this effort with large enterprises? Are we going to look at million-dollar ACV deals, net retention rates? What are some of the metrics we should be looking at?
So number 1 metric is new ACV we're adding because it's ARR, is accumulation of what you have, what you add. So ARR or new ACV every year, which is the best reflection done in terms of billings because they're normalized things. That's our number one measurement. Now, when you start looking underneath, yes, we start looking at how many customers are crossing $1 million ARR with us, how many crossing $5 million, how many crossing $10 million.
Got it. Got it.
And of course, churn. Minimum churn is always important for us. We are proud of having very little churn. And we think we'll keep on doing it the same.
Great. Great. I want to shift gears on the federal side. So that's been a big focus for Zscaler. You've gotten FedRAMP certified across a variety of your products. Just curious how the Fed pipeline has been looking like with the Zero Trust initiatives in place.
Fed pipeline is very strong. Since the Biden administration actually pushed for zero trust architecture, things took momentum. And why did they do that? This was after SolarWinds happened, after Colonial Pipeline happened. They stepped up. There's this agency, CISA, that's in place to really help kind of advocate this thing out there. So pipeline is very strong. We have 12 of the 15 cabinet-level agencies. All these agencies in government, they have started small, unlike enterprises, which kind of went in for all users. But we're seeing them adding more and more users. I talked about an agency during my prepared remarks. They doubled their ARR by adding more users. So went from over $2.5 to 5 million ARR. And still, only 15% of the users are covered. That means 85% upside is available.
There's a big opportunity for the federal market for us. This is the civilian side. There's a defense DoD side. Today, a very small part of our business comes from defense. In fact, the defense opportunity is even much bigger. We have actively engaged with all branches of DoD.
Got it. Got it. One more question from me, and then I'll open up to the audience for questions as well. I wanted to ask about the competition question in a different way. There's different vendors that are coming at this market in different ways. Zscaler is coming at it really from the security side. There's certain vendors that are coming at it from more the network optimization, SD-WAN side of things. I'm curious, with the focus on single vendor SASE, which really is combining the security and the SD-WAN or the network optimization side together, one, is that something that you're seeing that customers want that conversions, at least at the large end? And two, for Zscaler, is it easier to, let's say, now have an SD-WAN solution or something similar to SD-WAN versus an SD-WAN vendor going more into security? Is that the harder part of the equation?
Yeah. I think it's a weird thing when Gartner came with single vendor SASE. OK. If you really think, well, what did they say? This Secured Service Edge and this network that sends traffic to the cloud. SD-WAN really wasn't designed for that. SD-WAN was designed to connect your branches to the data center over the internet. So it is about a WAN solving a wide area networking problem. We are not about solving a wide area networking problem. We are about eliminating the need for a wide area network. It's the network that's the biggest culprit to really propagate ransomware and all the lateral movement. So the reason I have pushed back on SD-WAN. SD-WAN says a single infected machine in your branch office can traverse the whole network and infect things out there just like what happens in ransomware cases.
So we did not want to be part of a solution that propagates lateral threat movement. So what did we launch? Zero Trust SD-WAN. Your branch office becomes simply like Starbucks or internet café. It's not on your network. There's no route table management, route table propagation. So we have always done innovative, disruptive solutions. Our customers love what we offered. There's big pent-up demand. I expect almost all Zscaler customers over time to embrace what we've built because that's what we're hearing. SD-WAN guys trying to move into the security space is a tall order. Networking is a very different core competency than security. Which vendor has done networking and security well together?
When customers want Zscaler branch box, they're not asking me to give them my WAN. They want to say, please figure out how does my traffic come seamlessly from our branches to your cloud. From there, the policy happens. So we're not solving. We're not trying to build another network. We're trying to eliminate it.
Got it. Any questions in the audience? OK. We'll give it a minute. I definitely have more. Maybe just a question on pricing. I think you've been very adamant around helping customers save costs, not charging for traffic, for example, and giving customers a predictable pricing model. Has that view evolved in any way as you're delivering more value to customers? Have you been able to maybe take more price?
So honestly, when I talk to a CIO, the CIO says, please give me predictable pricing. I'm tired of my hyperscaler bills going through the roof. So by and large, it's mostly user-based pricing. But our ARPU has gone up because we have been selling more and more products. Customers like that. Now, there are some pieces where we do charge based on traffic, some of the workload security because that traffic is not totally predictable. Workloads come and go and that type of stuff. So we will use traffic-based pricing as needed.
We are using some of the traffic-based components in my branch networking solution as well because there are some of these IoT/OT devices. The traffic is coming. They don't know exactly what to expect. Every IoT/OT device is not created equal. So where it makes sense, we are adding traffic-based pricing there. But most of the time, it is the user-based.
Got it. There's been some new competitors in the market who might say they charge half of what Zscaler does on a per seat basis, a third. When you sort of consider the whole TCO, if you will, around reducing costs of appliances and everything else, how does it look, Zscaler versus some of the new competitors out there?
We have seen for the last 3+ years, the newer trends come in and say, buy all of my firewalls for $20 million. I'll give you Zscaler parts for free. Or buy this. We've seen it over. If we were an incidental solution for recruiting or this and that, customer will do that. Customers tell me, Jay's Zscaler is the most mission-critical application. It's more important than Office 365 because you have a switchboard. Everything goes through you. Reliability, availability, security is fundamental to us. So they're willing to pay more price. It's almost like if you really have a hard problem, you don't want to go to the cheapest doctor. If you have a headache, you may want to find the cheapest painkiller. So the positioning, what we do, is fundamental. Availability, reliability is very important. We've done a good job.
The customers still keep on asking more and more. Tell you, if somebody had a five-minute impact on the service today, hell breaks loose. The impact is probably 3x more than the same thing we would have done three years ago. In three years, the impact will be much, much bigger. So the positioning we have is fundamental. Reliability, availability, cyber is fundamental. It's rare for us to see. I have had many cases where a customer came to me and said, hey, here's the issue. I'll tell you the real example. This was a few days ago, this week. This CIO reached out to me. He said, I've been using Zscaler well. This vendor has made an offer, and procurement is coming to me and say, can you squeeze Zscaler to get a little bit more savings? I mean, this is CIO. This is the third-time buyer.
Company one, company two, company three. He said, how can you help me? Told him, hey, you should be using this and this. And I could replace A and B. You can squeeze me for another 3% or 5%. What if I save you the equivalent of 30% or 40% by eliminating a lot of tech that's sitting out there? We're able to identify that, show that. That's how we are able to do a good job. So do we see vendors pushing for it? We do. Is there a little bit of procurement pressure? Some, but not most of the time because we have customers who actually really, really like the solution we have.
Got it. Got it. I wanted to talk about some of the new product initiatives as well. One, maybe around just generative AI. Zscaler processes 390 billion transactions daily. So you have a lot of data that you're working with. A big problem in cybersecurity has been DLP or proper data protection. Talk a little bit about how you're using the power of generative AI to improve that.
That's right. AI is as good as the data that's powering it, the data that's training it. Yes, ChatGPT can train on all this public data sitting out there. But to do what we need to do, it needs private data. So we're able to train our GenAI against all logs of all customers because it's trained on anonymized data. Then what we learn from that gets applied to each specific customer for data protection, data exfiltration, identification, or cyber threat detection. That's what makes it very powerful. So we have the most common case customer come and say, AI/ML, what's the loss of my data being sent out? Can you tell me if I'm compliant against that? We launched some of those services very early on last year to take care of that kind of stuff.
So AI/ML for my data protection and compliance so I'm not leaking data out is one of the big use cases out there. We have done Risk360. That's one of the most exciting applications for a CISO and CIO. Every vendor talks about, I'm blocking this, I'm blocking that. What does that mean to a CISO? It's a bunch of numbers. In the consumer part, you hear credit score of a person or a household. There isn't any meaningful credit scoring for risk for an organization out there. Why isn't it available? Because it needs data to quantify risk. The best quantification of risk can be done by all communication your employees and workloads have. We happen to have that data. So Risk360 is one of the very exciting applications that's built on top of our AI cloud.
Business Insights give you insights about the SaaS applications you're using, underusing, overusing, where you can save money. If you've got 400 locations, how many are hardly being used? How much? How often? Should you expand your facilities? Should you shrink? Those are important applications for CFO and HR leaders out there. So we are taking advantage of the stuff and building things that show value to our customers. Look at even the breach prediction is my personal new favorite project. I want to be able to predict a breach. How do you predict a breach? If you have all the telemetry underlying stuff, we can do that kind of stuff. So we think we are extremely well positioned to leverage AI/ML. And the other thing AI/ML is doing, especially GenAI, it's making it much, much easier to attack. Every attack starts by finding your attack surface.
What's your attack surface in the physical world? Your physical locations and branches. What's your attack surface in the cyber world? It's every IP address that's facing the internet. It's every firewall, every VPN, every application portal that's open to the internet. We hide all of that stuff behind us. That's part of a Zero Trust. When others talk about Zero Trust, they got these firewalls and VPNs facing the internet. And still, they claim to do Zero Trust. That's not Zero Trust. So we think when attack surface attacking becomes important, the need for cyber products like Zscaler will become bigger and bigger.
Got it. Just one last question on maybe how you're thinking about growth and profitability and hiring. Really impressive margin expansion over the last couple of years. Going forward, how do you think about maybe reinvesting some of that margin upside, some of those savings towards continually driving growth to that $5 billion ARR target versus giving more profitability?
Yeah. Remo set out some of the models years ago to say how we are going to look at our margins, net free cash flow kind of stuff. I think you've seen the numbers. We have done a good job there. But top-line growth remains our high priority. Since Remo and I, we manage business well. We don't spend on fancy buildings and mahogany desks out there. So we're able to deliver good bottom line. But as we are, we see a large market out there. We will keep on expanding. So don't expect the same kind of bottom line expansion. We want to give you good results there. But sales expansion, R&D expansion, a big, big opportunity for us. So they'll remain our number one priority.
I've seen you and Remo fly coach. So I can attest to your cost savings mindset. Well, Jay, thank you so much for your time this morning. We really appreciate it. And thank you to everyone for joining us.
Hamza . Thank you so much.
All right.
Great.