Good morning and good afternoon for those on webcast. My name is Bill Choi, and I'm the Head of Investor Relations at Zscaler. Thank you for your interest in Zscaler and really appreciate you taking the time to learn more about us at our first Analyst Day event held in conjunction with our Zscaler Zenith Live Cloud Summit. Here in Las Vegas, we just went through our vision, our technology platform that we've created and some of the new innovations that will be coming to the market shortly. For the benefit of those on webcast, we will be reviewing some of those.
So bear with us for those who are here and listen to this. But hopefully, we could go into it perhaps a little bit deeper in detail. Now, I am going to announce upfront that
3 of
the new products we talked about, CASB, Z B2B and ZDX will be in beta trials with select customers over the next several months. And these products will be made generally available for purchase starting in calendar Q2 of 2020. Importantly, we have not included contributions from these new products into our guidance for fiscal 2020, which ends in July 31. Now we provided all this guidance on our earnings call last week. As you can imagine, I just made a forward looking statement.
This presentation contains some of those additional forward looking statements. All forward looking statements in this presentation are based on information available to us as of the date hereof, and we do not assume any obligation to update the forward looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made. Now moving on to discussing our agenda for the day. We'll provide our view of the market landscape, discuss our technology differentiation and innovation, followed by a customer presentation. And then we'll take a short break and return to discuss our go to market and introduce you to our new CRO, Dali Rake, who unfortunately injured his back and is unable to join us in person today, but we will dial him in.
He will have a few comments and then we'll also be available for Q and A. Now some instructions for Q and A today. We will take 1 or 2 questions at the end of each section, But if you could hold your questions largely to the end when we have a dedicated time for that, around 2:30. And because we are webcasting, I'd ask you to wait until a mic is made out to you before asking that question. And now, I'd like to introduce our Chairman and CEO, Jay Chaudhry as well as Chief Strategy Officer, Doctor.
Manoj Appy.
I don't need it, just this. I'm not sure I want to get on the state. I'll just talk here.
Yes.
Good morning. Good morning. Good morning. Good morning. Good morning.
Well, after listening to the keynote, I'm not sure I need to say anymore. But I guess we got people remotely listening to the webcast. So what Manoj and I are going to do is give you a higher level view of market positioning and essentially the opportunity we see out there, okay. Some of it may be repetitive, because you've probably seen some of the slides being covered, but audience that's remote, probably it's new for them. So let me start off with a couple of slides to set the stage, then Manoj will dig deeper into the technology, and I'll come back and wrap it up this first section.
We talked about the fact that digital transformation is a business imperative. Everyone needs to do it to stay competitive or rather to survive. And this transformation is enabled by some key technologies, cloud being one of the big one that allows you the elasticity to really being able to really build, run, manage applications easily. A lot of data being collected from various sources can be handled by some of the machine learning type of technologies in the cloud. Mobility is extremely important for us to be able to work anywhere at any time.
And Internet is becoming the network that connects various customers, suppliers and partners and the like. So connecting securely these various stakeholders with each other is an important part of access to applications and services. And that's really the business we are in. We always focused from day 1 on fast and secure access. We added more on the reliable side of it as we are launching products like Zscaler Digital Exchange, sorry, experience.
So you can reliably access information no matter where it slips. So think of us as the policy engine that can connect any entity to any entity based on our business policy. So with that, Manoj, why don't you take us through deeper? Sure. So
we've seen this transformation happen over the last few years, right? I was Juniper Networks for 10 years before last 12 years of Seescaler. And in Juniper, we were building these big massive routers, firewalls and TLS networks because all of our users as an enterprise customer, all of your users were sitting in branches, factories, offices, and they all needed to access applications and data to do their regular work. And the key was, how do I provide fast secure access for employees to their applications. And the best way to do that was to create a leased line network that connected you straight to the data center.
And so the entire network, entire corporate network was built to make sure that you had fast quality of service based, reliable, secure connectivity between any branch to the data center because data center was the hub of everything. Now, as we all know, that things survive through the last 10 years. What has happened is everyone is using cloud. And as you start using cloud, but your corporate network is the same, everyone is on the wrong path towards the cloud, first coming to the data center and then fanning out. And there is no it just visually represents to you what the problem is right there.
You don't have to explain it. It's a huge choke point. You can call it 4 choke points you're a bigger company, but it's still choke points. And so the whole notion for Zscaler was how do we provide that all of the things that people were talking about, fast access, visibility, access controls, data loss prevention, sandboxing, DLP, all of these capabilities in this new world. And as we started thinking through what all, like I rattled off a few, it was much more than that.
It is an employee is sitting in San Francisco and wants to go to salesforce.com. He types in loginsalesforce.com. Where is his DNS coming from? Am I just going to rely on Comcast to give me DNS or do I go to Atlanta to get DNS to my HQ? If HQ gives me DNS, then I'm going to have to land on Akamai's front end in Atlanta.
So when you build
yep, we got to provide DNS and we have to
provide firewall and IPS and yep, we got to provide DNS and we have to provide firewall and IPS and sandboxing and SSL termination and proxy. And there's a lot of flack about proxy or not. None of your companies don't have a proxy. So and it's a big difference, right? When you're doing that stack, firewall provides network address translation and separates the external IP space from the internal IP space.
A proxy isolates the 2 networks. Firewall doesn't isolate, firewall passes through. So you need a firewall as an access control mechanism, but you need proxy as the isolation mechanism for networks. But as we started looking through it, that big stack needed to be figured out, not just on the outbound side, but also for connectivity to intranet applications where people had load balancers, inbound firewalls and Patrick did a fantastic demonstration of what an attack surface looks like. Every time you have a firewall, it's listening for incoming connections, which means you have an attack surface.
Right now, you are relying on other controls to stop people from getting to it. But the firewall basically is there to create a hole in your perfect world. And so that forces you to build denial of service, load balancers, segmentation, all of that. And these are problems that we were looking to solve. And one of the biggest challenges that we had as a company was what do we call this, right?
Because this is an undefined market space. It's not firewall as a service or proxy as a service or VPN as a service or DNS as a service. There's several companies that do all of that. What was needed in the market was one stack that provides everything and there was no definition of it. What has and so what we saw people doing was doing the obvious next step, right, saying, okay, so if you are not in data center and if I am in cloud, let's just take that stack and move it to cloud.
And awesome, now I am doing great. Now I am cloud based. But guess what, it's still not going to solve the problem because, okay, you went to 1 cloud, but what if I need to go from Google to Microsoft or to Salesforce or to Workday. You're still going to a choke point to go elsewhere.
But Manoj, you made situation worse. You extended your network over
to the cloud.
I mean, your network is now all over out in public cloud.
Exactly.
It's actually the opposite, maybe the other side of VPN. VPN stretches your network to thousands of places where your users are.
Exactly. And your attack surface internal becomes even larger because now you've incorporated a whole new asset into the attack surface that you had already created. So what is really cool and we are really excited about, and I'm a geek to core, so I don't take analyst reports lightly. I go dig deep. But 2 reports came from Gartner about defining 2 whole new markets.
One is called Secure Access Service Edge, actually, SASE, not network, sorry, Secure Access Service Edge. That is the market that Gartner is now defining as that consolidation of everything, right? When you are going into a mobile first, cloud first world, what is the product that you need to buy? How will you deliver security to your employees, to your partners, to your customers? They are defined that that work is going to be done with this new market called SASE.
It's skewed, s a s e. So Secure Access Service Edge, I highly recommend everyone. I just posted a blog about it on LinkedIn. So if you guys want to click on it, we've got Gartner the going really, really deep into what the architecture should be, what is the way that a service provider should provide that service. So let's say a vendor wants to be a SASE vendor, what are the key criteria that they must meet for it to qualify as a SASE?
And it is not looking at just saying, oh, MPLS replaced by a C WAN or 0 trust as the thing. It truly brings together all of it and says, when you have an enterprise to protect in this new world, this is the new architecture to use. And what is very interesting in that is that they make the point that compute power is at the edge. So you need to move all your compute power as close to the edge as possible. You can't be on every endpoint, but move it as far as possible, right?
That was the premise of Zscaler to begin with, that we said we need to have 150 data centers where we can process, not 12 regions where I bring traffic back, right, actually compute at the edge. The second thing is they are very strongly suggesting that you have to go to a very light branch. So the branch will be just a router and all your services, it's an SD WAN router as the branch and all your services that are security services will be a heavy cloud that is distributed at the edge. The third thing is don't ignore encrypted traffic. That is, the world is encrypted.
If you need in line network security, you have to be able to terminate a cell, which, by the way, only a proxy can do. So you have to have all of that capability. The main takeaway recommendation from Gartner is you have to look at every enterprise needs to look at reducing the complexity of the network to a SASE vendor, which is one vendor that provides secure web gateway, CASB DNS, 0 trust network access, which is ZPA and remote browser isolation in a single platform. This came out on August 30th, right? So we see this as a true definition of the market that we have been trying to go after, right?
It truly pulls everything together and provides you a view of where is the world going. So highly recommend taking a look at it. And so over time, what we have built is exactly that, right? That it's always on, all users, every location, easy to use service that imbibes all of those capabilities. Not all of them are completely done, like we just announced CASB out of time, for instance.
Half of it is here. Half of it is coming now. And remote browser isolation, we just announced today. So the platform wasn't all there and there's a few other things that they are asking us to build into it that kind of is why we are here. And so we are strongly we are really thrilled about that development in the market and we look at it as our guiding principle going forward.
So if you look at Zscaler, what we have built basically is this massive platform that has the ability to provide compute at the edge for doing full inspection of traffic, provide in line inspection, peer with everyone on the planet to be able to be the fastest path between any user any application. And on that, we are building all the products that we are talking about. So with that, let me give it back Jay to talk about the products and then provide a view of what we are building next with Amit and Patrick.
Good. So the offering, some of you who listened to the keynotes probably already saw it. But essentially, a couple of points to highlight here. The model of security and networking you've seen in the past 30 years is fundamentally being disrupted. There won't be the same market segments you see today or you've seen in the future, because some of this is going away, because things aren't being done the same way.
Obviously, some inspection technologies and all are still needed, but very differently. For example, when Gartner talks about 0 trust network access, he's talking about the fact that you don't trust a person by putting them on the network and say go wherever you need to go. So that's if done right, the way we're done with Zscaler Private Access, you saw Patrick talk about kind of anti DDoS, anti firewall, anti VPN. So what we're saying is that we aren't building VPN. We're building something that eliminates the need for VPN.
With ZPA, when you access those services, since we don't allow any outside in connection, so we eliminate the need to have a firewall sitting in front of your applications in the cloud or Azure or AWS, wherever the case may be. If we aren't allow any outside in connection, how are you going to DDoS someone? That's why we call it anti DDoS, because we are eliminating a need by offering this ZPA type of services. So that's why you think about. So that's why the mapping of 1 to 1 of older technologies to new technologies don't really make sense.
That's why when people like to say network security has this, I like to challenge them and say what network security? Your LAN obviously needs to be protected here, but the network we often talk about is the wide area network. That is the open Internet. So that's why we look at ourselves sitting in the middle as an intelligent switchboard or intelligent policy engine. So in our world, there are users or things and applications.
You need to get to certain applications or services. And we are sitting as a platform in the middle. There's no such thing as inside the network, outside the network, off net and on net in our world. You come, you talk to us, we look at the policy, authentication and connect or don't connect based on various rules. So you are so just to summarize, we have 2 you can take all applications and put them in 2 buckets.
External applications that you do not have to manage, you simply use them. This is Internet and this is SaaS. And internal that you build, manage or run within your own enterprise, this could be SAP running in your data center or in Azure or AWS. This may be a bunch of homegrown applications that every company has. And we start the business providing access to internet and SaaS, because that's where a lot of threats come from.
Internet is the Wild West. Even some of the storage services like Dropbox and Box become a wonderful tool to spread files that are infected around. So that's where we started out with Zscaler Internet access with simple goal, block the bad and protect the good from leaking out. And we do this not only for workforce, and the workforce means your employees and potentially your IT contractors and other consultants who are really working and accessing those applications from your premise. And things, things we're kind of calling it broadly, it's either IoT type of stuff, it could be devices, it could be servers and the like, who need to communicate to either SaaS applications or Internet.
So we end up being the checkpost to enforcing the policy. Most of our customers are in this area. That's the service we started day 1 with. Using then moving on, our customers started to say, hey, you're only doing part of it. You allow my employees to go to Internet and SaaS, but you don't allow me to go to my internal application sitting in my data center or public cloud.
Now the technology is very different to be able to do That's where a tool like firewall ends up being in or out, what is it? When you need to access applications fitting in SAP in a public cloud, the need is very different. Manoj showed you the diagram, you're starting with essentially global load balancers and the like. So when we built C. Scooter private access, yes, it's using a number of common set of services, but we had to build something very specific from anti DDoS to anti firewall to anti VPN and load balancing and the like, that firewall guys will never talk about.
So this is one of the fastest growing service for us. And Remo and Bill have talked about the growth and the numbers, they're part of the press release and the like. So this solved the second part. And then as digital transformation is becoming more and more important, Companies are creating a role called Chief Digital Officer, whose focus is not internal IT. CIO is typically focused on internal IT applications to be used by my employees, right.
And CDO's primary role is focusing on digital transformation, where you're collecting data, telemetry, all those things that the business needs to be more competitive. And that's where more and more B2 applications are being built so far before digital transformation. Every company has some level of B2B application portals, but they never got full focus and attention. Some companies where it's extremely critical to engage, they have pretty good presence. Customers like Sanmina, Zscaler customer, right?
For them, a lot of these manufacturing vendors who engage with them And because they're part of the supply chain, they had to build B2B very early on. In fact, that's when those are the kind of customers who told us, why don't you help me here? Because I am trying to build those applications, but I'm trying to really put them in my data center. Tomorrow, I need to build them in the cloud. How do you provide connectivity?
So based on that, we added one more circle at the bottom, our customers, your B2B customers being able to access applications, B2B applications that may be sitting in your data center or sitting in a public cloud. And there are certain technologies that are needed to make that thing happen. The browser based access was one thing, supporting multiple identities was another thing, doing supporting browser isolation for not just security, but for data exfiltration type of stuff or some of the key functionality that we need to support. That's the one we just announced today, okay, very excited about it. And then last, but very important Zscaler digital experience.
This is becoming a big issue for everyone, user experience. Where is my problem? What went wrong somewhere? Between your laptop sitting here and whatever service you're going on, whether you're going to access your e mail or you go to Salesforce or Workday or even a BBC News site, there are 10, 12, 15 hops you're going through. Where is the problem?
That's a new area, new problem to be solved. I'm sure there'll be lots of companies will try to enter the space, right. Anything gets hot, it's natural to have more entrants unless the barriers to entry are so high. We happen to be sitting in the optimal place to provide that service. We are sitting in the traffic path.
We know what's happening on this end, we know what's happening on that end. So Zscaler Digital Access can provide you pretty good, very good user experience. Troubleshooting, monitoring is obviously the first step. Where is the problem? Being able to diagnose, then fix and obviously, as you can expect, more and more learning can take us to auto fixing and the like.
So very excited about this scope and size of offering. I don't think anyone comes close to this type of thinking. People do things based on the background they come from, okay. They see things from those lenses. People who are coming from a given appliance background, they look at things differently.
And that's good for us because we are taking a totally different perspective than traditional security vendors. A lot of you have asked about customer benefits. You heard some of our customers today talk A number of them at SPAB actually quantified it. In fact, these numbers actually come from this book on cloud transformation that Richard Steenan wrote. Richard is a former Gartner security analyst.
That book is available. It's a very good book. If you really want to understand how CIOs, CISOs, CTOs are going through this journey. The book is essentially a collection of interviews without any special interpretation of it. So you can firsthand read and see what these guys are thinking without having to go through all the numbers, but the ROI is a no brainer, okay?
We covered some of these waves during our IPO roadshow last year, right. In fact, early on, when we started the company, the only driver at that time was Internet and web traffic as number 1 and limited number of SaaS applications like Salesforce were there, NetSuite were there. The more traffic that needs to go out to the Internet and SaaS, the bigger the need for a solution like ours because this means more traffic. And also the more business happens on the Internet, the more it attracts bad guys. You see all kind of stories out there.
I don't need to make a case that there are security issues out there. The challenge is how do you handle them. Office 365 became the biggest driver, even though it's one more SaaS application. It's probably 10x the traffic of all other SaaS applications combined. You saw sales force traffic sitting at 1%, Office 360 was sitting at about 25%, okay?
And they're hardly big applications. In fact, part of the challenge is a lot of other Internet traffic is pretty big, okay, because it's rich media traffic, you have to process, you have to handle it, you have to take it back, You can't just tell your employees, you can't go to this site or that site. So all that traffic is acting as a stage. People often ask me 365, are you end of it? Where are you in that journey?
In fact, there's a lot of opportunity. Office 365 is widely sold, not as widely fully deployed. It's because it requires network and security transformation. And that's where we come into help in that area. SD WAN, actually the one of the best catalysts that happened to us, the biggest one outside Office 365 is SD WAN.
Sometimes wonder every appliance vendor starting from Blue Coat 6 years ago will say, we got a cloud offering, we got a cloud offering. And but they won't really go and talk in the market because most of these appliance vendors want to talk cloud to the press and investors. And when they go to customers, they would rather sell boxes. So they keep the cloud in the back, sell boxes. And when the customer says, do you have a cloud offering?
And they say, of course, I do. If they start really making noise about cloud, then the market actually will move a lot faster and bigger. I think we'll benefit from that. Otherwise, we're the only one really talking to customers about it. Now in the SD WAN area, it's good to see a number of competitors.
The SD WAN awareness has gone out there significantly the past 18 months and we are natural partners for SD WAN providers. As you saw, Gartner will talk about it. SD WAN is wonderful because it's a cloud managed, call it, branch 2.0 box that integrates routing, switching, path selection, all those good things. And they can easily forward traffic to Zscaler. And then application access to Azure and AWS, it's a matter of time when most of the applications move to the public cloud.
And today, almost everyone who goes there, the traffic goes back to the data center choke point and then goes out to public cloud, because they can't afford to put security out there. There's no such thing as throw your virtual machine firewall out there. I believe it's a matter of time when the cloud won't really have any firewall. You're going to see some sales of virtual firewalls out there for the next 2, 3 years because people don't know any other way of doing it. Because the only way they know is put a firewall in front of it.
But in general, cloud is not really suitable for putting firewalls, where do you put those firewalls. And that's where I think the Zscaler, sorry, 0 Trust Network Access Technology will take off. We're seeing a number of small startups coming to space, which is a good thing because it creates competition and competition helps everyone, especially if you stay ahead of technology, which we know we can do very well. This partner ecosystem is important. I kind of talked often.
This slide hasn't changed since we started the company, okay. It expanded a little bit from external traffic to internal traffic and the like, but sitting in line and forcing policy is the important thing. I've been asked a few times, well, are you kind of the single point of failure? So, well, do you want 5 points of failure? All right.
And lots of finger pointing, okay. Sitting in line is very hard to really figuring out security, not slowing you down and all this stuff. So we this is our core competency, opening up. Why the market moved from proxy firewall to pass through firewalls? In '90s, proxies were too slow.
It's hard work. Internet traffic took off. The markets had held with security. A good enough security is good enough firewalls, I'll move on. But the market had to evolve.
Today, every aspect of business uses proxies, Akamai is the world and cloud filer is the world when they need to really control traffic and connect to the right parties, it's all proxy architecture. The pass through doesn't work. So you see these 5 or 6 areas, right? Identity is important in the clouds. So we integrate all identity providers and vendors.
Endpoint partnership, we today announced our partnership with CrowdStrike, okay, natural partner for us on the security side of it. On the endpoint management, Microsoft and AirWatch, VMware having good partners. Our goal is really, if we're not competing, we'd rather work with most of them. But some of them that the customer is asking for and they want to work with us, obviously, we end up doing tighter integration and tighter go to market programs with them. On the branch side of it, again SD WAN technology, great partnership opportunities for us.
Security operations, being able to feed logs in real time to all these vendors from Splunk or some of the new offerings that are coming out from Microsoft, Google and other players. And CASB, auto ban CASB again, I think our solution our approach is not to really force one kind of solution. Like many of the Microsoft Office customers have Microsoft CASB. We integrate with them. But the customer also said, hey, many of them don't have it.
They would rather use an integrated offering from us. So we already had in line and now we added out of band CASB. So pretty complete portfolio overall. So now, as we went for our roadshow last year, we shared with you the TAM for ZIA, ZPA based on data coming from IDC, Gartner's of the world. And you know some of these new markets, I think it will be, it's kind of figuring out the TAMs is fairly hard.
But think of it, the number of people who need to access B2B applications is actually far bigger, many, many times bigger than number of employees in a given company, because all these companies need to work with each other. So the numbers will be pretty significant. And Zscaler digital experience, I mean, everyone needs something like that because user experience becomes the most important thing. We have lots of debates internally, how should we come with the size of the numbers. So we obviously talk go to experts, but some of these areas, there are no experts out there.
I mean, I was reading some where it said, when autos were invented, cars were invented. They tried to figure out the market demand for cars. And the only source they could go to are horse buggies, right. Thinking of how many horse buggies versus how many cars are needed, you just can't translate over. So we won't really venture to put any dollar up there right now.
Okay. But we'll let you figure out and imagine what it could be, right. Needless to say, we think there's a big opportunity for us in that area. So with that, Bill?
State your name and the firm you're with. We have 2 mics, 1 on the other side, 1 here. And the first one, I'll give to Alex Henderson here.
Thank you. Alex Henderson, Needham. Really two simple questions. Can you scale ZB2B relative to say ZPA? And how do you think about pricing it on a, say, a per user basis, but also what the penetration might look like relative to it?
And similarly, ditto for ZDX?
Right. So first part scaling Zscaler B2B or digital experience. I mean scaling is our core competency when you build something for the right scale. So we have no concerns about scaling the platform from that side of it.
Yes,
that's not what I was asking.
I was asking what do you
think the scale of the opportunity is versus ZPX, if you would size them?
I think it went to the question I tried to answer to say the opportunity we think is pretty big. At this stage, I'm not sure I can put any numbers around it. I think we'll be limited by the fact that HOP effectively we actually monetize and sell it. And the technology is very good. It's highly differentiated.
The pricing question, so Zscaler B2B, it's probably you don't really have a typical user count base because one company users may go at 10 times a day, other company twice a month. It will be volume based, traffic volume based pricing, okay. And we'll be learning from early customers. As we announced, we are working with a small subset of customers to learn and understand those things and then we go from there. Did I answer both the question So I'll leave it.
The first I couldn't, the second one I answered.
Hi, Jay. Jay, over on the side of the room. Keith Bachman from BMO. Good to see you. I actually had two questions.
The first is, where do you draw the line? And what I mean by that is you announced 2 new products, Z B2B and then ZDX. And if we take ZDX, it sounds like the value proposition is what other people do in APM or application performance management, right? And so that's not to say there is an opportunity, And then secondarily, within where do you draw the line as the beatings? And then secondarily, within where do you draw the line as the B2B, while you're partnering with some of the access management folks like Ping and Okta and those, it still sounds like the value proposition is similar in many ways and that you're trying to get limited access.
So that's the first question. It's it's
a good question. If you think about Zscaler digital experience, it's actually sitting in the traffic path, knowing exactly what's going on. So end to end, but experience can be 3 pieces. 1, what's happening on your laptop? It may have issues, it may be slow, it may have some memory, whatever.
2, the network part of it. Network starting from your PC, your local area network, Wi Fi, whatever, all the way to the door of the application. That's the network. Number 3 is application. Is application slow or fast?
So we can see the entire end to end. But we are not competing with any of the application monitoring tools such as New Relic's of the world, because they are actually inside the application figuring out if application is slow, why it's slow. We actually, since we know everything, we can tell you that SAP is slow, but we don't know why. We would rather partner with those application vendors through APIs so customers can figure out the holistic picture. We take you to the door of the application as a part of ZI and ZPA.
So we are in a natural place to troubleshoot exactly what's wrong along the entire network chain and the PC. So I see this totally complementary opportunity. And we can do it better than anybody else out there because we're sitting in the path. If you're not sitting in the path, if you were to do something like ours, they'll be doing something called synthetic transactions. Let me try to run a fake transaction, try to simulate going to sales force and see what it looks like.
We are actually dealing with real transaction. So that's one that's the ZDX part. The second question was B2B, right. So think about people get confused sometime. They say, Jay, you talk about policy engines sitting in the middle.
I go to identity guys who say, I'm the policy. So the simple explanation is the following. When I leave the country at the airport, they scan my passport and the call gets made by the computer to a database or passport. Is Jay allowed to travel? Is there any issues with this country and wherever?
So is Jay allowed to leave the country? Or where the maybe he can go to certain countries, that's a lookup of database. That's what identity does. But think of this way, identity is not setting the traffic path. If you don't have TSA to inspect in line, you can't do any of that stuff.
You must sit in line to say you can go, you can go. That's how we complement identity providers in that space. So obviously, if someone were to do that, they'll have to get in the middle of the traffic. And figuring out who can get what you can get is very hard. So people sometimes try to get selectively in the middle of a path.
All these CASB only vendors you talk about, they're all out of band or they can say, I'll give you CASB by getting the path of Salesforce and Salesforce only or Office 3 Cs only. But they to get in the traffic path of the entire company, it's a big undertaking. And that's why you aren't seeing very many entrants in that space.
Okay. Thank you. So we're going to move to our next section. I'll be introducing our CTO, Doctor. Amit Sinha and our CIO, Patrick Foxhoven.
Thanks, Jay. Thanks, Bill. Good afternoon. It is afternoon universally across the working world, so it is good afternoon. All right.
How many of you attended the Zenith Live keynotes? All right. Good. So okay, good. So I'm going to spend some time talking about how we think about the platform.
But more importantly, I'm going to spend the bulk of my time talking about
why
virtual security appliances running in 3rd party infrastructure does not equal to a cloud service. Jay already covered our overall platform strategy, right? We what we've built is across 150 data centers. These are compute destinations. We are a carrier neutral service, which means we peer equally with Microsoft, with Akamai, with various service providers.
When we say a Zscaler data center, that is a compute node, that isn't a front door, and you'll see what that means in a minute. And we've used that common platform infrastructure, everything from the control plane to the inline data processing plane to the storage and analytics plane universally across all these platforms that we've built. So when we launched Z B2B or ZDX, we were leveraging a lot of the core platform components that were already in place. So let's talk a little bit about ZIA and the evolution and innovations that have happened on that platform. That's our flagship product offering.
If you see from an access control perspective, everything from next gen firewall to URL filtering to DNS resolution to bandwidth control and traffic shaping have been in the product. On the data protection side, we had DLP, we had in line CASB. And last year, we launched Exact Data Match, the ability to go to a bank and say you have 1,000,000,000 records that you want to make sure never leaks. We can ingest that in a tokenized format and provide data loss prevention on your exact data. Similarly, on the threat prevention side, everything from DNS controls to inline SSL, we'll talk quite a bit about SSL, to sandboxing have been there for a while.
And we also introduced IPS, Cloud IPS Protection as part of the platform. And today, you heard us talk about out of band CASB, right? This is we've done the hard part, which is sitting in line doing SSL inspection, looking at content, giving you all the cloud application controls, the shadow IT reports. But now without a band, we have the ability to go to your sanction apps and via APIs, deliver the same consistent data loss prevention and malware protection without that traffic actually going through the Zscaler service. Patrick is going to talk a bit about browser isolation.
But again, the clean way to look at it is ZIA, ZPA, today, we allow you to access certain destinations. We can block it. We can caution. But with browser isolation, you have more control. I can say, if a user wants to access a suspicious site, I'll allow it, but it will be rendered in an isolated browser in the cloud.
Therefore, the probability of infection cycle is completely eliminated. There's nothing on the user's endpoint. Similarly, on the ZPA side, and Patrick is going to talk about that, maybe there is very sensitive information that you want users to access, and you don't want that information locally on the endpoint. Browser isolation can render it as an image, so you get additional security. We talked quite a bit about Zscaler Digital Experience.
I think there were some good questions. And I think as we have talked to all our customer advisory board members, the resonant theme that comes out is my workforce is out everywhere. They are connecting using the Internet and networks that I don't control. My applications are managed by 3rd parties. I'm powerless.
So give us more visibility and control to so that I can give proper user experience guarantees. And more importantly, even go back to my service providers if they are violating service level agreement. So I would if I'm using Microsoft Office 365 and I'm having SharePoint problems or Skype problems, I'd like to quantify that and then make sure that I'm getting the proper service levels from all of these cloud providers. I think the biggest differentiator for Zscaler in the ZDX space is the fact that, 1, we are already present on the endpoints of all big of all the users of a given organization, right? We're not sampling.
Many of the tools that someone mentioned, these are sampling based tools. These are geeky network tools. In the morning, I used the example of a professional SLR camera versus a phone that you carry, right? Every one of you has a phone. Every one of you can take a picture, right?
And phones are getting better and better. So what you want similarly in the world of digital headquarter facility. That user now goes home and has a completely different network, completely different user experience and you just weren't there, right? So we want to transform digital experience just like phones have transformed photography. Everyone has 1, right?
So the advantage that we had was we are already present. Zscaler app is already present on the endpoint. We are sitting in the middle. We have an unprecedented vantage point. We can see what's happening on the left side of the network.
We can see what's happening on the right side of the network. We can pull your device and see what the health is, everything from CPU, memory, Wi Fi, and we have access to front door of the applications. More importantly, the cloud effect comes in, right? We routinely see issues where a certain cloud service provider is having issues in a region, right? Maybe, as I showed in the morning, maybe Box is not working in Singapore.
Why, right? There are some peering problems going on there. And we can provide that insights to customers, letting them know that it's not just you, this whole area is having a problem. And this is kind of the problem statement that we shared at the keynote. Today, the networks are so disparate, you don't control all aspects of it.
A user can be in many different locations on many different devices. You could have problems with your Wi Fi. You could have problems with your WAN. You could have problems with 3rd party peers. Sometimes you could have a problem with Zscaler, right?
You could have problems with the actual service that the user is trying to access. And that problem only gets compounded as you introduce mobility into the mix. When you're talking of a true 5 gs scenario, you have 100,000 employees all on their 5 gs networks. How do you know what is going on? Where will you run your packet capture tools?
Where will you run your traceroute tools, right? You need to be in line to be able to say this user is having a performance problem right now because of this reason, right? And that is the advantage we have. The platform that we have built is already logging 70,000,000,000 transactions. When you can deal with that scale, adding some performance metrics is very easy, right?
And we are already there. So we are leveraging our position of strength. Most of the other network tools you'll see out there are what I would call a spectrum analyzer. I came from the Wi Fi world. Back in the day when when there was a Wi Fi problem, you rolled in these big geeky tools to see if there was RF interference.
Now if you have Wi Fi deployed in 1,000 locations, what are you going to do? Carry the spectrum analyzer everywhere? No, you have to start building intelligence into your infrastructure itself to be able to pinpoint those types of problems. All right. So with that, I'd like to hand over to Patrick to give you a quick highlights of some of the new stuff that has happened in ZPA and B2B.
Thanks, Amit.
So we launched ZPA a couple of years ago, and there was a lot that went into building the foundation of what ZPA does. This first line here, 0 Trust Network Access, is I think the term that's finally sticking. There's been some other terminology that has been applied to these kinds of concepts in the past. Software defined perimeters was the most recent previous term. Google has been talking about this BeyondCorp term for 5 plus years now.
I think ZTNA, this Gartner term, is going to finally stick. And what it is, and Jay illustrated this well in his opening talk, is it's not another VPN. It's we don't even like calling it a VPN replacement. It's anti VPN. It's an alternative to rethinking how users should access applications in the future, especially accentuated by the fact that these apps often are moving out to the AWS's and Azure's of the world.
It's rethinking firewalls. If you have a inside out connectivity model or ZPA is basically doing this inside out traffic brokering, there's nothing that's allowed inbound on either side. So why do you need a firewall anymore? Manoj talked about that in terms of what firewalls are really good at. And if there's nothing inbound being permitted, it's the tax surface like you would have seen in the keynote is dark, it's invisible, there's nothing there.
And so that's why ZPA can be very often thought of as anti firewall. It also in the same way, obsoletes the need for worrying about things like denial of service. Because again, if there's nothing inbound coming into the network, what there's nothing to DDoS. And so we see those kinds of stacks of technology go away. Also in the same light, network segmentation.
If you're very granular in ZPA policies, we design ZPA such that you could be the way I like to describe it is surgical like in your policies. You're permitting named users to named applications. If you do that right, you don't need to think about segmenting the network. Everyone has gone through the last 10 or 15 years of trying to think about doing mass segmentation, micro segmentation of networks, and almost no one has ever done it end to end because it's too burdensome, it's too challenging. ZPA is something you can actually overlay, it doesn't care what network it's running on, and you basically are creating secure overlay networks on top of what's already there.
And we've seen that be very accepted in our customer base, which actually a project that gets deployed and achieves what network segmentation is trying to achieve. Naturally, to support those kinds of services to do it well, we had to have this concept of if we're brokering connections inside out dynamically for every user to every application, we have to figure out the optimal place to do that brokering. So that's our global cloud footprint. We have 150 sites around the world. Our customers have their apps deployed in way more number of sites or regions than that.
And so we have to choose the optimal place for the two sides to meet. And so part of this EPA foundation was to be able to do load balancing and intelligent pass selection, which also brings in health monitoring. And by the way, every customer early on in ZPA that thought they had an understanding of how many internal apps they actually had in their network, they were all off by 10x or more. So we realized we had to build an app discovery capability to make that easy for them to migrate to a world where it's a 0 trust network access style. And then highlighted down below under access, these are 2 of our most recent additions to ZPA.
So the first one was browser access. When ZPA first launched, you had to have an app on your endpoint, which is good, but not ideal in scenarios, especially like when you start talking about Zscaler B2B, because a third party you may not be able to dictate to a third party install this app. They may not even want to do that for a variety of reasons. And so we launched this last year browser access in ZPA, so that allows a user to get to an application using the 0 trust style approach that ZPA brings just with a web browser. You don't have to have an endpoint.
And then last but not least, and we'll have a slide on this, the most recent addition to ZPA is this concept of doing Manoj introduced the concepts of Sassy, what Gartner is calling Secure Access Service Edge. Well, that's a public form of Sassy is what we do at the core, but we also are extending Sassy down to a private model, and that's what we're calling private service edge. And that concept is if you look at how ZPA works today, I'll build out this slide, you've got headquarters, data centers, you've got an enterprise network down and below. And when someone needs to talk through ZPA and do this 0 Trust approach, those are the inside out broker connections coming from both sides. By design, if a let's say, a user in HQ is talking to something in the data center, you have to do this inside out brokering and that has to go over the Internet to Zscaler.
That's good in some ways because that's what's giving you this new style of application access, but it's bad in terms of let's say that user is talking to the data center locally, Do you want all those connections to go out to the Internet or not? You probably don't in on premise local scenarios. And so what we're doing on ZPA is extending the our cloud in the form of a VM and allowing that traffic brokering to happen on premise. Now it's still the cloud doing the control plane and the logging and it's still a SaaS offering, but the actual traffic flows can be happen on premise without these traffic having to go in essence hairpin out to the Internet and back. We've seen that be as the next once we introduce browser access, the next most demanded feature was let me do traffic brokering locally.
And so we're calling that our ZPA Private Service Edge. And you'll see aligning with that name that terminology, our ZIA customers have been doing private now called service edge, but what we called before private ZENs or private or virtual ZENs that would run on prem to allow inspection to happen. We're doing the same thing now in ZPA. And then last but not least, B2B. So the foundation that I just highlighted on ZPA, inside out broker connectivity, browser based access, that is what B2B is.
And our if you didn't have a chance to see the keynote, the best illustration shows all of this in action is in there. So I'd suggest you go back and rewatch that if you'd like to see it in action. But B2B is all about the same thing that you're trying to do for rethinking users to applications, eliminating the attack surface, doing the 0 trust network access style connectivity approach, that is very relevant. I would argue sometimes it could be even more relevant when it is I'm a company and I'm giving a supplier access to my Extranet or my portal or what I showed on stage was a web development tool that we use internally that we have 3rd parties come in and collaborate with. It's core to how we develop our products.
Very sensitive applications that you're giving to 3rd parties. Think about what the attack surface is, if you can bring those behind a ZTNA style access. You obsolete the need for all the kinds of technologies that usually sit in front of those applications, and you're dramatically improving your security posture with B2B. And the pillars of B2B are similar to what I just showed with ZPA, but there's some new ones. So browser access is key because 3rd parties, you're not going to often be able to dictate install my app to access my business app.
But you also we also had to build in the ability to do multiple identities, which is a kind of a new concept, to do multiple identities, which is a kind of a new concept where it's not just a company or a tenant in a cloud that's consuming identity from their Azure AD or their Ping or Okta or whoever they have, we want customers to be able to federate identity to the 3rd parties because if I'm a company and I'm allowing another company into my network, I don't want to create accounts for that other company in my directory. It would be way better if you can just federate identity to them directly. And so we built the ability in ZPA to consume identity from it's not limited from however many third party suppliers, customers that they have will federate that identity. And then the other piece that we had to build as a part of B2B is browser isolation. So you really need to be careful about the data when you're especially in a B2B context, the data that reaches the endpoint because that's a it's a 3rd party, you're not necessarily responsible for securing that endpoint.
And so we browser isolation gives us the ability, and this was in the demo as well, to allow the access to occur, but restrain or restrict what data can actually leave. And we're doing that by just it looks like it's a web application, but it's actually just sending pixels to the device. There's nothing that's in the cache. The demo that you would have seen, there's if you try to copy and paste content, you can't because it's just pixels. You can't even download files and you can put policies around manipulating that.
And to Jay's earlier point, the only way you can do that style of control or security is to be in line to the traffic flows. No identity provider that's in line just during authorization and then out of line when they're going to the application, no identity provider is going to be able to do that. You have to be in line all the time, which is obviously core to what we do very well. So hopefully that gives you
a little bit of a
peek on B2B and ZPA. And with that, I'll hand it back to Amit.
Thanks, Patrick. All right. So, I thought it'd be useful to spend some time on core technology differentiation. There's a fair amount of FUD in the market, so I thought it's a good opportunity to of set the record straight. So I'm going to talk about what it takes to be a true cloud service security.
And we're going to have a discussion on 4 key tenants that we believe are absolutely critical when you're trying to deliver a security cloud service like Zscaler. So we're going to talk about what it means to be born and bred in the cloud. We're going to talk about a service edge architecture. What does that mean? And where are some of the differences between what you hear in the market versus reality.
I'm going to spend a lot of time on SSL inspection. If there's one thing I want all of you to go away with is without proper SSL inspection, you cannot do security today. And then finally, we'll wrap it up with 0 Trust Network Access. So let's start with being born in the cloud. What's common to Workday, to Salesforce, to even Dropbox and Zscaler?
All of these SaaS companies have built their own multi tenant cloud platforms. And why is that? How many of you have read that article that talks about how Dropbox migrated from AWS to their own cloud infrastructure, right? Good. I think the reasons are very, very simple and obvious.
1, it gives you strong economics, right? Our gross margins are 81%, because we've built a very, very efficient platform. We're using we're not using someone else's infrastructure. We're not using third party load balancers. We're not using storage from Oracle or some other vendor, right?
It's all based on a true multitenant platform that we've built. It gives you elastic scale, and we'll see that in action. And then obviously, user experience, right? If you're able to operate this at scale, your end users get a wonderful experience. So let's contrast that to single tenant architectures.
How many of you love to watch movies on Netflix or Amazon Prime these days? Good. How many of you still watch movies on your DVD player? One brave soul, maybe you invested quite a bit in your home theater system. It's kind of like investing in a data center, right?
You guys just stuck to it. You have to get value out of it for some time. But imagine if your DVD manufacturer came to you and said this you love this player, right? It plays awesome 1080p or 4 ks movies. I'm going to take this and shove it into AWS, and I'm going to start streaming movies.
Do you think that would be a worthwhile cloud service like Netflix? It won't. I mean, look at it from an operator perspective. I'll have to have thousands and thousands of these DVD players. I'd have Mechanical Turks loading all these discs.
If the same movie is being streamed on a Friday night to a 1000000 people, I don't know how to do it, right? Imagine the experience from an end user perspective. Today, when I get on a flight, I download some movies. I watch it on a plane. When I get home, I can start watching where I left off.
All of those are intrinsic services that Netflix has built, which would be impossible if you just had that mindset that I have these beautiful DVD players and I can shove it into AWS and Azure and start competing with a Netflix type service, right? So poor economics for the operator, scaling challenges for the operator, right, and very crappy user experience. So what are security vendors, your legacy single tenant firewall and proxy security vendors trying to do? Well, kind of that, it's a shot from a movie where they look at each other and say, hey, we got to take this firewall, we have this cloud, and we got to deliver a service, right, using only what we have in this room here, right? So I think fundamentally, it's very, very difficult to take single tenant offerings.
And any time you hear a security vendor tell you, we have an awesome proxy, have an awesome firewall, think about the Blu ray player and what Netflix and Amazon Prime are doing, okay? So let's take a look at the user experience a little more closely. What you're seeing here is a traffic pattern for a Fortune 100 company. And
then there was a worldwide spike
where you had 3x And then there was a worldwide spike where you had 3x the amount of traffic. We never saw this. Our customer didn't know about it. In a quarterly business review, this popped up. And then we started looking, and they said, wow, yes, that was when our CEO did his global YouTube webcast and we had to do nothing, right?
The cloud was elastic enough. It absorbed all of that. They never had to do any network configuration changes, right? Imagine if you came home and your kids said, let's watch a movie, and you said, hold on, I got up the bandwidth so that I can see that movie. That would suck, right?
But that's what most vendors push you to do. This is actually how you configure next gen firewalls in the cloud. You choose the amount of bandwidth. You provision compute capacity in accordance. And guess what happens when you have to change that bandwidth?
You get a pop up message which says a bandwidth change will require you to redeploy. Your service IP might change. Your IPsec VPN tunnel will get reconfigured and it might result in 10 to 15 minutes of downtime. By the way, that's for 1, virtual firewall. Imagine if you had 100 of these everywhere.
Imagine the headache that is required to manage it, right? At the end of the day, you either run a service or you don't, right? And then it's important to keep that in mind. All right. Let's talk about the second pillar, which is the service edge architecture.
This is where I think there's a lot of confusion. And I think it's very important for all of you to understand this very basic concept. So if you look at the Internet today and how our customers access services, they fall into 3 layers. First, you have your users and destinations, right, so your users and devices across locations. So this is your organization across many different countries, many different users trying to access services through many different devices.
And then you have compute destinations. Compute destinations are where your servers are actually giving you the processing capabilities, right? And if you look at infrastructure as a service, AWS, GCP, Azure, all of them, they make awesome compute destinations. They have very good infrastructure. But those infrastructures are primarily designed to run a destination application.
For example, it is great when you access Gmail over Google's network. So in order to make that happen, what folks do is they have a few concentrated compute destinations. For example, GCP has 20 regions, 20 compute destinations the world. Think of them as football field sized data centers where they have invested in economies of scale, and that's where all the compute resides. It kind of makes sense.
Why would I want to build football field sized data centers in 100 locations across the world? So they've concentrated that. And then they provide what they call front door services. So in Google's case, there are 6.7 front doors. Let's round that to 7 front doors for every compute destination that is available.
So 20 data centers that give you compute, about 140 front doors. A front door is kind of like a router. You come to the front door and then over Google's network, they ship you back to the compute destination, right? That is the same for Azure. That is the same for AWS.
That's how they have built out their core infrastructure. So let's take a look at this model and what happens when you try to access an application. Fundamentally, Zscaler or any security provider is providing an edge service, right? You're inspecting content in an attempt to not slow it down and provide security and you ship it out. Whatever comes goes out, right?
It's very symmetric. It's not destination as in it's not a server where you come and you get all your data there. It's an edge compute service. So when you try to access, let's say, when a Zscaler customer or any customer tries to access Office 365, in this case, through this architecture, they hit the nearest Zscaler data center. And this is very important.
All the 150 Zscaler data centers have full compute capabilities. We do not run front doors. Every Zscaler data center runs the same hardware, same software, is fully able to process everything locally. So you get local processing at that edge. We peer with Microsoft, with Akamai, with Google, with Apple, with all of these service providers because we have built these data centers where the bulk of the Internet is already pulsing through, right?
So you hit the nearest Zscaler data center. Your entire security stack and all processing happens there. A millisecond hop away is Microsoft's front door and boom, you are on Office 365, right? Now let's see what happens when you try to run a next gen firewall in a cloud, in an infrastructure and take a look at the path. So first, you can only run that virtual firewall in compute You cannot run it on the front door.
There isn't processing capability available there. So what's going to happen is you're going to hit the nearest Google front door, then Google is going to send all that traffic to the nearest compute region where you will run the virtual firewall. You'll hairpin back. You'll come back, enter Microsoft's front door, and then go back to the actual destination that you want it to, right? So this is the core problem when you try to run an edge service in a third party infrastructure, right?
You have to have compute Otherwise, DVD players and shoving it in the cloud and everything is awesome, right? Okay. So Gartner has released this paper, Secure Access Service Edge. Manoj talked about it, Jay mentioned it. It's a great paper.
I urge all of you to read it. By the way, this is by the same Gartner analysts that launched the CASB space and the firewall space. So they are all kind of understanding what it means to be an access edge. I'm going to read a couple of quotes verbatim from this paper. First, legacy inline network and enterprise firewall vendors lack the expertise to build distributed inline proxies at scale, risking higher costs and or poor performance for SASE adopters.
Next, SASE offerings that use only the Internet backbone capacity infrastructure as a service, but without local pops and edge capabilities, what we just talked about, risk latency, performance issues and resultant end user dissatisfaction. 3rd, legacy vendors don't have cloud native mindset. Hardware centric vendors and network security vendors will have difficulty adjusting to cloud native and cloud based services delivery, And it goes on and on. There's a lot of good material there. I want all of you to have a copy of this and read it for yourself.
Okay. See, the other myth is that Zscaler breaks Office 365. It's just bizarre and wrong on so many levels. Let me start off with a graph that we showed at the keynote. Office 365 is the number one application that Zscaler delivers for all our customers.
25% of all the bytes that we shipped through our platform is intended for Office 365. In fact, it has grown 5x since 2016. This is over and above the organic growth rate of our cloud, right? You can see YouTube used to be the number one application. Awesome Office 3 65 user experience without compromising any security.
And that's the reason you have Satya Nadella talking about how Zscaler and Microsoft deliver fast and direct access for Office 365 for some of our most demanding customers like GE and Siemens. Okay, so you talked about user experience for critical applications like Office 365. Let's talk about what it means for the administrator to configure. In the case of Zscaler, you could be an organization with 100,000 employees. To make Office 365 work, you have to click on that checkbox in the UI, and that's it.
Across all 150 data centers, all your users, everything is taken care of. This is how typically you manage Office 365 configuration on a next gen firewall. You install a Linux server. You download a 3rd party application like MIND MELD. You configure the miner to go to Office 3 65, get changing domains and IP addresses.
You configure your firewall to dynamically ingest these rules, enable SSL bypasses, and then you hope and pray, right? So, I mean, imagine you have 700 locations, 700 different firewalls. Today, this was a Skype IP. Tomorrow, this is a Yammer IP. You're just playing whack a mole, trying to make sure everything just works.
Many of our customers have talked about how that's been a hugely problematic experience. And we are an application proxy. We understand applications. Once we know this is Office 365, we have our APIs with Microsoft, and we can take care of all of that complexity for you very, very easily. Microsoft.
Yes. And by the way, that is all Microsoft recommended policies, right? Let's talk a bit about SSL inspection, very, very important. If you follow the news, Google has released this. These are well established facts.
Mozilla has similar facts. Well over 90% of all content on the Internet is SSL encrypted, right? What does that mean? That means that unless you are inspecting SSL, you are blind to most of the threats. So if you're not inspecting SSL, you cannot detect and block some of the most sophisticated threats.
In fact, majority of the threats that Zscaler sees today, the more serious ones, are all delivered inside encrypted connections. If you don't inspect SSL, you cannot do DLP, data loss prevention on the network. Someone attaches a file to their Gmail and sends it. All of that is being delivered using SSL encryption. If I'm not breaking the connection, looking at the e mail, extracting the attachment, converting that to a PDF file and then doing a pattern match on it, there is no way for me to know that this is a violation.
You have to inspect. Now here's the dirty secret. The only way to properly inspect SSL content is with a proxy architecture. You have to assemble different packets. You have to assemble the content and then you have to scan it.
Next gen firewalls are typically Layer 3, Layer 4 attempting to give you some app IDs. They are not inspecting content. They just aren't. That's a huge lie if someone says that a next gen firewall can inspect SSL content. And the important fact here is unless you're inspecting content, you cannot do proper data loss prevention.
You certainly cannot do effective security. So what's the burning question? How do next gen firewall vendors inspect SSL? Anyone wants to take a stab at it? They don't.
But if they say they do, what do they do? They bolt on a proxy, right? So they won't tell you that, but they want to they won't they'll bolt on a proxy. Well, what happens when you bolt on a proxy to a firewall that hasn't really
been designed for performance? Don't take my word for it. Go to the
next gen firewalls and check what happens when you run full SSL content scanning. By the way, that's a high end firewall. I won't name the firewall vendor, but you can take a guess at who it is. The HTTP, no SSL performance is around 8, 8.5 gigabits per second. The moment you enable SSL scan, it drops by a factor of 15x, right?
That is the performance hit you take to basically run, right? Now Zscaler has always been a proxy. We have we were never a firewall. For us, becoming a firewall was easy. It's very hard to be a proxy.
We've been an in line proxy. All our 150 data centers have SSL acceleration built in. We run on bare metal. Guess what, AWS, Azure or GCP do not provide as part of their infrastructure? SSL acceleration, you just get virtual machines that you can run server loads on, right?
So this is a huge problem. And this is where economics and other things come in as well when you start thinking about a service. So net net, there's rerouting overhead. You saw that, the service edge problem, right? You lose about 2x to 3x there.
You lose an order of magnitude when you try to do SSL processing. So we decided to do a simple test. And we chose a user in Texas because my friend Alex there is from Texas. And so we chose a neutral portion of the U. S, right in the center.
And we said, let's do a simple test, a 1 gigabyte file hosted on Microsoft OneDrive and with SSL scan enabled with the users in the center of the U. S, good networks, east and west. What's the performance? This is the Zscaler performance. We got about 2 64 megabits per second in the download with full SSL scanning.
The entire file downloaded in 22 seconds. What's a 1 gig file, anyone? It's a 1 hour Netflix movie, right? So, 22 seconds to download a 1 hour episode. What did the per The entire file took 7 20 seconds to download, 25x slower, right?
So not surprising, because SSL processing is hard. Number 2, when you're going rerouting and hairpinning in and out, you will incur all those latency challenges. Does that make sense? Okay. So this is a slide I stole from Alex.
Alex is here. Maybe I shouldn't have named Alex, but I'm sorry. So the at the end of the day, speeds, feeds, you block this, you didn't block this. That's you hear about it and your eyes gloss over. Finally, what matters is how effective is your overall security, right?
And I haven't seen a better way to quantify security at an overall organization level than this slide. So this is a Fortune 100 company. What you're seeing is the number of machines that were getting infected with the security technologies that were in place. And you can see on an average every month, 100 to 200 different machines were getting affected. And then the company deployed Zscaler.
They also enabled application whitelisting. And you can see that virtually all infections were completely eliminated. You heard Hyatt CECL, Ben, talk about the effectiveness of security with SSL scanning, with caution, with making sure that right policies are set. As an in line proxy, you break those connections, you make sure nothing bad is coming in. If something is infected, they can't communicate with their CNC host.
It is better security than sitting as a firewall and just inspecting session flows. And finally, 0 Trust, Patrick talked about it. I think it's important to reiterate that concept. And think of it from a firewall vendor's perspective and then think of it from a Zscaler perspective. So back in the day, you had your data centers, you had 1 data center, maybe 2 data centers, you put a lot of firewall in firewalls in it.
Your attack surface was well contained, right? You said, hey, these three locations, as long as I lock down these three locations, life is good. When your mobile users started popping up and they wanted access, so suddenly your attack surface started increasing. And your branches started popping out and you wanted local internet access, now you need firewalls there as well. And then as you start moving applications to the cloud with AWS and Azure, that attack surface is just becoming bigger and bigger.
Because if you're a firewall vendor and you have VPN, you only see a flat network and all of these individual appliances that need to be configured properly, right? And fundamentally, firewalls are strong, but managing and configuring them is what gets to you. If you look at it from Zscaler's perspective, you are truly running a dark network. There is no inbound important concepts. And I want you to think So these are all 4 important concepts and I want you to think about it as you analyze a Zscaler service with DVD players in the cloud.
Okay, thank you.
Thank you, Amit. Okay, so we'll take a few questions here. A lot of hands. I'll start here.
Fatima Boolani, UBS. Thanks for doing the session. A question for you regarding ZPA and ZB2B. So they're solving the same functional pain point. So I'm wondering if you can dive into a little bit more detail as to why Z B2B has been carved out as a separate SKU because in theory, nothing would stop me as a customer to deploy ZPA for a B2B use case.
So if you can flush that out a little bit, that would be really helpful. Yes.
I'll share my comments and Patrick can chime in as well. At the end of the day, there are fundamentally different buying centers and different customers that you're trying to address, right? If I'm an organization, I have my IT organization providing access to internal applications for my workforce, right? And then I have a whole partner ecosystem. There's there are new economic buyers like the Chief Digital Officer now, and their job is to transform the overall business.
So you have ZPA is more targeted towards the workforce. Z B2B is more targeted towards your partner ecosystem, right? And the economic buyers are different. The sales motions are different. From a technology perspective, very important for us to develop multiple identity provider support, right?
If you're just dealing with 1 organization, it can be Okta or Azure AD and you're good to go. If you are a bigger if you're dealing with a partner ecosystem, you could have 300 different partners with 300 different identity sources. So there are some fundamental technology differences, right? At the end of the day, they are 0 trust based, but different economic buyer, different sort of end users, one is a workforce, one is a partner ecosystem. And therefore, we feel it's prudent to look at it in 2 different buckets.
And just a quick follow-up on the browser isolation capabilities. I noticed that's only part of the Z B2B SKU. Is there an aspiration or a thought process to bake in some of the browser isolation capabilities in core ZPA?
So
I didn't see the browser isolation bubble.
It is there in both, right? So just to kind of summarize, if you look at ZIA, ZPA, ZIA is for Internet based destinations, ZPA is for private apps. The way we look at browser isolation is it serves both those use cases, right? In the Internet access case, maybe you want a more permissive policy where you want users to be able to go to, say, miscellaneous and unknown destinations, but without the risk for infection. So all of that content gets rendered in a safe isolated browser.
On the private access case, the use case could be for more sensitive documents. You might want to provide visibility, but not the ability to download and have a local copy. So we see browser isolation as helping both across the entire spectrum where you have things that you don't care about, but they are risky and things that you care about deeply and you want to protect.
So just to add to what Amit said in terms of B2B. This is Manoj for the webcast. So the reason it is a completely separate product from ZPA is because of the way it gets deployed to. Actually Sanmina is doing a probably overlapping talk right now about their deployment of B2B. It took them a total of 30 minutes from start to finish to deploy B2B because what did they do?
They changed their DNS name to point to Zscaler, they deployed a connector, they loaded a certificate and they were done. It's that's it. Traffic starts flowing and you have nothing to do. It's pointing to an identity provider of their customer. There's nothing to do.
It's a very different deployment model from what we do for ZPA for employees
for remote access, right. Technology is similar
but not quite the same. The other part for B2B also is having a portal, a landing portal. There's no such thing for ZPA, it's your own applications. But when you log in from for B2B applications, based on your entitlement, what you have subscribed to as services, when you log in, when you go through ZPA B2B, you are going to land on a user portal that shows you, hey, these are the applications that you're allowed to that when you click on, we'll call outbound and connect to you, right? The actual people who deploy it are actually building it into the application.
So it is built with the application. So as they orchestrate it out, the ZPA connector is orchestrated out and just connects up, right. So that is also very different from a form factor of how we do remote access or ZPA for 3rd parties. This is customer facing. And lastly, I think somebody asked the question about how we will price and go to market.
It's not user based. I can't. There's too many users. So it has to be based on how many applications, what is the volume, what type of application. It may be a IoT application just occasionally showing up.
It could be a massive continuous data stream application, in which case the amount lot of things that are very different about B2B and that's why it's a separate product. And Absolute has a or Isolation has a very key element there as well more from a WAF standpoint in this case.
Yes. And given my starting comment at the beginning of the Analyst Day, give us time to give you more information as these products become generally available. We'll give you more insight into that. I think we'll take one more and then go to the line.
Great. Thanks so much. Brad Zelnick with Credit Suisse. Thanks so much for a great day. Amit, in particular, thank you so much for helping to dispel a lot of the myths that are out there.
But I want to hit you with another one that I commonly hear from those that see the firewall as the center as the sun within their universe around which all the other planets orbit, which is that even if I take the performance hit of hairpinning through the front door of a destination cloud and even if I also turn on proxy capabilities in order to handle or decrypt SSL traffic to perform better security and everything else that perhaps there's still a benefit if I'm able to have a single vendor synchronized policy across a hybrid architecture in a state that I still have a lot of data centers perhaps and firewalls and what if I can marry this all together with 1 vendor maybe it does make sense to put my eggs in their basket and take that hit. What would you say to that?
So first, if you look at this whole hybrid model that you just described, where I have a virtual firewall appliance in GCP, AWS, and then I have a physical firewall appliance on premise. This notion that there's a magic single console that manages everything is not true, right? The logging that you get from that service is different from the logging that you get here. Some capabilities work here, but don't work there, right? And you've got to go back to that simple DVD example, right?
Can I stream a movie with a box from an infrastructure? Yes. But you'll quickly start losing many of the capabilities. For example, you're going to lose the ability to play a movie here and start off where you left off. Now if you look at that from a firewall vendor perspective, even basic things like logging, when I buy a Zscaler service, I buy it for X users and I get 6 months of standard logging.
I don't have to worry about storage and rightsizing my S3 buckets or any of those types of things. The fact is when you do these types of hybrid models, it's a shared it's kind of a shared ownership model. You're responsible for procuring the right amount of infrastructure in AWS and Azure. You are responsible for rightsizing your storage buckets. There is all these documents around, if I wanted to get X months of logs, what kind of storage do I have to buy?
So you are procuring all of these different components and trying to basically band aid them together into a service. At the end of the day, users want a simple service that just works, right? You pay a per user subscription. I don't want to manage a different infrastructure. Then you start getting into things like SLA.
You look at the SLA for that type of service, you read through the fine print and it turns out that the basic SLA is 99.9%. 4 nines or 5 nines, you're responsible for spinning up 4 nines or 5 nines, you're responsible for spinning up multiple redundant virtual firewall machines and then try to deal with that, right? So at the end of the day, you can hand wave your way. But if you're a DVD manufacturer, you will probably sell boxes. You will that is your center of gravity.
And then when someone says, but what about my mobile work case? Well, yes, we'll figure out. We'll give you something,
but that's not truly their core strength. And over
time, you have to believe that that's the predominant use case that dominates. Yes. Just to add to that, I think, that that's the predominant use case that dominates.
Sorry about that. Sorry. So to add to that, we hear about the single console use case all the time, but I have a different acquisition of a CSPM vendor, I have a different acquisition of endpoint vendor, I have a different acquisition. It's not really a single pane of glass ever when you acquire companies and try to put it together. The second point to make, actually to add to Amit's Netflix DVD example is you all remember Blockbuster also had started a cloud service, but it would stream only in standard definition.
If you wanted high def, you had to get DVDs. That is because you have to conserve your business model. So when you go to cloud, you get a different performance. When you go to box, you get a different performance. You need high performance.
Great. Let's get hybrid and put boxes in your data center because you need high performance. When did Netflix tell you that? Netflix screams 4 ks to your home from the cloud because they can. Blockbuster would have never done that.
It would be shooting themselves in the foot. So this notion of hybrid is a protectionist notion for a appliance vendor that needs to keep its old stuff running. If you can do it really well in the cloud, why would a customer ever say, no, no, no, give me an appliance to maintain in addition to taking on your SLAs. Just doesn't make sense for a customer. When you talk to a customer, customers never want hybrid.
They get forced into hybrid. They want one solution that fits everywhere. You just heard Mars in the previous conversation, 600 locations. He wants one consistent policy across the board, same speed, same outcomes, no matter how many acquisitions he does. You have to do it pure cloud.
So the last point on that is, we hear about east, west, north, south, or what about on prem stuff? Well, those rules have nothing to do with each other. When you are talking about a employee going out to applications in the cloud versus a server talking to another server, you never use the same firewall nor the same firewall rules. Even if it is physically on one firewall, you have a completely different zone policy that looks like a completely different firewall and that has nothing to do with A and B. So it's cute to say, oh, you got one console, but not the, the teams are not the same.
So they are completely isolated from each other in terms of configuring the policy. The policies are kept separately and the buying centers are different. So it doesn't really chide.
All right. Thank you. Next, we have a, pleased to present a customer of ours, Alex Phillips, the CIO of NOV. We'll also have some time Q and A at the end of his presentation. But after that, we'll take a short 10 minute break.
Okay.
All right. Can you hear me now? Okay, perfect. Well, thank you so much for this opportunity. Has anybody heard my story before?
Okay, a few of you. All right. So I'm going to summarize some of that. We'll talk about what's happened in the last year for us and what we're looking at going forward. So we began our security journey a long time ago and we had to do it with boxes, right, and lots of vendors And oil was a nice high price.
And so we picked best of breed for each area of protection that we needed. And so we had applications all over the world. We've got about 6 35 facilities in 60 6 countries and we've got about 27,000 users today. We used to be 65,000 users, actually employees about 41,000 users. And what was interesting is in 2014, there was this little thing that happened that greatly impacted us.
And the price of oil plummeted from 100 and something dollars a barrel down into the 30s. It was a horrible experience. I would have given plasma to survive, right? I mean, it is bad. And so when you're in the oilfield, you know that it's cyclical in nature.
Well, we had all these wonderful appliances and they were all getting old. They were 5, 6 years old. And anybody that's familiar with appliance vendors, you know that there's a life cycle to appliances. They last 5 or 6 years. And so our appliances were on their last legs.
We're going to have to replace them all. We also do a ton of acquisitions. We've done a lot of growth via acquisitions. I've been involved in about 250 to 300 acquisitions over my 22 year career. And we are like the Borg.
Resistance is futile, you will be assimilated. And so we're always merging people in. And with appliances, you learn the hard way that they're never the right size when you're doing acquisitions. And so you're cranking along with 100 meg box and all of a sudden you need a 2 50 meg box. What do you do?
You have to buy a new box. Well, now what do you do with the old box? And so we're running through this constant problem. Oil crashes, we've got to replace all of our boxes. We now have 10 gig boxes in multiple places around the world.
Due to security problems, we had consolidated everything down to about 12 to 15 egress points around the world because we needed visibility. What's interesting though is we couldn't afford redundancy. All those boxes are really, really expensive. So I had one box. If something went wrong with that box, I just had to bypass the box.
And so then the protection was no longer there. I couldn't afford SSL decryption. At the time that we began this journey in 2016, about 50% of our traffic was SSL encrypted. Today that number is 86%. And so back in 2016, we were only looking at 50% of our traffic for protection.
And so we knew that the world was changing. We knew that our applications were changing. We knew that we had no choice but to do something different to change our ways because our old ways were just too expensive. And so we began down the journey of trying to figure out what do we do next. And we had MPLS circuits everywhere and those are expensive and we knew that we needed to move more towards internet based circuits.
And so we began the journey with Zscaler. We were able to convert all of about 95% of our users in 30 days. And so that was a drastic change. And then we're able to get the remaining 5% in the next 60 days. And then we began the journey on turning SSL decryption on.
And that was probably one of the greatest eye opening events of my career. The amount of evil that is in SSL traffic is truly stunning. And when we started looking at, okay, what are we protecting, what are we finding, We found a lot of phishing. We found a lot of ransomware. And when we started diving into that trying to understand where is all this coming from, it turned out that it was our users' personal email.
And so most of us, I'm sure most of you check your personal email at work. Well, that puts your machine at jeopardy, if there's malicious content in your personal email. And so we were protecting our users from their personal e mail threats. And what's another interesting part is being in 66 countries, there's a lot of privacy concerns. There's work councils you have to deal with.
And with my old solutions, we were never able to get permission to decrypt SSL because we would have access to that data. When we did it with Zscaler, I don't have access to that data. I know because I asked and they wouldn't give it to me. And that's another interesting differentiator. I don't have so they're decrypting the SSL traffic, inspecting it, protecting my users and as a company I don't have access to that data, which is important for an employee.
It's important for me. I check my personal email at work and I don't want my company looking at my personal email. So I found that to be very, very valuable. So we're going along the journey. Things are working well.
We're actually blocking a lot of threats. And we started on the journey of Office 365 and moving a lot of applications to the Internet. And we started noticing that our users were struggling trying to figure out when do I turn the VPN on and when do I not need the VPN. And what's interesting about this is, we'll take an application that a lot of our users use and that's SharePoint. And we're in a hybrid SharePoint mode.
It takes a long time to migrate your on prem SharePoint environments up to the cloud. Well, while you're in this hybrid mode, you've got some up in the cloud, some of them are inside your data centers. If your users are inside your network, both work fine. They don't even notice it. But if they're outside your network and they go to SharePoint online and they're accessing everything's great, but as soon as they click a link that takes them to an internal SharePoint farm, it just fails.
And the users don't know why. And so then you tell these why you got to launch your VPN. And so we started understanding pretty quickly that only IT knew where the apps were, because some of them are being migrated and that wasn't even true. Sometimes we don't know. Is that on prem or if we already moved that?
And so we decided we needed to take the approach where it doesn't matter where the apps at, the user has access to it. And so we went down the Zscaler private access route. And so today, all of our users use that as their sole VPN to access anything inside of our company. We deprecated our old VPNs and those are no longer in use. Some other interesting things.
I recently discovered that my IT career has been to the detriment of performance for my users. So I've been in IT 22 years. And 22 years ago, every single facility that we had had a server. On that server were files that the users used in that facility. It was a print server.
It was their email server. It was their identity server. So everything they needed was at their local facility. Well, being in IT and we have to make things better, we decided that was too much administrative burden. We're going to move all these servers back to data centers.
You guys have heard this story before, right? Data center consolidation. It works really great for IT. It sucks for the users because now the users have to access all their data across slow links. So I did that made the world worse for my colleagues.
And then security problems hit. And so you've got to really get a grip on what's moving over your networks, what's happening on your users endpoints, right, what computers are using. And so you decide you need to hub and spoke everything instead of having a mesh network. Well, that makes the user experience worse. And then you decide, hey, now we need to really harden your machine and protect your machine and we're going to do application white listing, so we can stop files that you accidentally download from affecting your system.
Now certain apps that they need to use don't work. And so my entire career unfortunately has been about making the user experience worse. And I had an executive come to me and say, Alex, you realize that in 1995 with a dial up modem, my experience was better than it is today. And that was a slap in the face. And so I really started thinking about that.
I mean, I have a mission to deliver secure anytime information technology anywhere, anytime on any device, almost any device. We don't support BlackBerrys anymore. But it's one of those things that wakes you up. And we started down the Zscaler journey, we didn't think about it, but we were actually figuring out how we're going to do both, offer great security and great user convenience. And that process has led us down the road to where now we're thinking about, how do we look at user experience?
And there's a lots of tools out there. Most of them you install an agent on a server. You're looking at them from that point of view. Well, what's interesting is, when I think about my users, they already have an agent. It's their private access agent on their endpoint.
All their data goes through Zscaler in the cloud. Zscaler's data centers are the closest thing I have to my SaaS applications, to the destinations on the Internet. So who's going to be able to give me more insight than anyone else, Zscaler, on where the problems are? They have an agent on all my machines and they're at the furthest point closest to the destination. And so as we look forward, we look forward to looking at how do we explore that and how do we figure out how to improve the user experience.
So that's my shortened story. I have lots of slides I could bore you to death, but I'm sure there's questions.
Questions. Yes. So we'll take some questions for Alex. Okay. Mic's coming
your way.
Simple question.
Sure.
What can Zscaler be doing better?
So I have a big long list.
Top 3, top 5.
I think that they can do better in a couple of different ways that we've had to put workarounds in place. So we're big on security automation orchestration. And one of those areas that we struggled with in the past was around some of our dense countries where they're real close together like EU will get the wrong language when they go to a website. So how do we solve for that? Also some websites are not categorized and so you've got that miscellaneous categorization.
Zscaler makes sure that there's no threats on it, but it's just a miscellaneous category. And so I'd like to see that done a little better. Those are the top 2, but I do have a big long list. We shared that with engineering a few months ago. But we've been very, very pleased with how they've helped us transform how we think about things.
Can you also just talk a little bit about how your spend with Zscaler has trended from the beginning of the journey to where you are today in relative terms or whatever you're comfortable with and maybe even relative to your other spend on traditional network security? Thanks.
Yes. So on the original journey, what we found was that there was no CapEx, right? Moving to Zscaler eliminated $2,000,000 of CapEx spend for me, because I was going to have to replace all these old appliances. And OpEx, Zscaler displaced 3 vendors for me and Zscaler's cost OpEx was cheaper than the OpEx I was paying of those 3 vendors combined. So to me, it was a cost optimization move, which I had to do.
Adding ZPA, so the private access was not a cost savings move, but it was a security move and it was an employee experience move. And so that was an add. And we just recently re signed for another 3 years. So we just finished our 3 year commitment and we signed up for another 3 years.
Awesome. Hey, Alex, Saket Kalia at Barclays. Thanks for coming. I think to your point, I think some of us have heard from you before. And the last time we spoke, I think one of the things you were thinking about and you may have touched on this with the $2,000,000 CapEx, but maybe taking a closer look at your firewall footprint in your branch office, right, specifically getting rid of them, right?
I guess assuming that that's been done so far, what did you replace those with? Has it just been Zscaler? Was there any sort of other hardware to come into those branch offices? That's the first question. And then the second question is, ever since then, then, has your security posture changed?
Is there anything that you've learned from that or anything that you regret? Or do you wish you would have done it sooner? Does it all make sense?
It does. So my goal is every single facility has an Internet I want the stupidest box I can put at a facility to route the traffic to the cloud where it can be protected. In 3 years' time, I have not had to worry about patching. I have not had to worry about, oh, this appliance is the wrong size. I have not had to worry about, oh, my goodness, this firmware is blocking something or not working right.
Zscaler has done multiple upgrades and it's just worked seamlessly. When I look at my branches, we're on that journey to giving Internet to them. We're seeing about a 4x savings versus MPLS. We're going with cheap white box solution and we're putting an SD WAN piece of software on there. I would love to eliminate that.
At some point, I would love to just say, hey, Zscaler, here's all my traffic, route it where it needs to go.
Okay. So thanks for that. We'll take a 10 minute break and we'll be back.
And
so is DALL E online?
DALL E is online.
Okay. Yes, I'm on. Can you hear me, Jade?
Yes. Good, good, DALL E. Thank you.
For joining us again. We'll proceed with our next session. We're talking about our go to market. Jay Chaudhry, CEO and Chairman, will be presenting. We also have our new CRO, Dali Reich, on to also make some comments towards the end, and both of them will be available for some questions at the end.
Jay?
Excellent. Thank you, Bill. If you are driving transformation, your sales need to be different as well. So over the past years, early on when we tried to sell like a typical security product, we soon learned that it doesn't really work, right? So we adapted, we learned and we moved on to what we call top down strategic selling or transformation.
It became a visionary sale, okay. And I want to walk you through exactly what we do, how we do, and I'm very excited that DALI is joining us to take to the next level. A few slides on where we sell, how we sell. As I mentioned during my keynote that early on some of the large customer like GE and Nestle, they fell in love with Zscaler, bought it and we kind of said, wow, that's wonderful. And we started focusing on large enterprises.
So if you look at the 4 market segments we're showing on this slide, major is an important part of sales process as we evolved our sales teams, right? It used to be a field sales team first. Then we added some inside sales team. And then field sales team naturally gets more granular doing better segmentation. So we eventually have broken into 3 areas.
There are people who have major account managers, they deal with major accounts. These are some of the largest companies in the world. The next level, we have what we call large enterprises. And these companies are typically with over 10,000 employees. And then we have below, if you get to next level, about 3,000 to 10,000 and that's what we call enterprise, right, next level.
And then below 3,000 what we call general business is driven by inside sales. So if we are doing top down strategic selling, right, we really are identifying some of the key decision makers who can drive transformation. So it's a pretty high touch sale. On the top part, I'm showing it's more of a strategic sale. Now on the lower end, many times we do get what we call transactional sale, right.
Transactional will be typically a customer looking and saying, I am out of support from this proxy box or whatever the box maybe. And I like to move to the cloud. We never say no to taking a PO, right? Customers need it. That becomes a beachhead for us.
But on the other side, if a CIO is starting a project and says, I am embracing the cloud, I'm moving my application, Office 365 needs to be rolled out. Then it starts very differently. Then you have head of applications coming together, head of networking comes together and security gets in the loop to say, if you are doing network transformation, if you're doing local breakouts, I may need to make sure security is done right. So that's what we are indicating, the strategic sales. So the sale can start from either side, but most of the cases, these are strategic top down net sales.
And also, when you're doing something new and different, okay, you have to end up creating awareness and demand and the like. When the market becomes commoditized, then you end up selling more and more channel led. So early on, we end up doing a fair amount of heavy lifting and selling ourselves. So it's a pretty high touch sale. So a lot of business coming from the top, there's a significant opportunity to come down the triangle, right?
That's an opportunity for us. In fact, if you look at most SaaS companies, they start at the low end actually. And they got a lot of business because low end small businesses actually need SaaS. They have fewer resources. Now that's equally true for security as well.
But the difference is large companies actually need security their resources. So we started from top down. And one of the reason to do that was, in my view, companies that start at the low end generally struggle to go up high up, Okay. The products generally are designed for smaller companies. They can handle the richness of functionality that's needed.
It's easier to come down. So our product, if it can satisfy the needs of the Siemens and Shell and DHLs of the world, it can easily meet the needs of small companies. We just dumb down user interface. You don't have to worry about a small box and large box and the like, okay. And if you look at the channel I try to map up there, on the higher end, the transformation SP and SI kind of partners get involved.
We are driving the sale. As you start moving down, we're getting more and more help from SPSIs and we're jointly working on those. And when it comes to low end, it's really inside sales working with the bars. Now that's a broad directional thing. It's not that exactly every situation is like that.
There are some good boutique born in the cloud bars who actually are doing some good business in the cloud, because they don't have a lot of legacy box business to worry about. A number of you saw this slide. We're are very proud of the progress we are making on the higher end, 400 plus of the largest global 2,000 companies. And as I mentioned, it's across all verticals. We are a horizontal product offering.
It's true that some areas where they are more distributed, more spread out like manufacturing on the world embraced us earlier. On the financial services side, as you probably know, the banks have been slow in embracing the cloud. But somehow insurance companies have picked our cloud a lot faster. In fact, a lot of large insurance companies are Zscaler customers. A number of banks have become our customers as well and we are seeing more adoption coming from the large banks now.
And Office 365 is finally actually getting accepted in some of the largest banks and they're all planning to roll it out. They just needed to get full comfort and assurance for Microsoft. But data privacy, we think it's there. Banks are telling us and Microsoft is telling us, get ready for some of those large banks. But very pleased, and I think whether it's 3 of 3 or 5 or 5 or 7 of 11, all these companies, a separate probably exception of few because of timing and all, almost all Internet and SaaS bone traffic that goes through us.
And that's something we're very proud of. So large enterprises, why, right? A number of factors play into it. So first of all, we built a rich product with the functionality that
large enterprises need.
That's number 1. Number 2, is needed. That's number 1. Number 2, maybe founders bias, I come from enterprise sales background during my days at IBM and other companies. So I had natural affinity to go and talk to CIOs and CTO type of people in large banks.
But when you look at the functionality you need, the larger the company, the more security savvy they are, the bigger security teams, they need security, they actually analyze security, proper evaluations get done. And when you have rich functionality, you win. So when we are in a real situation, even though generally it's not even a bake off, but there's a lot of architectural discussions about this and that. I mean, the kind of proxy thing you just heard here, that's just a little tip of the iceberg. There are lots of people out there who don't understand the new way of doing it.
But large teams, good teams, we end up winning in that thing always. Bigger the company, bigger the network
and then you combine the network complexity
with cloud adoption, it actually further start accelerating. That's where things like Office 365 and other applications come in. Appliance overload, everyone really is worried about those and then they want to get MPLS cost, the more pain to bring it down. And data privacy, large companies are into data privacy, small companies and all. When you put all these factors together, all these large companies become better target for us than smaller companies, okay.
And that's why we have kind of focused on large companies and we have done very well there. This is a chart we just recently put together. I think probably most of you are seeing it for the first time. This was our analysis of top 25 largest Zscaler customers. And we looked at various modules to see what kind of adoption are we having based on various modules.
Rather than trying to we look I try to do it by bundles, but bundles are so course just 2 bundles. They don't really give the deeper insight this chart gives us. So the green basically saying what the initial purchase was by the customer. And call it reddish, whatever color you call it, is the upsell, right. Now most of the column you're seeing out here, we have done full breakout of Zscaler Internet access.
ZPA, right now, is shown only as one column. It's an early stage over time as we kind of do more modular stuff. We'll share more with you. But in the case of ZIA, as we said, essentially almost all cases when they buy something, it's for all users. ZPA starts the other way around.
In most cases, ZPA, they say, I want to solve this problem. But you can see pretty good penetration across all areas. First column, secure web gateway. That's essentially is the typical business that you would have competing with BlueCoats and WebSense of the world. And then you're looking at advanced threat protection with SSL inspection, application control to bandwidth control.
Bandwidth control is becoming very popular to make sure important applications get high priority to our cloud firewall, to sandboxing, to DLP. We put DLP in 2 columns, DLP and DLP, exact data match. We can charge a lot more money for exact data match because that's a heavy duty functionality. When customers want it, they need it. And then IoT server protection, we carved out that product probably about 12 to 18 months ago.
We start to see that there was so much traffic leaving the enterprise that was not user traffic. We found there's lots of IoT traffic, lots of traffic coming from servers. GE started using us early on when they would have the traffic moving from servers in the data center to server sitting in AWS and they wanted to go through some security check post They couldn't think of what. They said, oh, C Scalar is a proxy. Start logging and telling me what's going on.
Then they said, oh, logging is good, but I can do a policy. I can say these servers can only talk to those servers. So that's the kind of value we're adding. So that became a SKU by itself because it's a valuable thing. Our pricing is essentially value based.
And then guest Wi Fi security. Typically, every enterprise has guest Wi Fi. You go to the company, there's a guest Wi Fi sitting here being able to charge for that kind of stuff. So pleased with the penetration, right. Moving on, some of you have seen this chart.
So buckets, where from channel point of view that revenue is coming from, right? As seen in this chart, SISPs are essentially a little more than 50%, VARs about 45 some percent direct is fine. Most people get confused with it. They think that direct versus indirect. I would say, as a strategy, all business go through channel.
The reason you see direct is because some customers have traditionally insisted that they want to really give directly the order through us. So this you don't expect this number to grow. The key thing we are trying to work on is getting more and more leverage from the channel, okay. Even if that we do that all the work, we actually end up doing fulfillment through channel. So on one extreme, channel does fulfillment.
On the other extreme, channel does everything that PO shows up in the inbox. I will love to be in the 2nd place. We have a fair amount of work to do to get there today, especially the transformational new stuff. We are evangelizing, we are creating a visionary sale, we end up doing a fair more heavy lifting. But what we're seeing is, as the market is moving, our channel is actually doing more heavy lifting every year than they did before.
They used to be where we had to go and tell the customer now with SD WAN type of stuff happening, more and more RFPs are happening, where customers say I need to do WAN transformation and Zscaler gets listed, becomes part of it because without a proper security cloud, you can do your local breaker type of stuff. In the case of value added resellers, there's a range. There's some who are focused, who want to pivot from the old world and they're doing pretty well with us. That number is still small. While there are others like box vendors, they're hoping that the cloud will never happen.
So it's kind of a that's why you see probably limited business from VAR channel, but it's an important channel for us. So that's our overall channel strategy. This chart tries to show you how and where sales are different from Zscaler versus others. I mean, I've been part of 3 box companies. My first start up, Secure IT, and we sold tons of checkpoint firewalls, a bunch of other appliances.
Air Defense and Cipher Trust, the other 2 security startups I did is all the boxes. I use I would have 400 to 600 channel partners and teams really going and working with them. And most of the time, security sales are done to techies by VAR channel. Here's my really fast shining box, okay. We soon realized early on that, that technical team is not driving transformation.
Transformation is driven from the top. So that's where we start to put more and more focus on figuring out how to engage a CIO, CTO and CISO. So those are actually primary drivers. And along with them, the next level, they bring their architects along. They buy the Zscaler story, they love it and they say, I like it, but let me have my architects poke holes into it.
We end up typically doing 3 to 6 hour workshop and in large accounts, they end up being multiple workshops. So that's what we are talking about strategic and architectural sales. And the second part, in terms of channel, when network transformation happens, customers typically say, I would like to have my SP partner, service provider partner get engaged because they are managing the networks. So quite often, they get engaged with us. We have been working with SP providers for quite a while.
I mean, they used to be one of those things and say it's a little bit conflict, but they all have woken up to the fact that MPLS is going away. They would rather proactively managing it, otherwise someone else will come and do it for them. On the application migration side, where Zscaler private access plays, we are building strong relations with systems integrators. As you know, ZPA is a new product, relatively about a couple of years old. So our focus on SI started a couple of years ago.
It's building, it's growing and it's a very good fit for selling ZPA. And I already talked about the personas we deal with. And on rep side, right, typically, you have rep and SC. I think that's works in a mature market. In our market, a couple of roles, the architects are extremely important role, okay, because they end up driving the change, how does your network change, how does security change.
CTOs and CISOs are actually very helpful. You saw that Dan Shelton, in fact, he wanted to join and evangelize that type of stuff. He has been doing great job. Larry Bijini, who retired from GE years ago, and he wanted to kind of get back and evangelize thing he loves. And those type of things are good for us and we are investing in those resources.
So we think what we have developed here is a fairly differentiated go to market, which is very different than what typical security box vendors do. This is some of the examples of some of the SI's and S3 partners. If you looked at top 10 or even 15 service providers, everyone has done some amount of business with us or decent amount of business with us, some more than others, but they all are engaged. And that's partly because as we went early, we evangelized Zscaler and customer has asked and told ASP, I would like you to provide Zscaler for me. And with that, the opportunity grows.
On the SI side, here are some of the example partners. Folks like Avanade, you may not have seen it, but these guys are big system integrators for IBM. They're actually partly owned by Accenture, a little bit piece owned by Microsoft, a focus on Microsoft consulting Office 365 deployments. Since we are so closely engaged with Office 365, they are good partners. And you see a number of what we call i6, India's top 6S size and Deloitte for the world.
Good opportunity. This is kind of still early stage since we got moving in it in the recent couple of years, but good opportunity. So with that, I'm going to get Dali on stage. He wanted to be here. He couldn't get here.
But Dali is going to share with you some of his thoughts. As you know, he just joined us last week. He's actually officially was supposed to be on vacation. Lots happening. But he will give some of his thoughts and he and I both will take Q and A at the end.
Dolly?
Thanks, Joe. Can you hear me?
Yes, pretty clear.
Hi, everybody. I was looking forward to meeting everybody in person. But to Jay's point, I'm neither on vacation nor am I there. My over eagerness during interval training, I think, afforded me a pinched muscle in my back. So we'll get through it.
In the meantime, though, I thought what I would do is take this opportunity to introduce myself a little bit as far as my background. Then I thought I would share why I joined Zscaler. And then I also thought given I don't have any specifics or details to share yet on plans and strategy, I would at least throw you into some of the philosophies and principles that I believe in and that quite frankly I've executed against throughout my career. So just jumping into this briefly, heritage is Croatian. I grew up in Hamburg, Germany, came to the U.
S. At the age of 16 and to the surprise of my parents after my foreign exchange student here decided to stay and been here since. Lived out on the East Coast, West Coast in Chicago today with my family. And Chicago has always been a great middle point for travel, which I firmly believe in. I'm a fan of being in front of customers and work teams, and I'm going to continue practicing that.
Now why Zscaler? It's an interesting question because when I decided it was time to move on, I looked at some of the top companies in the Forbes Cloud 100 list and decided on Z for quite a few reasons that just stood out as very unique to me. Number 1, if you look at the leadership team, it is experienced, it has serially successful executives on it. And I think as everybody's noticed, they're quite humble, humble in their approach, yet not humble in their goals and aspirations to really drive a paradigm shift in the cloud. And that was very similar to what I experienced at AppDynamics and it was a tremendous journey and one which I was hoping to repeat and maybe take even greater heights.
The market, the teams talked about it. It's a huge TAM. It has huge adjacent TAMs. And it's a transformative and disruptive situation across every vertical. And quite frankly, that's unique to find, especially because the market is ready to be shaped.
And that's, I think, what a big goal is for Zscaler. The product, I've rarely come across a product of such quality at the enterprise level. And Jay spoke to it. Usually, everybody starts small. It tries to grow into big.
We solved the enterprise layer and the complexity first. And that means the rest is really going to be easier to go after, which also is very similar to what I experienced at AppDynamics. Now being customer driven and being really customer focused is a tagline a lot of companies use, but Zscaler practices it and that was also a point that was really appealing. And most importantly, all the great go to market elements that drive true quantifiable customer impact already in place. And that is a really great foundation to build off of.
So to Jay's point, I've not officially started, but I've had the chance to have a lot of great conversations with a few folks. So, I thought, I would share a few of my philosophies that we'll be exploring within the next few months as well. And most of these philosophies really have been shaped throughout my experience at Variant BMC and then most recently, the adventurous journey ahead at AppDynamics. Quite frankly, I almost feel like I'm experiencing deja vu a little bit, similar inflection points, similar market forces, similar competitive forces as to what we went through at AppDynamics about 2 years or so ago. So to start with, I'm a believer in a high velocity land and expand model as what Jay laid out earlier.
The only time you can really practice that is if you have great products. Otherwise, you're trying to back up the truck, sell as much as you can and get out of town. And that's just not the model here where we're partnering with customers and trying to really shape the direction of their business. In order to do that, we are really going to probably explore, as I have in the past, creating a closely knit lifecycle approach across the entire customer engagement. What that means is close linkage between lead creation, 1st contact throughout the sales process, deployment, customer success and then renew or expand.
When a close knit lifecycle is created, seamless process if you will, value realization for customer happens, maximum velocity and yield for our activity happens and stickiness of customers happens. And the entire organization is really working against the same playbook of metrics. Now when you start talking about multidimensional go to market models, as Jay alluded to earlier, that's even more important because you have other elements, outside elements that even though they're partnering and helping you, it's always your brand that's impacted. So having close partnership and that being part of the life cycle is going to be critical. I'm a firm believer that in order to maintain an increased velocity, you have to have a qualification framework that you religiously follow.
And that's been medic for me. It's a model that's been out there for quite some time. I've used it across 3 companies. And what a qualification model means that is executed across every step of the sales process is you minimize any wasted activities, you drive maximum relevance in customer meetings and most importantly, you dictate pace and direction of customer thinking and sales campaigns. So, another point that is really the main one in everything that I've done in the past is creating any metric based model around rep productivity.
And that to me is the stat number 1 because everything else flows off of it. That's time to productivity, size of productivity, productivity across geos, various cohorts and then quite frankly understanding all the ecosystem variables from channel SI, marketing, customer support, engineering, understanding the impact of all those variables to productivity and creating a model that automates that so that we're tracking relevant metrics. And when we talk about relevant metrics, it means introducing a little bit more science, so that we can help reps help the field across all activities understanding progression, conversions, influencing factors on size of deal, on time to deal. When we can automate that and understand it and understand it not just in a lagging way, meaning forecast and pipeline, but start looking at leading indicators, which are more activity based that we know have a probability for success at certain dimensions. When we start looking at leading indicators in an automated fashion, that's really when you start unlocking the power of productivity.
And we'll be exploring what that could potentially look like here. One of the other things, and Jay has alluded to it quite a bit, he speaks of transformational selling a lot. During times like this, when market dynamics are dictating that customers have to look for different ways to solve problems. You have to decide whether or not you're going to deploy a visionary sales approach that's not feature function focused, but rather focused on outcomes and where you can take a customer with uniquely differentiated features and functions. It sounds nuanced, but it's very different as to what conversations you're having, the partnerships you're shaping and how you're guiding CXOs during these turbulent times.
So a value based, outcome based sales model is what I think maximum velocity generator and is something that we're going to look to find to even more from where it is already today. One of the things that impressed me that Jay and team have built out is the strong team of former CXOs and strategic resources, practitioners available that we can leverage in campaigns, that we can leverage in painting a vision, painting a path for our customers to understand. Taking that and understanding how to scale it into business outcome models that every rep, every systems engineer can use is a massive unlock to the quality and level of conversations everybody across the org can have. So we're going to take a look at how to potentially build that out, same way as I've done it in the last few engagements that I've had across multiple companies. The other thing that this does also is there's so much FUD out there from competitors and it's going to continue due to the velocity we're having.
It's great to be the fastest kid on the block, but everybody's coming after you. When you have a value based, outcome based sales approach, it's kind of hard to argue with quantifiable results that you can take somebody to when your only focus is feature and function. And one other thing that I've been a religious believer in is not waiting for market to dictate velocity, but rather drive velocity to the market. What does that mean? I'm a fan of maniacal and continuous pipeline generation programs.
What that means is we are going to have steady days where we drive pipeline all we're doing. We're preparing for meetings with customers. We're reaching out to customers. What that also means is it has to be in a very focused way. It has to be in a way where we educate the channel as well to help us with that pipeline generation.
FSIs, service providers as well as Devars. That focused approach in my past has produced great results because you can act as a partner to companies versus just chasing deals. So you're building a business plan in how to help your customers become better. So, maniacal pipeline generation, focus on accounts that we cover, focus on enabling our partners to help us with that pipeline generation, enabling them are going to be key programs. So, two last elements that I just want to mention that kind of wrap around everything that I just mentioned.
2 key elements that have to be in play in order for everything that I just philosophically and conceptually mentioned to actually be maximized and realized are the following. Number 1 is we're going to continue to focus on recruiting only the best talent and with the highest expectations of that talent. The quest for excellence is going to be our mantra. And what that means is when we're recruiting people, we're going to focus on intelligence, coachability, character and experience and the first three really being the most important. The reason being the market is evolving so dynamically that we need to have people who enjoy being uncomfortable, enjoy learning, enjoy growing and enjoy becoming really the best version of themselves because we're going to give them a platform to do it by executing on the second element.
We're going to build a world class enablement team that's going to not just enable the sales teams, but also sales presales, sales leadership, the channels. And that means everybody will be in a consistent way, in a scalable way, pursuing value creation for our customers and in return getting maximum yield for our efforts. So I think we it's known we've hired a new Vice President for Enabler, Rick Hickard. So I'm going to be partnering very closely with him in building out these models and these frameworks, so we can take advantage of everything that I believe is in front of us. And the enablement portion is so critical because it actually accelerates people's ability to execute, eliminates waste, increases transparency and complete accountability across the team because everybody is educated and everybody understands what their charter is.
And quite frankly, when now it comes together beautifully as it did for us at AppDynamics, that's when you hit escape velocity. And my goal is to help hit escape velocity through the $1,000,000,000 mark in ARR. So, little snapshot. I hope it gave you some insights into what's floating around in my mind. I'm going to look to have this not just float around in my mind, but rather be built into a program within probably 30 to 60 days as I want to spend a lot of time in those 1st couple of months sitting down with people, sitting down with customers and analyzing data.
So Jay, that's kind of who I am, what I'm about and what I'm looking forward to.
Excellent. Carly, thank you. Bill?
Okay. So we'll take a couple of questions here before we move on to our final section.
Hamza Fodderwala from Morgan Stanley. So one of the key debates coming out of the most recent earnings was the longer sales cycles that you noted. And it seemed like it wasn't entirely clear whether that was macro or competitive related at all. So I know it's been, I think, maybe 1 or 2 weeks since, but can you share with us any additional insight or color you might have on that from a go to market standpoint?
Yes. First of all, I'll clarify what we said. We said towards the end of the quarter, we saw some deals taking longer than expected, which really means a number of deals we're working on, they closed, but probably more than normal we expect did not close, okay. So I kind of looked at we sorry, 1 or 2 kind of highlighted as being transparent. But that's a one data point.
As you say, 1 dot is a data point, 2 is a line and 3 is a trend. At this stage, it's a data point. We aren't seeing a trend yet. So, but just wanted to highlight, so.
Jay, if I may add to it as well. Yes. If you and again, this is why I said I had deja vu just having some of the conversations within Z. When you hit a certain scale and a certain velocity and you start adding more and more heads, it becomes critical to have a broad sales enablement model with templates and frameworks so that everybody can learn. And it's not just best practices over here and less best practices over there, but it has to be consciously built out.
And when that is built out consciously, then you will see consistent effort as opposed to some of the lag in how long it takes to close deals in certain regions. So to me, when I looked at the information, again, outside looking in, a robust sales enablement program, right? This is not a couple of people and a few trick dots. This is a legitimate program and an offering that is going to continue to evolve. That is what will help eliminate some of those challenges, and I've seen it before across multiple organizations.
Any other questions? Okay. Next, we'll go with the financial section with Remo Canessa, our CFO.
Great.
All right. Thank you, Jay. Thank you, Dolly. Appreciate you being on the call. So there's no change or update to our guidance that we gave.
The only comment is that our free cash flow will have a negative impact of about $15,000,000 to $20,000,000 for Synantic litigation expenses. We're moving our headquarters, so there'll be cost related to TIs for that as well as duplicate rent. So those expenses aren't picked up in our pro form a, but they'll be picked up in our cash flow. So we expect our cash flow to be 1% to 2% lower than or 1 to 2 points lower than our non GAAP operating margins. We've gone through this before, really strong and powerful financial model with Zscaler.
The comments I've made, I've never seen a model like this ever in my career, with the opportunity that we have. 50% growth, mostly subscription, 81% gross margin, which talks about the strength of our platform. You know, the multidimensional go to market, which you know, the multi dimensional go to market, which Jay just went through. Net retention rate, 118%, which is outstanding, especially when you consider that more and more customers are going straight to transformation. And also the infrastructure, And also the infrastructure, our cloud, you know, infrastructure that we have with the ability to increase our cloud and increase our capabilities is very unique with the type of traffic that we see, and again, at these types of margins.
From an operating expense structure, very leveraged operating expense structure. Over a third of our employees are in India. We have 2 locations, 1 in Chandigarh, and 1 in Bangalore. Our intention is to continue to build that capability in India. A third of our employees are here in San Jose and a third the rest of the world.
So very distributed type operating structure, very leveraged. If you compare us to other companies, the cost per employee, I'm sure it's one of the lowest, if not the lowest on the market. As Jay mentioned, the 2 pillars that we've had is ZIA and ZPA. With the Zscaler B2B, as well as the ZDX, the digital experience, you know, it's a big market opportunity. Even at $20,000,000,000 for ZIA and ZPA, very large market opportunity.
But when you add the other capabilities that we have, along with CASB, the market opportunity just starts getting really big. That was one of the beauties for me or one of the things that really took me when I talked to Jay for the first time, and I took a look at the platform that's been created, you know, coming both from a security and networking background, not a technical person, but with companies like NetScreen, which got sold to Juniper, and also Infoblox. I took a look at the platform which was created for tomorrow, that's what Zscaler built. When I take a look at legacy companies who've built appliances, it is awfully hard. So we've talked about retrofitting those appliances into a cloud.
And that's what these companies are trying to do. They have no choice. Zscaler clean slate 10 years ago, built the platform to go forward. And as you can see, we have additional capabilities that we put on that platform. As we go forward, you'll see additional capabilities.
The advantages of Zscaler also is that, our engineering organization, which is absolutely outstanding, the speed that they develop these type of applications, when you're doing it on a purpose built clean slate is a lot faster than what you can do as an appliance company trying to cobble things together and hope that they work. So, you know, going back, you know, related to how we sell, professional bundle, I'm going to go this in detail is, 1 X, 1 point 5 for business and 3x, I think most of you have seen this. The transformation bundle includes firewall, cloud sandbox, ZPA basically doubles that and the new product platform, we expect to significantly increase that. Secured transformation has gone from 35% last year at the time of public offering was above 20%, and this year it's at 43%. So that's when companies decide to go local breakout.
That's when companies basically are going in all in with Zscaler. That's what makes our product, you know, very, very sticky. We are a large enterprise driven company, over 200 of the G2K in fiscal 'seventeen, over 300 in fiscal 'eighteen and over 400 currently in fiscal 'nineteen. What's impressive is the average ARR has gone up about 50 percent from fiscal 'seventeen. It's gone from $306,000 ARR per customer up to $467,000 per customer.
Customers are buying more, you know, reflection of our ARR with additional capabilities we're putting on our platform gives us the ability to increase that. I would expect that to continue to increase. If you take a look at the penetration of transformation of 43%, We'd expect more companies to go full transformation. If you look at ZPA being 14% of our new and upsell business in fiscal 'nineteen, up from 10%, large opportunity for customers to buy the ZPA. Additional, with our CASB capabilities you know, in the future, as well as the digital experience and B2B, those should increase, you know, our average ARR fairly substantially as we go forward and provide those applications and capabilities to our customers.
Revenue has gone up significantly every year, 50%, average over 50% on an annual basis and quarterly basis. Again, we're a subscription model, which basically it's ratable, so it's easy thing to basically predict. Annual billings up over 50 percent to 390,000,000 comment we made first half full year billings, we only have 4 years, but over the last 5 years and this is also within the 43% to 44%. You know, with Dolly coming on board, you know, we said that expect 42% to 43% in billings in the first half and a little bit more, a little more than normal in the back half. One of the things I've talked about also is that, you know, coming to Zscaler, I've mentioned this many times, I'm not concerned about our operating results is outstanding.
Our mark we have a huge market opportunity. We when we gave guidance, we gave guidance lower operating profitability in fiscal 'nineteen versus fiscal 'eighteen, primarily related to so that we can make the investments in the company to exploit this market. There is no company in the world with the platform that we have or the ability to capture this market like Zscaler. What it's going to come down to is our execution. 1 of the missing links that we had was Dolly.
Dolly, you know, in working, talking to Dolly over the last few weeks, you know, I am excited having Dolly on board, and the capabilities that he can bring and continue to execute. Again, our execution in the past has been 50% growth year over year. Having Dolly on board, you know, I'm excited to see how things work out. Operating profitability 8% in fiscal 2019, free cash flow 10%. When Jay set up the companies I talked about, he did all the right things.
Basically, you know, with the India operation, the we take a look at the R and D people in India, our R and D employees, I asked one of our key engineers, I said, how would you compare the India employees versus the US employees? He said, 1 for 1. That's the type of capability and strength we have in India. You're not gonna hear that from many companies. The reason for that is because that's the way the company was founded from the very beginning, with a significant India influence, with strong employees in India, you know, driving, you know, the culture and the success of the company.
From a revenue perspective, pretty much fifty-fifty, you know, right across the board. You don't see this very often, if ever at all. Most companies start out eighty-twenty U. S, 20 percent international. You get to maybe 60%, 40% over time, 55%, 45%, We're at fifty-fifty currently.
From a long range model perspective, you can see for our guidance, you know, we didn't come out and say 80%, but that's pretty much we target internally. If we see in that 80% range, you know, we're happy. Non GAAP operating profitability, 3% to 5%, down from the 8%. You can expect sales and marketing to be up a couple points. And again, we're an innovation company.
You saw all the products that we're coming out with. So I would expect R and D to be up a couple points also. And G and A, in the same range, maybe a little bit lower. As I mentioned, the non GAAP free cash flow, a couple of points below the non GAAP because of the things I had mentioned, Symantec and the new building in the duplicate facilities. Long range model, no change.
So from the time we were public offering, when we went public just to remind people, I said we'd get to sustain operating profitability, positive free cash flow sometime in fiscal 'twenty. We basically got there right out of the chute. I also indicated that we'd get to this model when we got to $800,000,000 to $1,000,000,000 The reason that we put out that guidance is because we wanted to give ourselves all the room in the world to exploit this market and make the investments that we want. So, in fiscal 'twenty, with the development that we have in R and D, with Dolly coming on board, we're going to step on the gas. So with that, what I'd like to do is get the team up and we can take questions altogether.
Yes. We could get the team up, but maybe take a couple of specific questions for Remo before we open it up for the other execs as well. Okay, I'll take one here.
Fatima Boolani from UBS. Thank you for taking the questions. Remo, around the time of the IPO, you talked a lot about contribution margin. And I wanted to understand with the product portfolio having expanded with your sales reps landing customers with both ZIA and ZPA at increasing incidents. I'm wondering if you can just refresh us on how those contribution margins have trended over the last 18 months since the IPO?
And as Dolly is thinking about sort of accelerating the velocity of land and expand, what sort of impact should we expect that to have on contribution margins going forward?
Yes, good question. I would really things have really not changed with the contribution margin. The 1st year basically, it's high expense related to landing customers. Then you look at years 23, contribution margins in the 60 plus percent range. I really don't see that changing.
When Dolly gets on board, we'll see how it all plays through. But I wouldn't expect a whole lot of change with
that. Dan?
Yes. Dan from Wedbush. So my question is, with Global 2,000 customers ARR right now trending about $500,000 Is there any reason that shouldn't hit 7 figures in the next few years, especially with DALLE on board? Thanks.
Leading question, I can't really go there. I don't have a crystal ball. But we are a large enterprise focus company. I think that the number one thing with Zscaler is basically our execution. I mean, we've got the platform, the delivery mechanism at high gross margins.
We got reliability, scalability. We got the infrastructure in place to grow the company. We just need to execute. And I think that from my perspective, when I take a look at the landscape, the 4 companies, it's really complicated. And what Zscaler does, it basically simplifies it at a low cost.
So I would hope that we'll continue to see increases and we should see increases in that global 2 ks.
Alex Henderson over Needham. So I was hoping we'd go back to the delays in the deals that were pushed out. There seems to be several possible variables that you've highlighted, but one of the ones you didn't talk about a whole lot is the bias that you're having to much larger, much more complex deals, which ultimately means there's more boxes to check, more process that has to happen within the customer. That could easily just as easily be an excuse for why that occurred. Can you talk about the size of the deals that were pushed out?
Were they biased to very large deals that inherently take longer and hence may be a function of you just getting bigger and the deal sizes you're chasing?
Yes, that's a good question. So when I take a look at our deal sizes below $500,000 new ACV, our growth rate year over year was substantial. When you take a look at our growth rate over $500,000 in new ACV, that's where we saw some slowing down of the deal sizes. Again, from my perspective, as you get bigger, as Dolly said, things change. But I also think that basically putting a sales enablement process in place, knowing when to go after deals, when to pull out, selling value, I think that's what we're going to do going forward.
I would expect things to be I would expect things to be strong for us.
It's Tasco Zhangi from Guggenheim. Reba, you're just talking about your durations ranging from 1 year to 3 year for your deals. Can you talk about the trend in the duration over the last couple of years? If you look at the blended duration across all the deals, how has that trended since IPO or even before IPO to now? Has it
gone up a lot or has
it remained pretty much the same?
I would say it's been pretty close the same. I mean, we made a push before I got at the company that we pushed 3 year deals. So and since I've been here, when you take a look at 3 year deals, over a 4 quarter period, it really hasn't changed, it's been about 70 percent of our new business have been 3 year deals. On renewal basis, they're lower. And again, once a customer goes annual and you're trying to get into 3 year, it's a little bit more difficult.
But for new business since I've been at Zscaler, pretty consistent right around 3 year 70% it's been 3 years.
The blended duration will be around 2 years, if
you look at the new deals.
70% in 3 years.
It's higher. Yes, it's higher.
Yes, it's higher.
Yes, it's higher.
Yes, it's I would say it's above 2.5 years.
For new deals? For new Thank you.
Okay. So now we're going to get all the execs up and have them available for any questions that you might have saved since the beginning of the Analyst Day.
We're
going to stand.
Okay. This is Yifu Li with Oppenheimer. I think Dali talked about earlier that usually corporations go from smaller customers to larger customer and obviously Zscaler did the other way around, the harder route going target large customers? And going to Hanz's earlier question about the sales cycle was a little bit longer for some of the larger deal. Are there any plans to go be more focused on the SMB customers, so as to lessen the volatility on the larger Elephant deals?
Right. I'll answer that question. As I said during my section, we started from the top. We are going down. As Remo indicated in some recent quarters, our growth actually in the enterprise space has in fast higher the growth rate than on the high end.
So we are making inroads in there. Going all the way down to SMB fundamentally changes the lead general, the stuff. Look at typically in the enterprise, there's this one mix of sales and marketing. In the low end, it's a different mix of sales and marketing. We have an inside sales team that's kind of generates a small part of a business.
It's an opportunity for us. But I think it's an incremental opportunity. Obviously, when Dali comes aboard, we're going to take a look at it to see where all we expand. To me, it seems like naturally going down the triangle is a natural approach for us.
Just to add to that, I spoke about it just briefly. I'm a big fan of multidimensional go to market models and then unlocking which of the different tiers is going to be covered either direct or with what type of partners because even you can parse the channel community into tactical bars, which will engage with anybody and more transformation for their customers. So identifying the multidimensional model, the elements of it and what velocity accelerants are is absolutely going to be something we look at. It's I'll tell you the last 2, 2.5 years it's what's helped AppDynamics explode its business by taking advantage of everything without diluting productivity per head across the cohorts in each category. So we will be looking at it because velocity and the opportunity is there, but we're not going to do it at the expense of top line productivity trend.
Good.
Hi, everybody. It's Michael Turits from Raymond James. Thanks very much for having us to the user conference and for the day. So Amit, you laid out this framework for position how you're positioned implicitly relative to next gen firewall vendors, born in the cloud, service edge, SSL inspected inspection in ZTNA. If you use that same framework, how would you position yourselves against the CDNs who are weren't before the club.
And do you certainly still do edge and Akamai particularly is already doing something that you could call ZTNA?
Right. So if you look at the Zscaler platform and what we have built, it is 3 things that have come together, right? 1 is this high performance architecture that allows us to inspect without slowing down traffic. That's engineering. The second is physics, right?
We have built these data centers across 150 locations where compute is present right there. So there's an engineering challenge that we have solved. There's a physics challenge that I talked about where we're not rerouting traffic and hairpinning and tromboning and incurring latency. And the 3rd aspect, which was implicit, is the domain expertise, the security domain expertise, right? All of these three things come together to deliver what we call the Zscaler service.
Now if you look at CDNs, CDNs like Akamai's, they are very good at building data center footprint, right? They do they have some of the high performance engineering? Yes. Do they have all the security domain expertise? No.
Also, when you look at CDNs, they are front ending servers. So they are fanning a single server like a wellsfargo.com or a Bank of America. They're sitting in front end and sending content out so that multiple users can access it. Zscaler service fundamentally sitting in front of users. We allow a user to go to any destination, right?
So while there may be a few areas on those three pillars that I talked about where, yes, the edge footprint might be there, but it's the coming together of all of those three things. And fundamentally, the service, you have to look at 1 as front ending servers and the other as front ending users from a policy based connectivity perspective, one user to every possible destination that you can go to, where CDNs are one application fanning out to multiple different users.
If I may add a couple of comments to that. It's important to understand user facing versus server facing that Amit said. Otherwise security starts looking confusing, right? Take united employees goes through Zscaler for their protection.
And
second is probably and second is probably DDoS protection kind of stuff. So their core competency is sitting in front of servers and actually CDN is the biggest core competence. And the DDoS of the stuff was natural for them to add because they're sitting in front of servers. Though it's a new acquisition for them. Us sitting in line taking all traffic from all over the world is very different and very complementary than what they have done.
Now your second question, is everyone trying to move into a different space? Yes. From SaaS C point of view, what Gartner said, I mean, CDN vendors don't really play in that game. From the second party is ZTNA, being able to access applications with 0 trust. Everyone is trying to figure out, we got a much bigger lead over others.
Yes, some of the CDN vendors have tried to either buy technology or do something out there. But if you look at the core space versus where vendors are trying to get to, we think we are actually in the midst of that core space with core competency, while others are trying to come from different strengths.
I can add on just one more piece. Don't discount the combination of Zscaler Internet access with the 0 Trust Zscaler Private Access together. Companies to do that well, you have to deploy an agent. That's a very hard proposition than a CDN saying I'm going to do Zero Trust Access for websites and that's it. The combination of the 2 are very powerful.
Hi.
Hello? Brad Zelnick again, Credit Suisse. Remo, if we take a look at your guidance and appreciate all the color commentary you've given us around it and the increased investment this year, just given the massive opportunity. But specific to Dolly coming on board and the playbook that he's going to run, can you give us a sense of how much is represented by the things that he needs to invest in, in terms of sales enablement, etcetera? And he hasn't even arrived yet.
Is there any chance that you didn't properly account for everything that he's going to need once he gets here and assesses what it takes to run his plays and implement his program?
Good question.
I can't I'm not going to talk around it, but make some specific comments to it. Our growth rate in RSMs last year was about 40%. Our growth rate that we're planning for internally for this year is 60%. So, also related to sales enablement and things that Dolly is going to bring, you know, we put some things aside for that also. So, we went into this planning period, you know, basically knowing that we had an opportunity to really capture this market.
We knew that Dolly was close coming on board. And basically, we wanted to make sure that we gave him the runway and the resources basically to do the things he needs to do. In addition, one of the things I want to talk about, which is separate, is that the 42%, 43%, you know, that is to give, you know, Dolly the runway, let's say. B, you know, as Bill mentioned, the new products, don't expect any revenue this year. We're not planning for any revenue for the new products.
The obsolete acquisition, it's going to increase expenses 7 to 9,000,000. I think we made that comment a couple of calls ago. So we're looking at this year as a year of investment. Like I said, I'm not concerned at all about our operating profitability or free cash flow, 0. I'm concerned making sure we make the proper investments to really exploit this next generation networking security company.
And I think the best one in the world.
Thanks, Remo. And is Dolly still on? Do we can I ask him a question?
Of course. Awesome.
Yeah, I'm still on.
Thanks, Dolly. Dolly, can you maybe just share with us any prior examples from your career, where upon arriving somewhere in a situation such as this, the amount of time that you think it takes just to appraise what the state of the state is and what the work is that's cut out ahead
you? Yes. I'm not going to comment on time just because it would be speculation at this point. But why don't I give you some conceptual viewpoints and then hopefully it gives you the data you are looking for. If you look at AppDynamics, my last spot, it was really single digit 7 figure to quite a large growth ratio.
So we built it and we built it in layers. So it's a little bit different than here, but the concept of building things in layers still applies. And doing it in a very systematic way is not disruptive and doing it in a way where it's a company by templates and enablement allows people to learn, right? If you look at my prior experience at BMC, for example, where I witnessed and participated in and learned from what it meant to really take a business that was sleepy and completely turn it around within 6 months. Same thing with the right sales culture, with the right talent, with the right enablement framework, with the right metrics being measured and impacted and coached to.
That was a major overhaul project that was completed within 6 to 9 months. And then you look at Z to Remo's point, you can disregard the growth that this engine is already producing. So clearly, there's some great elements in place already, right? So the goal really is going to be to take 30 to 60 days to evaluate all data, build models where none exist and evaluate talent, hire top talent and speak to as many people as possible and to get a complete picture, right, all the while making incremental progress. I'm not a fan of standing still and I'm a fan of iterative progress and sometimes even pulling back if it wasn't the right step and doing it quickly.
So I can't speak to the time, but I can speak to the sense of urgency. I can speak to the fact that there are already great elements in place, so we're not having to build from scratch or redo or undo things. And that obviously is always a positive. I did dig into this and kind of to I'm going to answer a prior question a little bit too. One of the points that I did discuss in great detail with both Remo and Jay was the types of investments that would be required in order for us not just to scale this for now, but to build a scalable engine so that we never talk about worrying about scale again and what that would take this year and in the years out.
And I can say with complete alignment, all of us left the beating on what's required and what we're committed to and what we think is going to be the winning formula. So I don't see any surprises and I see a solid plan being laid out, which is part of the reason why I'm obviously very excited.
Cool, thanks.
Great, thank you. Andy Nowinski with Piper Jaffray. So I just want to start with a clarification. So Palo Alto says they now have over 100 on boarding locations, which substantially improved their performance. Are the on boarding locations they're referring to the equivalent to what you call the front doors where there's no compute capabilities and therefore their performance didn't actually improve?
Amit, before you answer the questions. So they set 100 on boarding locations and how many data centers did they say?
Well, they didn't say data centers. I think we
That tells you something.
So you can look up Google Cloud GCP. GCP, when I last looked up, reports 20 compute centers, right, so 20 regions. And on an average, about 6.7 front doors or onboarding locations for each of them. As I described in my presentation, if you are Google and Microsoft, you're building these giant football field sized data centers, it makes sense to aggregate them in certain locations. It's wonderful if that's your ultimate destination.
If you're trying to run an edge service where you need to come in, get inspected and go out, it just it's a physics limitation, right? So the short answer to your question is yes, it's onboarding location, think of it as just as a router. It accepts traffic. And then over a private circuit, it ships that to one of the compute regions. That's where you can physically run a virtual firewall.
And then you come back and then go to where you have to. If the whole world was located inside Google, perhaps that would work, but that's not the case. A user needs to go to many, many different destinations. And fundamentally, what Zscaler has done is in every one of 150 of those POPs, our compute is sitting right there. On top of that, we do app neutral and carrier neutral peering with not just one provider.
We peer with Google. We peer with Microsoft. We peer with Akamai. We peer with Apple. So a user gets to the compute as soon as possible, the entire security stack, all their policies show up and then a millisecond or 2 hop away is the front door of whatever service or destination that they go to.
And we have invested heavily in carrier neutral pulsing through. So we're right there. And that's really what you need to do to deliver this high performance service where you get all your security without any user experience compromise. So that's FUD. When you hear front door equals compute, that's absolutely not the case.
Okay. And then I just
SSL SSL scanning enabled. I guess in the debate of proxies versus firewalls, you pointed to SSL decryption as one of key differentiators. I believe you're both using commodity hardware chips to do that. So why is your performance so much better? And why can't the firewall vendors achieve that same performance level with SSL decryption?
So, great question, right? I touched upon this in the presentation, but let's let me reiterate. First things first, to do SSL inspection, you need to have a lot of compute resources, right? That's a fact. Now if you try to run a virtual firewall in AWS or GCP, none of these infrastructure vendors give you hardware accelerators on their platform to begin with, right?
So you have to Specialized hardware. For example, we run all our infrastructure on bare metal. These are Intel servers. We use Cavium, Nitrox cards to do SSL acceleration. That's one bit of it.
On top of that, over the last 10 years, we have refined our TCPIP stack, our SSL drivers to squeeze every ounce of performance. Because we started as a proxy architecture, we had no choice. We assume that the world is going to be 100 encrypted. As a proxy, you have to intercept, you have to look at content. So that's what we designed for.
Firewalls were designed as a Layer 3 device looking at source IPs, destination IPs, throwing a bunch of DPI to detect app IDs and things of that nature. But at the end of the day, if you have to do any meaningful DLP or any meaningful security these days, you have to decrypt, you have to look at content, and then you need to fire all those engines. And the reason why you saw the NSS Labs report, all of these firewalls, when they bolt on a proxy, they suffer an order of magnitude performance degradation, right? Because the drivers are not tuned. And when you move that over to a virtual setup like AWS and Azure, you don't even have hardware accelerators that you could derive some extra performance from.
So those are all undisputed facts, right? And people will try to muddy the water saying, yes, yes, this all works. But those are undisputed facts.
But other comment I could make is there are architectures you design for. You don't change architecture overnight. You can add a feature or function to it. Designing your inspection check device for proxy architecture or a pass through of fundamental decisions. Once you make the decision, you unless you go and read out your stuff, you can't change it.
That's where this thing is happening.
If I could add one more emphasis on the fact that to Jay's architectural comments, we're multi tenant from the beginning. There is not a marriage of a customer to a VM in our architecture. So that gives us crazy economies of scale that only true multi tenancy will do, meaning we have a pool of resource available to do SSL. SSL is expensive no matter what at the end of the day. That pool is shared among all of our customers, not a VM that we deployed that was still a single tenant VM in a particular compute region for that one customer.
We have scale across all customers sharing a common pool that gives us a crazy advantage.
Another way to look at it is from an infrastructure load perspective for Zscaler, there isn't any difference between 1 organization with 100,000 users or 10 different organizations with 10,000 users each. If you had a single tenant architecture, you remember the Netflix DVD example I gave, You will have to spin up 10x more virtualized infrastructure because they were single tenant to begin with, right? You do not get to use that pool of capacity is available. And that pool of capacity is limited given the fact that AWS and GCP do not give you that bare metal performance that you need for SSL interception.
It's Howard from Jeffers. I have a follow-up on Palo Alto Networks. So in the last couple of weeks, there's been some noise in the markets following Palo Alto Networks Analyst Day in which they mentioned some competitive wins, including a top 50 customer from Zscaler. So could you do you dispute that commentary? And could you provide some additional color?
Thank you.
Yes. I thought I was pretty explicit in my earnings call. Did you listen to it? Explicit in my earnings call. Did you listen to it?
Did you? I did read the transcript afterwards. Okay.
So what more clarity do you want? This is what I said. I said, I personally know every customer, whether a 1000000 users. Okay. Do you think that customer go get displaced and we don't know about it?
We haven't seen any change in that. The second comment was, they displaced the Fortune 50 Retail. We know I personally and my team, every Fortune 500 customer that Zscaler has, they're all happy and working with us. I don't know where the numbers came from. It's silly.
That's all I can say.
Really, I appreciate you hitting the point home.
Hi, Alex Henderson, Needham again. I wanted to ask a question about the data lake that you described building. Clearly, the architecture that you've described is an edge architecture with edge compute, but a data lake generally is a centralized architecture. How do you put those 2 together? And how are you designing that lake?
Can you talk a little bit whether you're going to do a CrowdStrike like threat graph? Or what are you doing with that information? And how do we think about that performance? It hasn't really been fleshed out at all.
Right. So designing a proper logging architecture was a day 0 design consideration for Zscaler. What we did when we started building this platform was to separate the control plane, which is where policies reside, from the enforcement plane, which is the high speed inspection from the data analytics and storage plane, right? And some of our fundamental patents around Nanalog are around the ability to live stream logs from any one of these data inspection points to log aggregation clusters. And the reason we don't do one for 1 is because it helps with things like GDPR.
Maybe I'm a European customer, and I want to ensure that I get the best performance for all my users anywhere in the world, but I want my logs to be written and stored in Geneva, right? And we have the ability to live stream that. This is one of the strengths of the platform. Any user log on any 150 of our data centers will show up within a second or 2 on the administrative console because of the fundamental architecture
that we have built for logging.
And once you look at the volume, 70,000,000,000 transactions a day, each log line itself is about 2 to 3 kilobytes of data, right? It's a staggering amount of information. So a lot of the engineering that we did around was how do we compress that 50:one and still be able to provide live streaming analytics. And the reporting capabilities of the platform is one of our strengths. Now contrast that to what happens when you do a hybrid architecture.
In a hybrid architecture, here's the reality, you should go and ask all the appliance vendors. Here's my firewall. That firewall is dumping logs locally on that box. There is some cron job somewhere that is trying to pull these logs from different sources, trying to put it together into a data lane. If you have portion of this of your service in sitting in AWS or GCP, well, that logging might be different from what is happening here.
The amount of storage there dictates how many days of logs you can do. Think of it from a privacy perspective. I'm a Fortune 100 company. Now I have my logs sprayed across hundreds of these boxes. If a user comes and says, I have the right to forget, eliminate my logs from everywhere, there is no way you can guarantee that.
The Zscaler architecture was designed so that the data enforcement plane never writes anything to disk anywhere. Everything is sitting in RAM. And then we use these high speed streaming services to send the logs to the designated log cluster. And so if you are the CIO and you say, for my Fortune 100 account, I want my logs written to a disk underneath my desk, we can guarantee it by design, and it won't be written anywhere else in the world, right? So those are some fundamental engineering problems that we have solved.
And the reason why you see us launch ZDX and Zscaler B2B is that core platform is providing all of those services, then we can just easily re leverage. When we talked about ZDX this morning, what is the biggest challenge for other troubleshooting vendors? If I have 100,000 end users, how do I log everything from every one of those devices every 5 minutes? It's a staggering logging problem, right? We've already solved it.
We are doing that for every transaction. And so for us to add that incremental telemetry data is something very, very simple and trivial. So that's the power of the platform that we will continue to re leverage as we launch newer and newer initiatives.
If I could ask the second piece of that. So in regards to the CDNs, they all get some benefit from sitting inside the service providers in terms of improving the performance of the service provider. They get free bandwidth or free location reduction in cost. Can you talk about your positioning against that functionality? Are you also seen as one of those edge providers that in fact improves the performance enough with the service provider or partner enough with service provider to give you that value that you get that reduction in cost associated with those relationships.
Right. So I can add a comment. So first thing I'd mention, I think this question was similar to CDNs versus Zscaler, right? Again, fundamentally, look at that problem in those 3 buckets. There's an engineering problem.
We've talked quite a bit about what it means for high speed inspection, what it means for logging, all of that stuff, right? There's a physics problem, which is your compute needs to be right next to the users and destinations. You've solved that. The third aspect that I want to double click on is the domain expertise. We're running a security platform.
Our security platform is getting 120,000, 130,000 unique threat indicators every day, right? How do you ingest that? We get feeds from 40 different security vendors. We get feeds from VirusTotal, from Google Safe Browsing. We get from we are part of Microsoft Maps program.
All of these things are coming in real time. How do you ingest all of that the the user experience, right? So all of that is a lot of security domain expertise and engineering coming together. While CDNs, yes, they have some edge footprint, right, and they have front ended servers, I think to deliver a Zscaler service, all those three things have to come together: high speed engineering, your edge architecture and a lot of the security domain expertise that we have refined over the last 10 plus years to be able to do that in line.
Amit, there's a second part of the question. I think what you said is, sitting there, the bandwidth benefits you're getting, that few years ago, Internet peering at exchanges was not very common, right? And in fact, 3, 4 years ago, every service provider was talking to Microsoft and said, hey, I'll sell you special exchange. You come to me and I'll take you to Office 365 ServiceNow and wherever pretty quickly. We're very excited about it.
What has happened in the past 3, 4 years is Internet exchanges. There are something called Internet exchange, as the word exchange means for very nominal fee, any provider of content can become participant in it. So a typical exchange in Chicago, New York may have 300, 400 providers there. So who are these guys? Either they are bandwidth providers like service or actually majority of them are content provider.
Google, Salesforce, Apple, Zisk, all these people are there. So once you get there, for a nominal fee, you're part of the exchange. Now you're 1 hop away. So the advantage of being sitting next to the telco is actually hasn't become good. In fact, we debated, should Zscaler data center be sitting with AT and T, Verizon or BT?
The answer came back in their data center. Answer was no, because we needed carrier neutral data centers, Equinix or Talicity or Global Crossing because in those places, generally, all carriers try to come. So because of peering, when your volume is large, we actually get a lot of benefit of bandwidth savings, which is good thing. So we are taking full advantage of it. We are extremely well peered, and that's a big plus.
So you can for example, if you go to peeringdb.com, right, you can see Zscaler listed. Our AS numbers are listed in various Internet exchanges because we are a true cloud service. You should do the same checks for some of the appliance vendors and see if they are present there. And the answer would be no, right? So in some of the Internet exchanges, we are right up there with some of the biggest cloud service providers.
You would see Verizon, Netflix, Zscaler in the same kind of screen on the peering DB website. So that's a very important point. Being carrier neutral, being app neutral, being able to connect a user on the fastest path with the application they care about is the most important criteria for
us. Okay. So I want to thank the team. I'd like to thank the analysts and investors, who have made themselves available with your investment of time to learn more about Zscaler. Hopefully, we gave you a lot to think about what the next world looks like for cloud and mobile.
We'll be here to take additional questions in the room, but I will conclude our program here. Thank
you. Thank
you.