Excellent. Thank you, everyone, for joining us. My name is Keith Weiss. I run the US Software Equity Research franchise here at Morgan Stanley. Very pleased to have with us from Zscaler, both CEO and founder Jay Chaudhry and Remo Canessa, CFO. So thank you, gentlemen, for joining us. So it just came off of a really solid quarter for Zscaler. Maybe just to start with a state of the union, what are you guys seeing in terms of overall security demand? What are you seeing in your backyard in terms of how people are shifting towards a more software-focused network security and security overall?
So first of all, cyber is no longer only CISO's business. CIOs care about it, CFOs, CEOs, and the board cares about it. So it is becoming more and more central, and that's driven by all these ransomware attacks that are happening.
I was asked by a group of CFOs a few months ago that said, "We're spending so much money on cyber. Why are attacks still happening?" And my answer was, you know what happens typically? A breach happens. The budget opens up. You had 200 firewalls and VPNs. You buy 200 more. OK, you're doing the wrong thing. You need to move to the right architecture. So there's focus on cyber, but you also need to be able to save money.
The customer says, "I need Zero Trust Architecture, and I need to save cost." If you can do both of those things together, you can do good business. And that's what we are driving towards. When we go in, we eliminate so much stuff. If they're spending, say, $20 million on network security, and we can cut it in half, literally.
Yeah, got it. And in terms of what is sustaining or kind of driving budgets on a go-forward basis, I've always thought in terms of security, there's three fundamental demand drivers. One, expansion of the surface area to be protected. Two, the threat environment. And three, it's regulatory.
Sometimes it's mandated that we have to do this on a go-forward basis. It seems to me AI is a big accelerant for the first two, right? Expanding the surface area and arming the bad guys, if you will, to enable them to make the threats worse. What are you seeing from kind of your position? Is AI expanding the market opportunity for you guys?
So let's talk about attack surface. Everything that can be seen from the internet is your attack surface. Every public IP, every firewall, every application out there, every branch office is an attack surface. Before AI, it used to take a lot of time to find all the attack surface areas.
Today, you ask a simple question. Show me all the firewalls and VPNs and application portals of a given company and the ones that have vulnerabilities. It shows up very quickly. So easy to find. Attack surface discovery is easy. The second part ends up being with sophisticated threats. How do you go in and compromise? That's the second part. Attacks haven't gotten more and more sophisticated, but there's some basic attacks. For example, phishing, probably the most common one because people fall for it.
It used to be those emails you got on phishing from Nigeria where there are typos and misspellings. Not anymore. Write that phishing email from a CFO using CFO style to really go and get these users. So it's getting easier to get in. Once you're in, you can use automation of AI to find the most precious application and servers you want to go in and encrypt. So AI is dangerous, but the same AI is used by companies like Zscaler to do better protection.
In the firewall and VPN model, your things are sitting as a gate. I am here to protect. I am here. Come and attack me. In the Zscaler world, all of your applications are sitting behind our cloud. They are not discoverable. So that's one thing we do that's extremely well. If they can't find you, they can attack you.
The second part ends up being, how do they break in? The reason most attacks happen is not because of very sophisticated stuff. Most attacks happen. Identity gets stolen. You log in as a VPN. Once you're in, you're home free. In the zero trust world, you're never on the network. We connect you to one application at a time. If your credential got stolen, maybe they compromised one application, and that application may not be that relevant.
So these are the type of things that companies are working with us that's driving our business acceleration and phasing out the legacy stuff. Now, it has taken a while to phase it out, but the cost pressure is further helping us. There's real cost savings when you remove legacy stuff out there.
Got it. So we talked about AI as kind of an expansion of the surface area. It's also an opportunity for Zscaler to improve your products. I think about it in terms of the amount of data that you guys have visibility to. I think you guys talk about over 500 billion transactions daily.
Per day, yeah.
Which is unbelievable. It seems like that's a massive amount of data that can utilize to sort of get better protection. So can you talk to us a little bit about how generative AI is changing the product portfolio, how you're able to leverage that to improve the security?
If you think about Zscaler from day one when I started the company, I had a North Star. We'll be the exchange, the switchboard. Users will access applications through us, almost like an international airport. We log everything, who goes in, out, whatever.
Then we expanded the portfolio to do the same thing with workloads. Workloads are somewhat like users. They talk to the internet. They talk to each other. Same core technology, but second use case. We expanded to IoT, OT devices. Their devices need to talk to each other. We added for B2B, your customers, suppliers, and partners, but same core engine. That engine is delivering about 500 billion transactions. That's so many communications go through us. Some good, some bad, reconnaissance activities, all this stuff.
Now, you take all of that, and then we added a next area for the first time, a new, call it North Star, second North Star. How do we take all of the data, use AI and GenAI to find meaningful information to detect threats that can't be detected before? That's why we bought a company called Avalor last year. It gave us the data fabric, and we're building things on top of that.
What are the kind of things we're building? My favorite project is breach prediction. Predict the breach before it happens. How can you do that? It's very, very hard. If we could do it, there would be no breaches. But think of it this way. When you got 50 million users going through you, one new attacker comes. It attacks these 10 companies, 20 companies. Some people fall for it.
If half of the Fortune 500 companies are our customers, we see it. Then we see it across. When you see the machines got compromised, with the agent sitting on the machine, we can see what the bad guy is trying to do, where is it trying to go. We can build the attack graph, see what's happening. Now based on the configuration, we can use AI/ML to see what's the likely thing they're going to do.
So tell them, we see ABC happen. You can do this kind of stuff. This is the power of AI/ML. For example, in our early threats, the early AI work, we took 10,000 attack kill chains. We trained our engine on it. Now it can figure out the next attack kill chain on its own without we having to train them. That power is only good because we have the most precious proprietary data for it.
Got it. I want to shift gears a little bit and talk about sort of the customer journey, if you will. I'm going to show my age a little bit. When we were doing the Zscaler IPO, there was almost a no-brainer entry route for you guys into customers. It was MPLS replacement, and it was a really great value proposition.
Now you're selling a much broader platform. Now it's a whole Zero Trust Architecture, which frankly is harder to implement, harder to get customers on board with. So how does Zscaler evolve in terms of go-to-market, in terms of customer success, to enable that adoption, to get the customers on board with that fuller vision?
Yes. The platform has gotten bigger. The early story was traffic goes direct, MPLS expensive, better experience. But now the platform has gotten much bigger. Now our story starts with the following. You got 50,000 users. They got a gateway to the internet. You got 10 boxes sitting to go out. That's taken care of by our service called Zscaler Internet Access.
Then you got a dozen boxes sitting on the internal traffic, your DMZ, VPN, load balancers, DDoS protection. All of that goes away. You could be sitting at home or wherever simply with an agent. The traffic hits us. We know who you are, where are you going. We make the connection without you having to worry about anything. So the implementation is simple, and we haven't even touched the network and the complexity. So our number one goal is go and get it turned on.
If the traffic is taking a longer path, things may be slow for the time being. Then we go in, and this is where we actually seek help from global system integrators. Somebody has to remove the stuff. You got 200 branches. There's firewalls, some routers, and this, and all the switching. Over the next few quarters, they remove all the stuff. There's a lot of cost savings, and that becomes very good, and the customer sees the results, the savings, and there's a lot of pressure on IT leaders to do cost reduction. We do that with transformation. That's really driving our business.
Now the sales force has to get a little bit more sophisticated. The training has to be done better. We have some specialists in certain areas. When we sell Zero Trust Branch, we got some people who actually are very good at it. They get pulled in by the general account manager. But partners like GSIs are helping the customer to do some of the deployment.
Got it. So maybe we could dig in there a little bit. I know you guys brought on board Mike Rich in November 2023 to help evolve that kind of go-to-market strategy, if you will. Can you talk about some of the changes that Mike has put into place and how that go-to-market strategy has evolved?
Yes. Before Mike Rich, when we had the previous CRO and around IPO time frame, just after IPO, we were a much smaller company, few customers. The focus was let's identify opportunities, close them, close, move on to the next or next one, which is great. That's what driven our growth. But then our customers started to tell us with 45% of Fortune 500 companies as our customers, they want focused people. So we evolved to the model we borrowed from ServiceNow.
I have admired ServiceNow for years. Eight years ago, when I met David Schneider, who was the President and go-to-market leader, I said, I want to learn from you. Please mentor me. He became an advisor to us. Then two years later, he became a board member. They have large enterprises. They know how to sell platform. They know how to sell CIO level.
So we essentially have been implementing some of those things for a long time. But last year, when we brought Mike in, it was said someone who has been doing it at ServiceNow for America's business, which is about 70% of it, let's bring him on board and help him drive the stuff. So Mike upleveled a number of leaders and wanted to bring in people who came more from solutions selling background rather than box selling background rather than security geeks.
Then we upleveled many of the salespeople underneath, and these people have been ramping up. And basically, we have the methodology that has evolved. So that's one thing we've done. All that is in place. The transition is complete. Now, the people we hired in the past quarter or two, they're still ramping up, and we're seeing the productivity benefit of it.
His second focus was to bring GSI global system integrators along and doing that as well, so I'm pleased with the progress, and the results we're delivering is essentially a result of the changes we have been driving.
ServiceNow is a fantastic template. We have a product we call SaaS X-Ray, and we try to understand the underlying unit economics of companies, and ServiceNow is amongst the most efficient kind of go-to-market strategies there is. You talked about the success in the Fortune 500, and you guys have traditionally been that enterprise-focused company. You started to focus a little bit more on sort of coming into more of a mid-market. How do you do that? How do you sort of capture that broader part of the market opportunity?
Our biggest opportunity is large enterprises who are demanding, who need deep and wide functionality of broader platform. Yes, we have some presence on the lower end, but that's not the focus. If you really think about it, the Global 2000 is the number one focus. Then go from 2000 to 10,000. That's the next one. And there's a tier below that. We have presence, but not the biggest presence. We have such a big platform that I do not need 20,000 customers.
Look at ServiceNow. It was funny when I talked to David Schneider years ago. He was sitting at $3 billion. We were sitting at about $200 million. And I said, I want lots of customers and growth like you. He said, do you want more customers or do you want more ARR? I said, both. He said, pick one. I said, ARR.
Then he said, "I have only 3,000 customers. I'm sitting at $3 billion ARR," so they had a platform. If you have a platform, you don't need to go to the lowest level. The go-to-market significantly changes the majors to SMB to low end. SMB market is very different. They don't really understand sophistication sometimes.
Telcos can bundle the router and firewall with them. If the orders come from the low end, we take the order. We have an inside sales team, a small sales team to take care of that, but our primary focus will remain large enterprises, and we're very good because they understand the difference in technologies that some of the lot smaller ones don't.
Got it. So let's dig into the platform. I think it was about a year ago you launched an SD-WAN offering. So now you could offer the single vendor SASE solution, which combines both the secure edge and the SD-WAN components onto that single platform. Can you walk us through the decision to finally start offering that SD-WAN piece of the equation? And how does it differ from what's in the market today?
You use two terms, but neither term is what I like. We don't like SASE. What is SASE? It's a collection of one more four-letter acronym to really give something to every network and security vendor. We are about Zero Trust Architecture. SASE is not zero trust. If we've got zero trust, the reports on SASE will be bought only by a small number of vendors.
Those research reports need to be sold to everyone. So SASE says SD-WAN plus SSE. We basically have stayed out of SASE, though in customer conversation, they talk about Zero Trust Architecture. In investor conversation, analyst conversation, you guys ask for SASE because you talk to more vendors and customers. Every vendor has SASE. That's why you hear about SASE. SD-WAN, I've always said, SD-WAN enables lateral threat movement. Why is that?
The fundamental networking was designed so you get on the network like getting on a highway. You're going to go left and right. There are no lights. You go unfettered. That's why lateral movement happens and lateral attack happens.
Now, my marketing is using the term Zero Trust SD-WAN. The SD-WAN is no lateral movement. I call it Zero Trust Branch. There's no SD-WAN in our offering. We aren't offering SD-WAN. It's literally a single plug-and-play appliance, just like you have it from AT&T or Verizon at home. Is there an SD-WAN? Not really. In our world, a branch is becoming like a cafe, like your home. You simply have a device that plugs. Everything happens. No route tables to manage, no lateral movement alike. That's what our customers are excited about. We're getting tons of traction.
I mean, we were surprised to find that the customers who bought our Zero Trust Branch, 57% were actually new logos. I didn't expect that. Now, why did that happen? Because our customers are buying bigger bundles. The most common bundle we sell these days is zero trust for users, ZIA, ZPA, ZDX. And the customer says, oh, I'm buying this. I'll also add on Zero Trust Branch .
So we think the world is moving where these mesh networks do not need to be managed and run by companies. Do you worry about the network when you use this? Why should you worry about the network? It's a matter of time when internet will become your corporate network. Before nations built highways, if you're a big corporation, you could afford to build private roads connecting your headquarters to different offices. But after highways, you shouldn't.
As the internet has become a mature cyber highway, companies shouldn't be building networks, internet to the network. That's a big part of the cost savings as well. Networking is expensive. We are taking a lot of cost takeout of networking as well.
Got it. So there's a lot of vendors who are talking about having four-letter acronym offerings that I'm not going to mention anymore. But it's prevalent across all the network security vendors and even sort of CDN vendors that are evolving and trying to offer this as well. From an investor perspective, there's the concern when it comes to Zscaler. Yes, you've led in this market, but now it's a lot more competitive. So from your perspective, has it become more competitive? Is it harder sort of to differentiate in that marketplace and get your message across?
The short answer is no. There's a lot of confusion four or five years ago when some of these firewall companies started to say, I do zero trust and all this stuff. Now most of the market heard the story. So it's easier some ways. Now, in the past year, the remaining firewall companies are becoming four-letter acronym as well. I'll tell you what's good about what's happening in the market.
Firewall is one architecture. Zero trust is totally opposite architecture. If you want to get the market, you take what you have, you repackage it. Just like Siebel Systems, but 10 years ago would say, I can really run my VM in the cloud and do what Salesforce does. Really? It's like having your DVD player spin up in the cloud and say, I offer Netflix service.
So as long as the architecture is wrong, this thing is not going to work. They're going to play it out. They're going to allocate some of the revenue to zero trust or whatever. I think the wrong inline service is better work. If it doesn't work well, if it doesn't really protect you, you're going to phase out.
Got it. So let's talk about the opportunities within sort of the product portfolio. ZIA was a starting point. How much opportunity or runway is left? Is there still a lot of greenfield for ZIA on a go-forward basis, or is it shifting to become more of a replacement opportunity for you guys?
In large enterprise, we are focused. Good amount of runway. We have over 45% of Fortune 500 companies that have ZIA, ZPA, or both. We have 35% of global 2000 companies, and if you go to the top 10,000 companies, our penetration is probably in the 20% range. That means there's a lot of upsell.
Now, these large enterprises don't have firewalls installed because firewalls never did user protection. That market belonged to Blue Coat, Symantec, Websense, McAfee, Cisco. And some of the large deals we closed today, actually the number one source of starting point is still Blue Coat and Symantec. It's interesting, and that's one, then you look at ZPA. ZPA came as second leg. It's selling very well. It has been very successful, but if you look at large enterprises, about 60% of our large enterprises have ZIA and ZPA both.
That means 40% is still headroom on the ZIA side, sorry, ZPA side. Then data protection is becoming the big engine. Early on, when customers deployed us, they deployed for cyber protection, blocking bad things. Deploying data protection is a little bit more complicated. You have to have data classification rules need to set up. For cyber, you don't have to set up a lot of rules. It's our job to figure out what's bad and what's blocking.
So our data protection business is growing. It's growing pretty well. It's growing 40+% year over year. Then the other product that there's one product I hadn't thought of early on. That was digital experience. When I started the company, I wasn't thinking of it. The customer said, you're sitting in line. You should be able to tell me where the issues are. ZDX has grown very, very nicely.
It has become very good, and then now Zero Trust Branch, Zero Trust Cloud. We have lots of products. We just need to make sure we sell them in a most optimal fashion. That's where the notion of our account managers, quarterbacks, some of the specialists come in. Those are the things we are refining and learning from.
Got it. Maybe we could be zooming into the conversation and help us kind of frame this in reference to perhaps maybe sort of total revenues or kind of the new revenues. How should we think about the proportion between ZIA, ZPA, and the emerging products in terms of what's in your revenue base today versus what you're seeing in terms of what's coming in the door in terms of the new business?
Yeah. I mean, currently, if you look at emerging products, we're expecting emerging products this year to be for new and upsell in the mid-20% range up from what it was last year. If you take a look at ZIA and ZPA, just those two products, ZPA is about 40%. So it's about 60% ZIA.
Following on what Jay mentioned, the 45% for the Fortune 500 and 35% for the Global 2000, the opportunity we have to sell on our existing base is six X just for the users. So when you look at these new products like the AI, the data protection, data protection on a year-over-year basis has increased 40%. AI has almost doubled. Jay talked about the branch product, which is for new customers, 57%. All those things are really boding well related to the market opportunity.
The focus, I mean, you take a look at it, our focus is large customers. And once you're in the large customer and you get that trust, the ability to expand within our existing products and new products becomes very large. That's the ServiceNow model.
You take a look at our new and upsell. Our new and upsell, when we went public, was probably 80%, 75% new, 25% upsell. Now it's basically 65% upsell. And if you take a look at ServiceNow, it's probably closer to 90% upsell. That's what we're going to evolve to. So get large customers, focus on the large Global 2000, get a footprint, get their confidence, get them understanding of Zero Trust Everywhere, then expand our platform. So great position, absolutely great position.
Got it. So maybe we could dig into some of those emerging products, some of those upsell opportunities. Zscaler Digital Experience seemed to really kind of hit the mark as we were focusing a lot on the hybrid workforce and the need to sort of understand the performance of that hybrid workforce. Does that necessity wane as I'm starting to come back into the office and the focus is a little bit less on sort of the hybrid environment?
No, no, no. All of our products are actually needed no matter where you are. So ZDX says, I'll be user-focused no matter where the user is. I'll tell you end-to-end experience. People used to talk about ZPA too and say ZPA will need it only when people are outside the office. Zero Trust Everywhere. Customers realizing that they have higher risk when the user is sitting in the office with an infected machine because the machine can traverse on the network and bring things down.
So, in our Zero Trust Everywhere model, you're sitting in headquarters, you're sitting on guest network. You are untrusted. So, with that, it goes through our ZPA for every application access. So, we are seeing every customer moving towards having ZIA, ZPA, and ZDX for all users.
Got it. Data protection, in the current environment, I mean, data has always been important, but it's rising in importance. But even more so the governance and the effective governance of that data. People are worried about data leakage, especially when we're using these models. It seems like that should be a good tailwind behind your data protection offering. Maybe you could talk to us about how large that, how fast it's been growing. Are you seeing that demand pick up that tailwind, if you will?
Absolutely. In the past, since the AI thing took off, the one product that got a bigger boost than others is data protection. The first thing was, oh, are my employees submitting things to ChatGPT, my source code, and other stuff? We're natural. We're like an international airport. Everything goes out through us. So for us to build a policy engine was pretty easy. We've done that.
Then the next level came. Oh, we are putting Microsoft Copilot. It's pointed to OneDrive and SharePoint to really get all the information that got trained. These things are so powerful. Once you train them, they have every answer for you. They can answer the salary and bonus of every employee as well. How do you put guardrails around it? We have data protection that can do data classification, build rules and policies around it. That part is helping.
The next customer is worried about the models getting poisoned, the kind of inspecting prompts, inspect and response. All those are big areas for us, so we've seen very good acceleration, and we really don't have a lot of competition in data protection.
Two reasons. Now, AI is an accelerator, but we are sitting in the traffic path, going to the internet. Every bad thing comes from the internet. Every good thing leaks through the internet, so if you're sitting in the path, they can't go to someone else and say, provide me the stuff, so that's called inline DLP. We built that. That's what customers are adding. But then the data has also grown. It's sitting in SaaS applications, sitting in S3 bucket, it's sitting on endpoint, it's going through email.
So over the past six years or so, we expanded our data protection because customers wanted one single policy for no matter what the data is. That type of development is really giving us the biggest platform. And a firewall company will never do good data inline because they're not a proxy architecture. The traffic flow through to really inspect data, to make an inspection and policy, you need to be able to open it, look at it, and make a decision. And proxy architecture, the foundation of Zscaler, is very good. So we think data protection has a long runway for us.
Got it. So you guys have this great foundation within network in ZIA and ZPA. You've expanded out the product portfolio extensively. We're talking about a go-to-market motion that is focused on selling up into that customer base. Does the pricing strategy need to evolve? And we hear a lot from some of your competitors about some more token-based pricing or platform-based pricing. How are you guys, if you are at all, evolving the pricing strategy to try to incent that bundling motion?
Yes, pricing strategy is evolving, has been evolving. Early on, it used to be for users, it was simple user-based pricing because customers wanted simplicity. Then we took Zscaler to protect workloads, what we call Zscaler Cloud. It's cloud-to-cloud communication.
First initial was, oh, let's do number of workloads. Then we realized some workloads are very ephemeral, some are long-lasting. So we combined number of workloads along with some of the traffic flow. IoT OT devices, the same kind of stuff. How many devices, what communication? So we have already evolved into using traffic as an important part of it because you'll have more and more data out there. You'll have more and more communication. They'll need us more. We talk about agents.
One other question everyone will ask is, oh, users are going down, agents are going up. Now, agents are evolving. There'll be different types of agents. But if you look at an agent that's doing customer support, for example, if it's going and accessing the system, if the user was doing it for policy, the agent needs the same kind of policy enforcement as well. We become natural policy enforcement point. And the charge will evolve. I'm sure there'll be agent-based pricing versus user-based pricing or traffic. We are evolving, and it should evolve.
Got it. Remo, I apologize. I've only left two minutes for margins, but Jay's very engaging. You guys had five percentage points of margin expansion in FY25. It was a great year in sort of pushing leverage. How are you thinking about that balance between growth and profitability on a go-forward basis from here?
Our operating profitability this last quarter was 22%, which when we went public, we said we'd be in the 20%-22% range. From my perspective, it's a huge market opportunity. We're significant positive free cash flow. Our free cash flow margin was 22% this last quarter. Really, we'll be mindful of operating profitability, but it's really, from my perspective, it'd be a disservice to our shareholders and to ourselves.
With the product platform that we have, not to invest, continue to invest in the company. The game is basically not to drive profit short term. The game is basically to get market share and really get that dominant position. Our run rate revenues currently, we're a large company. We're $2.5 billion run rate revenues. We're just in a very unique position. We're the pioneers. We're the leaders. We're the innovators. And we got a great team. We're going to keep on investing.
Got it. And if we think about that, sort of you feel like you're in a good place in terms of operating margins. You want to have the capital to invest. If you think about the capital intensity side of the equation and how that's going to sort of translate into free cash flow, anything we should bear in mind in terms of which direction we should expect capital intensity to trend?
Yeah. I mean, the capital intensity, we called out there'd be a headwind with our CapEx this year related to investments in our data centers. Next year, you can expect to be in the high single-digit type range, which has happened in the past. We're not a capital-intensive business. So, I wouldn't think much about the capital intensity related to CapEx investments. It's going to be in the higher single-digit type range going forward after this year.
If I may add, with the amount of traffic we handle, if someone else were to do it with a less optimized architecture, this will be very capital-intensive business. Gross margin will be low. It's the design of the architecture and optimization you've done is delivering 80% of the margin. You've seen that we have been able to sustain it even when the traffic is going up.
So Zero Trust Exchange is understood. The second part we look at is how about AI now? What kind of investments do we need in that area? Because those GPU and all could be very expensive. We are dealing with a large amount of data, but proprietary data. We're not trying to take all the data in the world and try to train on it like ChatGPT does. Our training is on the proprietary data of security communication.
So, we don't think it'll have any massive impact. We're also going to charge money for those products. We believe at this stage we should be able to keep the gross margins in the kind of range we are. And if there's some one-time investments at all, we'll call it out.
Excellent. Unfortunately, it takes us another time, but I think this is a great note to end on. It's really about the right network architecture is what's positioned Zscaler for this opportunity, what enables Zscaler to be so efficient in going after this opportunity. So, thank you, gentlemen, both for kind of sharing that perspective with us at the TMT Conference.
Thank you. And then combining Zero Trust Architecture with AI, the two together becomes very impressive.
Excellent. Thank you [Inaudible] .
Great. Thank you very much .