Okay. Good morning, everyone in the room, and good morning and good afternoon to those who are joining us on the webcast. My name is Bill Choi. I'm Head of Investor Relations at Zscaler. It's a true pleasure to actually welcome you in person. I think the last Zenith Live that we did in person was close to three years ago, so welcome. Today, we had the start of day one of our conference, and for those of you who were here, we had keynotes talking a lot about new innovations, customers on their Zero Trust journey with Zscaler, and more. What we want to do with this briefing is really focus on innovations, right? What's new on the platform, how customers would leverage it, and how we would sell it. It's innovations centric.
We do want to make this interactive. For those in the room, we will have a mic. Since it is being webcast, I'd appreciate it if you could wait until the mic gets to you. Also would be helpful if you would identify yourself before asking your question. Our presentation today will contain forward-looking statements that is based on information we have available today. If you want to quick take a look at the safe harbor statement, and then we could get started. Now I'll hand over to our founder, chairman, and CEO, Jay Chaudhry.
All right. Bill, thank you. Great. How was the morning?
All of you attended, I suppose. If you did a good job, do we need to do any more discussion? We'll largely make it Q&A centric. Go through a few slides simply just to set the stage, a reminder about a couple of things we did not cover. Let's see. I think the key point I want to make here was building a product is one thing, building a platform and platform that works in the cloud is another thing. I knew when I started Zscaler that building this highly scalable, high-performance platform that takes all traffic in line, opens SSL, inspect every byte for cyber and DLP will be hard because you have to do it without slowing down. I did email security company before. It was so forgiving. You could take a minute or two, it didn't really matter.
You could have all email processing happen in 3 data centers. Nobody cared about it. For this thing, it's a big deal for us to do that. I learned that building a cloud and running and managing a cloud is probably 10X harder. You don't control lots of stuff. Where is traffic coming from? Where is it going? What's going on? The customer expects that you take care of those issues. Being able to run a cloud with operational experience is probably one of the biggest learnings we have had. I think if it takes so much to figure out with an architecture highly optimized, imagine if you're trying to spin up some stuff or trying to build new stuff. It's not trivial. We think our barrier to entry is significant.
Building the platform was a big deal for us. Platform that's extensible. Hopefully, you got a feel today that we're no longer randomly taking products here and there and calling it a platform. The core technology, which is maybe for simplicity, call it the switchboard, connecting users to applications, connecting workloads to workload to internet. It just is the same core competency we're building it with, which is very, very important. Okay. We covered all three areas. You're seeing our positioning rather than creating all these three letter acronyms, which I hate, okay? Moving, because as we're coming out with so many products, we'll need some kinda cheat sheet to figure out all these acronyms. I'm trying to eliminate all the acronyms if I can, so there's no explanation needed. Zero Trust for users.
Essentially, you saw Zscaler for Users, essentially all user stuff, workloads and IoT, OT. This diagram is showing two things. One, there's inline security piece of it. You must be in line to do that. Second is kinda data at rest piece of it, where your traffic or your data could be sitting in SaaS application, public cloud, and the like. Being able to understand that from API point of view becomes important. Our goal is to do everything that needs to be done to understand the risk and data protection overall. Sometimes people confuse and someone said, "Are you a networking company?" I said, "Why would you say that?" Right? He said, "Well, do we sell any networking products?" We don't. Okay. We do eliminate the network.
If that's how you want to call us a networking company, then we are a networking company, but we aren't. It's all about protecting your data. It's about user experience and the like. This is an eye chart, but the idea is to share with you. Amit, Patrick, and team are busy innovating like a startup. We kept the pace, we kept the intensity, and it's an interesting learning. How do you keep on building and growing without slowing things down? Lots of innovations. ZIA is not a product. It has so many point products that are brought together in a nice way. The beauty for us was, if you build a right platform, and if you make sure the things you're building are synergistic as expanding concentric circle, life gets easier.
Building our workload communication to take the core ZIA, ZPA switching technology and applying to workload, I thought was brilliant for us to do. Someone else to build the stuff. The switchboard is not simple. There's a policy engine, there's inspection, there's logging, there's reporting, all that stuff goes with it. We leverage what we built and expand in a meaningful way. That's why we've not been kinda keen to jump onto some of the new and the latest and hottest trend out there. Some of these end up being a fad. They come and go. We are pretty disciplined about what we want to do or not. Better security makes your business run faster. This is Charles from CSA. You'll hear him present, I think tomorrow. If you have better understanding of it, you can do transformation securely. It's a good competitive business advantage.
We gave you some reading material as you fly back. This is to try to dispel all the misunderstandings that legacy vendors are trying to spread because they're so afraid of getting disrupted. It actually walks you through in a meaningful way. It's meant for architects a little bit deeper. Some of the guides I see you guys write are so deep, I tell you, some of you certainly will enjoy. With that, Amit should be next.
Thanks, Jay. It feels a bit like showing you the movie and then showing you a trailer. We will make it more interactive, right? It's a smaller group. Look, our core DNA has been sitting in line, right? Sitting between users and destinations. As I've always said, we've solved a physics problem, an engineering problem, and a security problem, right? We built 150 data centers, so we can be as close as possible to the source as well as the destination. Then you get all the traffic. It's an engineering problem to be able to, you know, run it at scale. Then, of course, you want the latest and greatest security intel being applied. You know, you're doing all of this to provide security.
We've done that exceptionally well for users, and workload communication is bringing ZIA and ZPA to workloads, right? What we launched today is Posture Control. While workload communication is essential, right? You wanna make sure that if there's a workload, nothing bad is coming in, data is not leaking out, workloads are talking to other workloads using Zero Trust principles that we've talked about quite often, and it's there in the book. You wanna take it and shift left, right? You wanna make sure that workloads, when cloud-native environments are being spun up, you know, they are secure by design, by posture, right? What are some of the things that we talk about? Let's say, you know, you have an AWS EC2 instance, right? What's the overall posture associated with that?
Who has access to it? What is its configuration, right? A lot of this infrastructure is now written as code, right? You wanna make sure that, you know, you are actually looking at those templates and fixing any issues that could lead you to instantiate insecure cloud-native environments, right? That's kind of the configuration scanning piece, where you're looking at who has access to it, what are the configurations, are my templates secure? Then you start looking at these workloads from an exposure perspective, right? I have an Amazon S3 bucket. Is it exposed to the internet? I might have a compute instance. Is it accessible from the internet? What software is running on that compute? Does it have known vulnerabilities? Does that resource have access to sensitive data? All of these are things that come under posture.
There are a lot of point products for each of those areas. One of the biggest challenges I see is the ability to provide that holistic end-to-end view all the way from building cloud-native environments to running them and being able to correlate all of these threats, which is what we were trying to demonstrate in our innovation keynote this morning. I'll just share one slide, which was kind of the key message that we were trying to drive through the demo that Rich was doing. You can see how individual point products have emerged around cloud-native environments. Here you have an EC2. You know, it's an Amazon compute instance.
You can see, you know, that your SOC might have gotten an alert that says, "Hey, a malicious IP seems to have connected to this compute instance." Right? How do you know, how do you stitch together what has happened? More importantly, how do you make sure that that doesn't happen by design? What has happened here is John, who's a user, might be part of a security group that has excessive permissions. Without realizing, they went ahead and changed a security group setting, which is mapped to that compute instance that all of a sudden is now allowing Internet access to that compute instance, right? That's how it got triggered. Now, you know, when you scan. Now the next question is, okay, it's exposed to the Internet, is it vulnerable?
Maybe it's running a vulnerable Log4j, you know, Apache code in it, right? Maybe it has other Linux vulnerabilities that haven't been patched. Step one, is it exposed? Step two, if it's exposed, what is it running? Is that vulnerable, right? If you see malicious activity, you want to start correlating. Is someone exploiting that vulnerability, right? That's where you start getting into threat correlation. Finally, what's the end game? Why is someone trying to, you know, get into an asset? It is simply to, you know, gain access to data or, you know, maybe do a ransomware extortion attempt. I mean, that's really the end goal, right?
What ends up happening is, in most legacy security environments, you know, you have five or six of these products that are. It's kinda like, you know, five blind men feeling an elephant, right? They all get different views of it, and it's very, very hard to get a good, holistic, correlated cloud threat view of your cloud-native environments, right? That's what we have done. You know, you probably have seen companies do CIEM. What is CIEM? These are all Gartner's acronyms. I think Jay mentioned it. You know, there's one analyst per acronym, so there's some value in creating acronyms. CIEM, Cloud Infrastructure Entitlement Management. It is a complicated beast. Why?
Because in your directory world, you generally have users, but when you get to cloud-native environments, you have, you know, machine identities and groups, and they get mapped in funky ways. You might have 5,000 employees, but you might have, you know, 100,000 combinations of entitlements in your environment. CSPM stands for Cloud Security Posture Management. That is generally looking at your configurations. Are these configurations compliant with a standard that you might have to comply with? You might have to produce an auditor report, right? You want to run your configurations against those controls to be able to produce that report. DLP, Data Loss Prevention, right? There are companies that focus just on that.
What we're trying to do is two things, a holistic view of end-to-end workload security, particularly for cloud-native environments. The big new addition that we are doing is Posture Control. That is bringing together all of these individual point products that lock down your configuration, make you compliant, make sure you don't have excessive privileges, you know, make sure things that you're running are scanned for proper vulnerabilities. Then more importantly, use that along with all the, you know, the core communication benefits that we've had through ZIA and ZPA to essentially have that Zero Trust-based fabric for communicating and make sure that, you know, nothing bad is coming in, nothing good is leaking out. Being able to do that holistically on one platform has tremendous benefits. You get very high signal-to-noise ratio when it comes to detecting threats and taking actions on it.
Okay, I'd like to invite Patrick Foxhoven, our Chief Information Officer, to also join us in this Q&A for technology and innovation. Okay. It's good to have you as well. Okay. We'll have the first question here.
Sure. I'll just stand up.
Just give Patrick a chance to come on up.
Sure. Thank you.
[Brad Zelnick] with Deutsche Bank. Hi, guys. Thanks again for a great event, even though it's been 2.5-3 years in the making. Really interesting announcements around Posture Control, posture management today. For me, the light bulb went off when I think about that space as being kinda noisy.
I think about Zscaler's right to win there and why you guys deserve to win. Combining it with workload communication, like, is what really, for me at least.
Makes it very clear. When I think about protecting workloads versus users and applications, workloads are, especially today, far more fine-grained, far more ephemeral when we're thinking about containers, Infrastructure as Code. There's always gonna be some design trade-offs.
The two questions I have are one around policy. How can you evolve policy fast enough to keep up with that dynamic nature of infrastructure and workloads today? Maybe we'll start there with the positive perspective.
Yeah.
Just even the performance trade-offs. Even if we're talking milliseconds.
Yeah
Having two workloads directly connected in physical proximity is naturally gonna be different. If you can address those two-
Yeah
Those, you know, questions, I'd appreciate it. Thank you.
Maybe I can start off, Jay, and then.
Yeah. Of course.
If you look at a core Zscaler policy, right? It's generally a criteria and a set of actions, right? Security policies are pretty obvious. You don't want anything bad, right? There's no complexity around it. When you start getting into access policies, what are you allowed to communicate with? I would argue that user policies are more complicated than workload policies. Why? Because if I have, say, a Red Hat server as a workload, right? Or maybe even a Lambda function, ephemeral workload, I kinda know by design what this workload needs to talk to, right? The kinda policy there is pretty straightforward. You're allowed to download software updates from here. You're allowed to talk to these API endpoints, and that's it, right? Policy definition for access control, I would argue, is simpler than it is for users.
Also, generally, they don't move frequently. Location part doesn't come in.
Yeah.
The device part doesn't come in, on here and here. It is simpler.
It is simpler. Now, the third aspect of policy is data loss prevention, data protection. What do you want? You know, do you want to make sure things are? Again, you know, that stuff is simpler. The way we have designed our policies, it's a very flexible framework, right? It has identity. Identity for users is well understood. Identity for workloads is evolving, but, you know, we have very flexible ways to define that identity. We have flexible ways to define risk associated with that identity, and we have flexible ways to define context around that identity. For a user, it might be location, department, group. For a workload, it might be what VPC you belong to, you know, what application segment you're part of. These constructs have been designed in a well-thought-of way.
I don't see that, you know, writing policies for workloads is going to be very complicated. The other thing I'd add, and we'll show that tomorrow, is the bigger challenge for enterprises in workloads is their internal workloads are not named properly. It's a big, giant, confusing mess. A key thing that we are announcing tomorrow is the ability to use machine learning and AI on our ZPA logs to naturally group your internal workloads into meaningful policy objects, right? You don't want 50,000 IPs to become 50,000 identities that you're trying to manage. What you want is the ability to say, "This group of workloads is called SAP. This group of workloads is my directory.
This group of workloads is something else." Meaningful groups of users or meaningful groups of workloads talking to each other will be an AI-recommended policy that the platform spits out. We've thought quite a bit about keeping policies simple and flexible, but also making policy management easier for organizations.
Add a short point, but we'll keep our answers short, otherwise we'll only take three questions. Because once you know so much, you want to keep on explaining. The second part of your question was, time. Workloads sitting within a VPC. Generally, they need to talk to each other quite often. That's why they're sitting there. VPC A, VPC B, VPC C, and then that's one part. You can say within a VPC, across VPCs, then you can say across regions and availability zones. Those. That's how you think about it. I mean, what the world is doing today for communication, they're extending your data center to every region. It's a mesh point-to-point network. Because your workloads are all on the network, they can traverse, they can find each other.
That's where the lateral threat movement issue comes in. What we're basically saying, if you're across regions, you don't need to go through an extended lateral network, routable network. You can go through our public clouds. If you are sitting within a given availability zone or region, we actually bring our switchboard within that. It's running there. You don't go out for latency. The communication, VPC A wants to talk to VPC B. You go through a switchboard. Now, you start getting to granular level, process level. That's where microsegmentation comes in. That's where our offering that we acquired from Edgewise is built in. Segmentation, what I learned, what people are trying to do is really all messed up. They're all trying to do process-level segmentation on tons of workloads. They can barely do any segmentation.
They haven't even done user-to-app segmentation, which is starting point number one. User is the weakest link. Being able to say, "VPC, group of VPC X, Y, Z can only talk to A, B, and C." It's a trivial thing in ZPA. We think we have a systematic approach to get to a meaningful segmentation rather than trying to do process and micro for everything that shouldn't be done. Okay. Here.
Yeah, Alex Henderson over at Needham. One of the things that I was very happy to see in the stuff that you've announced is the automatic feedback to the coder on how to fix issues that arise in your posture management. That's great news. But I didn't see anything talking to how do you address the policy at the DevOps level, and it seems that that's the logical next step to tie into Snyk, you know, some of the people who are in the pre-deploy phase. Can you talk a little bit about what you plan to do and what you don't do? This is one of the things that you stress as your skill set is we know what we do and we know what we don't do.
Is that the threshold where you stop, you know, doing and start partnering?
So-
Thanks.
The quick answer, what we showed this morning, around infrastructure as code scanning and getting embedded in GitHub and getting embedded in IDEs for developers, we were kinda showing you the developer view, but it has a full policy, that you define in our Posture Control product. To give you a simple example, your security department might come up with a policy that says all DevOps can use the AWS EBS volume as long as encryption is enabled on it. That policy is defined in the Posture Control product, and the plug-ins that the developers are using is automatically enforcing that policy right in the template itself. When they did the Git pull request in the example, it's just the enforcement is happening there, but the policy is being defined.
What we want our customers to do is their security groups or their engineering groups or their developer groups can have a clear sort of a sandbox in terms of policy, what's allowed, what's not allowed, and then, you know, shift it all the way to Infrastructure as Code, so when they're building up that cloud-native environment, it's secure by design. Now, how far we go left, right? You know, that's kinda looking too far ahead, but I think, you know, we feel pretty comfortable with with being able to define those policies and have it enforced with developers and DevOps in their build environments.
Question on the left side.
Joshua Tilton, Wolfe Research. Simple one from me. Can you guys just clarify what in Posture Control is new versus repackaged functionality that you guys already had?
We did acquire two companies. A CSPM company called Cloudneeti, right? And a CIEM company called Trustdome, right? You saw the diagram I showed, it was kinda two aspects of it. These were again, standalone point products, right? What we have done is we've leveraged some of that CIEM expertise and some of the CSPM expertise, and this is a built from the ground up, brand new Posture Control offering. It starts with a common data warehouse where all of these, the logs and identities are being collected. The correlation is very important. What are the new things we've added? We've added infrastructure as code scanning. We've added vulnerability scanning. We've added, you know, container repo scanning.
There's a whole bunch of posture things that we have done on top of some IP that we acquired through these acquisitions, and it's on an integrated platform. By the way, that platform now very nicely works with the core ZIA, ZPA. One of the things that I talked about was how, you know, where does posture end and where do you start doing communication and DLP scanning? Great, I have an S3 bucket and I locked it. But don't you want to know what's on it, right? Don't you want to run the same data protection engines that we're running in line? We're bringing all of those things together. It truly is an integrated offering with, you know, some DNA from the acquisitions that we made.
Good morning. Thank you for doing the presentation, gentlemen. Fatima Boolani from Citi. Amit, a question for you. One of the standout architectural attributes of Posture Control is that it's 100% agentless, so I was hoping you can kinda talk us through the merits of kinda the agentless versus agent-based approach. I can fully appreciate there's, you know, services and functions in the cloud and, you know, certainly more in the future that are just not going to be instrumentable. Outside of that sort of obvious reason as to why agentless is kinda the approach here, you know, why kinda go this route?
Agentless, very simple to deploy, right? I'd say cloud-native environments have rich logs, right? I do agree it's a lower barrier to entry. Anyone can access those logs. That's why I don't think that just CSPM, CIEM point products, you know, are a lasting standalone product to begin with.
Even the Posture Control itself.
Overall, right.
Is the smaller barrier to entry than the workload communication side.
Correct.
To me, sometimes Posture Control reminds me a little bit like a CASB type of extension. API calls go and do the stuff.
Yeah. Your question on what do you give up, right, by not having an agent. I think the way we have architected the platform with workload communication and workload posture is really the best of both worlds, giving you the frictionless deployment that, you know, without agents, but without sacrificing sort of the in-line controls that traditional agents bring, right? If you look at, you know, one of the acquisitions we did was Edgewise. Edgewise uses an agent.
It's a kernel agent that sits on every server, and it's trying to enforce traffic flow as part of the agent. The challenge, of course, is effective, but then how do you deploy it? How do you manage it? It might take a little longer to get deployed with, say, 5,000 workloads. How do you deploy an agent on a Lambda function? There is no server to install it. We've kept our Posture Control agentless for rapid deployment, but we have not given up any of the controls because all traffic, all communication is going through ZIA and ZPA, which gives you all the in-line controls that a traditional agent could, you know, some of those could be provided through the agent, right? Like blocking in-line and things like that.
Okay, we're gonna move to the next, on the agenda. One more question? Okay. One last one, yeah.
Great. Thanks so much. Adam Borg with Stifel. Maybe just on the pricing front, how is this priced, and compare pricing for Posture Control relative to workload communication.
I think probably that's a longer answer, and honestly, we are also early stage. We figure or refine the price as we go along. Overall, it's based on simplest way, based on number of workloads is the simple way to do it. There are certain areas in communication we use. Look at the traffic volume as well.
Great.
Okay. Thank you. All right.
Next, we are pleased to have one of our longtime customers, Alex Philips, who spoke at the keynote this morning. He's the CIO of NOV. Alex.
Here too, Alex, they saw your movie. It's probably more about Q&A, but it's probably I'll stay here.
Okay. Well, great to see everyone. As you know, I have no shame, and I show all my mistakes, if anybody saw my keynote. We're a good-sized company and all over the world. As I shared in the keynote, the challenge that we had was pain. How do we transform? We couldn't keep doing the same thing. We're down to 27,000 employees. We think that's changing. We're hiring all the time now, thank goodness. You guys all enjoyed cheap energy prices for seven years, and things are looking a little different now. We are excited about the future. Zscaler was a big bet for us in 2015-2016 timeframe, and it was. I was a brand new CIO at that time. Before that, I was the CISO.
What's interesting is when you're the CISO and you go through a lot of challenges with security, nation-states attacking you gain a lot of trust. When I became CIO, I had that native trust already built. Then I took a gamble on Zscaler. Was it gonna destroy the trust? I'm happy to say, no, it didn't. We've continued that journey. We've pushed them along the way, and they've helped expand our thinking of how we go forward, what can we transform next. It's been a great partnership and more than happy to share any details on that or answer any questions that you should have.
Roger Boyd with UBS. Alex, nice to see you again. Could you just talk about your journey with Zscaler? I think it started very early on with kind of doing internet breakouts to get rid of MPLS and move to SD-WAN. How do you think about that going forward? Is there room in your strategy to go more branch light, and how do you think about the longevity of SD-WAN going forward?
Yeah, great question. I believe SD-WAN is a transitional technology. I believe that it helped us achieve massive cost savings by using the Internet as our network. As we move forward, our goal is to destroy our network. We do not want a network. You know, as you heard earlier, most of the problems come from users. As much as we train them, as much as we put layer after layer after layer in place, most of the problems that we face come from users. Our goal going forward as we analyze our estate, we believe that 80% of our facilities will have no routable network, and so it'll just be isolated like an internet cafe. Our view of it is our endpoints are hardened, and so we are gonna have one network. Users will be on that network.
There will be customers, there will be vendors, there might be competitors, right? It's a small isolated island. Just like when you guys are at Starbucks or at a Hilton, you're there with everyone else. It could be competitors. Our offices will be the same thing. The big challenge that they're finally solving, I'm so excited about, is the IoT. I'm a user, and I'm in an ERP system, which a lot of our users are, and they need to print something to a printer in the office. There's no network. How does it print? That's the beauty of Zero Trust Exchange that Zscaler is creating. We're super excited about that. The beauty of it is it's not a big bang. It is as we need to, right?
We just focus on one facility, get them defined in the Zero Trust Exchange, all the different communication elements, and I don't have to worry about things that have identity. If you're a user on a notebook, you already have identity. It's all those things that don't have identity.
Hi, Joel Fishbein from Truist. Good to see you again. Can you go into a little bit more detail about the branch office? Th at you talked about on in the keynote and what you're using, how you're doing it, and what you're replacing at the branch office?
Okay, sure. Today we have branch office. It's normally anywhere from, you know, a few handful of employees up to 10 or 20 employees. That's 80% of our 500+ facilities. When you look at that, we have an internet circuit. That internet circuit hopefully is as fast as possible, right? We all want fast internet. You have a dedicated SD-WAN appliance there. The vendor we chose, it can run on an x86 type box. You've got this device and there's all the routing and stuff happens there. We route all internet traffic to Zscaler, and then we have that IPsec big broad network. The goal is that we will have a virtual machine to begin with that will live there in place of the SD box, and it'll route all traffic to Zscaler, internal or external.
There is no IP forwarding. There's no IP routes. If a bad actor gets in that network and they do a scan, the only thing they can scan is local. They can't scan remote. That's kind of the process. Did I fully answer your question?
Yeah. I'm just trying to understand what you're replacing and what the cost savings looks like.
It's significant. SD-WAN is not inexpensive, but it's not, you know, outrageously expensive. You've got hardware that you're having to manage, so there's people involved as well. Then you run into, okay, how do we gather all the security logs? How do we gather the access logs? I think one of the huge things that people don't realize is you've got these three components. You've got the CIO, who's worried about the business function, how do we make things work? You've got your security team that's 100% concerned about all the traffic flowing. How do they get the logs from all this? Where is their visibility? Then you have the infrastructure team, and the infrastructure team is who we all blame when things don't work, right?
We're having to make all of them work together in a cohesive manner, and that's what Zscaler allows us to do.
One point I'll add is what I hear from customers, when you're managing routes for every branch office, there's a fair amount of operational overhead. In this model, it goes away. Your branch office overhead is just like overhead of one household. Your 80,000 household being managed through ZPA, same kind of overhead.
Yeah. It'll allow us also to have one central control plane. We define all the objects in the control plane that don't have identity, and we say where it can talk to. If an ERP system in the cloud or in one of our data centers needs to print to a local printer, that's the only thing it can communicate with. It can't just communicate with anything. From an enterprise standpoint, it is a little more challenging for people that are just trying to deploy things, right? Oh, we're just gonna throw a printer here. It's not gonna work unless we define it, which is, from a security standpoint, genius. The centralized logging is the huge part.
It is dealing with logs and trying to sort through you know, literally billions of logs, trying to find that needle in a haystack of evil is difficult.
Hey, Alex, just to belabor this conversation a little bit further. When I picture like, to your point, like, your future network, which is no network, there's no routable, like, IP addresses, there's no routers at all. Like, would that have to then be on a 5G network? Because I'm trying to like, how do you have Wi-Fi access points that don't. If it's not 5G and it's Wi-Fi, like, how do you have access points that aren't on some sort of network, right?
There is a network, right?
Okay.
It's a local network, just like your house. Sorry. Just like your house. All you have is an internet circuit. You're gonna have access points, you're gonna have switches, and you're gonna have users and devices, and they're all gonna be in this happy little isolated network. When they try and communicate with the outside world, it will go to the Zscaler virtual machine locally at that office, and all that traffic will route through the Zero Trust Exchange. Up there, we do policy decisions, right? We don't do routes. We do policy decision. Who are you? What are you? Where are you trying to go? We can apply more security policies or internal, you know, routing of that traffic. It's all DNS-based, not IP-based.
Okay.
If I may add, the Salesforce head of security said, "Think of each location like an island." A branch is an island. Today, everything is interconnected. You go through a switchboard. Island A talks to island B, and there is a local area network in a given branch office to connect the local stuff. There's an access point, there's a router to send traffic. But they're not connected with a routable network.
Same thing at a Starbucks. Starbucks has Wi-Fi, but it's not on your network, right? You've got to launch a VPN or a zero trust access to your remote apps.
The Zscaler virtual machine would basically be. Would that compute be installed, like, with the internet circuit? Is that how to think about it?
In-
'Cause there's still a thing there, right?
Today, yes. There's still a thing there. My dream world, right? The thing I keep pushing them on is I just wanna build a tunnel to you. Just like ZIA, we build an IPsec tunnel to Zscaler. That's my dream world. I wanna build a tunnel to Zscaler. I still am gonna have to have something there, some sorta device, and just route all the traffic to them. Today, to do that, I've got to have a virtual machine. The same thing with SD-WAN. I've got all these x86 boxes at all my branches, and I just need to put a different image on them.
Yeah, we love customers like Alex who challenge us. He kinda said, "Hey, take everything away." You'll hear in coming months and quarters to say, "Haul your branch router and simply point a tunnel to us." Nothing new in the branch besides the basic router.
Thank you.
Okay. Thank you, Alex. Appreciate you being here. All right. Next on our agenda, we'll invite Dali Rajic, who's our COO.
Yep. Hi, everybody, and thank you for being here. I just wanna walk through a couple of data points and just give a little bit of perspective on numbers, operating model, and momentum. If you look at kind of the chart, 'cause everybody's here to understand how we're equipped to sell all these new technologies, emerging technologies, and how we're able to continue to maintain momentum. If we take a look at these numbers, they tell a pretty good picture. The question always is, how'd you get there? How we got there is really satisfying for all of us. You have to look at the different geos, the different investments we've made over the last 12-18 months. You have to look at the different sales segments and the investments that we've made.
The whole objective is really to build a predictable, repeatable, scalable go-to-market model. Build an ecosystem that supports that model that then simply allows us to add new technologies in a seamless way and continue increasing the TAM per account. As we've mapped out more sophisticated ways to really track our TAM by account, by vertical, by all these different elements across the different geos, what it's allowed us to do is to understand not just how to tweak our go-to-market motions, but also how to maximize in, I'm gonna call it the most expedited way, the initial land.
Knowing that we have a platform and an architecture that's essentially, you know, one code base is what Amit is striving for and executing on, it's really simple to have these conversations with customers on why to use us for their Zero Trust platform transformation, cloud migration, and network transformation. I mean, you list it all off. The entry points sometimes really don't matter. What matters is which group has the highest pain or the highest willingness to change. What it's allowed us to do is really look at our customers from a life cycle standpoint. That means it's not a transaction, it's not a deal. These are relationships, and we've built an organization to support those relationships and to support the progression of those customers with us.
Very guided, very programmatic, very structured, and always focused on driving value and outcomes that are quantifiable with these customers. When I look at this data, and we dissect it in many more layers, we're quite satisfied with momentum across the different sales cohorts and across the different geos. Now, as we're broadening our portfolio, and since we are traveling at quite the pace in hypergrowth, I can never add the right expertise to somebody who's been on the job four months. We have tremendous enablement, tremendous training, and I'll touch on that in a little bit. It's very structured and guided. Having said that, we're gonna encounter accounts and/or specific resources and/or partners who maybe don't have all the competence at the layers that we need quite yet, so we can maintain pace.
What we've essentially done is added another ecosystem element to our go-to-market motions, and that's specialization. These are not overlays. This is specialization, another layer of technical depth. What we've also done is started segmenting out systems engineers to really focus in on a discipline at a whole different layer than just being a generalist systems engineer. We've done it in a very structured framework and ratio-based way that allows us to be predictable in when we wanna inject these resources with what motions and what the outcome is that we're anticipating. These are gonna be resources that we're gonna continue to scale but at a very measured pace because our SC community is quite talented. The objective and the goal is not to keep adding people and then have just a bunch of generalists and a bunch of specialists.
That doesn't scale very well. However, in order to continue scaling at pace, given how many people we're adding, this is gonna make sure we don't lose momentum and velocity. In order to tie all this together, you've heard me speak about this before. We've built an enablement engine, that I believe is world-class, and we've built it in a very integrated fashion. What this means is that from partners to internal resources to customers, we're speaking the same language. We understand the same architectures. We understand the same progression of how we need to travel. And we also understand at which point throughout your life cycle of maturity you should be considering what technologies based on what we've mapped out together as your roadmap. Now, the way we've scaled out through our partner community is by making sure that they're participating in this enablement.
We scaled this out in March when we officially launched an automated way to provide all this out to our partner community with Channel Academy, and the uptake's been tremendous. If I even just look at the certifications over the last 12 months of these partners, not just wanting to participate, but wanting to be experts, it's pretty tremendous. I think Accenture, they spoke this morning. Last year, they had about 120-ish or so architects certified. Today, they're at 630 and growing. That's just one partner. The goal really is to understand the practices and the offerings of our partners, drive a common language, a common mindset and framework of what the journey needs to look like, and the true definitions of Zero Trust and the elements of it.
When you can do that, you can scale out your motions 'cause you don't depend on superheroes that know it better than somebody else over here to the left or to the right. The goal really is to do this programmatically. I keep using the word because we are tracking who's progressing how many people. These are immersive training sessions, labs, guided training, persona-based, live ad hoc trainings, and all of this is connected back into how we then tie this into our value delivery model. What does that mean? We've spoken about this before. We have a very involved element of how we deliver our value vision in phases to our customers, and it's accompanied by a quantifiable value prop tied to those phases and tied to specific use cases and tied to how we do it different.
Now, wouldn't it be great if we could teach partners how to do the same thing? Isn't that a great way to potentially move them out of, "This is how I did it yesterday," and move them out of kind of the standard motions? All of what we're teaching our people internal is how we're starting to enable partners as well to have communications, drive campaigns, quantify the value of those campaigns, and start listening to their customers on how to really work with Zscaler and them as a partnership, that's well-defined on all levels. If I take a look at any other products, anything else we wanna add in the future, we just click it into this factory. That's it. You just make sure you disseminate it out via the exact same channels that you've already built, that you're tracking or proven.
If something looks like it's sub-optimized or inefficient because we understand the metrics of progression. If I'm liking something, if I'm seeing that it's resonating with my customers, I'm gonna want series two, three, four and five. If I stop at series two, that means whatever you're giving me, Zscaler, is not sufficient enough. Being able to adjust this as we're getting direct feedback via interaction with our partners and seeing the certifications really going through the roof, along with additional requests for demand, has us feeling pretty confident that we're on the right track to really not just bring new products in, but to continue accelerating our motions with partners without having to do undos and redos. This is at the heart on disseminating and not, quite frankly, needing to add 1,000 people for each new product that we roll out.
Simply putting it into the factory and making sure employees, customers, and partners partake in the education process. That was all that I had. I think we'll probably go to Q&A now.
Yes. I'll invite all the executives up and we can take any of your questions for today.
Hi, everyone, this is Sanjit Singh from Morgan Stanley. We have a question from Hamza Fodderwala, who is my analyst. This is for Dali Rajic. How are you enabling the sales organization to sell the broader portfolio? And is the buyer of new offerings in ZCP fundamentally different from buyers of ZIA versus ZPA?
If you think about how our entire go-to-market motion was constructed, it's outcome and results based, so it's value-based. What this means is we're having platform discussions out of the gate with our customers. We're not feature function flinging on a specific use case, but it's really having the dialogue around platform, around transform, and the different paths you can take to do that. The go-to-market motions are not gonna change from that standpoint. All we're doing is expanding the use cases in areas where we can look for value, and all we're expanding is the different ways to articulate it at a layer of depth with some of the specialization. When you're outcome based and you sell high and you talk to CXOs, they're not interested in a very narrow point. They'll wanna know, what can you do for me holistically?
Can you help me tools consolidate? Can you help me vendor consolidate? What's the ROI you're gonna provide?
I add a couple of more quick points. Dali already alluded to it. When you sell at CIO/CISO level, they actually take care of overall responsibility. A CISO has accountability not for users, but also for workflows, so it's the same buyer. The second part of the question was different personas. It is true that for workloads, the DevSecOps is playing a role, but CISO still has the overall accountability. We start with our relationship at the CISO level, then expand to the DevSec level.
Yeah, just all of our training is persona use case outcome based. That's our entire go-to-market engine, which is why it's so fundamentally different from all of our competitors and what some of the legacy vendors are doing in this space.
Fatima Boolani from Citi. Thank you so much for doing this again. Dali, for you, I'm gonna ask a similar question, but with a slightly different angle. When you came on board in 2020 or 2019, the portfolio was half its size. I think ZPA was, you know, barely 10% of revenue. You know, you've had a massive expansion in sort of the product footprint that an average salesperson can sell. You know, what I'm curious about, and I'd love to get some granular perspective on this, how do you manage the sales cycle process where you have so many, you know, tips of the spear, if you will, where a salesperson in theory can kind of have, you know, conversations on conversations?
How do you sort of, you know, mitigate that, you know, potential for elongation because
Yeah.
There is so much in the bag?
Yeah, it's a very disciplined, well-defined land and expand process. Instead of trying to do the whole thing out of the gate, three, four, five phases, it's just not our model. It's you go where the value is. You go where you think the customer can digest. 'Cause you gotta remember, our customers are dealing with either staffing shortages, too many projects, turnover, whatever it is. So teaching really how to segment this out into most critical in the most critical phase into a value-based cover the entire account go-to-market model. Then having metrics to track progress at the leadership level where you understand. Listen, I understand what my rep in Des Moines is doing compared to the rep in Tokyo compared to the rep in London. It doesn't matter where they sit.
The metrics that we track to understand progression, conversions, and quality of leads allow us to course correct if I have a new rep that maybe doesn't know any better yet, right? When you go through a series of these trainings, all of our instincts are to look for platform, phase it, understand initial area of value, go in, prove it out, and expand. Our numbers are showing that it's working as we're expanding, and it was September 2020.
If I may add a little color to it, the linking the products. You know, when you sell individual products and you try to expand, it gets much harder. When we started out with ZIA, it was to replace the entire outbound DMZ, and probably you could count 10, 12, 15 different products, but we never went there. We said, "We'll make sure users have secure and fast access to internet and SaaS." That's what we sold. We sold at the C-level. Then adding
Access to internal applications was natural. Adding user experience was natural. When we are dealing with three key leaders, CIO, CISO, and head of infrastructure, all these products that make most of our revenue today, ZIA, ZPA, ZDX, they're sold under one solution more and more. That's why Zscaler for Users will ensure how we can take care of all three areas, becomes powerful, and the same way we go and expand. Literally, you could say, "Customer, here's what we're selling you. You don't need to link into each point product." A third of the products need to go away. It's working well, and the focus of CIOs to eliminate point products, the complexity, and cost, and now probably more scrutiny is expected as some of the recession worries are coming up, CFOs looking for more, cost reduction.
I think it plays well for us.
Alex Henderson again over at Needham . Can't let Remo get away without asking some questions here. Clearly, conditions continue to be changing pretty rapidly. Europe under a lot of duress. We've seen interest rates rise. Any change in any of the key parameters like pipeline or rapidity to close deals or deal sizes? Or alternatively, are you seeing benefit from that as a result of your ability to improve user access, user experience, and productivity and all of the other transformation benefits? And then you do sell in dollars globally, which is a great thing given what's been going on, and I think you've been hedging some of the OpEx costs. Can you talk a little bit about if the exchange rate's having an impact? Thanks.
A lot of questions there.
We wouldn't wanna let you off easy.
I know. The you know, the global economic you know, situation's clear for everybody. You know, it's impacted the you know, commercial and consumer side you know, of you know, businesses. You know, not so much large enterprises, but if it continues, I do see an impact from my perspective. It just makes sense you know, for all the reasons you mentioned, Alex you know, related to interest rate hikes.
You haven't seen it yet. Yeah, have not seen it yet with inflation. From a FX perspective, you're absolutely correct. We sell in U.S. dollars. We do hedge our balance sheet and P&L. We do forward contracts both on balance sheet and P&L. We minimize the risk, basically, of the FX movements. The dollar strengthened significantly. We are getting into, you know, basically a method each quarter, you know, four quarters out, you know, basically, hedging our foreign currency exposure.
The OpEx side is protected?
OpEx side is protected, yeah.
Hey, Remo.
Can I just add one more point to what Remo said? I know we keep talking about value and outcome-based. It's enough fancy words. We create CFO-ready business cases. We consolidate cost across multiple dimensions. This has been our focus, so this is gonna continue being our focus. As far as I'm concerned, and to Remo's point, I think what we do and how we do it, whether or not the market is good or not so good, there's a quantifiable outcome that we drive, and I don't see that changing yet.
Hey, Remo, it's Brad. Just a follow-up to Alex's questions. Can you remind us the extent to which the newer products are expected to impact the P&L embedded in your guidance, if at all? Obviously, you have expenses associated with a lot of the investments that have been made, and go-to-market investments I imagine that are made as well, specialized to some of the newer offerings. What are your expectations in terms of when they should really start to generate revenue, impact the top line? Thanks.
Yeah. I mean, they're doing well, you know, currently. What we talked about that, for ZX and ZCP, we'd be in low teens% of new and upsell business, and that's what we're tracking to, you know, for this year. Going forward, you know, we do expect the emerging products to, you know, contribute, and as we go forward, they should contribute, you know, significantly. From a profitability perspective, you know, the gross margins for the products, similar to the gross margins that we have. You know, the advantage that Zscaler has is the, you know.
I made the comment before, we have a lot of levers we can pull, and what I meant by that is that when you're in a recurring model with great gross margin, with that ARR, building that ARR, it gives you a lot of runway, basically, to change your business. That's one. Two is basically our contribution margin. First year, contribution margin's negative, then years two and three and thereafter, it's 60%. Those are the levers you can pull, and from that, you know, how do you influence it? You influence by headcount, right? The comment that we made is that we're gonna continue to aggressively invest in the business for growth, and nothing's changed on that.
Hi, Charlotte Katie from Goldman Sachs. I have a question from Brian Essex. Understanding we're still in the early stages, can you help us understand what you're seeing competitively in the cloud-native application protection platform market? Are you seeing platform vendors such as Palo Alto that have already begun penetrating the market, new vendors like Sysdig penetrating with the best-of-breed market, best-of-breed technology, or is most of it greenfield?
As we said, the Posture Control market doesn't have a huge barrier to entry. Everyone gets access to the same CloudTrail logs, right? The key is the integration of Posture with communication and being able to provide the holistic end-to-end security from build time all the way to runtime, right?
You do, you know, if you search for CSPM and CIEM, you're gonna find many point product vendors, right? They're all looking at it from a little bit of a lens, and nobody has that holistic view. You know, a couple of competitors you mentioned did acquire a few point product companies in CSPM, CIEM. One of the things that I've learned through the process is, each of these, you know, 70%-80% of the functions are common, and it's wasted. Really what you're looking for is the holistic integrated platform that can provide the view of correlated threats from every vantage point.
Otherwise, you're just adding too much operational cost, you're hunting down alerts, and it isn't an effective security solution.
If I may add, I think CSPM, CIEM kind of stuff, what we call Posture Control or what Gartner's calling CNAPP now.
Yes.
CNAPP, Cloud Native Application Protection Platform. They became quite clever, I guess. Now, that area, with smaller barriers to entry, you'll see a lot more players coming in. I can probably count 100+ vendors in there. Till a few months ago, literally a new vendor will enter every couple of weeks, okay? Now that's slowing down, obviously. I don't think it's room for standalone companies to do just posture control, okay? It has to come together. We did the smart job, bought two companies, but fully integrated them to have a very good product. I think what's our sustainable advantage is not posture control. It is workload communication, which is implementing Zero Trust for workload-to-workload communication, workload to internet. What is the competition in that space? It's all legacy virtual firewall, period, okay?
We think our entry point is that, then we expand to Posture Control. The two together becomes very compelling story.
Hi, Sanjit Singh from Morgan Stanley again. We have a question on federal. Could you give us an update on the pipeline there? What are the typical deal sizes that you're seeing to date versus a few years ago or maybe a few quarters ago? Thank you.
We've invested significantly in federal over the last several years. Our certifications for ZIA and ZPA, you know, we've talked about. ZPA is FedRAMP High, and ZIA is basically FedRAMP High ready. We see the federal market being a big market for us. It was mid-single-digit% of our new ACV sales last quarter. Don't wanna give exact percentages, but we're well positioned in federal to move forward.
Okay, great. Thanks. Gray Powell, BTIG. So, yeah, thanks for taking the questions. From the keynote this morning, it looks like Zscaler is taking some initial steps to develop its own SD-WAN product. I just wanna make sure I was interpreting that correctly or just make sure, you know, I fully understand what you're doing there. If so, like, what do you see as the opportunity?
We aren't building an SD-WAN product, okay? We don't really believe in WAN, which is routable networks. What we're doing is we do want to eliminate routable networks, okay? You need a router in every branch office. A router connects things to things. No matter what you do, you need a router in every branch office. We are not getting that space. A router or SD-WAN device can create a tunnel to Zscaler and connect with us, and we'll take care of the rest. It is not trying to be an SD-WAN company, but minimizing the need to create a WAN. Call it SD-WAN without a WAN.
Did anybody else not get that?
Okay. Let me give you some color. You probably have your home network, okay? You have devices in your home network. You have your PC. Let's say if maybe you have an Alexa device, right? Let's say if Amazon came and said, "Hey, for your Alexa device to work, you need to have an SD-WAN box and set up a full flat network. A routable network, so all of Amazon's services, your home network, and 1 million other home networks are all on a good routable IP network.
Would that be a good design? Absolutely not. First, Amazon would never allow you to do that, right? Look at how simple your home network is. You have a router, and the router says, "I'm not going to allow any inbound connections at all." Hopefully, that's true for you, right? Your devices inside do outbound connections to the internet, and that's just, you know, your attack surface is very minimal. Nothing is exposed, right? What happens in branches is that's not the case. When you start deploying SD-WAN, you have a device that is taking the network in your house, spewing it out, and it's extending, connecting all of these things onto this big, flat, routable mesh network.
Because they want to find each other.
They want to find each other. I want to reach this printer. I want to go here. I want to go there. That creates a lot of the lateral propagation risk that Alex has talked about, and pretty much every exploit that you have heard about or significant breach has had that as the root cause. An infected machine came in, and it spread. We want to avoid that. You might be thinking here there's an SD-WAN box. Now Zscaler is saying a VM. Maybe that VM moves to the cloud, but it's the architecture that is fundamentally different. There is no IP routable network, right? It's a y eah, if you want to connect to something, you come to that, it just forwards traffic to our exchange, and it's a policy-based decision of this user is going to this application, right?
That's fundamentally what we're trying to do. It doesn't do traditional networking, it doesn't do BGP, it doesn't do. It's not looking at it at Layer 3, right? It's just assuming there is some internet transport, but I'm going to make pragmatic Zero Trust policy decisions saying, "This user, this app is allowed to talk to this destination." That's what we're trying to do.
Just adding one more point. I think SD-WAN boxes are wonderful next-gen routers. They're cloud managed, they're simple. I think the future belongs to SD-WAN box as a router, so to speak. Creating a route table network that where you can move around is the problem, is the security. That configuration changes. We bring in Zero Trust to SD-WAN devices. That's how we look at it. That's why we won't get into routing business. That's a basic networking business.
Coming back for seconds. Remo, I wanted to revisit some of your big, hairy, aspirational goals with respect to $5 billion ARR target. Just in the context of a lot of the innovations that Amit's been very hard at work with respect to the ZCP portfolio, is there an aspirational mix that you see? Maybe to add kind of another layer to it, the velocity with which you get to $5 billion in ARR, is that going to be from accelerated disruption in some of your core markets? Because I can appreciate ZCP sort of has almost an evangelical element to it 'cause you can only run as fast as your customers are running. If you can kinda help us put some contours on that $5 billion ARR target.
Yeah. I mean, the $5 billion market that we've got with our existing customer base. If they bought everything that we have for ZIA and ZPA, there's a significant opportunity of our $1 billion ARR, significant just for ZIA and ZPA. We put together a five-year plan, which is a detailed plan related to, you know, by product segment, by geography, you know, by channel. You know, related to where we expect things to be over the next five years. What I can say is that we expect you know, the emerging products to be a significant portion of that. We'll see. They'll grow at a faster pace than ZIA and ZPA. You know, our main products are still gonna be ZIA and ZPA for a while because they're so big and so much momentum.
Thanks for taking the time today. Ashish Bhandari with Ashlar Capital. Good to see you all in person. Just had one other quick follow-up to the competitive landscape, and specifically, you know, it sounds like you're really entering into the CNAPP space, but CrowdStrike also has, you know, capabilities that they offer as part of their Falcon platform. Of course, you have strong partnership with CrowdStrike. Curious how you view kinda the differentiation between your two platforms for those specific capabilities. Just had a question for Remo or Dali. Just, you know, we're hearing a lot about headcount reductions or slowdown in hiring, specifically in tech, but, you know, with the recession looming, you can kind of anticipate that moving to other sectors as well.
Curious how you think about kind of the ZIA ZPA expansion motion and how you're kinda prepping for maybe what's looming, maybe not today, but a year or 18 months from now? Thanks.
I'll take the first part. Yes. Almost every vendor is kind of looking at what can be done in the cloud. CSPM is what CrowdStrike acquired, so obviously they're looking at the posture kinda stuff. Every vendor will have CSPM kinda stuff. Now, where do they expand, where do they go? That remains to be seen. The second part of that question is partnership versus overlap. You know, as companies succeed, they naturally expand, and there's bound to be some degree of overlap. Okay. Just because there's a little bit of overlap here, that doesn't stop us from working with this. There's so much synergy between our companies. That's how I look at CrowdStrike. I look at Microsoft the same way, right? The first overlap we had with Microsoft was CASB. They have MCAS, we develop CASB. It's very understandable.
There's a little bit overlap here and there, and there may be some here and there as well. I think you look at strategic partners where the core business is complementary to you, then you work with them. It's working very well. None of that is stopping us.
We're not looking to slow down at all, you know, at this point. You know, again, we'll monitor the, you know, the business conditions as we go forward. As I talked about, if a recession does, you know, come and hits basically large enterprises, we'll adjust to it. Now, having said that, you know, the comment I made about the levers that we have in the business, you know, which is basically, you know, the ratable 80% gross margin. You know, and you have a large AR balance, you're gonna get, you know, significant revenue, you know, from that in the following years. That gives us a good runway. In addition with that, the contribution margin. If the business were to slow down, you know, the contribution margins in year two and three are over 60%.
Right now, we are not looking to, you know, slow down. We see this as a huge market opportunity. We think we're well positioned, and we're gonna go after it. I'm not saying we won't, but, you know, at this point here, there's no thoughts about slowing down.
We aren't slowing down any investments.
Great. Adam Borg again from Stifel. Thanks so much. Maybe just for Dali. Obviously still really early days for ZPA and even ZIA, arguably. A lot of focus at this event is on the workload segmentation, right?
Kind of what needs to happen to really accelerate customer adoption? Admittedly, that the products are only data. We have a lot of announcements today, but what needs to happen to help to evolve these customers on the journey, like we heard from, you know, the speaker earlier today? Thanks.
Yeah.
C an I make one comment for you? By the way, today's focus was workload. Tomorrow is.
Users.
I'll miss reading to you. Okay.
Yeah. I'll go back to, if you look at the last 18 months and what we've developed as far as the true lifecycle engagement model with our customers. Different customers, different stage in their maturity curve and experience. If you don't have an integrated model built from the moment you presale to the post-sale with services and partners and customer success and architects and thought leaders, some of which are, some such as our CXO teams that we have working with us to provide thought leadership, visionary, you know, brainstorming with customers. You got to have that integrated framework built, and then you gotta have a really tight control mechanism in place 'cause you gotta nudge it along sometimes, right?
'Cause at some point, customers have to take what they perceive to be risks, and we have to explain why they're not, and show them a path that's specific, not a few general slides and hoping they get it. Having built that, and we've been building it over time now, that is how we're guiding customers along. When I use words like, you know, we're doing this together and it's a true partnership, it is because we're engaged throughout. The number of meetings that we have in these accounts, give or take a few by account, but it's a lot compared to anybody else out there. It's 'cause we're doing forensic work and discovery and then coming back with ideas that are holistic across the entire team, not just rep and a CE and hoping, you know, they figure it out on their own.
That's how you make sure that the adoption is there. We track adoption, we track users, we track bandwidth. I mean, you name it, and we build models for everything from a risk profile, acceleration profile, and we apply them to all of our customers by different cohorts 'cause everybody travels differently based on where you are size-wise. It's a scientific formulaic approach, and we're continuing to tweak it as we keep learning more from customers, but it's been working pretty effectively for us.
Tony is more analytical go-to-market leader than I have ever met any.
Okay.
Just coming back to the conversation that Gray sparked a few minutes ago. We talk about like VPNs and firewalls being a part of the problem. They create attack surfaces. Is it really that BGP is the problem by advertising? Like when you talk about like the virtual machine or whatever sort of this future state is, like, is a big part of it that you're taking away the self-advertising part of where the Internet connects to this local area network?
Yeah, let me take that example a little further so you can understand. You know, let's say I have a house, and I have a small network, and it's a self-contained island, and I have the same Alexa device. Now, I visit my friend, I go to your house. If I need to access my device, the VPN firewall mindset would say, my house network and your house network should be connected over a VPN, right?
Now imagine extending that to a complex organization with hundreds of thousands of employees in so many different locations. That's the exploding attack surface. Now, the problem is, in that simple example, my house, your house, I'm in your house. Now, both the networks are connected. If there's any threat actor, anything bad that is happening, they can just discover because the way firewall VPNs are, it just says, "Hey, these ports allowed." Right? You can just run a simple scan and just discover it. If you look at how modern applications behave, how does your iPhone talk to your Alexa device? It's agnostic of any network. It could be, you could be on 5G, you can be on your friend's Wi-Fi, you can be anywhere.
You're not trying to say, "Before I have access to any this application, I need to be on a consolidated routable network." No. Right? Your phone talks to Amazon. You authenticate at Zero Trust. You know, you authenticate who you are. Your device talks to that cloud service, and then based on policy and everything, the connection is stitched. It just works.
Let me say, in that case, Amazon is acting like a switchboard.
Exactly. Right?
Party A goes to switchboard, party B talks to switchboard. That's how communication happen. There's no routable path between the two. Switchboard says, "Stop. The way Alex explained to me the other day, he said, "When I explain this thing, I say a firewall is like a bridge. You made the connection, you can go across from here to there. But the true Zero Trust is a switchboard. You can go from A to B." There are two pieces of problem. Lateral movement. Once you get on it, you're there. Almost like our highway system. You're free, you go everywhere. There's not a single light. It's wonderful. Now, if you're to introduce lights, gonna say, "Gee, could I create all these, what do you call them? chargeable,
Tolls.
-tolls.
Yeah.
Can you go in? Where do you get on? Where do you get off? You know, what's that? That's my segmentation, microsegmentation. Imagine trying to create tolls on American highway system and who can go and where, who can't. It's a problem. That's why. Lateral movement is trying to be solved by microsegmentation, and it creates bigger problems. The goal is not to really get people on the network. That's point number one. Point number two is also your attack surface point.
Today's motion, the way things is, broadcast, tell people, "I am here. Please connect with me." What does VPN gateway does? Says, "I am here." You scan the internet, you find VPN, every VPN server out there. If they're not patched, if they're vulnerable, you can get on them, and you could try to create compromise. In our world, for example, maybe I'll use the switchboard analogy. In the old world, you publish your phone numbers. If someone needs to find you, they dial your number, they get to you. Great. Every phone number is discoverable, right? Because it's published. In the same way, all IP addresses open to the internet are published. They can be discovered, they can be exploited, and they can definitely be DDoS'd. The newer analogy would be you hire a switching service. You don't publish your phone number anywhere at all.
You give a list to the switchboard service that these 15 people can talk to me. You don't even give them your phone address. Person calls, if he's on the approved list, they check the list, they connect you no matter where you are without sharing your information, where you are, what your phone number is. All other parties simply get denied. That is really how you're hiding your attack surface by sitting behind the switchboard service. We are that switchboard service that connects right party to right party. Your applications are hidden behind us. Now, the question is, are you an attack surface? Yes, we are an attack surface, but that's how we built in 150 locations, all kind of stuff to make sure I am the switchboard, I connect the right party. Firewalls will never do that.
When you hear about the cloud service of these firewall guys. You go to the website, the word firewall disappears, VPN disappears, all cloud-based, Zero Trust service. It's the same thing underneath. When you deploy that cloud solution, every branch office has a network and networking and all extended to every edge, Google or AWS region. If the network gets messy, it's really crazy. I just wonder sometimes, how could you conscientiously sell that kind of solution to your customers? When you know it's bad, you are being kind of, you know, creating a false sense of security. It's not good for the country, it's not good for the economy and our companies.
Yeah. Just think of the simple example I gave about your home, and imagine if all your friends' houses have to be on a network just so you can do the basic stuff. Unfortunately, that's how a lot of enterprise networks are designed.
That's how networking, IP-based networking works, and the firewalls were created to be little bridges in between. If you need to talk, the bridge has to open up. That's a problem. There's a connection sitting out there.
I guess the way the internet was designed, it no longer really suits for the complexity we're doing.
It's IP-based networking.
Yeah.
Think of Internet as destination. Internet is fine if you treat it as the transport and plumbing.
I like the phone directory analogy.
Yeah.
That was helpful. Thank you.
Hi, Sanjit Singh from Morgan Stanley again. This is a question for Remo. You mentioned that you aren't really seeing a macro slowdown, but you're really mindful of the recession risk. As you're thinking about the fiscal year 2023 guidance a couple of months from now, is recession a scenario that you're considering reflecting on the outlook? Thank you.
Not at this time. We're not looking at that. Okay. Yeah. I mean, we'll, as I mentioned, as we go forward, if we see things, we can adjust. Right now we're not putting that into our planning process.
All right. I guess that's all my questions.
Good.
Back to you, Jay, for any concluding remarks.
I think it's good. We appreciate your time. We appreciate your interest in Zscaler. Ashwin and Bill are always available to answer any questions, and I hope the session was worthwhile. Any feedback about this session or the session this morning? We always like to get feedback and then always learn and get better. The morning, the demos and all are pretty clear and easy to follow.
They help. I tell you it's hard. Just like Sasha from Salesforce and I was talking about, "Hello, I did my VPN. I connected. I connect with Zscaler." It's the same. Okay. It really isn't, right? It's the. It starts getting interesting when we start showing demos. For example, it gets a little geeky. There's a command called Nmap. It means network map. You type and say, "Show me what's on this network." You type in Nmap, and generally, if you do VPN from your home, you type in Nmap, you'll see hundreds and hundreds of things out there because with VPN, you're logically sitting in the office, okay? Your PC is logically connected there because you're extending the corporate network to your home. You see everything you'll see from the office.
You do with ZPA, you type in same network map, shows nothing. Nothing, because it doesn't go anywhere. It's not on the network. In fact, even more interesting, you do VPN, you say, "Which IP address am I connecting to?" You actually see a real IP address, 191 whatever whatever. You say, "What is Zscaler connecting me to?" Because it's some made-up numbers. You don't even know what IP address you're connecting to. That's really, it's hiding behind. It, it's a new approach. See, 30 years ago, when networking was created as IP network, it was an amazingly wonderful thing because the previous architecture was IBM SNA network. Totally proprietary. IBM dominated every enterprise. IP-based networking with TCP and all, standard got created, so everything could talk to everything. When it was created, security was never a concern. It was all, "Can I reach?
Can I talk? This basically said, if a user connects to a network, an application connects to a network, they'll find each other, they'll connect. That was the biggest and the best invention. It's just that the security risks are kind of making a problem. Security is never considered into this. It's really fast, a real architecture change in networking since late 1980s, early 1990s. The early 1990s network made Cisco what it is, because at that time, you needed all those wonderful routers and switches. Then firewalls were brought in because if you go on the highway, sorry, let's put some tollways out there, right? The tollways are no longer working in today's mobile and cloud worlds, and that's where we are needed. I think you'll see a bunch of noise out there.
You know, when Siebel and Salesforce had a fight for a while, I used to watch it because I was in the early stage of Zscaler. I used to talk to people, "How are you competing?" I talked to my friends in Oracle who are selling Siebel. I've talked to some people who are selling Salesforce to learn how that battle is going, because it felt like Siebel dominated everything. Salesforce, tiny. The right architecture made a difference. We think this right architecture will win for us as well. With that, thank you for your time.
Thank you.
Appreciate it.