Good morning, everyone. Welcome to the Investors' Innovation Briefing at Zenith Live 2024. Before we begin, I'll request you to look at our Safe Harbor statements. We got a great line of speakers today for you. We'll start with Jay Chaudhry, founder, CEO, and Chairman of Zscaler. Jay will talk about our expanding platform and the opportunities that it's creating for us, followed by Syam Nair, our CTO. Syam will talk about some of the AI innovations, and you'll have some really cool demos from Raanan Raz, who is VP of Data Analytics, and Deepen Desai, our Chief Security Officer on UVM and Risk360. Following that, we'll hear from Moinul Khan, who is GM of Data Protection.
He'll give you an update of the business there, followed by Naresh Kumar, who is our VP of Product Management, Zero Trust for Networking, talking about Zero Trust Branch and some of our initiatives there. We'll have a small Q&A section focused on products after the executive speakers talk. Before break, we'll break for about five to 10 minutes, depending on how we do with the Q&A. We'll meet right back here at 11:30 A.M., where you'll hear from a couple of our customers. After the customers' session, we'll have Mike Rich come on stage, talk about go-to-market strategy. At the very end of the session, we'll have a Q&A section with Jay, Mike, and Syam. Pretty packed schedule today. I would request you to line up all your questions for the Q&A section so we can keep the session moving smoothly.
With that, let me welcome Jay Chaudhry, Chairman, Founder, and CEO of Zscaler.
Thank you. Well, thank you all for joining us. Hope all of you had a chance to join the keynotes this morning. So all the questions are answered?
All right. So I won't repeat any of the stuff. Make a few comments. First of all, in the agenda you saw, there are a number of great leaders. As our business is growing, we're expanding our leadership across products, across engineering, which is important for us to really scale our business. I'll give you a little bit of a view of how we look at our business, our growth. And this is one way of thinking about when we sell to our customers. Secure communication is the foundation of how any of these entities talk to any of the entities. The core thing, right? ZIA, ZPA, ZDX, and the staff workforce we've done extremely well. Workloads are nicely getting adopted. IoT is a massive opportunity. Every large company you see out there needs to do IoT, IIoT plants, factories.
IoT takes a little longer in terms of sales cycles, but it's fascinating. B2B, all those are part of the secure communication area. If you think about it, that's what customers are trying to do. Securing data becomes very important. We have always done securing data, but the platform is expanding, and Moinul will give you a bigger view of it. The area that's expanding the most is data protection because data is just everywhere. It's becoming a bigger problem. Customers want one policy engine to do all of that. Securing your applications by hiding behind us is an area of big investments for us. Here, we started on hiding our attack surface. Essentially, we call it app cloaking. Deception is a honeypot technology. Identity Protection, WAF, attack surface, all those things are a new area that's evolving for us to expand our solution further.
Zero Trust Networking is essentially about making it easier and easier networking. We are not in the networking business, but we make sure you can easily get the traffic to us. Then actionable insights. You heard Syam talk about the fact that this is one new area we are expanding, investing significantly. All the rest has been inline so far. This is kind of out-of-band, taking all the logs. That's how we think about investment areas. In terms of our serviceable addressable market, I think we gave you some views about three years ago. It has been expanding quite a bit. We've done some early work in this area. IoT devices, about 1.5 billion. That really can be covered.
The acquisition of Airgap is actually giving us a piece that is missing for us to get inside the factory because when you talk about IoT, IIoT, before we could do communication, but inside the factory, we needed something. We wanted to do something that's Zero Trust, not legacy firewall-centric stuff. And then the fabric is essentially a big area for us too. As you see, the way Ashwin has done, serviceable, incremental future, there's tons of opportunity for expansion. The issue for us is really not the market size is not there. It's massive, no matter how you look at the numbers. And the issue for us is not even that competition has a similar solution. The challenge for us is this is disrupting a lot of stuff. It's overcoming inertia. It's really educating people so they really move forward with this kind of technology.
You saw some of these largest customers out there who have tons of legacy, who have tons of inertia, actually stepping up and embracing our solution. Now, when you take this kind of stuff, you look into numbers. Last time in January of 2021, we presented to you was about $72 billion TAM. It gave you an incremental view of it. You think about the data protection. This is an area that's expanding and growing. Big, big opportunity. And for us, every customer who is using ZIA is a natural customer for us to do data protection because then you're not going to go and get somebody else when we are sitting in line because everything essentially that's stolen gets sent to the internet. Natural for us and with great product portfolio in that area.
Now, the second big, the new SAM, the Zero Trust factories, it's our Zero Trust appliance we launched last time, eliminating the need for SD-WANs of the world. And then inside IoT, IIoT has become the next bucket. And the third bucket, which will grow significantly over time, is taking all the data, building applications, whether it's Risk360 or Business Insights, or Unified Vulnerability Management that came through acquisition of Avalor. But the most importantly, Avalor gives a platform to build a lot of stuff on top of that. So essentially, you're seeing our cut from $72 billion to about $96 billion. I think the market is bigger. I would rather be conservative. It doesn't really matter. Even $96 billion is a massive number. It's really for us to go and get a good, decent chunk of the market.
So a few words on how are we handling some of these new products. When your product portfolio grows, your salesperson can handle all those products. Now you start figuring out some level of specialization. What do you do? What do you don't do? We have been learning. We'd like to experiment, figure out. We have a notion of a Takeoff Team. Takeoff Team says some of the new important products, if you really give them to a large global sales team, it gets lost out there because the sales team is trying to deliver the numbers irrespective of the products. So three key areas where we are focusing on the Takeoff Teams. It's a next-level refinement. Data protection is big. The reason it's Takeoff Team is because this thing takes off and eventually becomes part of mainstream.
thing takes off, and then maybe in a year or two, we'll have new product area, new Takeoff Teams out there. Zero Trust Networking is a combination of all the Zero Trust communication products we need to do. We have Zero Trust Branch in this area. It's a network disruption story. We have Zero Trust for Cloud, for cloud communication. We eliminate the need for extending your network to every cloud region. It just goes through us. And the IoT, IIoT, the acquisition, Airgap, all those are essentially a holistic story of Zero Trust Networking. And that's it. Takeoff Team and AI cloud solutions are the solutions that take all the logs, take all the data, and create meaningful, actionable information, whether it's risk or Business Insights or Vulnerability Management and more. This is we have done this work over the past two years. We've seen success.
That's how you've seen some of the growth in these products. We will keep on refining it to make sure these sizable emerging products get attention, the right level of attention working in the field. That's probably the main thing I have here. With that, let's talk about the platform innovation. Syam.
Thank you, Jay. So thanks for the opportunity to talk about our platform innovations. I think the way I would actually say this is we've been innovating across the board. And of course, you talk to anybody, especially in the tech, the word AI will be there multiple times. So I'll try to not say that and prove that we are actually investing in a lot of those technologies across the platform. So what's new in our world? I know Jay talked about Zero Trust and how Zero Trust is becoming more and more profound in terms of cybersecurity. One of the things that I was talking in the keynote, I said, look, when you really look at threats today, they are happening at such a faster pace that reactive remediations are mostly remediations after the fact. That's why it's called reactive. We need to move into proactive.
We talk about threats that spread within two minutes and seven seconds, as one of the IR report talks about. You really don't have a lot to do after the fact. So there are two things that can actually help, and that's where we are innovating. Number one, is Zero Trust. If you stop lateral threat movement, which is the power of Zero Trust, and Zero Trust becomes the first line of defense and the last line of defense. So even if something happens, it's just isolated to a very small environment. This is where, again, that power of Zero Trust and the power of AI comes into it. Second is being able to get actionable insights, drive those actionable insights, and connect it with the integrated, integrate it with the platform that we have.
So the way we have done this is organically, we have been investing a lot in AI. For about five to six years, the entire Zero Trust Exchange platform is powered by AI. Whether it's segmentation, whether it's policies, whether it's the feeds that we get, we are talking about high volume of data, the veracity of the data that we can verify, and the velocity at which it is coming. This is a large cloud with 400-450 million transactions, 500 trillion signals. These are large numbers, and you really need the power of AI. Now, with Avalor, what it adds is that capability to bring it together as a data fabric. The world has been spending a lot of time and effort collecting logs. Collecting logs are essential because you want to get insights out of it.
How can you really move that from collecting logs to connect, contextualize, and provide the real-time insights? That's what we try to do with the Avalor acquisition. It's integrated into the platform so that you see this as one platform, one inline Zero Trust Exchange and the fabric. The fabric opens up a lot of opportunities for us. Many of them are applications that we have, Risk360 that Jay talked about, Business Insights. Avalor brings in Unified Vulnerability Management. It's a differentiated solution. This is just the beginning. We are talking about Breach Predictor, our own managed threat response services that we are building, and detection and engineering and security graph. We will be able to find an attack path and be able to tell proactively what needs to be done.
If the analyst actually gives us the intent of what the outcome needs to be, that can be applied in the platform. So I think I'm super excited about what we can do in this particular space. It's just the beginning of it. What better way to go through this than actually demo the products? We have Raanan here, who is a CEO of Avalor, Deepen, who is our Chief Security Officer, Moinul from Data Protection GM. So we'll walk through the products and where you can actually see all of those innovations coming together. So who's going first? I think, yeah, Raanan.
Thank you, Syam. Hi, everybody. Nice to see you all. My name is Raanan. Let's see if this works. Yeah. So before getting into all of the details, I would say the main aspect or the main theme that we're trying to convey here is around the context. The whole point of the fabric is to get signals across all of your third-party sources together with the first-party data that Zscaler has today, which is a gold mine of data and a gold mine of signals that can be used to do real risk scoring. So when you look at a score initially, you get a number. That number doesn't mean anything. And by the way, that number changes between different vendors. So you can get one number from vendor A and a different number from vendor B on the same specific risk.
Then if you look at it from a context point of view, you can actually go ahead and see, okay, let me get some additional information about that specific problem. Does this asset have an EDR on top of it that may be mitigating some of that risk? Not only that, it's a dev environment. That's not necessarily something that is easy to understand across all of your signals. But on the flip side, it is exposed to the internet. And not only that, with our inline information, we can also see if it's open, what is actually being transferred along those lines of that inline information. And is the CVE itself exploitable? Yes or no? Again, threat intel coming in from third-party vendors. Does it have access to PII data?
Again, talking about our DLP capabilities or data protection, we're able to contextualize that information as well on top of it to see what is the actual risk of that specific CVE. And on top of it, the actual user who's actually managing that specific server or asset, what's his risk? We can actually tap those two together with the identity, with the asset, and the risk itself all in one place. So that's a little bit and an example. And of course, the users or the companies themselves can really customize that scoring to their specific needs or their specific context in what they're doing on their day-to-day basis to actually reduce those risks. So a few examples from the platform. And if you're interested, there are some more breakout sessions with deep-dive demos into that. You're more than welcome to join.
So here, of course, bringing in all that data, we have a vast library of connections, more than 150 connectors. And not only that, you can basically bring whichever data point that you want. And as you know, all organizations today have their own internal data sources as well that are not necessarily easy to ingest. On our side, super fast, super easy. And that data is basically getting mapped automatically. And again, I'm trying to use a buzzword, but using AI to push that data into the fabric. And that basically allows you to cross-contextualize across those sources without really understanding data management, ETL, et cetera. Then once it's there, you can do whatever you want with it. And when I mean anything, you can do analytics. You can push data to your streamlined solutions as far as ticketing platform.
You can throw in alerts, do whatever you want on top of it. Here are some examples of analytics, how to actually measure your risk over time. Here's another basic example to show you how you can actually modify your score of your risk based on the context that you're seeing within your organization. You can see on the top-hand side how the threat intel actually impacts your score. On the left-hand side, how are actually risk mitigating factors impacting that for good and for bad. When the actual practitioner actually comes in to try and solve those risks, he is actually seeing the full lineage of understanding of why is that number actually the number? Why is this specific risk that risk? If I zoom in a little bit, you can actually see the full lineage here. You can see there's business continuity here.
That's number five. That means it's a risky asset. That means I should take care of it in a prioritized manner. Not only that, the power of the fabric also is super powerful in deduping across multiple sources. That means if you can look on the right-hand side, I know it's not that visible, but this is a real number of the amount of vulnerabilities that our customers are seeing based on how they see it across their entire third-party landscape. And actually, after it's being ingested through our fabric and contextualized, this is the amount of numbers that they actually need to take care of. So it's a 99.5% reduction in the alerts or vulnerabilities that they actually need to tackle. And not only that, you can actually track how your teams are doing.
When I mean teams, the context is not just the risk, it's who owns it, what kind of application is impacted by those vulnerabilities, and which person in the organization actually owns that specific problem. So you can really track that all the way through with powerful analytics, month-over-month, day-over-day, whichever metric that you want to bring or define in your company as far as KPIs. I'll let the reins to Deepen. Thank you very much for listening.
All right. Thank you, Raanan. Folks, good morning. I will be walking you guys through a quick demo of Risk360. Just to give quick context, this is a product that I myself kicked off on our end because one of the biggest problems that all CISOs, including myself, face today is how do we holistically quantify cyber risk? What do I prioritize over gazillion things that we're seeing in the environment? That's basically the problem statement that we're trying to solve over here. There are a lot of tools out there that claim to solve it, but they're only looking at one aspect of the risk. So with Risk360, we're trying to solve that. It's now 1+-year-old product. It has a lot of new stuff that we've added.
I will cover some of it, but would encourage you guys to visit our demos, our breakout sessions, our keynotes for more detail. So the four stages that Jay mentioned in the keynote as well are the four stages that we're trying to quantify risk: external attack surface, compromise, prevent lateral propagation, and data exploitation. These are four stages that you see over and over again, whether it's ransomware attacks, whether it's nation-state threat actors targeting the organization. And it's important to look at the risk with this lens. So what we do with this is we will quantify the risk in these four stages. We'll also show you how you fare compared to your industry peers. I mean, you have a risk score of 36. What does this mean? Am I doing good? Am I doing bad?
So we'll also show you a trend of how you're doing in terms of your risk mitigation action. Every spike or dip that you see in the product will call out the actions that your team, your security team, is taking in order to mitigate the risks that the product has identified. Now, the team over the past 2 years, what they've done is we have compiled over 100+ contributing factors, and we have categorized them into four critical areas that most CISOs and security teams care about. That's workforce, third parties, applications, and your assets. You need to prioritize based on these entities and then take action to mitigate your risk criteria. The product does not have anything that we call secret sauce.
It will actually showcase how we are calculating this risk because the goal over here is to work with the security teams for customers to tell them, "Hey, this is high risk because of X, Y, and Z factors that resulted in that risk score being computed high." The product also provides a lot of workflows. I know it's hard to read, but these are basically the contributing factors. The easiest way to envision the 100+ contributing factors that I keep mentioning is there are inherent risk, and this actually goes in the financial world as well. Inherent risk and residual risk.
If an organization does not have a security control in place that falls in that inherent risk bucket, if they have a control, and this is very, very common, which is why we see a lot of the ransomware attacks being successful, residual risk is where the organization already has the platform, already has the product, but they're not doing the right thing of configuring the controls. That's also something that the product will bubble up. And in addition to that, we'll look at the behaviors across those four stages that we're seeing in the environment in order to quantify risk. So that basically allows us to tell you, "Hey, you're not configured correctly over here, and that's why we're seeing all of these activity happening in your environment.
If you do X and Y, you will be able to mitigate this risky activity in your environment." We're able to do this with a lot of third-party security tools as well, which are commonly found in the enterprise security stack because it's not just Zscaler. We want to get signals from EDR. We want to get from IdP. We want to get it from all the vulnerability management tooling as well that security teams are using. Now, one of the innovations that we're all excited about is risk scoring around your assets. So this is something new. It just came out last month. This is where we're literally plotting your asset risk across three different dimensions. And again, the goal over here is things that are not user identity specific.
How do you also quantify risk for those devices that are just sitting in your environment and that can lead the attacker inside your network? So we're plotting that. We're also quantifying risk around your assets. And then there are mitigation workflows that were built in the product around that. Now, the exciting piece that I would want to cover is how we are leveraging this product in our board conversation as well. This is me myself also leveraging this, and I see a lot of our customers starting to actively leverage this in order to showcase what the security posture looks like. The SEC regulation that came out last year, which mandates publicly traded companies to report their security governance, their security posture on an annual basis, we're solving that problem as well with the product.
It actually is able to generate a cybersecurity maturity assessment report using a generative AI model. This is where we're actually looking at all the factors findings in the environment and generate a human-readable report that actually can also be leveraged when you're filing your SEC report. And then finally, there are board slides, which I don't have a screenshot for, but those board slides are where we will be able to actually walk through with several different cross-functional stakeholders on what the risks are, also showcase the financial lens of those risks that were identified in the environment. So thank you, folks. I'm going to head it over to Moinul now.
Good morning. We have a massive amount of opportunity when it comes to data protection, as Jay mentioned. If you look at the whole data security industry, it's super fragmented. If I ask someone, "Who is the leader in data security?" There is no answer. Some people will say Symantec, but because of the Broadcom relationship, it's not that attractive anymore. The biggest complexities that organizations are facing today is that to secure their data, they have to deploy six, seven different DLP engines. And this is a massive amount of complexity because first, you need a 30-, 50-person team who can write regex, but also at the same time, just creating these policies, hundreds of rules and regexes are just super complex.
So when we looked at this problem, we figured that we have the right architecture to really solve this complexity issue because if you look at our architecture, we are man-in-the-middle. We are man-in-the-middle proxy for pretty much all the traffic and all applications. Your data is coming from your users. The data is coming from workloads. The data is coming from OT, IoT devices, your B2B partners. And again, we are in the middle. We are inspecting all that content going into all kinds of applications. If you look at the organizations, what do users do? They come and they connect to different applications. So you have SaaS-based services they're using, Office 365 and Google. They're using different types of web applications. People like to use pdfconverter.com, and they're uploading data.
At the same time, they have tons of data in their private applications that they're hosting either from public cloud infrastructure like AWS, Amazon, Azure, and Google, or they're hosting these applications on-prem. So for all of these applications' traffic, for all of those entities, we are looking at it with the same integrated classification engine, and that significantly reduces the complexity. And because of that, we are seeing some great momentum in our data protection adoption. So what we have done over the, if you kind of look at our journey, we have been doing data protection for about 8 years. For about the last 6 years, we really, really accelerated. So most of the things that we have built, these are all organic developments. So there were a serious amount of investment within our engineering team.
But also at the same time, whenever we saw an opportunity to have a tuck-in acquisition, we leveraged it so that we can expand our portfolio. So over the last six years, we acquired five different companies to expand our data protection portfolio. Again, these are small tuck-in acquisitions, really technology-focused acquisitions that really differentiate our portfolio. And as a result, we have a very comprehensive, fully integrated data protection solution today for all data and all channels. Last week, I was in Washington, D.C., at the Gartner Summit, and one of the very popular, very famous analysts, his name is Neil MacDonald, when I was giving him our update of data security, he made a comment that really resonated with me.
He said, "You seem to be the only one in the industry who is securing structured data, unstructured data, for data in motion, for data at rest and data in use, for web traffic, for SaaS-based services, for public cloud infrastructure, for private applications, for email, for endpoint, and for BYOD." That is exactly why our data protection portfolio, our business, is growing significantly. It is all about consolidation. It is all about reducing that complexity. The market for us, again, it's a tremendous amount of opportunity. The market actually, our addressable market has grown from $10 billion-$20 billion market because if you look at the traditional data security market, it used to be DLP and CASB primarily.
But then now, with a lot of these adjacent technologies that we have built organically and inorganically, we are looking at a $20 billion addressable market for us. So again, it's a significant opportunity for us to grow our business. Some of the notable wins, very recently notable wins, a global bank, 150,000 seats. It's a new logo for us. The way they looked at data security was with the lens of secure services. In the past, they deployed a SWG, which is very different than their remote access VPN, and they had separate standalone DLP product. They wanted to consolidate all of those into a single platform. So we won the deal. Again, they are using now Zscaler as a secure web gateway, ZTNA for their remote access users, as well as the full data protection suite.
They actually got the Data Protection Unlimited bundle that includes everything that we have within data protection. The second one, a Fortune 500 financial services company, this was a huge upsell for us. They were using ZIA. They were using our inline DLP. They were using our out-of-band CASB. They realized that endpoint has become an exfiltration channel. They were worried about people stealing data through USB stick. They are disconnecting their devices and then stealing data. So when they started thinking about endpoint DLP, they said, "This is an extremely simple solution because the endpoint, the agent was already running in their devices. They turned on endpoint DLP, and it automatically fetched all the existing policies, and they were up and running." So we did a 74,000 seats endpoint DLP deployment in this particular case. And then the last one, Fortune 100 technology company.
They were using our ZIA to secure their web traffic. Then it's a technology company. They were really worried about GitHub because their developers were putting a lot of company source code. And they said, "We need to have the data protection platform so that we can secure all the data inline with our out-of-band API data risk detection as well as on the endpoint." With that, I will now hand it off to Naresh.
Hey, Moinul. Thank you. Good morning. So let me start with a definition because we start talking about what we build, how we build, and how we are different. But before I get into that part, I want to start with one important definition, Zero Trust networking. If you look at three to four years ago, there was no such term as Zero Trust networking. The reason for that is if you look at networking in general from past 20 years, the understanding of networking is LAN, local area network. You have a perimeter. You have a location in which you have small networks. You group them. All printers in a group, users in a group, guest Wi-Fi in a group. It's a local area network. Then started the need for connecting these over a wide area network.
The WAN term comes when it comes to whether you're using a flavor of MPLS network connectivity for good 15 years. Then in the last five, seven years, a lot of local internet breakouts with internet as a way to connect these networks. So you will hear a lot of these technologies out there were built to connect these networks. And when Zero Trust came as a foundational framework or thought process on how we have to redefine the connectivity, the first principle or to very simplify the Zero Trust, it is all about don't trust and make sure you verify before you allow the connectivity. And to implement such a framework or approach, it starts with authentication, authorization. I know who you are. I know what you want. Yes, I'm going to give access to a specific resource or an application.
In the past five to seven years, we have seen a huge adoption of completely eliminating the need for having a remote access VPN because that was the technology built. Again, it is a flavor and form of VPN, virtual private network. The users used to connect to a network, and they get to access whatever they want. So all of that has completely changed with Zero Trust approach. And we were the first to take that and lead scaling that to more than 25 million end users with Zscaler Private Access. Now, when we started looking at how could we take this approach for things, especially your printers, your cameras, your OT networks, PLCs, HMIs, all of these devices, it's impossible to put some agents on them.
So when you talk about connectivity, the only identifiable component for any of these devices is IP address, at the best, a MAC address. And today, all of our iPhones have a MAC address and IP address. They can be spoofed. That means you can have the same MAC address. If I know your MAC address, I can spoof it, and I can generate an attack. And the foundational connectivity built based on the premises of VPN, especially for a branch office, a factory, or now the problem is extended into cloud workloads, the technology did not change. The same legacy firewall-based approach of, "I'm going to connect this network to that network, and I put a firewall, I'm secured," is not going to work because the Zero Trust approach foundational philosophy completely gets broken. And that's where, in the past two years, we worked very closely with industry analysts.
Now Gartner is defining the term Z ero Trust Networking. In this slide, what I want to talk about is it's not a concept or term to just define an area of focus like SD-WAN or. It's about connecting everything to everything. How a non-user endpoint can talk to another application or endpoint is the core focus. If you look at still, the way products have been evolved and deployed is in three major areas. The first one is SD-WAN. SD-WAN has done a great job in the past seven, eight years. It has enabled enterprises to move away from an MPLS network to an internet-based overlay network. That means they shrunk the costs by 4-5x down by making internet as a reliable option. And that's where SD-WAN got traction from a cost savings from MPLS to internet.
Second thing is, how do I simplify the overall bringing up a new site through a centralized portal? So those are the benefits of SD-WAN. While they are great, but one fundamental thing missing from SD-WAN perspective is they do not have security-first thinking. They do not have Zero Trust thought into them. 8 years ago, nobody talked about Zero Trust for networks. That's exactly why I was giving all the history on how and where we are today because of the Zero Trust concepts. And we had an amazing opportunity to disrupt and reimagine that with a security-first mindset. What that means is all the 17-18 SD-WAN players today, if you see, they all got absorbed by some customer, most of the vendors out there, and they have packaged that as a feature.
So that means SD-WAN as a core, what it started 8-9 years ago, is more of a connectivity framework. But what we had an opportunity to do is all of the 18 SD-WAN vendors out there were built based on a site-to-site VPN. Everybody. There is no one out there who doesn't have a technology which is not a VPN-based. And VPNs inherently bring attack surface problems and facilitate the lateral threat movements very easily. And with the technology we built for 30 million or 25 million+ end users with ZPA, we had that confidence and scalability to extend that concepts and approach to solving the problem for every device in an enterprise, whether it is in an office, a factory, campus, or data center, including cloud. That is what Zero Trust SD-WAN is all about.
So we have this amazing opportunity to completely eliminate the firewalls from the branch offices because these branch office firewalls are typically small form factors. They can't do any inspection. And if you want to implement a Zero Trust, you need to understand the context. You need to identify. You need to verify. And you need to give access controls. Most of the times, they all are bringing the traffic, hairpinning into data center, and they're egressing from there. Every network is that same way. And with this technology, they got the opportunity to completely break out locally and have all the security stack in a scalable way leveraged through our platform. So that's a big area and opportunity for us to completely disrupt all the SD-WAN vendors out there. There's no one using this approach.
The second area of focus, cloud migration is happening at a much, much faster pace. You hear this network modernization and simplification as a big initiative from all verticals. There's no one vertical which is not thinking about it, whether it is retail, healthcare, manufacturing, you name it. Everyone is having a network modernization. The reason for that is AI is part of the problem. Not problem. It's a part of the trigger, I would say. AI is going to make each and every endpoint either consume data or produce data. So more and more connectivity becomes the heart of everything. Now, if you look at that from a cloud migration perspective in the workload, which is the workload communication product area, we have launched capabilities to protect the workloads, whether it is within a VPC inside one region to another region or between VNets and inter-VPC and intra-VPC.
We are seeing the rate at which the applications from data centers are migrating much faster. We even hear DC-free initiatives like kill the data centers. Most of them are migrating to cloud. We have some customers who completely dismantled. In the transformation keynote, you will hear one of our customers who completely took out their data centers and moved to cloud and how they have taken our workload communication as well as SD-WAN on the branch offices, Zero Trust SD-WAN to make that happen. Huge opportunity for us. Most of the security, again, the same players would go and connect those in workloads. They were using virtual firewalls. Same challenges, what happened in the branch firewalls, do exist with them in the cloud world as well.
The third area, which is where we are very excited and eagerly looking forward to make another disruption, is in the LAN side. In LAN, there is no Zero Trust. There is no vendor out there who can claim that they can do Zero Trust within a local area network. That means if five of the printers are connected in VLAN, those who are familiar with the concept, they can talk among each other through a switch. You don't need to go anywhere because that's what the definition of VLAN is. I'm grouping certain device types into one network group, and they can talk among each other. If one compromised printer can easily infect all the compromised printers within an office, that's how the network is designed. If you go and try to make it individual VLANs, you are hit with all networking challenges.
You can only create 4K VLANs. Your firewall rules increase by 5X if you try to go granular. So that is where we have an amazing opportunity with Airgap acquisition, where we could bring Zero Trust to local area network. That means every device is a network of its own. So that's where a big opportunity for us to disrupt east-west firewalls as well as bring more security and Zero Trust for IoT, OT devices. And that's exactly where we have an amazing new market opportunity. And currently, we are serving customers with close to 1.5 billion serviceable devices because the scope was largely branch offices, badge readers, printers, cameras, and so on. And we have, especially in the area of more than 2,000 employees type of large organizations. Now, with SD-WAN, we even have the opportunity to serve customers in the commercial segment, less than 2K users.
That gives us additional incremental devices we could address with this technology. The big thing which we are very excited and significantly expands our opportunity to secure is OT networks, mission-critical, critical infrastructure sites. More importantly, we have customers talking on how do I make the EV fast charging stations, the electric EV vehicle charging stations, how could we connect that through Zero Trust Exchange. Looking at those use cases, we have an amazing opportunity. Close to 7 billion other IoT, OT type of devices we could now secure with our Zero Trust Networking platform as a whole. With that, we have an amazing opportunity where we can get to $12 billion of serviceable market. Again, you can see the math. We have this $8 average revenue per device. That's what we have seen so far.
If you look at the current serviceable devices, we're close to $12 billion, SAM. We strongly believe this will continue to grow as the devices are empowered by AI and so on technologies. Let me give a couple of customer wins quickly. We started this product one and a half years ago, initially with a virtual form factor. Today, we have close to 100 customers, majority of them on the virtual form factor. About a handful of customers are going into production with our ZT devices, which is the hardware variant we introduced last year. These two, three wins I picked from those customers who completely want to modernize their branch office transformation. There's a global legal services firm based off of the U.K. who is already a Zscaler customer. It's an upsell into replacing their SD-WAN solution. We sold them 70 sites.
They're securing completely all their sites. We displaced four firewalls in that opportunity. There are three variants of our product: ZT400 serving up to 200 Mbps, ZT600 serving up to 500 Mbps, and ZT800 variant goes up to 1 Gbps. We have roadmap and launch coming for up to 5 Gbps and 10 Gbps type of throughput devices. So in that customer win, particularly a couple of highlights, they were replacing complete site-to-site VPN. They completely want to become a VPN-free enterprise. They want to bring Zero Trust for IoT and OT devices. That's the big win. It's a global deployment all the way from African countries into North America. They have sites across the globe. The second opportunity, especially in Europe, we had another big win, a European IT services company. We sold for 45 sites with ZT800 type of offices.
They have many more B2B type sites, which they will be expanding once they start deploying with this. This project is driven by the network modernization initiative. We replaced Cisco SD-WAN in that particular deployment. Same thing, everyone wants to get out of the site-to-site VPN. The last one is healthcare. This is another important vertical for us where ransomware and threats are of a big challenge and issue. We saw the customer deploying up to 90 sites with different variants of hardware. In this case, we were able to completely eliminate a Palo Alto firewall from all their branch offices. Cisco SD-WAN was the solution they have. Again, largely network modernization, transforming the branch offices, making them Starbucks-like was the key drivers. In all these wins, you could see that.
And we have many more opportunities coming in the pipeline. So with that, Ashwin, back to you.
Okay. Well, I would like to invite Jay, Syam, Moinul, and Naresh as well to get started. All right. Questions are already there. Mike, so I request you to just ask your question through the mic. I'll say audience on the webcast won't be able to hear you. It's an AI-powered mic.
Let's try that again. Good morning, Gabriela Borges. Thank you for having us.
So my question is, if you think about some of the foundational decisions that were made at the time that Zscaler was founded, and you think through what your roadmap is focused on in terms of upgrading the architecture, what are the two or three things you would call out from the presentations this morning as essentially bringing the architecture into 2024 and going head to head with maybe some of the startups that claim to have more sophisticated or more advanced Zero Trust architectures that have been founded in the last three to five years?
So the architecture we started with is still the core. If you look at Zero Trust, it became fashionable in the past few years. But fundamentally, we are the switchboard. Connect party A to party B. We are the rule engine. We are the policy engine.
We extended from users for external applications to internal applications, workload to workload, IoT, OT, B2B. It's extending nicely. The scalability of the platform is helping us. I mean, over 400 billion transactions a day. The biggest thing you needed to really do this was scale. Architecture helped us scale. It keeps on scaling quite a bit. The functionality we are adding is all around the switchboard, essentially. A lot of data protection, browser isolation technology, all that is growing in a concentric fashion. Everything has been around Zero Trust Exchange. The next main thing we've done outside that is really building an AI cloud. It's natural for us to take all the logs and really leverage that information to provide more meaningful insights. Very, very happy to see how nicely the platform has grown.
It leads nicely into a question on Avalor and some of the work that you're doing with data intelligence. Help us understand where some of these contextual intelligence points that you're making fit relative to the classic set of SOC tools or the classic set of intelligence tools that your customers may already be using.
Syam.
Yeah. Thank you. So I think it actually a couple of areas. Number one is contextualizing this actually helps us in our inline platform itself. We have always been leveraging its identity is just one part of the context. And we talked about adaptive policies, adaptive policy engine. There's a lot of these contexts that are actually feeding in. From a SOC tool perspective, I'm going to give my opinion is I think today a whole lot of the time and effort is spent in terms of collecting the data.
It's about 79% of the effort is cleansing the data and getting value out of it. It's a huge time sink. And even with that, it is very expensive in doing it, as well as it is not really you don't really get the actionable insights that you want to drive out. So there are definitely companies that talk about next-gen SIEMs. They're trying to do it better, maybe better data lake. So our approach is, look, sitting inline, looking into this entire traffic, we have visibility across that ecosystem in terms of we look at now we are in the middle looking at the entire traffic. So the insight we get, I would argue that about 70%-80% of the valuable insights we can actually get from that.
What the Avalor platform actually helps us or the Zscaler Data Fabric helps us is now being able to connect with the rest of the ecosystem and contextualize it. This is where we're not trying to compete with the vulnerability management vendors out there and say, "Hey, look, we can patch your software or give you CVSS scores." What we are saying is, you get all of this data. We have data. You can actually look at what the actual risk is based on how you're set it up. We can actually tell you what the potential attack paths are. Here is clean action that you can take, which can be policies inline. So I think if I may say it, I think the world of SIEM, SOC tools will be disrupted.
Disrupted because we don't have both the power and the people to look at all of these alerts and come back with proactive actions. I think we are on that path. And I feel like the approach we are taking with value-added applications for Zscaler customers is the right approach to actually get into the market.
Hi, Gray Powell with BTIG. So I hope it's okay, but more of just like a market opportunity question versus products. So look at some of the stats on your slide deck. You have 40% of the Fortune 500, 30% of Global 2000. Some great numbers. I'm curious, how much greenfield opportunity or adoption of Secure Service Edge is left within large enterprise accounts? Do you have a sense as to how many customers have not adopted anything? And then related question is like, how should we think about incremental customer gains?
Is it winning that greenfield opportunity or maybe more displacing firewall vendors, Secure Service Edge customer?
So yes, there's a greenfield opportunity to get new logos, but there's also a significant opportunity to expand with upsell. So both are big for us. For the upsell, you're seeing how the platform has expanded. Upsell is easy, and we definitely plan to do a lot of that. In terms of new logo, yes, over 40% of Fortune 500 companies are customers. I don't have well-qualified data, but I can tell you a large number of customers on the high end we talk to are still actually sitting with some of the old web proxies of old. It's interesting because they're so big. They're so embedded. So those customers will come to us rather than going to a firewall vendor or some of the new companies coming from behind.
I mean, you saw it during my keynote. Look at some of the biggest and the biggest customers. I mean, trusting us. And these customers understand really Zero Trust. They'll never buy a firewall-based solution. The only customer will be buying firewall-based SSE. They just haven't fully understood the value of what real Zero Trust can do for us. If you ask me personally, I think over time we can double the percentage. I look at ourselves, just like ServiceNow, and they're sitting at about 85% of the Fortune 500. I think we have the opportunity to get there. That's what I'm personally striving for.
Thanks for the goodness, Gray.
Hey, Shrenik Kothari from Baird. Thanks for taking my question. So great to see the traction in data protection. You guys highlighted deals as well as the incremental SAM of $10 billion compared to last time.
Seems like you guys definitely have done the work before. Now, since you called out the complexity and the fragmentation of the data security industry, just curious, in terms of this additional $10 billion, how much is, again, in line with the last question, how much is Brownfield displacing these legacy vendors, and how much is this greenfield opportunity? And then, yeah.
Yeah. So yes, a tremendous amount of opportunity replacing legacy vendors. So there are two types of customers, the two segments that we look at. One is one segment, they have been using DLP. When they think about data security, they're thinking about DLP. They need network DLP, web-based DLP. They need DLP, endpoint DLP, email DLP. So that's one part of the segment where we have a tremendous amount of opportunity to replace some of the existing solution.
But also, a lot of organizations are looking at data security with the context rather than just traditional content inspection engine. And this is where we hear about CASB, SSPM, broad spectrum data security platform. So again, in both segments, we have a tremendous amount of opportunity with the new logos as well as upselling into our existing install base.
And maybe the third bucket, maybe this inline stuff Moinul talked about, that's where Symantec Vontu of the world have done a lot of selling, pretty sizable. There's a CASB-related stuff, which is a SaaS kind of stuff. And now even CASB itself is growing. CASB was one piece. Now SaaS security, posture management, third-party supply risk of all the SaaS segment is growing because the data is getting connected. Then the cloud part, the DSPM, and some of the new areas are growing.
If you ask me, some of the new areas are smaller than the traditional inline. It's a matter of time. I think probably in a few years, inline, the out-of-band will be as big as inline because that part is growing. Take DSPM. What data is sitting in my structured databases that need to be secured? Young area, but we are well-positioned. The number one reason why we are a natural partner there is we're sitting in line. And all that inline stuff, there's still a bunch of Symantec Vontu and related stuff sitting out there. Those are natural for us. They're not going to go to somebody else and say, "Let's read out traffic from Zscaler cloud to another cloud to do it." That becomes easy kind of beachhead for us, then expand the rest of the stuff. It's a sizable opportunity. It's hard for us to execute well.
That's why we got the focus and the Takeoff Team to drive it.
Next, Rob Owens.
Yes, Rob Owens from Piper. I want to add on to that question from a couple of perspectives, Jay, because all morning you've been talking about inertia. And if you look at the fragmentation of that space, it's got to be quite difficult to displace some of those vendors. But I guess through the lens of GenAI, where are customers right now, and are you seeing momentum on that front in a Zscaler part of that conversation in terms of the data security aspects?
So lots and lots of discussion on GenAI for how much our customers are buying, what's happening. It's still mixed. Number one thing they wanted from us was, "Can I do secure use of GenAI?" We rolled out the core functionality pretty quickly.
But when you roll out something, customers want it. They want the next level, the next level. A number of things we talked about. A lot of next-gen advanced use of GenAI is rolling out. I think we'll get money from GenAI as it gets more and more advanced. But early on, rather than trying to ask for a lot of money, I would rather have my customers start using them and start benefiting from it.
Yes, just to add to what Jay said. Yeah, GenAI is a super hot topic because all your users want to use GenAI applications because these applications make them productive. From our perspective, though, it's not really a new segment for us to tackle. Because think about this, 10 years ago when Dropbox and Box became popular, people said, "Oh my God, our company data is going to someone's personal Dropbox account.
And how do I secure it?" It is the same problem for us. And we are in the middle of the traffic. So it's the same thing. Someone has a ChatGPT account, a developer uploading company source code and asking ChatGPT to fix that code. It's basically your company data going into an unsanctioned web-based application. So we were naturally fit. And that's the first thing that people are looking at is when our users are using all these ChatGPT and GenAI applications, how do we secure the data? And we are in the middle of the traffic. We are looking at the content, and we are securing that data with a lot of context. So we are natural fit.
Thank you. We'll go to Param and then Peter and Brian.
Great. Thanks. Oh, yeah, Param Singh from Oppenheimer.
So I appreciate that you have now dedicated sales teams to address these new areas. But is there a different kind of buyer for the data security side versus what you've traditionally kind of looked at? Then I have a couple more questions to follow up on that.
So the beauty we have is since we work at the C-level, our primary person from a cyber point of view is the CISO. CISO owns both cyber and data protection. Yes, in large organizations, there will be a data protection person under the CISO, but it's the same team. There may be a cyber team separate, data protection team separate, but they're under the same CISO. Yes, it is explaining the technology, what it takes, how it works, requires some different skill set. That's why we have a Takeoff Team in this area.
But the buyer is the same because we're dealing with the highest level.
I see. No, I appreciate that. So obviously, you have a lot of advantages from any kind of inline security, right? But if you look at out-of-band, you kind of focus on cloud security for a little bit. It's kind of taken a back seat right now. What gives you the confidence that you will be able to have that kind of success in out-of-band data security that you might not have had in cloud or anything else?
Yeah, it's a great question. When you think about out-of-band, it's basically you are talking about data at rest. Now, where is the data at rest? You have it in SaaS-based services like OneDrive and SharePoint. You have it in public cloud infrastructure. You have it on endpoint.
In fact, we have security solutions for all these data at rest locations. This is one of the reasons that we launched our DSPM solution to secure your data at rest in public cloud infrastructure. We actually haven't taken a back seat. We actually invested heavily so that we can go after a large portion of data. The number one reason customers want to do the data at rest or out-of-band with us is they want the same policy. No matter where the data is sitting, what kind of data needs to be secured needs to be driven by one set of policies for here, here, here. That's really what we bring to the table.
Param's just moving on.
Just piggybacking on that, just really quickly.
Any other technology gaps you see on the data security side, whether you want to invest in it organically or inorganically to cover the entire gamut of data security?
We are pretty well set. There will be things evolving. We'll look into stuff. But at this stage, I have no lack of product to sell in this area.
We'll take the last question from Peter.
Peter Levine with Evercore. So maybe just two questions. One, Jay, last year we talked a lot about identity. So maybe just give us an update on what you're doing on the identity front. And then second, with all the data you're talking about, all your other competitors, not competitors, but other vendors in cyber getting into the SIEM market, it sounds like SIEM to you guys is not going to be obsolete, but you don't need it because you can kind of override that.
But just give me a sense of how you think about that.
So first, identity. We're not trying to enter in the identity space. But since we're sitting there, we can do a lot more, for example. So on identity, there's some fascinating stuff. Today, I can enforce multi-factor auth leveraging Azure, Okta. Tomorrow, I can actually enforce do step up. Yeah, step up on our own. Our job is to make it simpler and simpler for our customers. The other sophisticated stuff we've done for talk about adaptive access. You're accessing SAP. We found certain signals that tell us that this is the wrong thing to do. Sitting inline, we can cut off the session, take them out, or step up authentication. The number of these identity-related things we're doing to make sure people don't get compromised because identity is getting stolen.
But bringing a number of signals, and some of these signals may come from our AI cloud, helps our customers be safe. So we're not trying to replace traditional identity. Their market is kind of mature. It's done. But there's a lot of areas where we add value. Identity for us is one of the pieces to go and validate who this person is. Beyond that, we do amazing stuff. For example, we can do time-bound access that says this person will be given access for 30 minutes, and it's cut off. Those are fascinating things we're driving. Second area, talked about the data, the logs. Everyone claims to have all kinds of logs. All logs are not created equal. There are some logs that have lost value.
The logs we needed for the data-centric center model, all those routers and switches and firewalls and all, where are those logs going? Where are your routers? Who cares about it? Those are becoming less important. Three or four types of logs become very important. Obviously, inline communication tells you the most of the stuff. Before any breach happens, a reconnaissance activity, we have the best logs in that area, proxy-based, SSL inspection-based. When firewall guys try to do the same thing, I can guarantee if we talk to 10 customers and say, "What kind of logs are you storing from firewalls?" There'll be short logs or domains kind of stuff because that's what firewalls typically were designed to do. So our logs are great. We need to supplement those logs with EDR. EDR has good logs.
Essentially, if you take our logs, we'll probably bring about 70% of the value. EDR brings another 20%. Identity logs are important, but we already have them. Why do we have identity logs? Because all authentication goes through us. We see all verified identities, connections made. We see all failed authentications. And then there are a bunch of other logs that come from other areas. Having the best logs, the biggest logs available, it's natural for us to take advantage of it. So you've seen us take some of the steps with vulnerability management and risk and a few things. And stay tuned to see where we go in that area. But it's natural for us to take advantage of it. And initial engagement and feedback from customers has been very, very positive.
All right, guys. Thank you.
We'll take a 7-minute break, and we'll meet here again at 11:30 when you'll hear from our customers. Thank you.
All right. Thank you. Thank you. Great.
All right. Now we're going to hear from a couple of our customers. It gives me great pleasure to welcome Manish Patel, SVP and CIO of Sanmina, onto the stage, please. And Brian Morris, who is VP and CISO of Gray TV, please welcome onto the stage. I request Manish to kick-start the conversation and then pass it over to you.
All right. Thanks, Ashwin. Good morning, everyone. My name is Manish Patel. I'm Chief Information Officer at Sanmina Corporation. Sanmina is a Fortune 500 manufacturing company headquartered in San Jose, California.
We build products for name-brand OEMs across a range of industries, from medical devices to industrial, defense, and aerospace, communications, generally commercial and industrial types of products, and not so much consumers. We have over 50 factories around the world and 40,000 employees. We've got a pretty complex environment to secure. We've been a Zscaler customer for about eight years. Very happy. The initial days, we were turning on ZIA. Just before the pandemic, we were piloting ZPA. We had about 700 employees on the pilot. Then March of 2020, everything shut down with the pandemic, and we had to go from 700 employees on ZPA to 7,000 within 60 days. We turned off our traditional VPN solution at the time. We've kept going on that journey and are using more and more of Zscaler's products. Over a few years ago, we started ZDX.
We're using CSPM, which is really a cloud configuration management solution. Then most recently, we just started using Risk360. I'm very excited about Risk360. It really, for the first time, gives us a holistic view of our risk profile as a company. Still early stage, but we're very excited about its potential. Even more than that, I see Risk360 as a game changer. My ability to communicate to my executives and to my board of directors is greatly enhanced. Most CIOs and CISOs struggle to effectively communicate with their boards and their audit committee. I think Risk360 gives us an opportunity to really change that dynamic, to provide meaningful and more complete communications and data around our risk profile. So with that, I'm going to hand off to Brian.
Thank you, Manish. Brian Morris. I am VP, CISO for Gray TV.
It might surprise you that we are a television broadcaster based in Atlanta, Georgia. We're U.S.-based. We have 114 markets and plus some production studios. Just opened a movie studio here earlier this year. We are the second largest television broadcaster in the United States. We have about 10,000 employees across our enterprise. Our operation is to treat pretty much every station as if it's standalone. That is our model to let them operate that way. Like Manish, we started out with ZIA. Actually, it was a company we acquired. We grow by acquisition. We acquired a company that had ZIA, and it was a secure web gateway that actually worked, and users didn't know it was there, which was quite impressive. So we moved from there.
In 2020, because of acquisitions, we had wound up with not just a WAN, but several WANs, and not just one VPN solution, but a couple dozen VPN solutions. We consolidated our technology and started our security department and decided, "Okay, now it's time to deal with this. Now it's time to get the network under control, get it simplified, get it modernized." We began with ZPA. As Manish said, very quickly, we eliminated all our VPNs and replaced it with ZPA, which was a boom. The only security product I've ever rolled out that users came to me and said, "Thank you. This is better than what we had before." It also allowed us to take probably 80%-85% of our publicly exposed applications off the internet, put it in the ZTE, into the private cloud, which was also huge.
That got us a long way down the network modernization. My desire was to get rid of the WAN, or in our case, WANs. It was about that time that Branch Connector started to hit the waves and got demoed for it. We quickly agreed to become a design partner for Branch Connector. We leaned in that with a lot of resources to help to build that, roll that out, get that into production, starting at our data centers. Branch Connector is the WAN killer that we've been looking for. It's turned out to be a fantastic product.
It's almost turned out to be a Swiss army knife where we come along and say, "Okay, well, how do we get this communication going without the WAN?" Or when someone says, "I know you don't want the WAN, but we go back," and Branch Connector always seems to be the answer. So we have it rolled out in limited production now. We right now have a crew that's rolling it out company-wide. And by the end of Q3, we will have it at every single location.
Thank you, guys. Now, you guys can ask questions to our customers. I'll just pass this mic over to you. I request you to just limit yourself to one question, please.
There we go. Thank you for doing this. I really appreciate it. Question for Brian.
Yeah.
As you rolled out Branch Connector. I'm sorry, Brian Essex from JPMorgan.
As you rolled out Branch Connector, I'd be really curious to see what were you replacing in those branch environments? Did you have SD-WAN? Did you look at an SD-WAN use case for it? And what type of other kind of networking environment did you have at the branches as you kind of rolled out Zscaler through that branch network?
Yeah, good question. We had a MPLS. We had SD-WAN. We had SDN. We had a couple MPLS. And we had a lot of just point-to-point. Some of our legacy stuff was just point-to-point. And so coming back to data centers, but we also had station-to-station, was using a lot of point-to-point. One of our first big uses in it was playout logs.
When we design playout logs for what goes on the air when, when do the advertisements run, those logs have to be sent from corporate to the stations, and they have to be sent timely, and they're ingested. Well, WAN works great for that. Point-to-point works great for that. Guess what? Branch Connector works great for that. But I don't have to open the whole network to get it there. I don't have to open everything. I can take Branch Connector, point it to an App Connector on the other end, and it sees just what it needs to see and hits. And it hits quicker than what we had before. Does that answer what you're looking for?
Yeah, that was very helpful.
But I guess when you were going through the evaluation process, did you think about relying more on SD-WAN, or was Branch Connector the default decision from the beginning? Had you done that architectural homework behind Branch Connector that basically solved the problem and got you over the hurdle? And then any kind of ROI or cost benefit to you?
Yes. Yes. As a matter of fact, we had looked at the different solutions, and we had settled on SD-WAN.
In 2019, we bought another larger company, and we'd said, "Okay, SD-WAN is going to be the answer." But when we started looking at what Branch Connector could do, and frankly, the cost was a fraction of what we were paying SD-WAN, it was the numbers won't come to me right now, but when we sat down and actually looked at what we were paying, and we only had SD-WAN rolled out to a third of the company, and the annual cost for Branch Connector was going to be less than what we were paying for a third of the company on SD-WAN, it was a no-brainer.
Thank you. Joshua Tilton, Wolfe Research. First of all, see Brian for my question. Thanks for stealing that one from me. I kind of want to just follow up on that, but maybe outside of cost and just honing on functionality.
Zscaler is up here talking a lot about architecture. You said you had previously bought an SD-WAN product. SD-WAN was the answer. Now you're with Branch Connector. So maybe outside of cost, from a functionality perspective, what exactly was it that Branch Connector had that SD-WAN didn't that solved your problems?
Well, that's a really good question. It was outside of cost. The configuration was much easier. It was much easier to. I didn't have to do as much training on our network end to have people understand it and which SD-WAN did you have, which this did you have. I mean, we had people that were we were siloed that were still doing the old SD-WANs. We were training people on the point-to-points, and we had some people that were on the SD-WAN.
By moving to the Branch Connector, we could bring in one technology and understand it better. Now, I'm not a network guy. I'm a security guy. I point out problems. I don't fix them. But the network people said, "Hey, this is a lot easier to work with. It's a lot faster to learn, a lot easier to work with." If they're happy, I'm happy.
Maybe I can make a comment to clear up the next bit. SD-WAN, you create a mesh network. You're connecting things to things. Managing route tables. You're propagating route tables. So there's a lot of work involved. Branch Connector is like having your Comcast router at home. You don't have to do anything. There are no route tables. The operational overhead goes away. That's the biggest difference. The two are totally different.
One, unlike traditional car and electric car, there's nothing common between the two. But if you ask on the security side, number one driver is lateral threat movement. With SD-WAN or traditional networks, a single infected machine in a branch can traverse and infect others because networks are designed to move things. And we eliminate this with Zero Trust. The branch is not on your corporate WAN. That's the biggest thing you bring to the table.
Thank you.
Hey, guys. Adam Borg with Stifel. Thanks so much for being here. A big opportunity we heard, and for either of you. A big opportunity we heard a little bit earlier today was around just data protection and kind of the legacy solutions and the opportunity to really modernize.
Maybe you could share a little bit about your current DLP or data protection estate, what you currently use, and the opportunity to kind of revolutionize what you're using internally and potentially with Zscaler in particular. Thanks.
So we've dabbled with DLP for over 20 years. And very early on, we recognized that the biggest challenge with DLP historically has been classification of data and just the manual effort that it would take to just classify the information. And it's a constantly evolving landscape, as you can imagine. So we avoided the early DLP solutions if you go back 15, 20 years. But with more modern technologies, we've worked with a couple of different vendors who have built-in DLP technology into their solutions. And they've been reasonably good, but it still requires a lot of configuration to make it work effectively, and it's not complete.
What we see with Zscaler, we're testing it out right now. Their solution is the ability to auto-discover the types of documents and classify them. It really gives us a more complete solution. We really see that as a significant step forward. As with everything we've done with Zscaler, they make it easy not only for the end user, but the security guys, the management guys within IT and on the business side. It's just a much easier solution to use, and it's complete.
Hi. Thank you, Gabriela Borges. I'd love to hear if you're willing to share a little bit of the feedback that you've given Zscaler about the forward roadmap.
So are there a couple of things that, looking at your ecosystem and your tech stack broadly, your security stack in particular, you think that it would be really natural or obvious for Zscaler to continue to expand into over time? What would those things be?
I didn't catch that, did you?
Yeah. He's asking about more forward-looking.
What would you like them to do that they're not already doing? What's the feedback on the forward roadmap?
Yeah. So we have some insight into the roadmap moving forward. So some of the newer things we're working on actively. I mentioned Risk360. We're bringing that up. And our view, we're just connecting in not only we have Zscaler products connecting into that out of the box, but we're now connecting in some of our other security and other technologies into that profile and actively providing feedback to Zscaler.
So we're very excited about that. And I want to touch on Branch Connector a little bit. We're testing that out as well. So in our world, in the manufacturing world, we have a lot of IoT and OT types of technologies that need to be secured. And historically, if we think about network segmentation and then micro-segmentation and so on, it's just been a very, very heavy set of requirements for our network teams to configure those and constantly update and maintain them as things change in the network. So we're very excited about the Airgap acquisition. We're looking forward to essentially, we see that as providing Zero Trust into the OT environment. And I got to tell you, my personal vision has been segmentation has got to be an interim solution. We need to get to Zero Trust in the OT environment.
The great news is we have that with Airgap. So super excited about that. I know that's getting built into the product suites and so on, but those are a couple of areas that we're working on.
And for you, Brian?
I 'll echo some of what Manish said. I think Risk360, we're a design partner on that as well. I think that is huge. I'm constantly impressed when I meet with them about, "Okay, now we're doing this." I bought it as a reporting tool, and it's turned into so much more. So I see that. I'm excited about the work done in data protection. I think that's going to be large and just want to see more into that.
Peter Levine with Evercore. Just two questions. One is from your seats.
Maybe help us understand how do you think about best-of-breed versus platform when you're making these decisions? What's top of mind for you? And then second, maybe to flip the script a little bit is what would have to go wrong for you guys to look at the competitive landscape and maybe lift and shift to go, right? If competitors in the space are coming up, what is it that Zscaler does for you today versus the competitors? And if the competitors come to you knocking on your door, what would you want to see from them?
So we look at that all the time. So we generally look at best-of-breed solutions out there. And then if Zscaler has a competitive product, we're going to put them side by side.
We're open with Zscaler on providing them feedback to say, "Hey, they're not quite where they need to be and where we think they need to improve." So we've got a very great relationship with them. Having said that, I think there's a number of studies out there that says the average large company has over 50 security solutions as part of their portfolio. As you can imagine, managing those, integrating them, effectively using them is a huge undertaking. I think a lot of large enterprises struggle with that. One of the great advantages we see with Zscaler is as we consolidate some of those elements into that environment, into Zscaler's environment, we can reduce the complexity for our security teams, network teams, and so on, and then also improve our capability because we're getting a fully integrated environment.
So I see this as a long-term trend, which is there are a few other large players out there that are looking at taking on bigger parts of the security portfolio. My sense is the world will continue to head in that direction because it does require significant investments from providers like Zscaler to make that happen. But I think security is hard enough as it is. We need to work on making it easier, and then we've got to make it better as well.
That's the only time we have for the session. Thank you to our customers.
Sure.
Sorry, Brian, you were going to share your question.
No, I'm just fine. Okay. The question on best-of-breed just hit me. Cost is a factor, but it's not the only factor. A good decision today replaces a redecision a year from now. And we found that's true with Zscaler.
We started small, and we worked our way up. One of the things that we do have to consider, well, a couple of things. First of all, working with the product, working with it consolidated counts for a lot. The other thing is the user experience. One of the advantages Zscaler has is you have that Client Connector. And so far, everything we do runs off that same Client Connector. We're not going out installing more agents on a computer, chasing down users, and adding this and tweaking this. So as we've grown, we've been able to keep the user we've been able to give the users better functionality, safer environment, and keep the user experience and the environment the same.
Manish, Brian, thank you so much.
Thank you.
Thank you. Appreciate it.
Next up, we have Mike Rich. Mike, please. Okay. All right. Thank you.
Nice to meet you all. Hello, everybody. Mike Rich. I joined the company in November of last year. I came from ServiceNow where I was there 12.5 years previously. The reason I joined the company is I was very excited after meeting Jay and his team about the opportunity to help companies transform and grow. It's a very exciting market, very transformational. I love to be a part of disruptive markets where you can actually help customers get to the next level by helping them solve problems and transforming. That's absolutely what was right here. It was the opportunity that attracted me. Opportunity and the people and the timing I thought was perfect for my experience.
People often ask me, "Okay, what's your core focus?" And when I came in, I observed a sales team very, very opportunity-centric, meaning they knew how once there was an opportunity, how to get in and get that closed very, very quickly, okay? Which is good. That's very transactional. And at the end of the day, you've got to do transactions. However, once you've closed one transaction, if you just go off to the next one and you leave the customer be, this is software. It requires involvement. You've got to get them live and successful and be a big part of that value delivery phase.
So we're converting to also not just be good at opportunities, but to be great at account management and being account-centric and building out multi-year strategic plans to get our customers successful, aligning with them on their business-critical initiatives so that they can go off and do the things they need to do to deliver great experiences to their customers. I'll just go back, actually, one there. The other sort of high-level thing that I looked at was we had partners that are very transactional as well. They're doing deals, basically. They're not really a part of value delivery. And if you look at the Accenture of the world, the EYs, the Deloittes, they're transformational. They come in and they help their customers transform and run a better business. So we're a perfect fit for them. However, we weren't really lined up to them.
It was more opportunistic, and there was really no relationships there. So I'm bringing in teams that know how to build out businesses with the GSIs. The GSIs all want to work with us at the highest levels, which is key. They understand. We just didn't quite have the right people that had done that before. So yeah, you heard a little bit from Manish about their journey. And customers typically start with ZIA, and then they expand to ZPA and ZDX. And then we've got all these beautiful products that we're building out. The normal sort of transition and what we've seen historically is they kind of start out small, they crawl, they walk, they run.
But we also have an opportunity now because we're more proven to have a lot of these great big new logos because we still have a ton to go after in the Global 2000 and the Fortune 500 to get them to going in all in sooner. And then our ones that have kind of limped in or they're still in the sort of crawl, walk phase, if we are truly great at being account-centric and strategic and not just being a vendor, which is what we're transitioning to, we're also going to get them to adopt sooner. We're going to build trust. Again, once you make them successful with what they already own, they take a bet, and they're going to go to the next step with you. And it's all about how fast we can go do that.
So we have a lot of customers that still do that with where we've landed, but we just really haven't expanded yet. Just to dive in a little bit more on the GSIs and what we're doing there. GSIs are supposed to be transformative. They're supposed to take costs out of the operation. When you talk about modernizing the network and all the advantages of that, it's all about reducing complexity, right? Simplify, reduce complexity. We're perfectly suited to do that. We're going to build out joint pursuit plans. This is where we're really co-selling. You've probably heard these terms before. With them, going to market with them on dedicated accounts. We'll have focused account lists that we're going at together. Again, it was opportunistic before. We had customers doing that with GSIs and us, but we weren't programmatic.
This is about being programmatic and having those dedicated people on board that have done it before and are trusted by the GSIs as well. Another key focus area in my experience that we've got, if you look at verticalization, the whole point to verticalize is to get closer to the customer, to speak their language so that they understand how you can help them. They understand you understand their business, and then you understand how you can help them better. One example would be we actually broke out the healthcare and Fed business under one leader not too long ago, and that's starting to reap rewards because we've gotten closer to our CIOs and CISOs in healthcare and federal government, two areas that we're doing really, really well in.
If you just look at the federal government and their adoption of the platform for civilian, it's been amazing, right? 12 of the 15 cabinets have all come on board. And that's because you speak their language. You understand them. You have specialized solutions based on their environment, right? Just a few tweaks here and there with the integrations you do and the language you use makes a massive, massive difference. I think you'll see financial services, which is the largest vertical in the world, as another area that we'll get into. And it's really important from my perspective to minimize the disruption in the field. And you do that by assigning the territories from the bottoms up. And then once you get enough density with the reps, you add first-line managers. Once you get enough density with the first-line managers, you add second-line managers and so on.
So that's what's worked well for me in the past, and that's how we're going to be doing it. The other piece there is once you verticalize too, I think you can innovate faster with the product because, again, you're having more relevant conversations with these leaders. Their feedback to our product teams happens faster. You can just evolve and iterate on the product faster, which is key. So this is going to, again, this is going to help us drive upsells in existing accounts and also get new logos faster. These are kind of my three core areas that I've kind of broken it down into. Just simplifying things, making it easier to onboard reps, making it less complex. We have a very technical product, but at the end of the day, what we deliver to the customer, ultimately, the business value is actually very simple.
We deliver great experiences, customer-employee experiences. That's what it's all about. If you talk to CISOs, they'll still say, "Ultimately, my job depends on keeping the company happy, keeping executives happy," right? So we're going to help keep that. We're going to simplify that and shorten the time it takes to get sellers ready to go. Rinse and repeat motions. We can do a lot more of that internally. And then around value realization, this is really about just making sure that the account owner, you think about a sales rep. I call them account executives. The term the company uses is RSMs. I'm going to migrate those back to account executives. They're focused on the account. They're kind of the nucleus.
Then around the account executive, you have all sorts of technical expertise: solution engineers, solution consultants, architects, product management, the whole host of people that are all dedicated to making the account successful. But that account exec has to be responsible not just for closing the deal and being opportunistic, but for being account-centric and bringing together the right resources to help make this customer successful. So that is going to be the role in the future. It's not so much what's done today. The better reps that we have, especially in healthcare and Fed, do that. They've learned that. We're going to spread that out globally, so everybody's going to be doing that. And then acceleration. So we talked a little bit about the partners, and ultimately, they're a force multiplier, right? How do we get them to bring more to us today?
We bring it to them, and they do a transaction. In the future, there's going to be a lot more of them bringing deals to us. And then with people, we're going to uplevel folks, and we're going to bring in new folks. We're growing. We've got a great team. I love our team. Actually, the more people I meet, the more happier that I get because they're actually very, very, very good. Just direct them to be more account-focused and to own the entire process and own the entire customer lifecycle. So I'll be partnering closely with Steve McMahon, who's fantastic, by the way, to make sure we deliver great experiences after somebody's bought, but the account executive doesn't go away. They don't just disappear to the next deal. And this is kind of like the visual of what we talked about here, right?
You purchase, you get them onboarded. We have a lot of customers today that still need to get fully utilized on what they own. And we're going to focus in to help shrink that period down. From the time they buy and the time they realize value, bring that down because that's how much sooner you can go back and upsell. Super important. You create loyal customers. And that's pretty much it. Yeah. Yeah.
Jay will give his closing remarks.
Click on one slide. Yeah. So with all that discussion you have, if I narrow down to five key takeaway messages, you often talk about competition. Really, if you really think about it, we pioneered this market, and everyone is trying to come on to the user side of it. Our basic offerings, our platform has moved far beyond users. You've got workloads. You've got IoT devices. We've got B2B. Those are massive expansion opportunities for us. And that's because we start early. We are pioneering all these things out there. Second part, our expansion into AI cloud, new area. I'm sure you lost the questions. Well, you'll learn more and more as we expand in that area, but taking advantage of those hundreds and hundreds of billions of logs and really deliver value such as Risk360, Unified Vulnerability Management. you'll see more things coming.
You heard from our customers. Risk360, a game changer. It's a big opportunity for us. You heard about data protection. I think that's a big area. Our customers started on cyber protection first, and data protection is a natural thing for us to add on and grow. The whole SD-WAN area, one customer said, "Oh, they called our Zero Trust appliance as a WAN killer." Okay. I mean, we really don't want you to spend time building networks and all. The internet is your corporate network. You should be able to connect and communicate. So a lot of interesting work in that area. And the segmentation inside the factory, we do some amazing segmentation that no one else can do. What can you do with firewalls? Network segmentation. Totally new approach. Exciting, big opportunities. And last, Mike talked about our strong go-to-market push. I think it's very exciting.
The changes they've made, there'll be ongoing refinement, but the strong team brought on board. Very excited. With that, we're going to move on to Q&A.
That's right.
Good.
Syam?
Mike, Syam will join us. So we got both. Please take a seat, any of you. Okay.
Cool. The sound? Awesome. Yeah, Roger Boyd with UBS. A question for Mike. Sounds like a pretty huge opportunity with the GSIs. At the same time, Zscaler's had a pretty good story over the past couple of years about ramping up with the traditional kind of VAR community that, to your point, can be a little more transactional. I'd love to hear your thoughts about how you see that side of the channel fitting into this more account-focused and post-sales management approach.
Yeah. So the VARs, we talked to them. We've had several partner summits, and we talked a lot about how important it is to become part of the value delivery phase. And VARs, they're supposed to be a value-added reseller. So it's easy. If you just hand them a deal, they're just going to do a transaction. But if you tell them prescriptively what you need them to do, who you need to hire, and dedicate people that understand our business, they're going to go do it. And they want that direction. So that's what we're giving them, and that's what they're building out. So they're local too. They have fantastic relationships locally that you can leverage.
Yep. Also, I have said in the past that thousands and thousands of VARs, a smaller number of them actually do integration and transformation. We generally try to work with them. Okay. But also, second point is GSIs play a big role on the upper end of the market. Many, most VARs play on the lower end of the market. Both are needed. But as you know, we are essentially 80%-20%, no? 80% of the customers, 20%, 20%-80%. So when you hear about some of these discussions, you're more likely to hear more about large accounts and GSIs because that's how all of us talk. But VARs will play an important role on the lower market, lower segment of the market.
We'll go to Josh.
Hi. Joshua Tilton with Wolfe Research. Maybe also a question for Mike. But if I close my eyes and I listen to a lot of your peers talk, give kind of the similar spiel that you give now, it kind of sounds like everybody sees this target pool of large customers, and every company, every vendor all of a sudden has this massive portfolio of products, and everybody's just trying to become that large customer's partner. So that customer buys more product from my portfolio. So if everyone's giving kind of a very similar pitch, what are the—I don't know if it has to be top three or maybe top one—what are you bringing to the table to help Zscaler differentiate in that pitch and make customers really realize that you guys should be their partner of choice?
Well, I joined in November, right? And I can just tell you what I observe is once we're in there and we do the POV, proof of value, and we get in there with the right, we still have to sell high, medium, and low. But once we've done a really good job with the POV and they've actually compared us, feature to feature, function, total value to the others, 90% of the time, we're winning those. So I think technically we have a major advantage, and we just have to become as good, if not better, from the business side of it as well, presenting up the entire value phase and building, that's why I talked about that, building up that long-term strategic roadmap with the customer of where they want to go is really, really important.
Yeah. I think if I may add, the architectural differentiation becomes very clear once we engage. An integrated platform then starts becoming very clear as well. I can tell you I've been in the IT world most of my career. Here, some of the conversations where the customer keeps on saying, "Jay, you guys are in my top three strategic partners," period. I was in Toronto last week. It's a very large insurance company. The CIO, CTO, CISO joined me for dinner. And they said they're only three strategic partners: Zscaler, Microsoft, and AWS. It's very exciting. And that's not a rare comment. We generally, companies have three, four, five, and we're in there because they see the potential of what can be done. If you listen to FedEx, it's like thousands of these facilities. They'll be transformed. The normal network goes away.
You can have a firewall company give you a long pitch. At the end of the day, it's the same network. Network doesn't change. It's the same route table management. It's our same old legacy technology. That's really what sets us apart. And that's why customers so proudly come on stage and talk about it.
We'll get to Brian, Gabriela, and then Param.
Great. Brian Essex from JPMorgan. Mike, nice to meet you.
Nice to meet you.
You're going to be popular with this session, I think. I really like the comments that you're making around building customer relationships and having it be a less transactional type of business. One of the things that we're hearing from software companies across the landscape, particularly over the past few quarters, is how challenging it is for a new logo acquisition. Aside from increasing your penetration with existing customers and building the relationships, can you maybe talk a little bit about your focus on new logo acquisition? As you blend the two, increasing the relationships with existing customers versus new logo acquisition, what are your expectations? What efforts are you making to accelerate pipeline velocity? Maybe your views on that. Thanks.
Well, I'd say for the new logo side of things, customers, the reason it's hard is because they're under such pressure, right? Just with the economy and the way things are going. They'll make a change, though, if you can show you've got an order of magnitude better solution, and it can actually be cost-neutral. Or even you can show over the next several years, you're decreasing cost and complexity, which is what we do.
You bring cyber on top of that.
Then you bring cyber on top of that.
Cyber makes it urgent.
What's the Holy Trinity? Were you guys at the session this morning? Who remembers the Holy Trinity? So I met with him yesterday, and he brought that up. I'm like, "Holy Trinity, can I coin that phrase?" Because I love it. It's exactly the value of what we bring to the table, right? Taking cost, complexity, reducing cost, better cybersecurity, protection.
Productivity was the thing.
Productivity, employee experience. At the end of the day, it's about employee experience, helping them deliver. We can show that during the early phases and the new logos, and we're starting to see, I don't know all the history, but I'm starting to see people come on board at a larger scale with not just ZIA. They're actually buying closer to the whole enchilada.
Yeah. Which is great. Our users are being brought more and more out there. And I think the other comment I made in the past, it's still true. Cyber gets customers' interest. We have a very solid brand name when it comes to Zero Trust, our security. We're number one. We may not be number one SASE or whatever the next four-letter acronym Gartner creates. Okay. And that doesn't matter to us. We're not really trying to do SD-WAN and all that kind of stuff. Cyber gets attention. If you combine cyber with cost saving and reduction of complexity, you get attention. You're able to deal at the C-level. Things move forward. I could be sitting four layers down, working for six months. It may not go anywhere. It's that combination, and that's really going to help.
This message I'm giving you is consistent with what I delivered a few quarters ago as well. The big thing now we have is Mike comes from the background where they actually—this is what he and ServiceNow did. We are trying to do from here to there. I said probably about 20% of my sales team could do it before. Now we want most of the sales team to be able to do this. Yeah.
Gabriela?
Hi, Gabriela Borges. For Mike and for Jay, so I like the earlier question on, okay, a lot of companies articulate similar strategic go-to-market plans, but you actually have the technical differentiation to succeed. My question is for Mike, when you look at the playbook that you're implementing, help us understand where you've tweaked it. So are there things that worked at ServiceNow where you think, actually, they may not be a good fit here? Or are there things that you think, okay, Zscaler can really do X, Y, Z, and you weren't able to pull this off at ServiceNow? So a little bit of a contrast between the playbooks. And then Jay, to the extent you have a comment too, that'd be great.
So at the end of the day, ServiceNow did have security operations, vulnerability management, incident response. So we did sell at ServiceNow to the CISO. So that experience was there. It was very much a platform sale. And at ServiceNow, we learned that early that you have to, it's a journey with the customer. So you got to give the customer confidence that you understand. They'll say, "Don't let us fail. Don't let us fail." You've got to give them the confidence to come in and know no matter what, because it's software. Things happen, right? That no matter what, you're going to make them successful. So it's really that mentality. It's bringing in salespeople with a growth mindset, meaning they're ready to learn a new market, and then they want to share what they know with others so they help cross-pollinate.
So, bringing in, we're going to uplevel the existing people with very focused, targeted enablement around getting them to be more account-centric. And then we're going to cross-pollinate with people that we bring in. We've got plenty of cyber expertise in this company. I mean, I'd say we've got a monopoly of cyber expertise. So there's no shortage of that, which is great. It's just really adding in the people that really understand how to manage account over a period of time. And they already have that trust with the customer. So a lot of the people I'm hiring, they come from the customer loves them because they've helped them out of many situations before that have been very sticky and their jobs were on the line, and they saved their job or they helped them get promoted to the next level.
I mean, that's hard to build that level of trust. It takes years to do. So those are the kind of folks that we're bringing in to cross-pollinate the rest of the teams.
I'll give you my thoughts. What's similar? Platform. They sold a platform. We had a platform. And real platform. Everyone calls anything. They have an EDR with two modules here and there. It's a platform. You got a firewall with three things that it's not a real platform. ServiceNow is a real platform properly integrated. That's number one. Number two, it actually got sold to C-level with a consultative fashion. That's really we had done some.
High, medium, and low sales. But you can't be good here and not good there.
You have to do all three levels. If you can't do here, it won't move.
That's right.
Okay. So that's common. What's different is this - I'll look at it. In any software, ServiceNow is available. These software projects take time to deliver. There's a big consulting component. It may take X quarter, year, 18 months before you actually deliver results. In Zscaler, I can go and roll out Zscaler, ZIA, ZPA, ZDX to a 100,000-person company in two months. You heard CVS talk about that. It can be rolled out quickly because I'm simply deploying an agent on the endpoint, start moving from there. Now, then in phase two, I can start taking out all the network pieces and all that kind of stuff to save money. So we can start showing real benefits and tangible savings better than any other company with ServiceNow or EDR, whoever. Think of it this way. How often do you save money?
In any software company, you deploy and then X after 1 year, 18 months, you start showing productivity gains. But it's investment time. Take security companies. Do you save money with EDR? Not really. McAfee or Symantec were $10, and these new class are $50, $60. You don't save money. Do you save money with identity? No. AD was free. Okay. Did you pay money? We actually eliminate lots and lots of these point products. The whole DMZ, which is full of stuff, goes away. Your branch stuff goes away. There's tangible saving. In fact, for the last few quarters, we're replacing VDI. Our solution, ZPA, combined with browser isolation, is amazingly powerful to replace VDI. And now, as I talk to customers, I'm finding that my conversation with large customers, almost 90% of them have VDI out there. It's ripe for replacement.
It's a lot of cost savings. What I also learned was I thought they don't like VDI Citrix because on-prem lots of headaches. And they tell me, "I've gone to Azure VDI. It's very expensive, and it's not very good either. It's similar to the experience, no better." So there's tons of opportunity for us. Best cyber, best data protection, and cost savings.
We call that application consolidation. Huge opportunity.
Yeah. Yeah. All right. Next, we'll go to Param.
Yeah, thanks. Param Singh, Oppenheimer. So I have one question, but in two parts. So firstly, for you, Rich, obviously, you're changing to more account-based selling, and you're getting a lot of senior salespeople to join the organization. What are some of the areas of friction you've seen in the last few months that kind of need to be addressed? And then the second part is.
Sorry, the areas of friction that what?
Areas of friction you've seen with the changes in senior salespeople and also with the shift to account-based selling. So that's the first part of it. And the second part of it is Zscaler has obviously seen a lot of success with its user-based bundling, right? How do you view kind of a larger packaging and pricing of the entire product portfolio because you're adding a lot more things and you're adding data protection, so on and so forth, and Risk360? And how do you kind of view that as a better way of kind of selling everything to the customer, and how would you kind of price that? Want to get your thoughts and maybe Jay's thoughts on this as well.
I'll probably let you take the Risk360.
I'll take this packaging part.
I'll do the part about friction.
Yes.
It takes friction to make fire, though. That's good. You need some friction. Yeah. I mean, I think if you've got people that are level set and they really just want to keep—they want to sort of turn and burn, do a deal, and move on. New logo, just pure hunters that don't want to be a part of building a relationship and longer-term value delivery. There's going to be some friction with those folks. And we do have some groups that are going to be more hunter-focused in commercial, but commercial is a smaller portion of the market. So we could shift them over to there, or we'll help them find maybe a job with a partner, still be a part of the ecosystem, or whatever. But most folks have that growth mindset, and they want to learn a new way.
They're actually pretty excited about learning about how they can get closer to the customer and be more valuable. There's nothing more valuable for a salesperson than to hear a customer recommend you to somebody to hire. That's what they all strive for. It's very hard to do that if you're a hunter. Those folks that are just level set, "I want to keep doing it this way because I'm a hunter. I don't want to deal with anything. I just want to sell and move." That's the only place there's been friction. It's been very little, really. Yeah. I've been pleasantly surprised.
Yeah. We won't be a perfect place for some of those people as you're applying. That's okay. That's part of a change. Second part of the question, it linked to, I guess, pricing, packaging type of stuff. That's a long answer. We keep on evaluating what products our customers want, how do we package them. And every 12, 18, 24 months, we do refine our packagings. For example, they used to be just ZIA, business, transformation, and the next level. Then ZPA, similarly, about 18, 24 months ago, we created Zscaler for Users package that brought together ZIA, ZPA, ZDX. That's a very popular bundle that we sell. Now we are working on new bundling. I think we'll probably, in coming quarters, we'll have some next-level refinement, which starts bringing workloads and some of those things together. We'll keep you posted as that gets ready out there.
But it's an ongoing process for us to evaluate and change and evolve.
But the simpler we can make it for the customer to understand what the journey is. That's why if you build out the three-year multi-the mutual success plan, you can start to map out that journey, and then you can start to quarterize when they adopt these new capabilities, which is a beautiful thing. And then if something happens, a new person comes on board, and they say, "Hey, that's not the direction we're going," well, we'll say, "Okay, did your strategy change?" And you can get them back on track. So that's another benefit of the account-centric sales methodology. Yeah.
Next, we'll go to Shrenik.
Shrenik Kothari from Baird. So Mike, you mentioned about, of course, scaling of the technical expertise is the core differentiation of Zscaler. But in terms of the magnitude of investments that you see necessary in scaling, as you mentioned, the customer success, the onboarding adoption support, as well as that's the internal side and the external side in terms of co-selling, co-marketing through GSIs to fully leverage that transformative potential potentially.
I'm sorry, I'm not sure what the question was.
The magnitude of investments that you see necessary from scaling customer success and then also co-selling and co-marketing with GSIs to fully leverage this whole transformative potential that you talked about with the investments.
Are you asking which GSIs will help with that?
The investments.
It's kind of the magnitude of investments.
What is investment required?
Oh, okay. Well, it's really the people. Yeah. It's getting the right people on board that understand it, have done that before. So we're adding those folks, and then they're upleveling and training existing. We've got these resources on board now that are dedicated to partners, but we're just adding more that understand how to work with the GSIs and have that relationship. So that's the investment, right? And then getting them to invest dedicated people to our business and build out separate teams that just aren't cyber. They're Zscaler. And that's the ask, and that's what they're doing.
Next, we'll go to Julian and then Alex. Do you have a question?
You noted strong ongoing performance with the 1 million+ ARR customers reaching 500+. I guess, how is competition in the enterprise segment targeting 2,000-6,000 employees? And are you seeing any pricing pressure from companies trying to grow scale in this segment and some smaller competitors trying to ramp logos to compete in this larger market, team?
So there is price pressure, but once you get to the point where you can actually demonstrate the value, that's why we build out business value assessments with the customers. That's a part of the process. And once they start to compare the business value of our investment, which is typically a little bit more than the others that kind of like people that say they do everything that we do, then they understand that, "Okay, this is a better deal because I get a faster return on my investment and a better service." And then how we scale in those markets is the 2,000. Did you ask between the 2,000 and the 5,000?
Yeah, 2,000 and 6,000.
2,000, 6,000. That is what we call enterprise today, but it's really more of a commercial move. You can do a lot of that via the phone and online sales, sort of digital sales resources, and how you scale with them. We're going to get—if you're not careful, that group can be defocusing because you want to make sure you really take care of the top of the pyramid. You nail that, and then you kind of take all those learnings and you move them down. How you scale out, you can't have the same number of resources down here as you have up there dedicated, but you can take those learnings and start to automate with things like CPQ and different systems out there, AI. That's how we're doing it. Yeah.
Next, Alex.
Alex Henderson at Needham. It's refreshing to hear you talk about expanding the channel opportunities. But I was hoping you could talk about the cadence of that process. Obviously, there's some erosion in the sales capacity as you reposition some people who just aren't going to fit. And conversely, you're bringing in a lot of people from ServiceNow and other organizations that you've been involved with. You've been here now nine months, eight months. So where are we in the flow of that? Should we see that accelerate 2 or 3 quarters out? How long does it take to get this process really in gear? And what capacity of expansion of salespeople at Zscaler do you anticipate as part of that process?
We're going to keep adding individual contributors at a constant pace. And I've got my directs and my direct's directs in place now, which is the hardest part, right? And there's good attrition, and there's bad attrition. And what we've seen is more good attrition than bad attrition because people realize, "Wow, now that I understand how to sell.
Good attrition means?
Good attrition is when they should be moved out because they wanted to be opportunity-centric, or they just weren't performing, right? So that's good attrition. And there's been more of that. But I've seen it stabilize. And I expect now, again, because I've got my directs and my direct's directs in place, the sentiment is, "Thank you," because now I feel like I can be a more well-rounded, valuable salesperson in the marketplace, right?
So the cadence of growth is rare?
We've been adding people at a good pace, and we'll continue to do that throughout the year. It's going to be pretty consistent.
To get to revenues. To get to revenues, when does the revenue ramp?
I think we're seeing the revenue ramp now, right?
So first of all, you're seeing us doing transformation. You saw our Q3 results, and we're giving you guidance for Q4. Our guidance takes into account the changes in pipeline and all that kind of stuff. I think we feel very pleased with the progress we've made. We feel very good about it. Growth will keep on happening because it's part of the growth. The market opportunity is there. The products are there. Taking our sales caliber and process to the next level is we're doing it in a very, very nice way.
Alex, we already talked about a few points of headwind for next year on the earnings call. Next, we'll go to Mark.
Great. Thank you, guys. Mark Zhang from Citi. Mike, maybe just to follow up on one of your comments. You said that you're bringing over more salespeople, whether it's from ServiceNow or other organizations. But can you give maybe a sense of the overlap of the sales, I guess, the people that or enterprises they're going after with Zscaler's existing customer base? And does this sort of open up new verticals for you that are maybe undertapped with the old, call it Zscaler, go-to-market, I guess, like motion, just from an end-market vertical basis too? Thank you.
So when you bring over people with the existing relationships, I mean, you bring over that expertise, it helps you ramp up faster, especially because most of the people that we're bringing over were dedicated to verticals, right?
Mike, if I may say one thing, people we're bringing in have sold at the CIO level often.
Yeah. That was a very natural motion that we had to develop.
So that's very, very helpful. We sell at the CIO level. So we want to sell more and more at the CIO level. So that's.
I think there's just the one thing that I found was the average salesperson wasn't willing or knew how to go to the CIO. You had to keep moving up the chain, the management chain to get people that knew how to do it. In order to scale and do that at every account, you got to hire salespeople that can do that themselves. They're already respected. They already have the CIO relationships in the territories that they're in. And it's not a force fit, right? And so they'll also help enable and train the others because they're going to see how successful they are, and they're going to want to learn from them. And it's just like in sales. The best sales-performing teams actually know how to cultivate customers to become their best salespeople. Customers are the best salespeople. Customers listen to customers.
But you have to have salespeople that know how to get their customers to that point where they're comfortable doing that, and they want to do that for them. Those are relationships.
We don't need a lot of security expertise in sales, so to speak. I would rather have relationship dealing with C-level and selling solutions important. So that's why we looked at people who have been selling software solutions at large companies C-level. That becomes important. Our technical folks, SCs, they do come from networking and security background.
Correct.
On the sales side, bring good relationships in place, know how to deal with selling platforms and the like.
They know how to orchestrate a team and bring the right resources to bear. That's key. Yeah.
We'll take the last question from here up at the front.
Hey, thank you, John, from Morgan Stanley. So you called out healthcare as a key focus for fiscal 2025. Can you just discuss the rationale for initially focusing on that vertical? And then also just to piggyback off an earlier question, but maybe ask a little differently, can you discuss the timeline to full productivity for newly hired reps? I know you discussed the billings impacts, but just in terms of the timeline.
I'll do the rep part first. It's basically you bring in a new rep to a green territory. It's a 12-month ramp. That's just what it is to build out deals that can close. But if you do it correctly with your planning, you have territories where you have some existing accounts that are more mature, and they can get deals done faster. So we're going to look for ways to ramp that up even faster. The reason that you verticalize, again, is to go back and get closer to the customer, build that trust. And healthcare, financial services, federal, state, and local, these are all areas where it's already happening. But that's all about accelerating.
So you can get a customer, they trust you, they let you in, they share what their plans are, what their pain points are, and it's a much faster process to get them closed. It's really that simple. But healthcare, specifically, actually, that was one of the first areas that Zscaler verticalized probably about a year and a half ago. And now we're really outside of public sector. Now we're just starting to see the deals that I'm seeing that are coming in there from that team are just more strategic because they got to the CIO and were able to sell at the exact level sooner. You can get stuck down below if you don't, and you can just meddle in that area forever and think you're getting something done, but you're not. It's not until you get to C-level to say, "Oh, yeah, they've done a good job.
I'll support that. Let's do a deal." Yeah.
All right. Thank you, everyone. That is it from us. I want to thank you for being here in person. Also, all the audience that has dialed in on the live webcast. Thank you to our speakers as well. Thank you. There is lunch that is served outside. Please feel free to grab it and eat here. Thank you.