All right. We will get going here. Thank you all for joining for day two of the UBS Tech and AI Conference. I'm Roger Boyd. I cover cybersecurity here at UBS. Very pleased to have Jay Choudhry, co-founder, chairman, and CEO of Zscaler. Thanks for being here, Jay.
Thank you, Roger.
Yeah. We're gonna do a fireside chat. I've got the iPad up here, so if you have any questions, you can submit them through the app, and we'll, we'll weave them into the conversation. I wanted to jump in, into one of the big debates coming out of the quarter, which was the, the concept of organic growth. I felt like it masked a lot of what was a really strong first quarter. Just kind of in your words, what have you been talking about in terms of organic growth? It felt like there was pretty, pretty good success on, on organic business in one Q. How should investors think about that? I know it's not the focus going forward.
Right.
Address it.
I think probably, yeah, the very important point to cover for us. Probably I can show you a slide to make it clear. If you look at our ARR growth overall, this is the growth number. You know, historically, what we've done last quarter, we had about 22%. This year, the, yeah, the total growth, growth is 26%, but in line with the Q4 growth we had. The business, organic business, was strong by itself, okay? I think we expect the organic to keep on staying strong. The question got asked is, why aren't you peeling off the Red Canary numbers, right? Red Canary is the first acquisition we'd had, had a sum revenue. Others were very, very early stage revenues out here. Red Canary was acquired to give us two main things.
One, agentic technology they have to do SecOps functions better because they have been doing for 10 years. They had playbooks and all to do it right. Number two, they have the expertise in this area. We're not trying to build an MDR business. As we evolve our SecOps platform, that's the business I want to count. That's the business I want to share with. That's one piece of it. The numbers, when we went through the audit and looking at the numbers of the company and getting complete with auditors, we were comfortable recognizing about $83 million off the number, which is reasonable. There are some renewals and all left over. The business, they've done quite well, but this is a small contribution of a business. That's why it makes no sense to keep on focusing on it.
The issue is not that we're not trying to share information. I think we should share information which is relevant to our business, which is our focus.
Yeah. Cool. Thanks, thanks for addressing that. I wanted to shift to one of the areas of strength. In my view, was the strength you have in Zero Trust Everywhere. Now 450 customers that are buying across three different platforms. What’s exciting about that? Kind of where are you in terms of bringing that to the entire install base? What’s driving that momentum?
Yeah. So we started Zero Trust market. We are the pioneers of the market. It started with Zero Trust users. That means making sure users are not on the network. They simply access our applications. It's the opposite of network security. We're doing very well there. Then it's natural for us to pioneer the next areas, Zero Trust Cloud, Cloud workload. They're somewhat like users. They should talk to each other in a Zero Trust fashion, going through a switchboard. Zero Trust Branch was the next thing. In the branch, IoT, OT devices. It's a natural part of security to go and become Zero Trust Everywhere rather than just the users. We are seeing success in all the areas.
It's also differentiation for us as some of the copycats are coming from behind and say, "Oh, we do Zero Trust too," even though they're spinning a firewall of the market. When it comes to Zero Trust Everywhere, there's really no competition. It shows our leadership. We're seeing strong adoption. When we started the program about three quarters ago and said, "Let's target how many customers are becoming Zero Trust Everywhere," and those targets we set out, you set the targets. It's good to see better, faster adoption happening. I expect Zero Trust Branch and Zero Trust Cloud will be a big part of growth. When you talk about growth, you took out the growth rate, then you look at the meaningful contribution. You can start with a higher growth from a very small base.
That's where you're gonna see in security for AI applications starting from nothing. The big contribution to our growth in the next 12 to 18 months, one is our core platform because people still start with Zero Trust users, Zero Trust Branch, Zero Trust Cloud, and data security are our big pieces. The pillar you see on the right side under AI security, security of AI applications and agentic operations, agentic operations of SecOps and all this stuff, which is relatively new, we'll be launching some of those solutions in coming months. I expect both of those to grow rapidly from a small base. There's plenty, plenty of platform for us to sell. It's an integrated platform. It's not a platform by buying these five companies and they're dissimilar products.
Yeah. Makes sense. I wanna come back to data security, but specifically on AI security and what you're doing around security analytics.
Mm-hmm.
It, it's felt like, with Avalor and Red Canary, there's been more of a platform expansion in that direction.
Yes.
You talked a little bit about this, but why, why is that compelling right now? It feels like there's a big opportunity for you to get more strategic with customers.
Mm-hmm.
provide more around detection and response. Like, what, what's the opportunity there?
Yeah. Zscaler is processing over half a trillion transactions a day. I mean, that's a massive number. That number becomes a basis for doing security operations. Our customers have been telling us, "You do all the things, you have all the logs, and then I have to go to Splunk or somewhere else. Why can't you provide me more value when you are the source of data?" That's number one. Number two, I believe that AI is the biggest disruptor for security operations because AI can do that stuff in a much, much better way. AI models are only as good as the data. If we have the best data, we are in a better position to do this than anybody else.
That's why to build this thing, we started with our own data, some of our own technology, then Avalor giving us the semantic layer and Red Canary giving the front end, stitching all this thing together, becomes a very compelling, very effective solution in detecting things, investigating things, than the traditional market out there. It also established a closed-loop system. I find something, I send it to Zero Trust Exchange to change policy, block certain things in near real time. Today, it can take days or weeks for things to be found and do that system. It is a very compelling solution that we offer to our customers. That is what we're accounting on as a part of our expansion strategy.
Makes sense. To talk about the size of that AI security bucket, I think you just crossed $400 million in ARR and Red Canary is in that. You have some products that have been in the market for a while, like ZDX, that are contributing there.
Yes.
It does seem like there's been some pretty strong momentum on, specifically, the AI for security business or security for AI. AI security posture management is something that you've had for a little bit.
Mm-hmm.
What does the momentum look like there? What are customers telling you about that AI for security?
Yeah. First, clarifying two buckets under AI security that you see on the screen. Agentic operations is using AI to do certain solutions. It's either security operations, which is what we talked about, or it is IT operations, which is user experience. The reason that sits there from day one, actually, ZDX was built by using AI. We started predictive AI, then Gen AI came along. That and SecOps, yeah, they are a bigger piece of it, and they are powered by AI. ZDX has done very well. It's growing very well. Security operations, we expect it to start showing growth. We plan to do the first launch of integrated services next month. We will keep on adding functionality as time goes along. The other area, security for AI applications. This is a brand, relatively young market.
We have built a number of solutions in this area. We acquired Avalor, a small token, to round it out. It's starting from small customers have tremendous amount of interest in it. Those are deals that are starting with small people are trying to learn and understand it and w e have to have a strong foundation to start with these deals and grow from there but A I security is a very important area for us. We're making sure we have the right solutions in place and be a meaningful part of the market.
Yeah. And to that point, you noted a couple of larger AI security posture management wins last quarter.
Mm-hmm.
I think there's a view amongst investors that that market is still relatively early, but it seems like you have some traction there. I'd be curious to get your perspective on what gives you the right to win in that market. We've seen all the other vendors go out and acquire products there.
Mm-hmm.
I think you feel like you've gotta differentiate your product and a point in line with applications. What gives you the right to win?
Yeah.
That business?
So one of the things customers are looking for, for securing AI applications is that they do not want to deal with five different vendors. Look at what is needed to have meaningful security in that case. One is we start with GenAI security. When ChatGPT and all these Gemini came out, customers are worried about loss of data. We are sitting in line. We built a product for securing the data. That is number one. Over two years ago, that has now, that gets bundled in data security because it is about not making sure data does not leak out. The second thing we built was AI discovery, essentially risk and posture. What do you have? How risky is it? All that stuff is very important. That is what you want to start there. And AI SPMs, AI security posture management is part of that. And the third was red teaming.
Companies are building more and more AI applications. When you build applications, you want to know the, the essentially the vulnerabilities around those applications. Red teaming is essentially penetration tests of those applications. That's a young new area. That's what SPLX gave us because they built a very good product. And AI guardrails, the fourth product. This is when you build the models, how do you put guardrails so the traffic of users and agents goes through you to make sure they're not doing what we call prompt injection or we call data poisoning type of stuff. So you have secure use of it. Our customers need a comprehensive solution in this area that we have. A lot of vendors, there are a hundred red teaming companies out there.
Okay?
We looked at, we started with 70, and we whittled down and bought one of them.
Okay?
And they're all kind of point solutions. Integration becomes important, and richness becomes important. We are pretty well positioned to do that. Now, many times companies go and buy six companies out there. Just because you bought six companies doesn't mean they're integrated. The benefit of going to a single vendor is having an integrated solution that's easy to deploy and easy to operate. That reminds me of an interesting dialogue I had with a large customer. They had about 2,000 stores, retail customer. This is, this was about a year ago. He said, "I, I was sold a platform, so to speak, with all these products.
And as I tried to deploy it, I discovered that the only area or platform where I could get value was consolidated billings for eight products.
Okay?
All these other things are individual products. Our goal is not to do like that. Our customers are very proud of Zscaler. Our net promoter score sits between 75-80. We got so many repeat customers who go from company A to company B to buy us. That's because we are the best solution. It works and scalable. So integrated, great solution is what we take pride in, rather than becoming a Computer Associates who buys all these companies and pick one. That's not Zscaler.
Yeah. Maybe to round out the emerging products, in, in data security, you, you've had a pretty unique entry to that market with Inline CASB and, and DLP.
Mm-hmm.
How do you think about that market evolving? There's obviously a bunch of noise around the Data Security Posture Management side. Do you find that customers are trying to consolidate that? Do you feel like that's gonna continue to progress over the next year?
Yeah. Data security market is becoming bigger because your data is sitting in all kinds of locations. You can no longer just do one or two pieces. Data security is also hard to put policies in place, enforce them, false positive, all those things happen. Often CISOs tell me, "Doing one data security vendor's hard enough. Now I'm doing three vendors to do policies and all, it becomes almost impossible." So about six years ago, we decided that we want to be the most comprehensive data security platform and t hat's because we already had very good solution in DLP, inline DLP that has traditionally been served by companies like Symantec, Vontu of the world out there. We expanded to CASB of the world. It's also natural for us to do data DLP because we are sitting in line. The traffic's already flowing through Zscaler.
Then we added CASB, added SaaS security posture management was important. We did a token that brought us third-party supply chain for SaaS security. Then we added endpoint DLP, and we built email DLP, then cloud DLP for S3 buckets and the like. So we have integrated very, very good solution. The area you hear a bunch of noise in lately is what Gartner coined one more four-letter acronym called DSPM. Now, what's DSPM is about data security posture management. It starts with discovering data. Where, what all data is sitting where? Once you discover it, you want to classify it. What kind of data is it? And then once you classify it, you want to be able to show what policies can be applied to what data.
We have been doing pieces of DSPM all along, but with a new focus, there's a bunch more functionality we have added in this area. DSPM itself doesn't do data protection 'cause it doesn't really stop data from leaking out. You need DSPM plus inline DLP to do proper data protection. We came from strong DLP side of it, and we have enhanced DSPM. The two together makes the best solution. Customers do not want multiple data security vendors. Look, with $450 million ARR in this space, that has been going very nicely. If this business of Zscaler were an independent company, it will be the largest data security company out there and I think we're just getting started. There's a big, big opportunity to grow this area.
Yeah. One of the other questions I got coming out of last week was, what is, what's going on with the core business? What's the strength of the core business? And I think it's a kind of a challenging question because the core business is ZIA, ZPA, but increasingly ZDX and.
Right.
Data security and agentic AI. Like, how, how do you think about the market for, I won't, I won't use a sassy term, but how do you think about the core market for, user, user security?
Right. Still, a very sizable part of our business comes from core business. I was listening to some of the comment last week and said, "Oh, well, they used to tell us, 'Huh, are you expanding your platform? Are you growing your new business?' We have been telling you the growth of emerging products for the last many years." Suddenly you say, "Oh, what if new business is doing so well? Is core business weak?" It's like, okay. So core business, and if you look at just some of the stuff, even Zero Trust Everywhere, when we talk about Zero Trust Everywhere, we talk about customers who actually have both ZIA, ZPA, ZDX, branches, cloud, and everything. There's part of the core business sits out there.
It is true that the new pillars of growth are bound to grow faster than the older pillars, but there's plenty of opportunity for core business. Take even ZIAs, ZPAs, ZDX. We have 45% of the Fortune 500 companies. It's not that others are gone. We still are finding lots of new companies to go and embed. We are adding new logos at various levels. Now, the size of the business is sizable, so you're gonna find a lot of business coming from upsell. When business comes from upsell, what do you sell? You are getting some of the new pillars and w hen I went public, what, it was about 20% upsell and 80% was new logo. We didn't have very many customers to upsell to. In fact, at that time, investors used to ask, "Huh, you're a ZIA company.
Would you ever become ZPA? ZPA added ZDX and all these products. You've seen the story. You've seen us prove that all this can be done. Every quarter, our upsell has been going up. It should go up. Upsell is easier. Now we're sitting in the 70-30 range. If you look at the, look at the ServiceNow model, they're sitting at probably 80-90% upsell. They have a lot of customer base. I think you'll see growth from both areas, the new logo. We are also getting new business. Now the entry points for us is also, for example, security for AI applications. I do not need my core platform to sell those things. That becomes a new entry point for us. In data security, the DLP side generally has been upsell, but some of the DSPM part doesn't even need an upsell.
We're doing some of the DSPM in the new logo space as well. So I feel very confident, comfortable about the business at the core level as well as the platform level. There's a good synergy between the two.
Great. I think, I wanna talk about go-to-market changes and efficiency that, that's coming back there. I think, I think maybe you'd admit that last year was a bit of a challenging year for, for Zscaler. You had some turnover in the go-to-market organization.
Mm-hmm.
Mike Rich has now been in place for over a year. Where are you today, and how should we think about sales efficiency, sales capacity over the next year?
Excuse me, sorry. Yes, last year was a transitional year for us. We told investors that we are gonna make changes to the management level and the sales level and the process and focus we bring to the table. Amidst changes, we showed you the numbers we'll deliver. There are a bunch of skeptics talking about the second half, committed billing, not committed billings. Okay. While we changed all the tires of the car, we delivered, we exceeded the expectation we set. All the changes we planned to make, what made they're done at the end of last fiscal year in July. We are essentially now growing and focusing on, if you look at Q1, our sales productivity went up pretty nicely. In fact, we, the beat we had, we passed all of that beat for the rest of the year. That's good stuff.
That also implies expansion and margins. The sales machine is doing very nice. All the changes are through, and the estimates we're giving you, the guidance we're giving you is taking into all the factors, and we feel very good about the business.
Awesome. Like, like some other vendors in the space, you introduced a flex contract with Zflex, and the momentum's been really good there. I'd be curious to get your view of how customers have received that and what you've seen from a contract duration perspective, what that means for additional flexibility to try new modules, expand across the platform. How's that reception been so far?
Yeah. First, to clarify, I mean, Zflex is now an ELA. Some company do ELA. ELA sits out there. ELA says, "Here's all of my stuff. Do whatever you need to use and create shelfware." Okay? We are very mindful of adoption of our technology. Now, Zflex says, "You had the flexibility of swap some of these modules." If data security has eight modules and the customer says, "I'm ready with my budget and all to do four of them, which four do I want?" The ability to swap those things makes it easier for them to make a decision. Also, sometimes they say, "I can only consume these two first year, these two next year." So the ramp gets involved in it, and there's rate cut to change stuff. It is a good, very good, initiative to reduce some of the procurement back and forth kind of stuff.
It doesn't generate hype on its own. You still need to go and work with a customer to show the opportunity, the pain they have for cloud or workloads or DSP kind of stuff. So what's the impact we're seeing of it? One, we generally ask for a five-year commit deal for this. Most of our deals with Zflex are five-year deals. You are seeing impact of that in some of the RPO. The RPO is going up as this Zflex is part to play. You're probably also going to see some of the, if I may use the term, negative impact on the billing side of it. If you are building some of the ramps kind of stuff, that's going to reflect on the billing part of it. Overall, it's a very good program.
I'm surprised how quickly it has grown, and I think it'll be good for us, and it'll be good for our customers.
Yeah. Very good.
Yeah.
I wanna get your impression on the M&A strategy. And you've obviously made a couple in the past few years. You've had a pretty consistent track record of, Aqua Techs, Aqua Hires that have rolled into the platform. We've seen some of your peers, competitors make more strategic M&A. How do you think about kind of the balance there? And how do you think about markets like observability? Is that kind of within the realm of where you wanna go, or is it more targeted?
So some vendors want to expand in probably in more random markets, if I may use the term. Random means markets aren't synergistic, aren't really tightly coupled to us. We are thoughtful about the markets we want to go to. There's no point in trying to expand too much and become by Computer Associates, for example. Or one guy, one investor said, "Huh, do you want to become a PE firm or do you want to become a company that offers an integrated platform?" We are gonna stay in the offer integrated platform, but that doesn't mean we don't expand. You've seen our thoughtful expansion. It started with ZIA, ZPA, ZDX, then it became Zscaler for Users, then cloud, branch, IoT, OT, data security. We have done an extremely good job in building integrated solutions with token acquisitions that have given us pieces to integrate.
The beauty of token is it's small, early enough, you can build it as part of the platform, and most of these have been pre-revenue out there. So you know, for AI, operation security operations, we looked at 25 AI security companies that would do SecOps. As we dug underneath, there really was more demo where than real stuff. We couldn't find any customers who had done business with us. With Red Canary, we found some good technology underneath it, so that's why we acquired it. So we don't really look for big acquisitions out there. We look for meaningful acquisitions, because customers like the integrated story. We'll keep our eyes and eyes open, but as the strategy, I think, has worked, it's almost like what traditionally ServiceNow has done. They've done a bunch of small acquisitions.
They have a good integrated platform, and that platform allows our customers to expand and get integrated offerings. You'll keep on seeing what we're seeing. There is no change in strategy from M&A point of view.
Great. Maybe the two questions to close. I think with any technological change, it sort of necessitates a rethinking about how to do security. We've seen adoption of SaaS and remote work poke holes in the concept of perimeter defense. How do you see AI kind of accelerating that or changing that further? I know you've seen some strength with Zero Trust Gateway, which is a relatively new product in terms of how to secure the cloud. How do you see that kind of evolving from here?
There is no doubt that AI security is creating some big, big security issues. It discovers your attack surface. You can ask ChatGPT and say, "Tell me all the firewalls and VPNs with vulnerabilities for this customer and give it to me in a tabular format." In the past, it would've taken weeks for a hacker to find it. Now, under 60 seconds, you got the answer. You can see automation being used by hackers. The Anthropic thing that came out a few weeks ago, the agent got hijacked, and you could do all kinds of stuff with it. So while there are many AI security products that will come out, the best way to block this kind of stuff is to have Zero Trust as a foundation. What Zero Trust says, every location's an island, every branch is an island, every application island.
That means if something got compromised, the blast radius is contained to that and that place itself. Having a strong foundation of Zero Trust becomes even more important for AI security. You need to do securing AI applications on top of that, red teaming, discovery, and the like. The third area where AI is truly disrupting everything is SecOps. Literally, rather than having people do the stuff, AI agents can do a lot of that work, and we think that is a very, very exciting area. The other disruption we see is at the branch and user level, sorry, branch and cloud level. Look, things may take some time, but when you have a great solution, it works. We are seeing adoption of Zero Trust Cloud, where people have traditionally used East-West firewalls, North-South firewalls. They are complicated.
In the world of cloud, it's hard to deal with IP addresses that firewalls depend upon. We see a big opportunity there. Take, you know, Zero Trust Branch. We're the only company that's actually talking about that. Everyone else is mesh network, SD-WAN, this and that. As we built a solution six or nine months ago, I would think that this is such a wonderful solution. We had already talked to a dozen, two dozen customers who loved it and said, "How will the broad market respond to it?" I had no idea. Now, having talked to hundreds of customers, I haven't found one that says, "I want to stay with my SD-WAN, my mesh network." It's exciting. I mean, I don't know exactly the reception. The reception is strong. When you have a platform, when you have technology that's so differentiated, branch is unique.
Zero Trust Cloud, there's nobody else who offers Zero Trust communication or cloud workloads. The competition there is legacy virtual firewalls and w hen we bring all these technologies to the market, our customers appreciate it. That's why they're spending money. They're growing with us. As we finalize, as we have honed our go-to-market engine, we think we're very well positioned for the long run.
Awesome. I think we're up on time, so we'll end it there. Jay, thank you for being here. It was great. Thank you all for joining.
Thank you. We appreciate it.
All right.