All righty. Well, hey, good morning, everyone. Welcome to day two of the Barclays Tech Conference. My name is Saket Kalia. I cover software here. Honored to have with us the team here from Zscaler. We've got Kevin Rubin, Chief Financial Officer. Also have the Investor Relations team here with Kim Watkins, as well as Catherine Hua, who I think is somewhere around here as well. So, we've got about 30 minutes together. Let's take maybe the first 20 or 25 minutes to go through some fireside chat with Kevin, which I know is gonna be real fun. And then we'd love to make this interactive. So if anyone's got a question, just pop up your hand. We can get a mic around. So, with that, Kevin, thanks so much for being with us here today.
Thank you for having us. We're thrilled.
Yeah. So, you know, we've been very lucky since the IPO to have Zscaler at our conference for years. But I think this is the first Barclays Conference where we've had you here as CFO, hopefully the first of many. Maybe with that said, just tell us a little bit about your background and what attracted you to the opportunity at Zscaler.
Sure. Sure. So I've been in enterprise software for about the last 15 years prior to joining Zscaler. Prior to that, I had been in other areas of technology. My experience is kind of abstracted as the tech stack is abstracted. Started with wafer fabrication into data storage, and then more recently into software. After we sold Alteryx, which was my last longer-term gig, I got introduced to Jay and candidly didn't know a lot about Zscaler. But as I got engaged and learned more about the company and the opportunity, it was very clear to me that we had a very differentiated opportunity in the space.
Aside from the fact that I thought the management team was exceptional and people that I would love to partner with and work with, I really thought the Zscaler opportunity was incredibly unique and one that I wanted to be part of.
I totally understand that. Very, very helpful context. You know, I think everybody here in the room is certainly familiar with Zscaler. But just to make sure we're all on the same page, can you just recap some of the points from last quarter that you were particularly proud of?
Mm-hmm. Yeah. So, you know, for us, you know, Q1, like many other enterprise software companies, tends to be the smallest seasonal quarter within a given fiscal year. For us, it was a great start to the year. We had 26% ARR growth. Within that, we had 22% organic growth. For those that have followed us, we did acquire Red Canary at the beginning of the quarter, which contributed to ARR for the period. But we really did see strong, broad-based performance across the organic business, whether that's geographical dimensions or product vertical dimensions. We really did see strong organic growth. I think Jay even mentioned on the call that it exceeded our internal expectations. And so that was really the color I intended to share, you know, how we saw the performance in Q1.
From a profitability perspective, you know, it was a Rule of 78 quarter. We had 52% free cash flow margin. Now that is also seasonally affected. Q1 tends to be the highest cash collection quarter of the year. But all things considered, we felt really good coming out of Q1. That strength in the underlying organic business gave us confidence to raise guidance, which we did for the full year, and we think it really does position us well.
Yeah. Absolutely. Totally agree. That 22% organic point is very helpful and was clear that that was ahead of your internal expectations. I think this is the first full quarter that we had Red Canary as well. Remind us, how did that do versus what you expected?
Yeah. So, as we had mentioned going into the quarter, we expected Red Canary to contribute $83 million of ARR at the close. So that was the amount of underlying business that we picked up. And then we had shared that we expected Red Canary to deliver $95 million throughout fiscal 2026, which, you know, effectively implies if you just straight line it, you know, $3 million a quarter, and our commentary was that they actually did a little better than that in Q1. So, in addition to the underlying strength we saw in our organic business, we also saw better performance in the Red Canary in the quarter.
Yeah. Absolutely. It's a good, it's a good start to the year. You know, I wanna take that point just on organic growth and a better start with Red Canary and maybe think about kind of what we've said for the fiscal 2026 ARR guide. Have we given any guardrails around how much we should think kind of coming from about coming from organic? And more importantly, what are some of the fundamental drivers that you think about in terms of underpinning that growth?
Yeah. So our guidance, going into the year, on the fiscal 2025 call, implied that net new was, you know, 6% or 7% growth in fiscal 2026 organic. And, you know, hopefully the takeaway from having raised guidance is that's now gonna do better. So, as we think about, you know, the opportunities in the business, we are more bullish as we're here in Q1, obviously than we were in Q4, when we think about the growth drivers, we talk about three growth pillars, right? That is, Zero Trust Everywhere, and I'll talk a little bit about what's included there, Data Security Everywhere, and AI Security. I think what has gotten lost in that discussion is we're actually seeing very good growth still in what people have described as the core business.
So you think about ZIA and ZPA for those that know Zscaler, basically, our ability to provide security for users. Zero Trust Everywhere extends that into other types of resources. So yes, we have accelerated growth and higher growth in our three growth pillars, but we are still seeing, you know, pretty strong performance in just, you know, the core ZIA, ZPA business.
That's a great segue. And I really wanna talk about sort of that, the growth differentials between the two. But, you know, those three growth pillars I think are super important. Maybe just, and I wanna dive into each one of those individually. But can you just remind us what we said about the scale and the growth of those businesses collectively?
Yeah. So as it related to Zero Trust Everywhere, we described that in the context of how many customers were Zero Trust Everywhere customers. How we define that is Zero Trust users, that is the ZIA, ZPA customer base. And then we have since released Zero Trust Cloud. So how do you apply Zero Trust principles to cloud workloads and Zero Trust Branch? So how do you extend Zero Trust to your IoT, OT devices that are sitting in your branch offices? And we know that there are millions of branch offices in the world. So moving a customer from a Zero Trust user to a Zero Trust Everywhere customer, not only does it from the customer's perspective allow them to employ Zero Trust principles across all of their resources, it does result in a 2-3X increase in ARR for us.
That movement is, you know, we think incredibly strategic. The target that we set was to achieve 390 of those customers by the end of fiscal 2026. We actually achieved over 450 in Q1, so three quarters earlier.
That was a very healthy start to that goal. You know, I wanna follow up on that. Those are great, a great summary. And particularly wanna dig into kind of the Zero Trust Branch part of that opportunity. That feels like one of the bigger ones as we think about the three things that a customer has to fulfill in order to become a ZTE customer, right? So can you just talk about how you think about the Zero Trust Branch opportunity within the customer base? I mean, should we think about all ZIA customers as candidates for Zero Trust Branch? How do you think about that?
Yes. There, from our point of view, there is no reason that a Zero Trust user customer would not be a Zero Trust Everywhere customer. If you have bought into Zero Trust principles, being that anything that is connecting to anything should be authorized, should be authenticated before it has an opportunity to connect, as opposed to, "I authenticate you coming into the network, and then I let you run free." If you've bought into the notion that Zero Trust is better security, there's no reason you shouldn't apply that to, you know, cloud workloads, applications, talking to applications. There's no reason you shouldn't apply that to, you know, badge readers in your buildings, security cameras, printers, anything else that would need to have access to your network.
There are examples of those devices getting hacked and it ends up, you know, permeating into, you know, issues within your corporate network. You know, Steve House, head of product, mentioned in an earlier conversation this morning, you don't want to see somebody hack your set-top box that happens to sit on your network and ultimately affect SAP or have an issue with those. But once you're in the network in a traditional architecture, you're in the network and you can run around and create issues. But in a Zero Trust world, you are authorized and authenticated for that particular use and that use only. You don't even have exposure or visibility to anything else existing.
So back to the question, we see no reason why if you've adopted Zero Trust for your users that you wouldn't extend that naturally to any other type of resources within your environment, including agents. And we can talk about that in the AI security section. But there's no reason that agent-to-agent communication shouldn't follow the same principles. And you're going to have, if everything plays out the way that people are predicting, you're gonna have far more agents communicating with agents in the world in the future than you have users. And you're going to want to also apply these principles to that communication.
That's interesting. And just to put a bow on Zero Trust Everywhere, did you say a 2-3X uplift? So Zero Trust users only moving to a Zero Trust Everywhere contract, that's a 2-3X uplift, is that what we said?
That's correct.
Wow, that's compelling. Interesting.
Yeah.
Got it. I wanna move over to Data Security Everywhere, as well. And maybe just foundationally, can you just walk us through some of the key modules that are included in that pillar? And similarly, what have you said on kind of size and growth for Data Security specifically?
Yeah. So we have eight modules that we offer from a data security perspective, things like Inline DLP, Endpoint DLP, and other types of data security-related protections. The concept of Zero Trust allows us. We sit inline of traffic. So we inspect packets, we apply policy at that level as you have communication running through your network. That is a unique position that allows us to also naturally do data protection and understand what data is being transmitted across that inline communication path. We have, to the best of my knowledge, the largest purpose-built security cloud in the world. And we operate 500 billion transactions in this cloud each and every day. That's orders of magnitude greater than just Google searches. And I think that competitive advantage and unique advantage is underappreciated.
Because we have this such broad platform that is inline to all of these communications, it allows us to naturally extend into areas like data security. So at the end of Q1, we mentioned that data security had exceeded $450 million in ARR. So it's also a very significant concentration of our business. I'm very proud of it.
Yeah. Absolutely. And I think you answered one of my next questions, which is, you know, what gives Zscaler the right to win in that data security space, particularly with all the M&A and sort of the noise that we've seen in kind of the CSPM space, in general. And it sounds like by sitting inline, right, with kind of that communication, that's what gives you the right to win there. Is that fair? Is that a fair summary?
Yeah. 100%. I mean, there's no reason that you should think about data protection in any area of your network, outside of the communication path that is happening. So that's the approach that we've taken that is core to, you know, Zero Trust principles. And again, I think it's underappreciated the size and scale of the actual platform that we operate and that we offer to our customers. So we provide customers the opportunity to be able to start with simple Zero Trust for users. We give them the opportunity to then expand that use into data protection modules. We give them the opportunity to expand that into SecOps and ITOps with respect to some of our AI security offerings.
We give them the opportunity to inspect AI-related traffic so that you can understand prompting when your employees are interacting with a language model and you wanna make sure that, you know, they're not asking, you know, how do I build a bomb on company resources or, you know, how do I do things that I should not be asking my LLM within a company to do. So we have the opportunity to inspect those prompts. We have an opportunity to ensure that the policy that you want to apply to that use is properly applied. So again, we have a right to win, I think, in both data security and AI security by the nature that we are sitting inline to that traffic. We see we have access to the largest possible data set underlying that traffic.
We can use that for things like, you know, understanding, pattern recognition and understanding vulnerabilities and threats and be able to, you know, apply that across the entire Zero Trust Exchange, which is, you know, incredibly unique to our platform and one that none of the other vendors can claim or offer.
Absolutely. So we've talked about Zero Trust Everywhere. We've touched on data security everywhere. I'll just kind of wrap up the trifecta here with AI Security. Remind us, similar question, sorry, just to frame everything. What have you said about size and growth there? And walk us through some of the more material modules in that part of the business.
Yeah. So our AI security growth pillar exceeded $400 million in ARR at the end of Q1. So, it has been doing incredibly well. It includes. We bucket it into two elements. We have securing AI. So I talked a little bit about, you know, understanding prompts and guardrails around how organizations are interacting with large language models and applying policy to that activity. That's securing the use of AI. And then there's AI security. So how do you then use AI to provide better security? And again, when you think about just the breadth of the platform and the underlying data that we see, it gives us a massive competitive advantage in terms of being able to use AI to then provide far better security and posture to our customers. You know, things like AI guardrails, right?
So that's the prompting. AI asset detection. So, you know, how we think about understanding, you know, the actual posture of your AI environment. We recently acquired and spoke to SPLX, which allows you to do AI red teaming to stress test your AI applications before you deploy it and make sure that you have an understanding of what vulnerabilities may exist before you expose those to customers. So AI is a significant opportunity for us in an area that you've seen us, you know, participate from an M&A perspective, you know, quite a bit. And, lastly, we have, within the AI security, that's where our agentic SecOps activities exist.
It started with the Avalor acquisition that we made a few years ago, a couple of years ago around how do you contextualize your data, how do you synthesize your data for purposes of understanding and vulnerability management. Then now that we have the agentic technology from Red Canary, we can start to apply that to this massive data set and be able to provide better security and vulnerability management to the broad-based customer base.
Interesting. So we've kind of, we've talked about those three pillars. I wanna kind of bring it all together. You know, if we think about those growth businesses making up over $1 billion in ARR, this is one of the topics you touched on earlier. I'm curious to hear how you think about the, right, 'cause we're total $3 billion ARR business. How do you think about the other $2 billion plus in ARR that comes from kind of what we call core, or maybe those à la carte purchases of ZIA, ZPA, and ZDX? It feels like that Zero Trust SASE market continues to see healthy secular growth.
But I guess as we see more customers move to Zero Trust Everywhere, for example, could we see some business shift out of that 2 billion bucket into that 1 billion bucket? How do you think about that sort of dichotomy?
Yeah. I don't, I think we've kind of created a little bit of unnecessary confusion in how we've talked to kind of these growth pillars and by extension then what it implies to the rest. Yes, I think mathematically the challenge is as the underlying Zero Trust user customers begin to adopt more of the elements that are sitting in these growth pillars, you just mathematically kind of create this movement of their underlying business into the growth pillars, which I think a little bit obfuscates what's happening underlying the growth. We've actually seen, you know, pretty strong performance in our ZIA and Zero Trust user business. That does not come through, I think, in the way that we have talked to these elements of the business.
And so, you know, we'll think about how we better provide clarity to investors on what we're seeing underlying the business. But we are seeing broad-based support. We have about 45% of the Fortune 500 companies as customers today, implying that we've got more than half of those that are not yet customers that we have intent to go out and capture. We have about 40% of the Global 2000. So again, you've got over 50% of the Global 2000 companies that we believe should be Zero Trust and Zscaler customers. So there is a significant opportunity both within our existing install-based upsell into more of the Zero Trust user population, more of the Zero Trust Everywhere population, into data security, AI security. But there's also just a significant opportunity from a net new logo perspective vis-à-vis these large customers.
One other data point just to keep in mind, we have about 4,400 customers that we would consider kind of an enterprise customer, you know, meaningful size organization with a meaningful size user count. We estimate there's no less than 20,000 of those customers that are addressable by what we do. And so if you look at it from that perspective, you've got about a 4X opportunity, in that context if you wanna look at it separate from Fortune 500 and Global 2000.
Very helpful. And maybe that's a good segue into one of the questions I get sometimes is just on the competitive landscape in this Zero Trust slash SASE market, particularly as we think about some of the firewall vendors. We just had Fortinet here, right? As we think about some of the firewall vendors getting into the SASE space, of course, we've got some smaller, pure play vendors as well. Listen, I think about this as a rising tide type of market. But maybe you can just talk to us a little bit about, you know, how, you know, what are you seeing in terms of competitive win rates? You know, do you think this is a rising tide type of market just based on the number of opportunities? Or how do you think about kind of that competitive landscape and the metrics that you can see?
So when it comes to SASE, we think very clearly about Zero Trust. And that is a fundamentally different approach to just generic SASE. It's, as I kind of described earlier, it is this notion that you're adopting principles that you believe that only certain resources should have access to each other for only the limited purpose that those need. So you're not, you know, creating, you're not simply creating a network infrastructure that previously was on-premise and pushing that infrastructure into the cloud and calling that cloud security. You are approaching cloud security in a fundamentally different way. We offer that through our Zero Trust Exchange. We offer that through the ability to, basically trust nothing and nobody and only authenticate and authorize, as it relates to a particular task at hand. So when we think about that market, I agree.
I think that, you know, there is a lot of effort and push that's going into the need for Zero Trust. You look at the proliferation of AI and soon-to-be agents. And there has got to be a methodology to be able to orchestrate that communication between those agents. We think we are uniquely positioned, in that specific to what I kind of described through the Zero Trust Exchange. We have talked a lot about being creating an agentic exchange, so extending the Zero Trust principles that apply to users, to cloud and branch, but then also to agents and being able to orchestrate that communication since, again, we sit inline and it's kind of the natural way to do it.
The other thing I would just reinforce when you think about Zero Trust architecture vis-à-vis traditional architecture is the cost arbitrage to deploying Zscaler. I think is also significantly underappreciated. You no longer need all of this heavy, legacy hardware equipment to be able to offer better security. You're doing so in a point-to-point relationship through our cloud service. And so you don't need your SD-WAN architecture. You don't need your VPN architecture. You don't need your firewalls. And, you know, simply shifting that investment into a cloud service is not eliminating the need for those costs. But when you adopt Zero Trust through Zscaler, those costs go away. And so that is an incredibly powerful tool that we use, especially in difficult markets to, you know, make very compelling value-based arguments from a competitive perspective.
Yeah. Super, super helpful context. I wanna dig into some financial questions here on the time that we've got left. Kevin, I know that we've talked about sort of, you know, investing for growth, which makes a ton of sense given the market opportunity we've talked about, but at the same time, I think we've reached the really the top end of the long-term margin target that the team gave several years ago, right? I think the range was 20%-22%. We're close to the top end of that, so you know, looking forward, maybe I'll ask the question broadly. How do you think about that balance between growth and profitability?
Yeah. We have been, I think, very fiscally responsible in our growth. We've been, you know, fiscal 2025, we were a rule of 50 company. We have been a rule of 50-plus company since going public in 2018. So we have been very responsible with how we deploy capital and resources in the organization. And there's no intention to change that philosophy going forward. Now, we've also been able to do that with higher levels of growth. And, you know, as we mentioned on the earnings call, we are one of only five pure play software vendors that are growing at 25% or greater at a 3 billion or more scale. And so, you know, we continue to be able to grow at high rates, but deliver significant profitability in doing so.
As it relates just to the longer-term model, we do intend to hold an investor day later this year, where we, you know, take an opportunity to kind of reset, you know, how we think about the opportunity ahead, what's the strategy underlying that, and then, you know, what's the longer-term financial model that you should expect, given that strategy. I will put out there if anybody has any recommendations or thoughts on things that you'd like us to address, please reach out to our IR team. We're happy to have those conversations. But that'll be a good opportunity for us to, you know, be able to, you know, kind of reset how we're thinking about the business from the perspective of investors 'cause we haven't provided a lot of update to that since, I think, 2021.
I think that's gonna be a great event. I can't wait to hear more specifics on it. Maybe just to follow up on it, I think that Jay has anecdotally talked about a path to 5 billion in the ARR, even kind of dangled the $10 billion ARR on the last call. I mean, now that we've shifted the focus, the focus metric here to ARR, which by the way was great, you know, you've you know, as we said, we've kind of reached the high end of the long-term margin target. I mean, how is Jay sort of thinking about those, you know, those kind of top line targets? Because a 3 billion ARR, 5 billion doesn't seem that hard anymore, you know, for what it's worth.
Broad-based question, but curious your thoughts.
Yeah. I mean, ultimately, we'll go into far more detail and, you know, share our view of kind of the path to a much larger company. What I will just say offhand is obviously Jay has a lot of aspiration and a lot of confidence in our business. And, you know, his aspirations don't stop at 5 billion and frankly probably don't stop at 10 billion.
That isn't surprising at all. Maybe one point that I wanted to touch on as part of that, one of the things that launched this year and I think has done really well is Zflex, right?
Mm-hmm.
So maybe we could just dig one level deeper into how those contracts are structured. And I wanna make sure that we talk about could there be any kind of model impact as that Zflex concentration or mix grows that we should know about?
Yeah. So Zflex is our offering that provides our customers with a very flexible deployment model. It allows them to think beyond kind of an initial order and plan out what a much broader Zflex deployment, excuse me, Zscaler deployment look like over time and give them confidence that whatever commitment they're making is protected in that they have opportunities to mix and match the technologies that they use from Zscaler over time. So if dynamics in their business were to change, you know, those monies that they're committing and investing in us, you know, are protected. So it, that is our approach to, you know, providing customers with greater value, greater flexibility.
And in doing so, what we find is those customers tend to make longer-term commitments to Zscaler, and those deals tend to be notably larger, because of the dynamics of Zscaler. One of the other natural byproducts of these longer-term broader contracts is you go through a negotiation, a pricing discussion, and a contracting discussion once. And so every time a customer wants to expand, deploy more technology, they don't have to get their procurement teams involved. They don't got to, they don't have to stand up additional, you know, PRs and purchase requisitions and purchase orders internally. They've already gone through the process. They know exactly how much each of the modules on the platform are gonna cost them, and what it takes to deploy.
From a modeling perspective, there's nothing per se unique to the Zscaler contract that is any different than an à la carte purchase, structurally, other than, you know, the, these, these features that allow them the opportunity to easily move into more modules, different modules, and then, you know, they tend to be larger and longer.
Excellent. Excellent.
Yeah.
In the time that we've got left, I wanna ask kind of a little bit of a deliberately open-ended question. But you know, as you look at your own internal metrics like pipeline and opportunities and all the fun stuff that you folks get to see, you know, what do you sort of, how does it sort of feel in terms of customers' willingness to invest and spend in security in calendar 2026? Open-ended.
I think it's fair to say this is, you know, still a challenged market. Budgets are not free-flowing like we saw in 2020 and 2021. Customers are very mindful as to where they deploy capital. To maybe just draw back to one of the points I made, one of the very powerful conversations that we can have with customers is the cost arbitrage that they can see by deploying Zscaler. One of our sales motions is to be very explicit on, as you deploy more of the Zscaler platform in your environment, what costs are you able to remove from your environment with other technologies that are no longer needed? That dynamic is incredibly powerful.
Super compelling. Couldn't think of a better way to end there. Kevin, team, thanks so much for the time.
Thanks for having us.
I appreciate it.
Our pleasure.