All right. Well, good morning, everybody. My name is Hamza Fodderwala. I'm the U.S. cybersecurity analyst here at Morgan Stanley. Welcome to the 2023 Morgan Stanley TMT conference. I'm sure it's gonna be a great week. To kick things off, we have the team from Zscaler. We have the pleasure of having Jay Chaudhry, CEO, Chairman, Founder, as well as Remo Canessa, the CFO of Zscaler.
Before I begin, for important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. I'm gonna have to say that 1,000 times this week. Well, welcome, gentlemen. Thank you so much for being here. Maybe I just wanted to start off level set. You guys reported earnings last week. I was wondering if you just quickly recap the results. What is sort of the state of the union in terms of overall macro demand picture? What were some of the positives and perhaps some of the challenges coming out of the quarter?
Right. I'll start. Remo, you can add on. Macro is getting tighter. There's more scrutiny. Overall, if you look at from revenue or sales point of view, you think of two things. Number one, due to tight environment, is there enough demand? Generally, hard times make demand soft. We are seeing very high degree engagement with our customers. Why is that? That's because, number one, all CIOs, CSOs do care about cyber. Cyber interest is not going down.
Number two, if CIOs understand that they can save money, reduce costs, they're willing to engage. It's because of these two reasons we see good demand, we're seeing a record pipeline. The second part is, great, you got pipeline. Can you close the business? 'Cause that's where excess scrutiny comes in. Three, four quarters ago, a CIO could get the deal done.
More and more deals do go to CFO for approval now. The two things we do in that area that help us. Number one, Zscaler has always been selling to C-level because we are transformational. Traditional appliances, firewalls have been bought at the technical level. We started at the CIO level, not even CISO, CIO level. That helps us because there's only one more level to go to. Number two, there's a lot of push on business justification. About six years ago, we started a team for business value assessment. That team has grown. It does a good job. Being able to do these two things is helping us actually do good business. Remo?
Yeah. I mean, from a, you know, from our, basically our call last week, we beat on revenue significantly and also operating profitability. We're at the high end of the range of billings. We increased our guidance for the full year, as well as increased our guidance both on billings, revenue, and also operating profitability. We did announce a 3% restructuring, about 200 employees. Over the last 18 months, we've doubled the size of the company. Basically, you know, just to increase in efficiency, you know, throughout the company, we decided to take out a couple hundred employees.
Got it. Got it. You guys have been, you know, a disruptor in the network security market, and sort of pioneer in the move towards SASE and Zero Trust Network Access. You know, one of the things that you talked about was customers sort of cutting deals into phases. Well, one of the things we think about with SASE is, while important, while it's a cost saver, it is a transformational sale. Are you seeing some pushback on that front that's elongating deal cycle further, saying, "Hey, this is something I wanna do, but right now perhaps I wanna conserve cash," especially as people return to the office and will likely remain in a hybrid model for the foreseeable future?
The world has been hybrid for a long, long time. Zscaler is not about just cloud. In the Zscaler world, with a Zero Trust Architecture, your applications could be sitting in the data center, in Azure, AWS, wherever, it doesn't matter. Users could be sitting in the office or at home. Sometimes people have a misconception that hybrid means legacy firewalls and VPN.
Absolutely wrong understanding. It is true that during COVID, you had to work from home, so only option of working in the office was not a good option. If you really think about the security part, there have been two models for security. Protecting servers and data center has traditionally been done by firewalls. The user security, when users need to access application, has been done using a proxy architecture.
You must be familiar with some of the names, the Blue Coat and McAfee and Ciscos of the world. We basically started to disrupt the user protection. Quite often, people think that we compete directly with firewalls. Not true. Firewalls were designed to protect servers. Now, it is true that firewall vendors are getting nervous that with the cloud, the role of firewalls will disappear. Where will you create moats all over?
You can't. They're trying to pivot and say, "I can do what Zscaler does." Well, not quite. To do what we do, you need to be literally a switchboard with a proxy architecture. That's the opposite of a firewall architecture. Architecture is like the foundation of building. If you have a foundation to build a two-story building, you can't build a 10-story building on top of it unless you fix the architecture.
The easiest thing for legacy vendors is to say, "I can do it," because they kind of put some bolts around things. I believe that it's because of an architecture difference, we will maintain the lead. You may hear a lot of noise overall, but eventually the architecture wins, and our architecture is designed for on-prem, off-prem, no matter where things go. We don't see a negative impact of people sitting in a mixed environment. We think it's positive, actually.
Okay. Let's talk about the competitive angle, 'cause that's obviously a bigger topic again, these days. There are a lot more SASE and ZTNA vendors than there were, let's say, two years ago, or at least companies that purport to be SASE vendors.
Of course.
Right. Has that, in any way, impacted Zscaler's win rates compared to one or two years ago?
If you think about what we started out, we started out with a disruptive architecture. Technology incrementally changes all the time, but architecture change happens every 20-30 years. Okay. I think SASE has become a buzzword, even Zero Trust has become a buzzword. Overall, the notion was, don't put people on the network, connect the right party to right party, and that's what we pioneered.
Now, you can kind of create some of these things in the other markets. I have talked about how Siebel Systems dominated the space, then Salesforce came with a different architecture. Who won the day? The architecture. Let's even talk about cloud. You know where cloud started out earlier? VMware could spin VMs in the cloud and should be really the best hyperscaler. Early on, it felt that VMware will do very well. Guess what?
When AWS built the cloud-native architecture to do this stuff, AWS got a significant lead. We think our architecture will help us win it, while firewall vendors will come from behind. They all claim cloud. Blue Coat tried to do the same thing. They spun up their proxy in the cloud. It wasn't the right architecture. From market point of view, when it comes to high-end of the market, we do extremely well. Those companies understand it.
You're seeing a lot of these large deals we end up announcing. We literally have no real competition. When you come down market sometime, the understanding of technology may not be as clear, and we see a bunch of competition there. That's where a networking company may be bundling a router and switch and firewall and some of the other stuff. We have been expanding our presence there. Once we engage, we win.
Okay. Okay. It sounds like high-end, there's no change in win rates as far as you can see. Is the incremental competition at the very least slowing down the sales cycle because now there's more vendors to evaluate?
On the high-end, I don't think competition is slowing us down. On the high-end, there is impact of approvals and extra scrutiny. Some of the deals you want to get done, they may take longer.
Got it. Got it.
Our pipeline is a record pipeline. You're right, I mean the scrutiny's higher, as Jay mentioned. We're seeing that. We took that into account with our guidance. Over the last couple of quarters, we've seen basically deal cycles taking a little bit longer. For our guidance going out into the second half, we've put a little more conservatism on our close rates.
Got it. Got it. I wanna talk a little bit about the 3% workforce reduction. Jay, I think at another conference earlier this year, the comment you made was that, you know, yes, like things are slowing down, but we're not gonna overly pivot, right? You're still hiring.
Yep.
You still wanna be aggressive. You know, six to eight weeks later, we had the announcement there. Just walk me through the thought process behind that.
Yeah. In the past 18 months, we doubled the company size. We went from about 3,000 to 6,000 employees.
Okay.
As we do know that some of the things are slowing down. Also, you know, when you double in 18 months, there are some level of optimization you need. There's some level of roles they can probably-- What's the right word? You end up adding, you shouldn't be adding. We are not slowing down our core engineering. We are not slowing down our product development.
We're not slowing down our core sales function. What we've done in this area, for example, you don't need a large recruiting team when you are slowing down your hiring. G&A was one part. While core sales is important, sometimes a bunch of supporting function for sales that end up beefing up. Those are some of the changes we made. We expect to keep on hiring in selected areas like core sales and core engineering, and we expect our headcount to be higher by the end of the year. We are bullish for the long-term opportunity. We'll keep on hiring. Making sure we don't add extra stuff that's not needed for the business.
Okay, got it. Consolidation is a big theme, these days. Can you talk a little bit about how Zscaler is aiding in that, and sort of what are the major cost savings that you do get when you deploy Zscaler?
Yes. Cost saving is a very important factor in today's market. If you look at various vendors out there, especially in the security space, most vendors and customers know that security is not typically about either cost saving or generating more revenue. It is actually a cost. Take most of the areas, endpoint, identity, where would you save costs?
Not a whole lot of stuff. In the Zscaler world, we actually bring cost savings, not from a bunch of security point products removal, but also from the network side of it. Once you have Zscaler as a switchboard, it does everything your typical DMZ, what's known as demilitarized zone does. A typical DMZ may be sitting with dozens and dozens of boxes. All you need in the Zscaler world is you need something on the endpoint for security, you need identity, and we are the switchboard.
We connect the right party to right party. We work over any network. There's a network savings. There's savings on network performance monitoring tools. There's savings from proxies, DLP. Essentially, most of the firewalls go, where the only area firewalls remain is in the data center, because data center is still pretty cluttered and complicated. Outside that, the simplification, the savings are significant. We actually quantify the savings. Now customers are actually asking us to make sure we can do a quarterly deployment, quarterly savings type of model, which is helping us.
Got it. You know, federal is an area where you talked a lot about in terms of seeing more opportunity. There's been a lot of initiatives recently announced by the Biden administration on that front, and you have multiple products that are FedRAMP certified. I think, in your most recent quarter, you talked about how that business was a little bit slower than you expected. Just comment on that and what you're seeing in terms of the pipeline ahead.
I'll start, Remo, then you can add on the financial picture of it. We started investing in the federal market about four or five years ago, knowing that you do need some of the critical certifications around FedRAMP, then StateRAMP to win this business. Today, we have the most certifications at the highest level as compared to any vendor.
In fact, if you look at certification, the highest level in the entire IT ecosystem, there are about six companies that are there. We are the only cyber company in that space. Who else are there? It's folks like AWS, it's IBM, who have been there in the business for a long, long time. First of all, it's good to be in that unique group of people who have full certifications. When it comes to business, we had a strong Q1 in federal.
Q2 was lighter. The rest of the outlook for the second half of the year is strong. You know, federal business can be lumpy, bigger deals, they go up and down. Also, as you know that these budgets, last year, you may have heard about these Continuing Resolution that delayed funding till March. This time, I think got done in December, January. It had some impact on it. We have a strong pipeline, we have a strong team. We are bullish about this business.
Yeah. The budget approvals were approved in December, you know, we did not see a strong Q2, but we do expect to see a very strong second half. We're well-positioned. As Jay mentioned, our pipeline is outstanding and growing, with the, you know, the FedRAMP certifications that we have, you know, the highest in the industry. We're in a really good position.
If I may make two more comments. 12 of the 15 cabinet-level agencies are Zscaler customers. They all started small, but it's a big opportunity for us to grow that business. Some of the most sophisticated security agencies like CISA, that actually mandate security, is Zscaler customers. We have a public cyber summit this Wednesday in Washington, D.C. We got a number of CIOs of some of the top agencies presenting how they have done transformation. Over 700 people have registered for the event.
Got it. I wanted to go back to sort of the SASE market and sort of defining the SASE market, because I think there's a lot of different definitions out there. If I think about SASE, does it have to be a cloud-delivered service through Zscaler sort of proxy architecture, or is there some combination of both cloud-based and physical elements, whether that be firewalling or SD-WAN?
Yeah.
Securing the WAN edge, for example, which is, you know, not going away anytime soon. Just talk a little bit about the state of hybrid SASE today.
Two separate points. There's nobody saying you must be cloud-based service only or on-prem only. It's the architecture that matters. Today, when we talk about edge cloud, we talk about taking the cloud to the edge to on-prem in many, many cases. The issue is not on-prem or cloud, issue is architecture. What's the biggest problem with network security today?
You know, network security architecture was designed in late eighties, early nineties. At the time, the notion was you get on the network by connecting to the network in your office. Once you're on the network, you're like getting on Highway 80 here. You can reach Miami, New York, or Dallas without hitting a single light. How wonderful. Bad guys can do the same thing. Once you get on the network, the firewall is creating a trusted network, and everything else is untrusted.
This model worked very well when everything was in your data center and your branches connect to the data center, you controlled everything. The biggest change is that your applications are anywhere and everywhere. Users are everywhere. The old model of firewall-based security, you extend your network to every household, every office. Everything is connected to the highway.
Have you been reading about ransomware attacks? Why are they happening? It's all because of firewall-based architecture. You get on the network, you move laterally, you find high-value applications, you encrypt them. The foundation to fix that is Zero Trust Architecture, which says, do the opposite of what firewalls do. Do not connect people to the network. Be a switchboard, like a phone switchboard. What does phone switchboard do? You get connected to party A, party B, party C. That has to be done.
It's unfortunate that with this disruptive architecture, legacy firewall vendors are so worried that they're hijacking a term, they're telling the world, "I got Zero Trust. Well, I got Zero Trust 4.0, 5.0." I understand what they're trying to do to protect themselves, but it is a disservice, because when country and companies need to protect themselves, it creates a false sense of security. I believe that this message will carry on for so long, eventually reality will catch up, and companies with the right architecture will prevail.
Okay, your competitors are saying SASE is about the convergence of security and networking. Zscaler is saying the opposite. Is there some aspect of additional complexity in that you have to go out-of-network to another edge to do the security processing with Zscaler versus where the firewall can provide security within networking as well as, you know, for remote users as well?
Firewalls were never designed to protect users, my friends. They're designed to protect servers. The proxy architecture designed to protect users because the market realized that you must be able to terminate and go. It's the wrong thing to think that firewalls will do user security, okay. Good thing is, firewall guys are adding more and more stuff on the same architecture.
I think in the long run, it won't work. In the old world without cloud, you could ship a box, and it's customer's responsibility to make it work. In the world of cloud, you need to take all this traffic and handle it. There are all kind of issues you need to deal with and when traffic is coming from all kind of locations. You hear us talk about amount of traffic, amount of transactions we're handling.
Around IPO timeframe, Remo and I used to talk about 30 billion transactions we do every day. That was a big number. Today, the number is approaching 300 billion. How do you handle that traffic? Have you heard these legacy vendors talk about traffic? Is it how much of your shelfware as a part of ELA? How much is real traffic for real customer?
No more questions about firewall. Okay, that's it. The transaction is a good segue to the next question. I think Zscaler processes over 270 billion transactions daily through their Zero Trust Exchange, and you're deployed on, you know, millions of clients. How do you see AI changing the threat landscape, and how do you think Zscaler can leverage that data to, you know, be better equipped for this growing opportunity and threat?
You know, for AI ML, data is fundamental. It's about 270 billion-280 billion logs every day. These are not little firewall logs. These are proxy full logs with full information. You need expertise, you need data. AI ML applied to it can figure things out. Now, there's something called network effect or cloud effect.
When you got so much traffic coming to you, AI ML is allowing you actually to analyze the stuff, look for some of the threats you couldn't find otherwise. We are already actually doing some of that. It's giving us far better cybersecurity than most of the other vendors offer. In an appliance-based architecture, you design this thing for each appliance, and then in a batch fashion, you try to bring the traffic back to correlate. Can they do AI ML?
Probably, yes. Do they have the real logs? No. Can they do it in short amount of time? No. These are some of the things that are setting us apart. There are many use cases of AI ML to help our customers. One other example I'll give you is, in the firewall and networking world, you put people on the network, they have access to all kinds of applications.
In the Zero Trust world, you want the right party to access only right applications. You got 50,000 employees, you got 10,000 applications. Which employee should have access to which applications? No one knows. Once they start going through Zscaler architecture, we find the logs. We apply AI ML engine to suggest the customer that these users should access these applications. This is the kind of cool stuff we can do by leveraging all the logs we collect because of our architecture.
Got it. ZIA, that's still the majority of the business. You talked a little earlier about how you're not competing directly with the firewalls. There's still a big sort of replacement opportunity with a lot of the legacy secure web gateway out there. How much of the opportunity is still replacement versus greenfield within ZIA? 'Cause I think Blue Coat, at its peak, had maybe about 20,000 customers or a billion-dollar install base. Is there still a big replacement opportunity there?
I know on the high end, Blue Coat had 85% of Fortune 500 companies. An impressive number that they publicly talked about. Right? That's because they built the best proxy architecture that others couldn't build. I think those customers understand us, they come to us. I do not know exactly how much the market is left, but I can tell you one thing, every quarter, as we close deals, any ZIA deal in my top 30, 40 deals, it's probably 80% comes from Blue Coat replacement and probably a few from McAfee, a few from Cisco. It's the companies who understand the proxy architecture. On the high end, they do very well. I keep on wondering, when will this end? There's a lot of Blue Coat sitting out there still. Some of the biggest banks are still sitting on it.
You know, a couple, you know, a couple data points. If there's 20,000 companies with greater than 2,000 employees, we've got about 2,000 of those companies. Basically, that's 10% penetration, you know, in the market. In addition, related to what we can sell to our installed base, just for ZIA and ZPA, there's a 6x opportunity. In the market size, you know, we look at it as a $72 billion market, both for users, and also for workloads. Huge market opportunity, very early stage, and the ability to sell a lot into our installed base.
A couple other com products I'll mention is, just like we disrupted the user security with ZIA, ZPA, now we have the same technology available for workloads. Workloads eventually will have no firewalls. They go to internet through ZIA, they talk to each other through ZPA technology. That's what we call Zero Trust workloads, big opportunity for us.
Data protection is still an early-stage market. We've got very comprehensive data protection technology, which really requires a proxy architecture. A lot of Symantec WAN products deployed in large enterprises. Now we're beginning to replace them in significant numbers. That's another opportunity. Also the performance, Zscaler Digital Experience designed actually to give you end-to-end performance. We really have no competition in that space, so we have many points of entry, and we can start from one side and expand to other areas.
Important that all those products are on the same stack, ZDX, ZP.
They are all built around the same core platform.
Okay.
If we buy something, we buy a feature, kind of early-stage product, but we are not a kludge of many companies that are bought, and they are on dissimilar platforms.
Got it. We have a few minutes left. Just wanna open it up to the audience for any questions. Anyone? Or do I see a hand raised? Okay, I can continue. I wanna talk a little bit about M&A. Zscaler has just about $2 billion of cash. You just announced an acquisition of Canonic Security. Talk a little bit about that and just your thoughts about buy versus build going forward.
Yeah. Canonic acquisition extends our data protection portfolio to the next level. We've done CASB, we've done SSPM, SaaS Security Posture Management. This is the next leg of cyber, supply chain. If your sales force is integrated with 30 SaaS applications, how safe are they? It's kinda our thought leadership.
We have always done newer stuff long before others, and those are areas we look at. We've done smart acquisition. We did a browser isolation, integrated the platform, made it very easy with a single click deployment. I think you'll keep on seeing us doing smart, selected acquisitions. They're not really done for roll-up or revenues. We're doing them for key technology where we can get to market and save 10-12 months rather than wait.
Got it. Remo, I guess for the last question, I'm gonna have to end it with stock-based compensation. I know a very exciting topic these days. You know, the stock-based compensation for Zscaler did uptick quite a bit last couple of years. I think at its peak, it was about 40% of revenue. Now it's in the 30s, low 30s. How do you see that trending as a percentage of sales over the next couple of years?
Yeah. Can keep on seeing it trending down. You'll see, you know, stock-based compensation, and what happens is that when you're a, you know, a company going public, stock is a big piece or component of your compensation. As you get bigger, you know, for all companies, that declines. It's a natural thing. I would expect stock-based compensation. It was 29% this last quarter. It'll be substantially lower this year versus last year, in fiscal 2023 versus fiscal 2022, and you'll see it continually going down on a year-over-year basis.
All right.
If I may-
Okay, go ahead.
closing comment.
Yeah. Don't wanna end on stock-based compensation.
Architecture always wins. You can go and keep on buying a bunch of companies and win. You've seen the history of how companies with disruptive architecture that executed well, they win. We think we're doing the same kind of stuff.
All right. Thank you very much today, Remo.
Thank you.
Thank you for your time. Thank you, everybody.
Thank you.