Great! Thank you very much for joining us. I'm hosting today, Jay Chaudhry from Zscaler. I prepared a list of questions, and I ask it every session. If you have any question, just raise your hand. We have a mic going on, and I'd love to make it interactive because I'm sure that you have better questions than I have. Jay, first of all, thanks for joining us.
Thank you.
Great to host you here. I wanna start from, kind of the latest and greatest. You had great results, then you reported on some weakness or warned of some weakness, then you pronounced positively and had great results after. What creates this volatility?
You mean, we had lots of strong quarters. Q2 was-
Yeah
somewhat lower than our expectations. Q3 was stronger. The macro environment has been really tight. There's a lot of scrutiny, though cyber is in a much better position than many other segments. If you can do cost consolidation, you're in a good shape. In Q2, some of the larger deals we had, we couldn't get through the business value justification done in the right time, so there was a little weakness in there, but the engagement has been strong, pipeline has been strong in Q3. We refined our go-to-market process, where we engage with C-level sooner. We did more granular, more meaningful ROI, cost savings justifications, and that led to better results. Record pipeline, lots of good engagements, literally no change in competitive point of view. We have very strong technical win, and making sure we get the ROI piece done was the biggest change.
Yeah.
Also, I think that some of the stuff was kinda wrong information spread by some of these funky channel checks always said, for years, we're not a typical box security company sold by lots of ours. We are a transformational player, sold at the C level, CISO level, CTO level, and it's a high-touch sale. The more channel checks you do, the more wrong information you pick up.
Okay.
Right?
Jay, I'm gonna tell you what I'm telling the investors.
Right
from the soldier to the general.
Okay.
Ignore channel checks. They're never accurate.
Yeah, I think you should think about it. If the world is changing, if transformation is happening across the board, don't you think your process of checking things should change, too?
Yeah.
Right? I mean, I tell my company, if we are driving transformation, shouldn't we be transforming all the time? That's what we do.
A few months ago, not long time ago, Gartner put out another Magic Quadrant, and you actually went down in the Magic Quadrant.
Can you take us through, first of all, your response to it, and second, what is happening on the technical part, about your competitiveness and others' competitiveness and competition level in general?
It's all my fault. I should have engaged with Gartner better in a nicer way. Okay. First of all, see, different analyst firms do what they do. To me, the most important check is our customers. Our customer checks are coming from when they are voting with the wallet, buying stuff, growing stuff with us. Gartner does this peer submissions, which is customers actually submit on Gartner's portal in about eight or nine buckets, which vendor do you like for customer satisfaction, technology, and whatnot. This is customer survey results. Zscaler is number one in eight categories, far more than anyone else out there. That's number one. Number two, I do believe I made Gartner unhappy last year by saying that, okay, they had more weightage on CASB, DLP, less on cybersecurity. We think cybersecurity is important. It should get much weightage.
The other areas I think that were not accounted into is resilience, performance, reliability of the cloud, which is fundamental. It's becoming so critical that customers are actually telling me they're not looking at some of these younger private companies because they don't even know if they'll be around, or they can deliver the five nines of availability and all that kind of stuff. Those are important factors, we respect Gartner, we listen to them.
Yeah
... we do what we think is best for the customer.
Elaborate on what you just said. You said that the focus is not on CASB. The focus is on cybersecurity. Assume that the audience here is not a security expert.
Okay.
I'll try... Let's try to explain.
Yep
in kind of plain English. What does it mean?
That's good. Think of security. What Zscaler pioneered was the notion of a switchboard. A user comes to us, we are like an international airport. We check, who are you, where are you going? We're checking your boarding pass, your passport, your visa, and your luggage to make sure the right person gets on the right flight with safe luggage. In that process, we do two things: cyber, make sure nothing bad comes and infects you; data protection, make sure nothing leaks out. Everything bad comes from the internet, everything good leaks to the internet. That's what we do. CASB was created so that there's no oversharing on information from applications such as Salesforce, Office 365, Box, and the like. You could give permission to share a big file at Box or OneDrive to somebody, it can leak out.
That's where CASB came from, by making API calls, not sitting in line. CASB is a good feature. Eight years ago, there were 100 CASB companies. They're all gone away, or sold, or died. Why? It's a feature. If they are left out, they're trying to pivot. To pivot from feature to a platform to take all traffic and handle it, is not a trivial task at all. Sometimes customers confuse between CASB and DLP. CASB is one feature of DLP, data is not lost. Data gets lost to the internet quite often, and someone like Zscaler, who is sitting in line, is actually doing DLP. The biggest deployments of DLP in the market, in large customers, where we do very well, is Symantec one, two. We are replacing that.
In the past three, four years, we have made our DLP offering extremely strong. DLP is getting bigger and broader, and we have positioned ourselves very well. We've done some acquisition in the space as well. We have made investment to make our CASB offering strong as well.
Did I answer the question?
Absolutely. If there is any question from the audience, again, about this topic, it's important, please raise your hand. The other question I have for you is, when you look at ZIA, ZPA, your kind of core products in the market, one of them secures your applications in your data centers. One of them secures someone else's application in the cloud.
There is a third market, which is called CNAPP, or it secures your application in the public cloud.
Where are you in this market? Your competitor, Palo Alto, is having two products, you know, Prisma Access, Prisma Cloud, for these two markets. Where are you in the journey into securing your applications?
Yeah
in someone else's cloud?
Good question. Just rephrasing it. ZIA says, when you access internet or SaaS application, you do it safely, securely, without getting compromised, without losing any data. Zscaler Private Access says, when you access applications, either in your data center or in Azure, AWS, wherever, you do them safely, without needing VPN, without being on the network. CNAPP, in our view, is part of protecting the cloud workloads. When you have workloads, you need two types of security. One is communication security. Workloads are like users in many ways. They talk to internet, they talk to other workloads. We took ZIA and ZPA, which are designed for users, and adapted to ZIA for workloads, ZPA for workloads, so all the communication is done safely. This is a very great innovation because the only competition in that communication area is legacy firewalls, nothing else.
We are the only disruptive solution. This is about communication because that's how you can get infected or lose. CNAPP is about really protecting workloads, call it at rest, through APIs. When workloads are created, you need to worry about a few things, configurations first. Maybe I'll give you an analogy. If I go to a massive hotel or conference room, somebody needs to make sure different doors and windows and all the stuff is closed and open based on the use of that big conference halls. If you leave them open, that's a security risk. That's called misconfiguration for workloads. Workloads need to be configured properly. How do you check them? It's hard. You have a piece of software called CSPM to check these misconfigurations. The second piece to ensure your workloads are secure is permissions.
Taking the example of this big conference hall, if there are 5,000 guests going, some guests are allowed to go to certain floors, some guests are allowed to go to certain rooms. You must do that properly for security reasons. Similarly, if you got 3,000 users, some of them are allowed certain permissions, some are allowed more, some are allowed less. There's another piece called CIEM, for permissions and all. That's an API-based. We did two acquisitions, brought them together, we have a CNAPP offering. While there's a big barrier to entry to do inline communication that we do with ZIA, ZPA, CNAPP is somewhat like CASB. It's done by making API calls. There's not a big barrier to entry with API calls. We believe that the vendors will do well in CNAPP, who get integrated with workload communication.
Our highly differentiated workload communication, combined with CNAPP, offers us a good opportunity. We will not lead with CNAPP, so your channel checks may not show Zscaler competing with CNAPP, but we are off selling CNAPP with our workload communication as a solution for protecting workloads.
Palo Alto made seven acquisitions in the CNAPP world in order to make their product more complete. The process in CNAPP always starts in the developer community. We, yesterday, we had someone, the ex-Google, that said, "There are 1,000 crème de la crème, best of the best security executives at Google, security professionals at Google, but there are 40,000 developers." Even if you have the best security professionals, the risk is coming from the 40,000 developers who introduce risk to the network through development.
Yeah.
The question is, when you think about what's called shift left, and you think about security that needs to start in the DevOps environment, in the development environment,
Mm-hmm.
Where is Zscaler in this concept of developer all the way to the cloud?
Yeah, it's a fairly complicated area to handle, okay?
Yeah.
Where we come in, security typically has come in on the operational side to make sure things don't get compromised. Yes, we have to worry more and more on the development side. It's very hard to see a company that's selling to operational people to selling to developer people. We are moving left slowly. I do think that it'll be a challenge for any company to say, "I'm going to become a developer company." There are companies that start on the developer side. They have the core competency, they understand it, they work with them, and I think they'll do well in the long run. They are trying to move right, company like us are trying to move left. I think there'll be a right balance somewhere.
CNAPP, we offer, is used by developers in certain stages, but doing some of the container-level development security there is far more complicated.
Right
... than doing an acquisition of a company and say, "I got the answer." You know, one has to worry about, do you spread yourself too thin, like some of these private companies do? They copy Zscaler and say, "We got everything Zscaler has." Okay. Or you need to say, "I need to expand my platform, but to a degree where I'm wide enough, but I'm deep enough." We believe in being wide and deep. I'd rather not spread all the way across and have 3% market share in each area. I would have six things to offer with 25% market share than 12 things to offer with 5% market share. We are moving shift left.
We are taking advantage of it, but I can tell you that the market opportunity we have with the current customer base, without even succeeding in shift left, is 6x of the ARR we have today.
There are certain bets you make. You expand, but that's not my mission-critical area. Similarly, when people talk about: Are you going to expand down market? How big, how not, right? The dialogue I had with David Schneider, who was a CRO of ServiceNow about six years ago, I said, "David, you've done this journey. You are a good role model for us. I want to learn from you." One of the things I said, "Hey, I only have," at that time, "2,500 customers." Some of these firewall and low-end companies like Barracuda, they talk about 150,000, 200,000.
How do you get to that big number that's so massive? He said, "Do you care about number of customers, or do you care about ARR?" I said, "Both." He said, "No, pick one." I said, "ARR." We are focused on ARR growth. We have plenty of opportunity in the key adjacent markets we have, and we're executing pretty well.
Got it. Great. I'm gonna take a pause for a second with technology discussion, talk about the environment, and then go back to technology because I wanna hear.
That's good.
-your strategies.
Of course.
How is the environment? Meaning, we are getting mixed views from companies. On one hand, forget the accounting, but they're talking about the weakening environment. On the other hand, Palo Alto and yourself, you had good quarters.
Where are we in the journey of deploying SASE, in the journey of deploying the other products in, when it comes to actual trends right now in the market or as of the last reported quarter?
Yeah. First of all, you're seeing us selling bigger and bigger bundles. You're seeing us doing consolidation. Consolidation is happening. It's real. Zscaler for Users is the bundle we introduced some 12 to 18 months ago, which actually has ZIA, ZPA, ZDX, all three key areas for users, and that bundle has exceeded our internal expectations, which is kinda says this is what it is. It also tells you what I used to say years ago, that we believe every user will be using from a given customer, ZIA, ZPA, ZDX. We're seeing that stuff happening. Consolidation is happening out there. That's point number one. Point number two, there is scrutiny in the market. Scrutiny is not going away. If I could do business value justification a year ago, where I did it year one, year two, year three, that's no longer sufficient.
The CFO now wants to say Q1, Q2, Q3, Q4, and what products are you replacing and how much money am I saving? It's there, and cyber remains an important part of it. Also, if you engage at the C level, you have a better chance of getting your project approved and done, or and if you're selling at a lower level, because the lower-level stuff may not even make it to the CIO. The challenge we face is generally we are engaged at the CIO level to make sure CFO gets approved. I think we feel good about the market. I mean, as we are sitting out there, we have a record pipeline. We had to become probably more thorough in engaging with the customer, better job.
Let's put it this way: We have to work harder and smarter in today's environment to do this, a given amount of ACV than we did a year ago. Okay, the competition has become better in some ways. A lot of riffraff has gone away. 15 months ago, one new startup of, "I got this little shiny toy," that stuff is going away. For the private companies are struggling, too. The customers have asked mission criticality of applications. It's interesting, one CIO talked to me several months ago, he said, "Jay, congratulations.
You are now selected as one of the five strategic vendors, partners for us." He said, "I had to work hard for it." I said, "What do you mean?" He said, "In a large company like ours, our spend has to be $50 million per year to be a strategic vendor, and you guys are way below that." He smiled, and he said, "I'm not sure you should feel good about it or bad about it, but it tells you how strategic we are." Another CIO told me, "You are more strategic than Microsoft 365, because that's only one area. You are more strategic." Really, for someone to come from a private company to build a platform, because people are buying platform for consolidation, and deliver resilience, five nines availability, and be a viable vendor in the long run, is not a trivial task.
Yesterday, we had here, same seat, we had the CEO of SentinelOne, when I asked him about the environment, he had some colorful words to describe the environment, which I'm not gonna repeat. I'll only say in a nice way that he said that the environment is tough, and pricing competition is getting tougher even. Is it only for endpoints, or do you see it also in your own market, that competitors are becoming maybe desperate or maybe more aggressive, and pricing is coming down?
This is what we're seeing. We are getting technology win based on architecture, and we get a clear win because our architecture is very good. There's a pressure on pricing from us from procurement. Okay? Generally, we don't have a pressure directly coming from competitive products. I have seen many situations where the customer said, "This vendor was here to offer a third of the cost or half the cost, but this is a mission-critical application for me. I'm not trying to save a few dollars to take a risk." We don't really feel a whole lot of competitive pricing pressure, though they do get used from time to time, but we do feel pressure from procurement to negotiate. What that's leading us is deals are getting more back-end loaded. They know when the quarter end is.
That part is happening out there, and that's resulting in sometimes doing more ramp deals. We want to fit in the budget, at the same time, we want to charge for value, 'cause we do deliver a lot of value, and sometimes it changes payment terms. There's pressure. I think we're doing pretty good.
Got it. Great. I wanna touch on another concept that is driving the industry and get your take on it, the concept of zero trust. What does it mean? For those who don't understand the concept, if you can, we can start with, what does it mean practically? When someone says, "I wanna adhere to zero trust, I wanna be part of zero trust." When a customer says it, what does it mean? Then what does it mean for Zscaler?
Yep.
How do you help customers to be part of zero trust?
It's unfortunate that Zero Trust, such a great concept, has been hijacked, and really, it has lost its meaning. I'm not surprised, because when a new technology comes, and it's disrupting incumbents, they're bound to respond, to do whatever they can do, so they don't get disrupted. I was in Washington, D.C., yesterday. I met with the Defense Department executive, he said, "You know, this crazy Zero Trust thing, we understand Zscaler actually is the real trust, some of the legacy is being mixed around all the time, we are getting delayed to roll out Zero Trust." It is interesting as to see the frustration on this IT leader. Even he feels it. What is Zero Trust? It starts with trust no one by default. Give minimum access to what people need to know.
Here's the best simple example. If I come to see you at your headquarters as a visitor, they're gonna stop me at the reception, check my ID, give me a badge. There are two options. Option one, "Jay, go to seventh floor, room 23. That's where meeting is." I can go and wander around any hallway, any open rooms, and snoop around, and not even go to a meeting room and leave. That's how network security works. Once you get on the network by being in the office or by doing a remote access VPN, you can see all kind of stuff out there and do lots of damage, do lateral movement. That's how most ransomware attacks happen. That's what a firewall and VPN enables. How can you make them zero trust? You can't. What is zero trust in my metaphor?
They stop me at the reception, they check my ID, they give me a badge, and they say, "Yes, stop. You'll be escorted to the meeting room and meeting room only. You don't even need to know what the meeting room is. Your meeting happens, you get walked, escorted out." One to one. If you think of zero trust as a switchboard, a user comes to us, we validate identity as the starting point of zero trust. Who are you? We can do device check, posture check, the second piece of zero trust, that's where endpoint comes in. Then the policy engine that actually makes the one-to-one connection, that's what we do. That's the core part of zero trust. Can you really make a firewall VPN zero trust? Absolutely not. Can you claim and try to spread misinformation?... obviously, because that's part of his job.
It's unfortunate. The reason we are winning the biggest, the big deals, because those people understand it. They are less misguided by it. I mean, last quarter, no, maybe in Q2, we announced a large banking deal, one of the largest firewall customer. Okay. When it came to user protection, the bank said, "I love your firewalls for my data center servers, but when it comes to protecting users, you need a proxy architecture, a multi-tenant architecture, and with lots of traffic so you can see what's out there." 300 billion transactions a day, we are seeing all kind of threats out there with such a large volume. Once we see one issue with one customer, we protect the customer and apply that same protection for all of our customers.
Those are the type of things that really set us apart, and zero trust won't be built overnight. I had one vendor say: "Oh, yeah, we are going to build proxy." It's not a piece of cake you put in the oven and pick it up in a few hours, okay? It takes years and years to figure out how to do a proxy architecture, where you terminate connection, you inspect the stuff, and you reinitiate the connection without introducing latency. That's why if you look in the market so far, there are only two proxy architectures that work very well. Blue Coat was the best on-prem single-tenant proxy. At one time, they had 85% of Fortune 500 companies, and we built proxy over the past dozen-plus years that works well.
Got it. We only have a few minutes left, and I want to go back to something you said. I hosted yesterday a panel on data security.
One of the panelists was from a company, small company, very small company, that is doing SASE, and he said, I'll just repeat what he said, and I want your comment on it. He said, "The existing players, such as Palo Alto and Zscaler, are doing more than networking piece of SASE, meaning they're replacing VPN, they're replacing MPLS lines. However, we," him, "we're doing more data protection. We are not only enabling the connection, but we're also enabling that the right data is getting to the right place."
You touched on DLP. Can you talk about SASE in the context of data protection, how important it is, and what are you doing in this space?
I think that that statement is untrue. Okay, first of all, yes, we are the switchboard. We connect party to party without caring about the network. Network is simply the transfer and the plumbing, so we end up disrupting the network. There's also, we do data at rest as well. Data at rest gets done by technology such as CASB. For SaaS application, the CNAPP part is really data at rest because we are making sure workloads are not misconfigured. About a quarter ago, we announced our endpoint DLP, where data sitting on the endpoint gets secured. Our customers are saying, "I need one DLP policy.
It's that hard. I need to apply that policy for data in motion or data at rest, whether it's sitting in a factory or in data center or sitting on an endpoint. That's holistically what we do, and we've done a couple of acquisitions. Endpoint was a small acquisition that gave us acceleration. Our customers aren't looking for buying small point products. I think what you're going to see, security will keep on having a bunch of startups, but by and large, almost all of them will be bought because they aren't in a place to create a platform.
Got it. One last topic before we let you go. Fortinet yesterday also addressed the area of SASE. They're coming from a different area, and what they said, they said, "You cannot do SASE only in a virtual way. You have to have, in certain cases, an appliance. It's not just about a client, but an appliance, because some deployments need an appliance," and that's how they define their advantage over Zscaler. What's your response to that?
I think it's partially right.
Okay.
Look, we listen, we learn, we adapt. We don't do things that are wrong. For example, we haven't done SD-WAN. That's route table and all, because that enables lateral movement. My big thing, diff with Gartner is, when they say SASE means SD-WAN and SSE, and say SD-WAN is anti-zero trust. That's a good point. I think SD-WAN is a transitional technology. It'll go away. We are gonna be sitting here in two, three years and say, "Jay, you were right, because you need every branch to become like Starbucks." I have been wrong a few times. I was wrong when I said, "I don't want any software sitting on the endpoint, because I wanted software-free stuff." We ended up bringing a Client Connector to make it easy to handle traffic. We got 45 million of those Client Connectors sitting on endpoints.
Yes, to send traffic from the branch, we have talked about a software piece of VM that sends the traffic. Our customers are asking us to say, "Can you provide me something that drop ship can do Zero Trust SD-WAN?" I think we're looking at it. Yeah, I may be wrong there, too, and say, we'll shift course, and we'll help and do what customers want. Our focus is delivering value in a new, better way and not do the old way because some of these old technologies create security risk.
Great. With that, thank you very much. We ran out of time. Always a pleasure to host you.
Hal, thank you.
Thank you.
Great!