Good morning, everyone in the room. Good morning and afternoon to those of you joining us on the webcast. My name is Bill Choi. I'm the Head of Investor Relations and Strategic Finance at Zscaler. This event, Zenith Live 2023 conference, this is our second day. For the past 2 days, we've had exciting keynotes and breakout sessions talking about our latest innovations. With this investor briefing, we are going to be focused on the technology aspects of it. What are some of the latest innovations, how our customers leverage them, and also how we partner with our customers in our engagement process. As you know, 2 weeks ago, we did have our Q3 financial earnings report. This won't be a financial-centric briefing. If you look at our agenda, it is 2 hours.
We break it up into two segments. The first one will be focused on solutions, and the second hour will be focused on our customers, and go-to-market. We'll have two dedicated Q&A sessions, so I'm going to be asking you to hold your questions until we get to those times. Before we get started, I want to remind you that we'll be making forward-looking statements, and these statements, are not guarantees of future, not guarantees of future performance, but rather are subject to risks and uncertainties. If you could take a moment to take a look at our safe harbor statement, and then we'll get started. Now I'll turn the session over to our Founder, Chairman, and CEO, Jay Chaudhry.
All right. Thanks, Bill. Hopefully, most of you had a chance to listen to our keynotes. If you have been able to listen to a number of keynotes, raise your hands. Okay, well, maybe I don't have to talk much. All right? We covered a lot of stuff during those sessions. I'll give you a big picture view overall. Summary of key points, I think what you learned, right? Scale matters, reliability matters, resilience matters. We are essentially the switchboard that enables all safe, secure, fast communication. Reliability, in addition to scalability, is fundamental, and that's what we have been pioneering. That's what we pioneer. It's a big barrier to entry. As someone said, there's no compression algorithm for years and years of cloud experience in managing and running the cloud. Even then, the expansion of the platform, right?
You saw Zero Trust, the user is only one piece. The big workload is becoming a very important piece. IoT/OT is more for subset of companies, but B2B, we believe, will be massive, and we are making good progress in that area as well. We'll talk a little more about AI/ML. Hopefully, you saw the keynote on AI/ML, and Syam will give you a little deeper view of it. Part of the reason for Syam to come and join us is part of his experience in large clouds, AI, ML, and related information. You'll hear that the data matters, the users matter, and we have both of that far more than anybody else out there. You've seen innovations across the whole thing. You saw the innovations we talked about, cyber to data protection to connectivity, all areas.
It's not gonna slow down. You'll see innovations accelerating. If you look back five years ago when we had just gone public, you looked at the platform we had versus the platform we have today, is day and night difference. You can only imagine the next five years. It won't be what we did in the past five years. You would expect with the kind of resources we have, the size we have, it'll be multifold bigger than the past five years of change we had. Go-to-market, we always have had different go-to-market motion and strategic engagements, customer engagement, C-level, architectural level discussion, properly backed up by business value assessment. The skills that we've built, that's helping us. We believe it'll keep on helping us.
I also am very mindful of the fact that as companies grow from nothing to a few hundred million dollars and few hundred million dollars to a few billion, then multi-billion, you need to make sure you have the leadership team that can step up and do the stuff. You've seen us up-leveling and bringing seasoned leaders along the way, every year or 2. That's fundamental to us, and I believe we're doing a good job in that area. You've seen the platform slide. The couple of key points here is, while users has been our starting point, and users with ZIA to then ZPA to ZDX, even users is not the 1 piece, the 3 big pieces underneath. Now the same core technology, same core engine, same core switchboard.
is powering workload, IoT, OT, and B2B, because we're designed for that Zero Trust world, connecting known party to known parties. The extension you're seeing on two sides of them, main thing is really on the Posture Control cloud side. This is securing data at rest, sitting in SaaS applications or public cloud, or endpoint of where we are. That's important piece because it rounds out the overall picture. On the right side, that's new focus for us. We have been dabbling and learning in this area, and the interest and from customers is massive. With this massive cloud, we can do things that nobody can do out there, and we'll touch base on some of the critical data we have. You saw a few examples of things we did. Risk360, very exciting. When we think of, there are many companies that talk about risk.
They come up with these cool, sophisticated models, there's no data underneath. The only data companies have for risk out there today is outside in. What can they see from the internet? BitSight Security Score, all these guys can say, "What can I see if I scan?" That's one piece of it, the rest of the data sits with communication logs that we have. Very exciting area from AI cloud point of view. The network effect has been useful in many things. We have been doing network effect for detecting threats for our customers big time.
I was talking to a customer a couple of weeks ago. They had not turned on SSL inspection for a big chunk of traffic, only limited traffic, and said, "Why aren't you doing it?" He said, "Yeah, my team has been slow, Europe and all that stuff." He saw the number of threats we are blocking. He said, "What? How are you blocking such a large number of threats when 95% of traffic is not, is SSL?" Because we're seeing the whole world, we are able to actually help other customers. This network effect is massive. These are massive numbers that give us far better detection and prevention capabilities. The same thing is going to feed into the AI ML engine that we'll talk about, okay?
With that, let me bring Syam Nair, our new CTO here, to share his perspective. Syam.
Thank you, Jay.
Great.
I'm relatively new, joined recently, so I'll tell a story from my standpoint of why it's exciting for Zscaler, especially in cloud scale, and AI, and ML. Like, everybody's talking about AI, ML these days. I'm sure every customer you talk to, every customer I talk to, they're all looking at, "How can we leverage AI, ML technology safely and securely?" Zscaler's opportunity, in my view, comes in, wrongly, two different areas. One is being that zero trust platform, so that we can actually, based on what Jay talked about, we can actually communicate, look at the logs, and help the customers from data leak, data loss protection. As an example, not a lot of people think about what goes into a prompt these days. When you actually write something into a prompt, it's contextual data.
In many cases, it includes IP, information of what that business is about. How can we actually protect such that these kind of leaks don't happen in the world of AI and ML? Instead of being a blocker, it's about being an enabler, so that people can use AI and ML, really, enable it, leverage it, and go with the advancements of generative AI. Why can Zscaler do it really well? With the Zero Trust Exchange, as Jay was mentioning, we have about 300 billion transactions by day that goes into the system. I call it a data fabric, a fabric where structured data, unstructured data, as well as data metadata within the URL, that we can correlate together and form intelligence and information on top of it.
This cloud-scale data fabric enables a lot more of domain expert generative AI models, as well as AI models on top of it, like predictive analytics, business transformation, functionality that we can provide, risk management. These are few of the scenarios. If those of you who have been following the AI world, this is not new, right? It has been in the industry. A lot of these AI advancements have been because users, data, and more value. You have more users, you get more data. You have more data, you can deliver more value. If you deliver more value, it actually creates that network effect again. With the advancements of generative AI, it opens up a lot more capabilities, especially for people, for vendors or for businesses that actually have this data, as well as the users.
We have been looking at our platform at cloud scale. We almost grow like double within 18 months in terms of the number of transactions that go through our system. We are preparing ourself for 10x scale. To prepare ourself for 10x scale, we ourself are leveraging a lot of the AI/ML capabilities, whether it is in terms of how we operate our cloud. Large-scale cloud operations itself require AI/ML from an operational standpoint. Whether it is in terms of how we make sure that we can provide that 100% availability, reliability, and a resilient platform for all the customers.
These two things together, the 10x scale of a cloud, as well as the data that we have and the AI, ML investments we make, makes it very compelling for us to be the leaders in providing the zero trust platform for AI, ML use cases for the customers. With that, I'll invite Patrick, who is our Chief Innovation Officer, to talk about some of the advancements we have actually made in AI/ML.
Thanks, Syam. Thank you. Good morning, everyone. Two points. Some of these are themes you would have heard yesterday in the keynote, I wanted to emphasize it. We've been leveraging AI and ML on our platform for over five years now. There's a lot of different areas that's been sprinkled throughout the entire platform and made really meaningful gains. At the bottom, there's some core technology stacks that we've also been investing in heavily that is leading a lot of the innovation that you're seeing us talk about today. I made the statement yesterday that I think AI is changing everything, has the potential to change everything. We have seen this story play out before, though, in two different ways. We've seen it in the mobile, you know, the introduction to mobile into the enterprise.
We've seen it in software as a service. We've seen it in infrastructure as a service. The one thing that we think is a little different about AI is that the risks this time are much, much higher, and I put some examples there on the right on what those risks are. Syam just mentioned, we see the potential for data loss happening, where organizations want to enable AI, but they don't want to become at risk by doing so. You can't be so draconian and just say, "Block it." You may not even be aware of how it's being introduced, because there's thousands of applications that are embedding AI technology in their core, and you may not even know that it's going to a large language model. We see intellectual property being a challenge.
We see false and fake content also being a big challenge. I gave a good example of that yesterday in the keynote. We've broken up how we are looking at this problem into 3 buckets. We think there's 3 ways that we can enhance what it is that we do by leveraging some of these new innovations. The, the first one is under enable. We want to, like Syam and I both said, we want to enable organizations to embrace this, but in a safe way, without putting themselves at risk. We see a lot of room to innovate, and that could be enhancing what we do already, our existing offerings, as well as bring out new products to market. We also see that there's a groundswell to be able to do radical transformation, just like you've seen...
Chatbots have existed for many, many years. Obviously now with advents of things like ChatGPT and large language model technology, it's gonna make revolutionary changes. We think we can do the same in our domain, in the, particularly in a couple areas, in the areas of security efficacy as well as operational insight. You've seen us talk at the conference about a couple, a lot of AI innovations. I wanted to highlight three that are good examples of all three of these buckets. The first one is the Breach Predictor. You would have seen a good demo of this yesterday. It is leveraging the capability that we have that is pretty unique, because to do things like breach prediction, anytime you're applying or training an AI model, the data in which you train it with is what matters most.
Everyone in the domain will have chatbots. Everyone in the domain will have large language models that they can bring to market. Very few organizations or companies or services like ours have the ability to have insight to logs. You've heard the 300 billion transactions a day happening all the time, but those logs that we have visibility to are not limited. They're not short, they're not abbreviated. They're full fidelity in a way, meaning we're logging every transaction a user has to from the internet, whether it's a threat or a breach or not. It could be purely operational, because we've. Our platform is much wider than that. That is a data set that will give us a pretty unfair advantage, I would say, in being able to do things like predicting breaches before they happen.
We, we also talked about what we're calling Zscaler Navigator, which is leveraging these conversational interfaces to be able to make answers come out of the platform easier and more approachable for customers. Then we also showed off Multi-Modal DLP, which is taking DLP to the next level. Being able to do things like searching for data leaking out in the form of videos or in the same way that you're familiar with ChatGPT, being able to summarize large amounts of information, we think the same thing can happen in how you prevent data from leaking out of your organization. I won't spend a lot of time on the breach prediction to keep us on time. With that, I'd like to hand it over to Steve House to go over some other innovations in the platform. Thank you.
Thank you, Patrick. I'm gonna focus in on two areas to go a little bit deeper. Data protection first, and then I'll move on to the Zero Trust connectivity. You would have heard in the keynotes, when we think about data protection, we want a comprehensive, unified story, set of technologies that cross everything that is Zscaler. You set up your dictionaries, your engines, you use the data classification. All of that happens one time and gets put into all of the different channels where your data could get lost. This includes things that are in the cloud, exposed to the public.
You wanna make sure your posture is set up correctly, you don't have things open to the public that have that sensitive data in it, and it also includes how that data can go in motion out of your control. When we think about the how does that get out of control, we've had inline DLP for many years. That's how we block the content trying to leave to the web. We talked about today adding data protection on the endpoint, which is available, has been for a little bit, as well as in email, because you can SSL decrypt most email now.
Four or five years ago, it was a lot of legacy protocols you couldn't see inside that were wrapped in a, in a SSL wrapper, but now MAPI inside of HTTPS or Outlook Web Access, you can open up and you can see that traffic. It's trickier than just seeing whether it's sensitive data or not, because most email is sent from one person in a company to another person in a company. That's allowed, even though it's sensitive. What we've added is the ability to put policy around who that email is getting sent to. Is it leaving the company? Is it to an approved organization? Now you can only block the things that are trying to leave your environment, as opposed to just being sent through a web interface.
For CNAPP, a new innovation we talked about is connecting that up, not just the posture and the entitlements and the infrastructures code and vulnerability management, but also knowing where those problems also exist with your sensitive data. Integrating in the full data protection is important because it's a much higher priority if your misconfigured workload has sensitive data on it. Then taking it one step further, which is something that no one else on the CNAPP side would be able to do, is what paths do those workloads have? Can those workloads talk to other workloads? Maybe it doesn't have sensitive data on it, but it has an authorized path to talk to your workloads with your crown jewels on it.
That makes a misconfiguration there a much higher priority because even though it didn't have the sensitive data, it talks to things that do. We've also added the ability to scan your containers and your virtual machines to find your sensitive data there as well, and apply policy of where that data is allowed to move. This idea of having that unified data protection across everywhere where your data might live is really important and something that will continue to differentiate us. Switching on to the zero-trust connectivity, Jay spent a lot of time in the keynote talking about what really matters, but this kind of sums up those four key principles, are that, one, applications are the destination, not the network. You don't put people onto the network, you don't put workloads onto another network, you don't put your things onto another network.
You make a connection from a resource to a resource. They never get an IP address on the other side of that. Two, networks become really just about the transport. You don't spend your time securing that network. That whole concept of NAC and securing your branch office shouldn't matter if your office is Zero Trust and your sensitive data isn't there. Treat it just like as Naresh said today, a Starbucks-like experience. You don't try to secure a Starbucks. Even if you've got a WeWork, where you've got 10 salespeople, you don't try to secure a WeWork. Why are you trying to secure one that you happen to have the lease on that property, where your people come to get a high-speed network connection and collaborate with their coworkers?
Three, I already mentioned, you connect to specific apps, not to the networks. Four, even though the networking is there, it's plumbed, just because you're on a network, you shouldn't be able to move around it. You shouldn't be able to Nmap scan, and discover the rest of the nodes, move laterally and find other things. Again, you are granting that authorization from one resource to another resource. Now that applies in the client world. We've had that for many years with Client Connector doing zero-trust connectivity to your applications. We've had Cloud Connector now for just about 2 years, which brought those zero-trust principles into your cloud workload environments, so you don't have to plumb those together with firewalls and IPsec connections, where you're poking lots of holes, but still allowing that lateral movement.
Today, the big announcement or this event, the big announcement was introducing that into the branch office with our Branch Connector. When you look at what is the sweet spot for this, we break it down. We talk to lots of very large enterprises. Often, they have thousands of locations, and they say, "Well, some are really small. They're just our sales office. There's no data there's no printers there's no IoT." All you need there is Client Connector. You just put it on all your machines, it secures your traffic out to the internet and provides zero trust access to the applications they're authorized to utilize for their internal apps. The medium-sized branches are where it gets interesting, where there is some infrastructure.
It could be printers, badge readers, security cameras, OT manufacturing lines, various things that you can never load an agent on, but they still either need to communicate out to the internet. Maybe it's telemetry, software updates, whatever that might be, or back to your data center. Maybe your security camera feed goes to something into a headquarters site. How do you take that branch off the routable network, which is how all that traffic got where it needed to go before, and get it to those devices, or get it to those applications that it needs to be there. That's where Branch Connector comes in, with its ability to take any traffic that's trying to exit that branch and make a smart decision.
If it's going to the internet, it goes through Zscaler and Internet Access, gets the right policy applied, logging, everything you get there when you're securing it to the internet. When it's trying to talk to something that's your application, either in your data center or in AWS or the cloud, it asks for authorization first. If it's authorized, 2 outbound connections that meet in the middle, that stitch together a zero trust connection without ever putting that television set onto your data center network, where it was communicating back to you or whatever that might be.
Then the third type of office is really about the large campus factory environments that still need, you know, high-speed MPLS WANs, some sophisticated path selection, where you want to send this traffic over the MPLS and other traffic, maybe over an IPsec, where those kind of more high scale, high sophisticated requirements are. That's not the sweet spot for Branch Connector today. It's really meant for those internet-only sites, which more and more people are moving larger and larger branches that direction, so over time, that market gets bigger. As Branch Connector evolves, we'll do more of the things that allow us to succeed in the large campus environment as well.
I don't know if I need to spend a lot of time on this, but this sort of just highlights the two different philosophies around building up your branch office environment. One is by having that complex, routable environment, where you're trying to manage how traffic is sent around path versus path. Obviously, when you've got the routable network, you have the ability to move lateral, laterally, which means your attack surface is larger, and the blast radius, if something happens, is potentially more significant. Like we do in, you know, when users were remote and with a cloud, now at the branch, you can do the same idea to have a true Zero Trust branch that is disconnected.
People are really excited about how easy it is to bring up a new branch without thinking about circuits and how to connect it. You drop it in, it connects up, and I don't have to secure it in the way I did in the old world. Then the last piece of it is, from an availability standpoint, the virtual machines available today. We've got people using it in production. We talked about that in the keynote this morning, and we showed off the new hardware appliance that we're working on that's in early access. You know, we'll give you more details on that as that gets ready for general availability. With that is it for my section. Bill?
Yeah. Now I'll invite all of our speakers up to the podium to begin our dedicated Q&A session. We'll have two mics in the room, so for those of you, if you could raise your hand, and we'll get to you. Since we are webcasting this session, if you could wait until the mic gets to you. It will also be helpful if you identify yourself and your firm.
Hey, Jay, it's Joel Fishbein from Truist. Thank you for doing this, and thank you all for the detailed information. Jay, great. A lot of new products. Two questions. Number one, can you give us an indication of how this fits into your current pricing scheme, some of these new products, number one? I guess along the same lines, are some of these products more aligned with a consumption-based model than a subscription-based model? That would be my question. Thanks.
Good. First of all, you saw lots and lots of functionality come out. Traditionally, what we do is lots of features go in our existing products, but some new big rocks. For example, Risk360 is a big, new thing. There'll be SKU of its own. There'll be products that are SKUs, and we charge for them, others that are part of the same bundle, others, they become part of the bundle, but they also help us justify higher and better price. Sorry.
Thank you.
Okay. They help us justify better price, so it'll be combination of all. New, some bundled, some help us increase the overall bundle price. You'll hear more about it as time goes on. Some of these new, we test with the customers early on for a few quarters before we really start finalizing some of those numbers. The question on consumption-based versus user-based or unit-based, so to speak, a lot of stuff, our customers has been a number of users based. Workloads is largely units based, but there's also a piece of consumption-based as ephemeral workloads are coming in and going around. You'll see some combination evolving. It won't be a pure model. Take a B2B area where we have suppliers and customers coming and accessing applications through our cloud. In that case, you can't really do user-based.
Some of them will come once a month, twice a month, every day, so that becomes consumption-based. We'll do the right thing based on what makes sense for the customer.
Okay, next question, Trevor?
Great, thanks. Trevor Walsh, JMP. Maybe around some of the AI announcements. It seemed like from an outsider's view, that the product kind of split between AI focused on threat protection versus more enabling users just within the platform seemed fairly balanced. I would imagine that might not be the case when you look under the hood in terms of AI R&D resources to make that all happen. If you could maybe just tell us a little bit about how making those two different buckets, again, kind of works out in terms of from an engineering and getting them kind of to market, that would be helpful.
On the, enabling users within the platform, how much of an accelerant to hitting more downmarket accounts might that kind of actually kinda yield in terms of the, you know, again, having AI to help users just from a platform?
I'll start, Syam or Patrick can add to it. If you look at the buckets of AI/ML, it has been influencing many areas. Threat detection has been getting better and better, that's incremental. Things like Breach Predictor is very new, very different, and disruptive. You'll see some of the totally new stuff powered by AI/ML, while existing stuff getting better. It's you're not gonna see that everything that touches AI is a new SKU with a new price. It is part of existing products. It'll get better, new products are coming along as well. That's one. Two, it does impact all areas. It is impacting cyber protection area, playing a big role in data protection area. Things like ZDX was, from day one, powered by AI/ML, big model, all that stuff, that's part of it.
In addition, it is also making the user product simpler and easier, so it actually makes it easier to go downstream. The copilot kind of announcement you're seeing from most vendors like Microsoft, they are actually to simplify the stuff. That's no rocket science. Every company will do some of those automation and simplification, we are doing it as well.
Yeah. I think I can add to that, in the context of the architecture itself, think about this as one common data fabric, there are inline data that we collect into compressed logs, there are data that we collect from other form, which comes from other sources, they're all on the same platform. It's more about what data do you train on for specific use cases. Architecturally, it is a very cohesive platform, a cohesive data fabric, on top of which we can provide this different training and different models. Some of them will be customer-specific in terms of, like, Risk360. Some of them, which are more cybersecurity-related, would be much more, would be using much more bigger models.
Hi, team. It's Keith Bachman from Bank of Montreal. Thanks very much for doing this. I'm gonna do two simultaneous or two connected. Jay, maybe for you, the first one is just if you could talk about the Multi-Modal DLP, what are you adding to your DLP solution? It sounds like it's capturing more media, if you will, but I'm just hoping you could broaden it out to how you think it enhances your competitive positioning as it relates to DLP more broadly. The second is you're introducing, you've had cloud, you had a client, and now you're introducing branch as a new solution set. I was just wondering if you could talk philosophically about expectations associated with that, because you've had branches connecting for some time using your technology already.
It's been a wonderful solution. What should we investors be thinking about the opportunity set with Branch specifically?
I'll start with the second, then Patrick will take the multimodal questions.
Sure.
Branches. Before Zscaler, branches will go back, everything will go back to the data center, all traffic on MPLS, that is 1. 2, even when SD-WAN came, before Zscaler, SD-WAN will still take all the traffic back on a cheaper transport internet. When Zscaler came and we said, with ZIA, our first product, internet access, peel off all the traffic at each branch and send it over broadband or whatever connection to Zscaler data center. You would be surprised that the amount of traffic that a user creates, the one going to your data centers and private applications, is actually only about 20%-25%. Most of the traffic goes out, so we're able to peel off by using existing routers that Cisco had for years, creating a tunnel to us. That was first generation.
When SD-WAN boxes came, they made it easier to create that tunnel, literally click, rather than going into command mode. SD-WAN integration we've done has helped our customers. It's still needing a box in the a route table network. You're managing route tables. Every branch you create, you don't only put a box, there's somebody who has to manage routes and stuff like that out there. That's the hard part, and you own the network, you own in the branch. Once you're in the branch, you move here or there on SD-WAN and can access application, which is good, but if there's an infected machine, it can access all that stuff. That's bad. The biggest thing we are fixing with our Branch Connector technology is the simple little branch box. It's like a relay. There's no route tables to worry about.
Just like in your home, what do you do? You get a little router from your local telcos or whoever the telco is, you plug in, the thing works. That's really what our customers are excited about: simplicity, security... and lower cost. That's why our customer pushed us. I told them, "I don't want any boxes." I kept on pushing back for a long time. When we introduced Branch Connector, we offer it as a VM. Here's a little piece of software you can put on any box, it works. They said, "Man, I can't find this box in my lots of branches, so do it." That's what we've done. Did I answer that question? Patrick, multimodal?
Sure. Multi-Modal DLP is, in a, in a simple way, all about making the efficacy of detecting data leaking significantly better. If you look at how DLP has evolved over time, you would have to give it phrases or pattern matches that you would try to find in plain text. More modern techniques like doing OCR and image recognition to try to detect text and images. Multi-Modal DLP, in the same way that you've seen when you see AI services that are taking text strings and generating very complex, realistic images from it, you have to have an awareness of contextually what objects and things are and how relevant they are.
That kind of technique that you see that allows us to create crazy images in 2 seconds from text queries, can absolutely be applied to interpreting data that is leaving an organization and making the efficacy of the DLP far greater. That's in a quick summary of what it is.
It's like a YouTube kind of video. You can put stuff on a YouTube video.
Yeah.
What DLP solution stops it?
Yeah.
Nothing.
Yeah.
We can solve that kind of problem.
Yeah, the example we showed is, if you have sensitive PRD with your internal plans on it, and you try to email it out, DLP would always catch that. The next thing you do is, "Oh, well, if I take a picture of it, a screenshot of it, I could email that out." OCR could catch that. Now if you do a little Zoom recording, and you just scroll through the document, and it comes as a video, that can get through any DLP solution that exists right now, and that's what this Multi-Modal DLP is meant to stop.
Okay. John.
Hi, John DiFucci from Guggenheim. Jay, you announced a lot of new data-related protection products, and you recently announced a partnership with Rubrik, and I know that's a new partnership. How should we think about where you take Zscaler technology, how far you take Zscaler technology versus where you want to partner with others, especially when it comes to data protection and third-party data intelligence?
That's a good question. I'll give you a short answer because the long answer is, we spend hours figuring out how far do we go, how far we don't go. We're pretty methodical. We like to kind of don't jump around from here to here to here. If our technology and platform can naturally extend over to the next level, we do that type of stuff. Otherwise, we don't. Take Rubrik. Rubrik backs up your data wherever. What if the data that's backed up is already corrupted or encrypted, so to speak? It's not a good thing. We are essentially making sure your data doesn't leak. They are also making sure the encrypted and bad data doesn't get backed up. Passing some of the information intelligence we have to them, helps them and vice versa. This is natural partnership.
We aren't going to get into the business of backing up data to secure the data, right? That's a pretty clear boundary for us. Making sure your data is secure wherever it goes is of interest to us. A partner who is doing data backup, to support them is a good thing that helps us and helps the customer. That's how we think about it. On this side. Bernie, you should stand on the front, you can see all the hands and the side.
Mm-hmm.
Right.
I forgot. Hey, guys. Hamza Fodderwala, Morgan Stanley. Thank you for taking my question. Jay, I think some of us, at least me, were surprised at the branch appliance announcement. I'm curious, you know, why now? I guess the presumption would be that most SD-WAN boxes today that you partner with, are controlled by security vendors, I guess why would they want to advance integrations with Zscaler? Secondly, how do you convince a customer who's already on an SD-WAN journey to effectively add another appliance to the edge, or is this a full replacement of SD-WAN?
First of all, as I said, we never wanted to be an SD-WAN vendor that enables lateral threat movement. Okay? Here, so what are we doing? We do need to make it easy for customers who get traffic. Our Client Connector sitting on the endpoint or the phone, transparently make sure the user gets the traffic. You don't even know, you don't do anything. It figures out lots of smarts. It even knows the best data center around. If one data center, one path has issue, it figures out all those things on its own. Now, the branch, yes, we used to do tunnels from Cisco routers, and SD-WAN made it easier. The issue is not the security vendors don't want it on them. Even the networking vendors would rather kind of control this stuff and put it on it.
They also want to charge more and more price for it. My customer says, "I want the branch office to be thin, dumb box." The more software, the more functionality you put on any box, the more complex it becomes. That's how life is supposed to be. That's why you want endpoint of the thinnest, least amount of software on it. You want branch to be thin, so all the expertise or complexity or policies are sitting in the cloud. Our customers said, "I don't really need all that mesh network that SD-WAN gives me, because it connects everything to everything, because that's the risky part. All I need is connect this branch to the internet, period, with the lowest function." We are literally a traffic cop, a relay, that connects you out there.
For that, then the customer wanted to say, "Rather than you point me to these vendors, those vendors, just I want to treat branch as a basic stuff." It's They basically said, "It's a commodity thing. It needs to work. Just make it easy to deploy and manage." That's really doing us. I mean, I can tell you, I mean, we like to listen to our customers, but sometimes the customer like to tell us to do old things, right? When we want to do disruptive stuff, we don't listen to the customers. When we want to really see the pain, we need to take care, and this is one of the areas I kept on pushing back and back. I probably heard from 100 customers say, "I'm having pain with SD-WAN. I just don't need all of this.
Just give me a simple solution." I don't think we'll have issues. We are not really trying to go and fight for SD-WAN market. You can keep the market. Our customers will start from smaller branches on their own. Think of it, a small branch, I said probably in my keynote, 80% of your branches are small branches, like sales offices. They're no different than sitting at home. They need something very simple like this. That's why we came up with this.
Okay, Brian?
Yeah. Thanks. It's... Is that on? Okay. Yeah, thank you. Brian Essex with JPMorgan. Jay, wanted to follow up on kind of the AI strategy, and we see a number of different companies taking different approaches to whether it's kind of controlling the, the models that are being trained or having the, you know, like I think you alluded to, a very large data set that's very valuable and of high quality. How do you think about, you know, where is Zscaler going from that perspective? Are you controlling the models and the training of the models, or are you enabling your customers to leverage your data set to train those models more efficiently? And then how do you-
Mm-hmm.
control drift and quality and governance as those models are developed? How do you think about the opportunity there for Zscaler?
Yeah, look, if you look at to do AI, ML well, you do need data scientists and domain expertise. In fact, we did a first acquisition 5 years ago. This acquisition was all about AI, ML team, so we actually evolved and learned from it. It's not a totally new thing for us. 2, you do need data models. Actually, large language models, actually, they are becoming more and more open source. I think there'll be more and more open source models that everyone has available, but companies like us can actually customize them and extend them to, say, security-centric LLM kind of stuff, and that, even that won't be a differentiator. If you look at barrier to entry, it's not data scientists and domain expertise. There are lots of them out there. It is not the model. It'll be the data, the data that's used to train.
You can put data in two buckets. One is public data. ChatGPT has all the public data. You can crawl on the internet and answer all the questions. There's a private data. All the security-centric data we're talking about, cyber and all, is all private. There may be multiple kind of data, but the most important data for cyber is communication between entities, users, devices, applications, and the bad guys trying to ping you to do reconnaissance kind of stuff. That's the most important data we have. You can make a case that firewall guys have logs too, but firewall logs are by and large useless. They're short logs. They don't have much stuff. Most of the time, they don't even do SSL inspection.
Without that, all you know is this source IP to this destination IP and domain and this user, and not a whole lot out there. We our customers inspect SSL, they got real data, and they got full URLs, and URLs have tons of unstructured data that gives us some of the upper hand. We believe we have a sustainable long-term barrier to entry when it come to the security model, and that's what we are focused on building on. You want to add anything to this?
I think. Okay, Shrenik.
Yeah, this is Shrenik Kothari from Baird. Yeah, I mean, in this new AI world, you announced kind of very holistic kind of value proposition in the form of the Breach Predictor, in the form of the business insights, which are underpinned by proprietary kind of data that you control, the Multi-Modal DLP. We have seen in the past, historically, like wherever there's a new situation, there's a tendency to, for the security world in general, to go towards like a path of least resistance, right? For example, when kind of data explodes, there will be explosion of control points. There has been, like, a tendency to throw kind of firewalls at the problem or boxes at the problem.
As we stand on the cusp of this kind of new frontier, and you guys, of course, talked about the strategy from a solution standpoint, from a kind of a larger go-to-market strategy education, because, I mean, it seems like a brand-new opportunity for you guys to grab. How are you guys thinking about kind of grabbing this opportunity or just strategically going about it from a go-to-market standpoint?
AI, ML. I never felt it's a standalone market for most companies out there. There will be some OpenAI kind of companies that are highly specialized in doing this stuff. You know, there was a time 15 years ago when people said mobile is on the scene. I want to build a mobile company around mobile. Try to create Salesforce from mobile. Does it make any sense? Not really. It's a device. The back end is the same. I do believe that AI ML will become integrated part of every company, otherwise those companies won't survive. The question is, if you do a better job, you can actually leapfrog and get ahead of others. It's kind of painful to see when a breach happens, they buy a lot more firewall because that's all they know.
I think the world is changing. If you talk to any of the customers here, and now we are in the 40%+ range of Fortune 500 companies, these guys are believers. They get it, they understand it, and we're going at a pretty good rate, adding new customers as well. I think you'll get to a tipping point where firewalls will become like mainframes. I mean, I saw that. I used to be at IBM. No one could imagine that mainframes could ever lose the prime spot they had in the heart of the CIO. When we met those CIOs, they only cared about IBM and IBM mainframes. Over time, it just happened. It took care of its own.
Zero Trust will displace this whole firewall stuff. I think we are in a prime position because we don't think you can just spin those VMs to the cloud and take care of it. AI ML will be powered by the logging, the data we have. That's the most important stuff. We're doubling and tripling down to make sure we take advantage of that.
Okay, we're actually going to take a little break here. The speakers will be back at the end for final questions. We will be serving lunch for those in the room next door, Juniper 2. We'll be back in about 10 minutes.
Thank you.
... customers and our partnerships. We're always excited to have our customers who are on this great transformation journey, and to talk about how the unique business value that we can drive together, as they, you know, transform their IT, as well as align to zero trust architectures. With me today, I'm going to introduce Manesh Patel, who's the CIO of Sanmina, and also, excuse me, Matt Ramberg, VP of Information Security. Manesh?
Okay, great. Good afternoon, everyone. I'm the Chief Information Officer at Sanmina. Sanmina is a Fortune 500 manufacturing company, headquartered in San Jose, California. We operate in 20 countries around the world, 60 manufacturing operations worldwide. We focus on manufacturing for name brand OEMs in a variety of industries, from medical devices to industrial, defense and aerospace, communications equipment, and so on. Our run rate, in terms of revenue, is about $8 billion. As you can imagine, our environment is very complex from a network standpoint, a security standpoint, and with the manufacturing environment, we also have a large number of customers as well. We're very invested in protecting our customers' data, as well as our employees and our business.
It's a pretty complex environment, and our Zscaler journey started over seven years ago, very early days for Zscaler. One of the things that really attracted us was their really significant investment on architecture and getting it right from the beginning. That was a very compelling element. Their initial product, the ZIA product, was a big game changer for us in terms of our environment, all of our locations worldwide, connecting them securely to the internet, and making sure that we had great data security for our employees as well. That was the beginning of our journey, and what we saw with the architecture was the potential to really move towards a more comprehensive security environment. That's sort of what we're seeing now, and it's very exciting.
We're very excited about the opportunity to not only continue to build our security profile, but also to really have a comprehensive environment for security. One of the things we, as many other enterprises are seeing out there, is a wide variety of technologies for security, and just integrating all those things, making sure we've got great coverage as the security landscape and the threats out there continue to grow. It's becoming a very complex environment to manage, and one of the things we love about Zscaler is it's really helping us to simplify that. I'm gonna hand off to Matt. Matt heads up our security organization, and Matt's gonna give us more details on what we're doing.
Thanks, Manesh. Good afternoon. There's so much to talk about on the journey. I obviously can't cover every single aspect, but as Manesh stated, we started with ZIA. This was several years ago. Like most companies, I think, ZIA. And in our case, we had a very, our system was set up with individual web filters at each location across the globe, which is at the time, well, between 60 and 70 locations. As you can imagine, when we needed to make a change, and it was a global change, it had to be made at 70 different places. Along came ZIA. It was a very easy decision when we compared them to other vendors, and it allowed us to free up just resources, an immense amount of resources. I can't even...
It was more the hours spent than anything else. Literally, we had 1 guy that was running the entire ZIA process for the entire globe. As that, as we continued down that same security transformation path, the cloud became this more involved thing, and everybody started working remotely. We started looking at our VPN solution, our architecture, and we realized it was not scalable. It was limited per box. Everybody's familiar with VPN boxes. It was limited per box, and we had, I believe, at 1 point, 13 of these distributed throughout the globe, and it just was not a sustainable process. That led us down the ZPA path.
We got into the ZPA realm. It really allowed us to give the users the flexibility they needed, the productivity they needed, we didn't lose any security that we wanted. That was a really key balance. Security is always known as the department of no, N-O. I've said this at other events. I wanted it to become the department of no, K-N-O-W, for our company. Zscaler made it really easy with the transition because it didn't impact the employees. When we were doing the communication and explaining what we were going to do, they understood it. It made for a really simple transition. Of course, you run into some hiccups here and there, but they were easily resolved.
To this day, we still have 1 primary support person for both ZIA and ZPA, 1 primary support, and then we have some administrators that help support some other things, but it really is 1 guy that's driving the entire transition across the organization. What we've really embraced is that Zscaler has not rested. I was just speaking with somebody in the back. They keep improving on everything they've done, and we are now at a point where we have 5 different Zscaler products that we now deploy in the company. After this conference, we'll be asking for 3 or 4 more. We'll see how that goes. It's just been really a great partnership.
The biggest thing has just been the ease of implementation. That has really been the key, is the ease of implementation. The ability to be able to do this with just a handful of people across an organization as vast as ours, with different needs at every facility, because we have so many different industries that we support, has just been immeasurable, and freed up a lot of crucial time to work on other projects instead of just day-to-day KTLO type information. I would also add, you know, one of the things it allowed us to do was... I've got some members on the team that are junior members.
They don't usually get to be involved in a lot of the strategic things we're doing, just because of skill set. Because of the ease of implementation of a lot of these products from Zscaler, we've been able to have them be involved with it. you know, we didn't just go through it, we were able to grow through it. The employees were able to get this training that they ordinarily, you know, we probably wouldn't provide, but they don't need to be experts because the tool really makes it easy. The various tools make it easy.
Wonderful. We'll take a few questions. Rob?
Thanks, Joel. Rob Owens from Piper. Can you double-click on implementation, how long it took for the various products, and then the extent you're willing to talk about it, what solutions were you able to get rid of because you implemented Zscaler?
Yeah, we're not gonna focus on any specific vendor specific, but let me give you a quick example.
In general.
Sure, in general. Sure, sure. At the beginning of the pandemic, March 2020, we all remember that, everything locked down worldwide. Up until that point, we had about 700 employees at any given point around the world working remotely using VPN. We were in the process of planning a rollout of ZPA, when the lockdown happened, we said: Well, let's accelerate that rollout of ZPA, and we're gonna need a lot more than 700. By within 4 weeks, middle of March, we locked down, middle of April, end of April, we were at 7,000 employees a day working remotely using ZPA. That's the pace at which we were able to roll out, and we were able to take out our legacy VPN solution. That's a good example.
Do you wanna comment on any other one?
I think a key thing to keep in mind here as well is we did this, we maintained Zero Trust. Anybody can turn on ZPA for 100,000 people today if you have an app segment that's star dot star. Everybody gets access to everything. We wanted to make sure that when we did this deployment, we maintained Zero Trust. We had already predefined some groups with the 700. We had predefined some groups, HR, finance, engineering, with specific app segments. We were able to take that base setup that we already had, and within 3-4 weeks, we had added. It eventually at one point reached roughly 10,000 people, all in their proper segments, we lost nothing on Zero Trust.
Hi, it's Joel Fishbein from Truist. Thanks for doing this. Just wanted to follow on to Rob's question in terms of you've probably seen a lot of new technology announcements today from Zscaler. You talked about ZIA and ZPA. Are there any other areas that you may be looking at, ZDX, maybe some of this, you know, Breach Predictor technology that they've? You know, I know it's early days they're announcing. In other words, are you thinking about going broader with Zscaler and going forward?
Yes, we are looking to broaden our profile with Zscaler. I think some of the more well-known products that have been around, we are actively looking at them. The new one that was just recently announced was Risk 360, and we're very excited about that product. Especially for CIOs such as myself, we're engaging with our business leadership, executives, with the board, and you know, that's always been a challenging arena, where improving the level of understanding at that level of security and how that ties to our business, and then having key metrics and real data behind it, is invaluable. I really see the Risk 360 product as enabling that conversation with, at the executive level.
Part of my challenge, I'll be very honest, is, when I engage with my executives and the board, and we say we're using Zscaler, and it's doing great things for us, there isn't much else to report. It just works. The level of visibility at that level is limited, so I think Risk 360 will raise that visibility, and I think, and that's a very valuable thing for us.
Great. One thing would be worth mentioning is, Matt, you had talked about your supplier and partner access, Zero Trust. That's not a common use case still out there. It may be worthwhile for you to share with this audience what you're doing with that, and how you had to do it before.
Sure. Our primary focus, of course, was our employees when we deployed ZPA. We very early on, looked at that and worked with our Zscaler representatives and realized we could use that same technology for the suppliers, the vendors, the people that had to provide support into the company. As with most companies. In fact, I spoke with a lot of them here that still do it. To have that access in the past, we had to give those people access to our identity platform. We had to create accounts for them on our systems. That presents some various problems, you know, when do we suspend it, when do we terminate it, et cetera. We realized, hey, if ZPA works for customers or works for employees, it'll work for customers and vendors and suppliers.
We used an IdP that was provided through Zscaler, and we were able to use the customer's own identity platforms, whatever it might be, Microsoft. And they came in through that way. In our case, we had them using browser access, but we could give them the ZCC client. We had them using browser access because we didn't want to tell a customer or vendor, supplier, "You have to go install this software." We were able to have them come in, access whatever they needed to access. We created a new group within our ZPA, and we provided new accounts for them. We had total control over their access. We could terminate it anytime we needed to terminate it.
Of course, it was fully secured because it was now over Zero Trust, so they weren't coming onto the network to provide support. We were making the app available to them to support. It's been a very positive experience for us because we no longer have to go to that identity management administrator and say, "Here, create these 50 accounts." We just send an email to these people that need to come in, and it's resolved. They have access instantaneously. Somebody had asked, just gonna add this on. We have ZDX. We do have Cloud Connectors. We've got IllusionBLACK, the deception technology.
But today, you had mentioned, you know, what other things, the emergency access for Zero Trust, for ZPA, was announced today, or was one of the things they had mentioned. That just, you know, is gonna be a real positive thing for any companies like ours that require external people to have support immediately, but we don't have the time to go find out their name, their email address, et cetera. We just need immediate access. Then all of the... I just came from it, so it's fresh in my brain, but all of the changes or additions that are being made to ZIA, that sounds just, I think it's gonna be quite positive. The ZIA with the DLP implementation, and DLP, in my worldview, has always been just a dirty word.
It's the thing that everybody talks about, the thing that nobody can do. Multi-Modal DLP, this sounds like a real evolution in basic DLP. Those are a couple of things that I'm really looking forward to from my perspective, moving forward.
you know, I think we could go on for much longer.
Okay.
This is a fascinating conversation. In due to time, we'll end it here, but hopefully, some of you will be able to engage Manesh and Matt, and I really wanna thank you for your partnership and your time.
No, thank you, everyone. Thanks.
Thank you. Thank you, Matt.
Welcome.
I appreciate it. Okay, next, we'll invite, our COO, Dali Rajic.
Where's the clicker? Thank you. I just wanted to take a moment, kind of go through market dynamics and our view and perspective. If you take a look at the macro, I don't need to describe it, but it is complex, getting more complex, and every company in every vertical is feeling it. At the same time, the dynamics of the pressure, I think are getting really increased by the fact that you're trying to respond to an increasing threat ecosystem that's building across the globe, while at the same time, having pricing, budgeting, resourcing pressures. What it means is that cyber still is the number 1 topic and the number 1 discussion, and the rethinking of cyber is accelerating from what I'm seeing in my meetings with senior executives.
You can imagine that, we've had the same discussions with many of our potential customers and partners around really just an evolution of how you think about security, how you think about the legacy vendors and what they're packaging up as new and what they're packaging up as business impacting. Those conversations are much more open and accelerating today, driven by the macro than what we saw before. The reason why we actually believe some of these trends and some of these new threat vectors are supporting our story is because of the uniqueness of our platform. It's not just the uniqueness and capability, but what outcomes it really drives.
When we talk about driving outcomes, what we realized over the last 6, 7 months, we always had a very structured sales process, go-to-market model, that was based on discovery and being consultative to our customers. A lot of our customers were facing new pressures, and zero trust is this broad term that everybody talks about. The questions now are coming back of: What does this really mean? How is it differentiated in outcome you drive, not just feature functional capability that you have? When you have these conversations, you better be prepared, when you sit down with those individuals. For the last 6, 7 months, we've really invested heavily in just taking the training across our CFO-ready business cases and our business outcome modeling to another level.
The reason why is we have all these unique platform innovations and capabilities, and you have to really dissect what it can do for a customer across the entire journey and across multiple functional groups, whether it sits in-network or on the security side, or on the cloud side, or on the managed service side. It really became our responsibility to connect all those threads for our customers, multiple layers deep. Deal scrutiny is going up. That means your business case better be ready.
What we found is that engaging early in building it versus presenting it on the back end made a huge difference, 'cause a lot of the executives within our customer base are getting more scrutiny from their CFOs and CEOs on these business cases, 'cause they have to commit to what it delivers, not just hypothetically, but within whatever gets budgeted down the line. I'll talk about that in a little bit as well. What was really clear is that the pressures from the CTO and the office of the CEO on transforming, becoming more business agile, is really being hindered with legacy network-based security solutions, and it's really being slowed down. We talked about to go to know with a K versus no with an N-O.
That is absolutely the demand that's being made of CIO and lieutenants from CTO and on the CEO side. We've built a repeatable blueprint on how we engage, how we execute, the level of depth we go in our analysis before we ever present our technology. Over the last six months, we've really evolved and upleveled that expertise across all the ranks, and it's an integral part of our go-to-market model. I'll speak to this in a little bit, what we've also done is taken the end-to-end journey that you heard about with our customers to another level. It's not enough to just have a great plan. It's not enough to just, you know, deliver great solutions. You've got to map out the journey, the steps, the phases.
You've got to map out then how are you going to help with adoption, even once you leave, everything is deployed, and everybody's happy? 'Cause there's great capability in our solutions. How do you turn and evolve and twist your entire organization to really be maniacally focused on customer adoption and value realization? We've had it in place, and I'm very confident we took it to another level over the last really four or five months. If we also think about the kind of drive to modernize, what does that mean? Automation is critical everywhere. Why? You heard the customer talk about, we have one person that manages this. Probably wasn't the intent originally, but that is the capability we provide.
What I'm seeing and hearing with all customers today is everybody's pressed and stressed on resources for the volume of projects that they're having to manage, and the level of sophistication of what has to be done has gone up manyfold. How do you supplement that sort of environment? 'Cause we're not experts in everything. The way we do it is we automate current operations, we really drive consolidation, and we do it pretty simply for us. Not so simply, I think, for anybody else in the industry. I've spoken about our model for quite some time now, but I wanna just double-click on one point real shortly here.
When you build an entire go-to-market engine that is structured with each part, understanding what their role is and what they have to deliver, 'cause busy work is great, but it doesn't produce results all the time. When you build a go-to-market engine where every resource across the entire ecosystem knows what they're delivering, at which stage, and how, and you integrate all of those elements, what it means is you build a seamless engine that really allows you to go detailed and build business plans with your customers. I'll tell you right now, our competitors are not doing it, and this takes a while to build, and we've been building it for years. The reason this matters today is, and ROI is great, who on the customer side signed off on whatever it is that you have in there on changing their business around?
It better be some relevant people. Again, the discovery collaboration efforts that we have on the front end allow us to create comprehensive business plans on value we will drive with the backing from the individuals that matter in the organization and that validate what we have put in place. We map it to the MITRE framework. Why? 'Cause everybody wants to know: What vectors do you help me cover? What security threats from my adversaries can you help me cover? This is another element that's in there. Then we, with the customer, based on blueprints that we have, this is a repeatable process by vertical customer size, we map out the different phases of their evolution. The outcomes they have to drive and that they wanna drive, and the businesses they need to support.
There isn't a one conversation with a CIO that I'm having today, where they're not being asked to map to the transformative CTO and CEO vision that they've laid out for the next 5 years. To the earlier point, what information, what am I bringing back to the executive suite on acceleration and value I can provide? Building this, phasing it, having a deployment plan that drives ROI by each phase, and then a customer success team that continues the work after deployment leaves, that is part of our secret sauce in really amplifying the unique capabilities that our platform affords our customers. This is pretty much a must on anything that's a couple $100,000 deal and up, and the only difference is, you know, how deep do you go based on segmentation of customers?
This is also the discussion points that we're having with customers if something slows down or doesn't. I just met with CEO minus one of a very large global company, they bought based on the plan we had, comparing us to competitors and all the pricing gimmicks that they were going through. We were about a quarter in this purchase, we sat down, and we went through the plan and our progress to that plan. This is not a theoretical exercise. This becomes our mutual success North Star. Customers are appreciative, and we invest the time in doing it 'cause it's our responsibility. It's our responsibility because there are so many different disparate security solutions out there, and they're being asked, customers that is, to replace, to consolidate. If you don't, how are you gonna automate?
How are you gonna automate? By the way, as you're doing all this and you're driving an ROI, that's interesting, but what's your business impact? We talked earlier about my employees are gonna sit everywhere because I need to get to talent. We talked about third-party suppliers. We talked about M&A-related activities. We talked about any sort of cloud transformation that you're planning on, you have to understand what are you gonna do, not just from a user, but workload standpoint. What's my journey? How daring can I be? How quick can I be? What is the risk I think I'm taking versus Zscaler, the risk you can eliminate for me? By the way, can you do this quickly for me? We have the unique ability to deploy in short windows, and we make sure that we have plans on how to do that.
We've really centered in this fiscal year on not just the entire ROI practice, but also what is the business-enabling platform capability and acceleration that we can provide for our customers? Because we understand how this connects. It matters to one degree or another across any vertical. This has also allowed us to really become partners with our customers instead of just a vendor. It's also allowed us to have a much broader and more aggressive consolidation of solutions discussion because we have an end-to-end integrated plan. If you can deliver that, and you're not just selling solutions and hoping the customer figures it out on their own, that's pretty unique and it's part of our success and growth.
You've seen this before, I know at the beginning of the year, we restructured to kind of really align to our go-to-market model and really map closer to our partner community. This has worked really well so far. Up top, it's the largest of our large customers. We have very, very consultative scientific activity that we're driving, broad ecosystem, and that way, anybody who engages with us, you have access to many different experts and many different C-level executive practitioners. You get into the mid segment, depending on size, it's still very much the same model, just a little bit lighter. That's really it, and it's really helped us continue to drive acceleration, not just upmarket, but also mid-market.
In the commercial sector and below, we've really gotten close to our partners in many collaborative efforts, and Karl's gonna talk about it in a little bit, to drive that velocity. We've seen velocity upmarket, mid-market, and downmarket at a really satisfactory pace. What it validates is that our solution is relevant, and especially relevant if you go mid and downmarket, 'cause your resourcing is even lower than what it is when you go upmarket. Automation is even more critical. Low-touch to no-touch security is even more critical. The beauty here is, our partners usually have a managed service wrapper that they offer up for these customers, and that combination has worked really well, and it's an area of future investment for us.
Kind of in conclusion here on this, the organization has pivoted to really serve every segment, and we've really refined and upleveled what was already in place and what we've been building for years, in order to do it at a very different detail level on what we discover and uncover, and then how we build plans to deliver, and how we hold ourselves accountable to deliver. It's real ROI, it's real business value, and our customers are very appreciative on this approach, 'cause it is a unique approach, especially if you've grown up with legacy security appliance vendors, as your primary vendors back in the day. On the partner model, I'm gonna bring Karl up to kinda speak a little bit more detail on what we're doing and what we're looking for going forward.
All right. Thank you, Dali. Much appreciated. All right. Good afternoon, everybody. I've been on board a little over 90 days right now, and when I joined, the first thing I did was really go on a listening tour. To really understand where we needed to go and how we're going, spent a lot of time with the partners, trying to understand what's working, what's not, and what their needs are. Truly, before you can build the future, you need to understand the past in a way. The story I heard was really what I anticipated to hear in quite a few ways. For a company our size, and where we're going, the trajectory that we're trying to go after, we're right where we're supposed to be.
Right now, the sales process, historically, it felt somewhat reactive and opportunistic, meaning we'd have a big opportunity, we'd engage with partners, but we weren't really building a holistic strategy for long term. We weren't looking across the market that they go after and the customers they go after, and seeing how we can work together. It was a chance to kinda step back and say: Where do we wanna be in the future, and what's that need to look like? We measured partner success, someone on top of funnel. A lot of companies our size would. How many leads are they bringing? How can we actually bring them into the pipeline? How do we drive that? Early-stage opportunities, not integrating them through the sales process that Dali spoke about. Amazing opportunity and energy and appetite for them to do that.
You know, when we think about the partners that we manage, that we work with globally, the large GSIs, I think we did a good job managing them from a global basis, but there wasn't a lot of great theater interlock that we can actually work with and drive down to the specific regions. How could we actually get that tracking and moving quickly? Lastly, from when Jay founded this company, it's always been a partner-first mindset, like, "Let's get the partners engaged." There's always been a commitment level there, but there's never been a full infrastructure underneath it to really drive that process. What I'm really trying to do now is take a look at this and drive it through the maturity cycle.
What I'll show you next is really kind of how we're looking a little bit at segmentation, which maps a lot to what Dali talked about. How do we segment these partners? Because the needs are different. If I'm a GSI, my needs are different than if I'm a regional solution provider versus a service provider, and everyone's going through a bit of transformation right now themselves, with how they're going to market. They're evolving, so we need to be engaged and listening to what their needs are. Here's a good look at this. If we take a look and try to understand who really the global players are and how they work and how we can get scale, I'm here to tell you one thing: The appetite is there from our partners.
I mean, I think we anticipated when we had this event, we'd have about 150 partners show up. We have 300 partners that are here, and the energy is there. It's less about selling them on the virtues or values of the technology, it's much more about how to integrate and operate. I think that the sales process here is amazing, that we've developed. The interlock with the partner is gonna get there, and that's how we're gonna get scale and reach downmarket. Scale on the higher end, going wider and deeper within the Global 2000, the reach as you go downmarket into new customers. I've been amazingly surprised how well this brand translates downmarket to the commercial space, and I think our biggest competitor sometimes is awareness. How do we amplify the messaging?
How do we get it down through to the customer base? That's what we're gonna really do. When we think about this model and how we break it out, whether you're global or regional, what your play is, it's really also looking at what problem you're trying to solve and what the customer's needs are. It may be an interesting angle from a partner leader, but as we're building this strategy, we're literally looking at customer first. What's the customer's needs? How do we layer the partner into that to solve some of those needs? That's a handshake and complementary to what our sales process is. Again, looking at today versus tomorrow, natural transition of where we are today, that we grew so fast that things naturally had a few silos tied to them.
We managed the GSI team a bit different than the service provider team. We had these amazing alliance partnerships that were kind of siloed off, and they're all very successful standing up on their own. What if we unify them? What if we get them working together? What if we look at the message a little differently through an end user's eyes? Let's look at the Zscaler customer journey. It's not just about the acquisition of the technology, it's about the deployment of it, the consumption of it, how they're leveraging it. We heard from the customer a few minutes ago, how they actually can truly engage in the problems they're solving. Our partners are gonna be part of that journey. I think there's an amazing opportunity for our partner community to add advisory services. This is an architecture and a mindset.
The large consulting companies can actually drive that. Again, what I'm seeing right now is not a lack or lack of desire. It's awareness, it's enablement, and it's engagement. That's what we're gonna change. We're gonna invest in the coverage model, we're gonna invest in the alignment. We're really going to drive it. With that, Bill?
Okay, thank you. Karl has to leave early for his, he's hosting a partner program, we'll take a few questions just with Karl, then we'll bring up Jay to close.
Sure.
Questions?
This one right here.
Hi, Karl. Can you hear me?
Yes, I can.
Okay, great. Thank you so much, Karl, for that insight. You know, you did a great job.
Hold up.
Oh, here we go.
You did a great job, at Palo Alto Networks, creating the NextWave program to really enable the partner community to sell the broader platform vision.
Mm-hmm.
I'm curious, based on the discussions that you've had so far with the partner community, how do you plan to do that with Zscaler, which does have a lot of product to sell, but, you know, really selling that broader platform vision like you did, you know, at your predecessor?
Yeah, great question. I think it's less about selling a platform vision and more focusing on the use cases, 'cause those are the conversations we're having. I'm not having a lot of technology conversations right now. I'm talking a lot about the use cases and the problems we can solve, and they're board-level problems right now. If a partner truly wants to be seen as a valued consultant or advisor, those are the level of conversations they need to have. I think it's more about just truly aligning from that, and we'll see the scale. You know, it's interesting. There's not a partner conversation I've had yet where someone feels as though we're fairly saturated in how we're executing together. Everyone's conversation is the same. We're in the early innings. We've done a few big deals well together. How do we amplify it?
It's not an issue of having capped headroom or the fact that I need to go wider and deeper and sell more of the technology. It's more about amplifying the message to get more opportunities. It's exciting from that end. It's a bit different from that end. Great question.
Alex?
Yeah.
Oh, sorry.
Alex Henderson over at Needham. I'm interested in your view of why the street consistently gets the VAR channel information wrong, and why, you know, when you talk to all of these partners, you know, why is there such a disconnect between the read the street gets when they talk to VARs and the actual results, which obviously have been better than the VAR checks suggest?
I think transparently, in my opinion, I think it's sometimes speaking to the wrong VARs or the wrong people within the VARs who aren't connected, respectfully. I actually do think, Again, I'm gonna go back to how early we are in this process right now, in this journey with our partners. Partners have always been there, remember, I reflected back saying it was opportunistic. As we are strategic, as we have business plans, which the business plans we're rolling out, are actually 2-year business plans we're working with them on. It's not what we're gonna do over the next quarter or the next few months. It's what are we gonna do over the next couple of years to scale their business? The conversation I'm having with them is, it's less about me being relevant, you being relevant to me. How can I be relevant to you?
What do I need to do to be relevant to your business and the size and scale? Again, going back to that segmentation some of the conversations we're having. Please.
Hold on. Okay.
Hi, it's Tazeen Ahmad from Redburn Atlantic. Question on, now, one thing that we heard from management team and even like customers on Zscaler versus other security vendors, historically, was that it's a more evangelistic sale. It takes a long time to convince customers to move from their old network. Mm-hmm.
-security model to the Zscaler model, and that's why the channel mix was lower for Zscaler versus other security companies. Has that changed now in the last 2 to 4 years? I know Zero Trust has been around for quite some time. Customers get it now. When you speak to partners today, do you think that they have the ability to sell a Zscaler-like solution today more than, say, 3, 4 years ago?
I think it depends on the partner and where they are in the evolution with us. I think, the term Zero Trust has been around for a long, long time, but who can actually truly execute to Zero Trust? Is still to be determined. We believe we're the leader in there. I think that the sales cycle, partners are not afraid of, because if it's a longer sales cycle, it's usually a larger opportunity, and there's usually greater margin portfolio for, you know, for them. It shows that they are engaged, it's sticky, and they're having ownership over the customer long term. They want to have those type of relationships. This is not a commoditized technology. This is not about the volume of partners that we have.
It's about having trusted partners that we trust, that we work with, that they trust us, and most importantly, that the customers trust. That's really how we're holding ourselves accountable.
Okay. Thank you, Karl.
Thank you.
Appreciate it. All right. Why don't we move next to our final Q&A with management? I'll invite all the speakers up to the podium. Okay, who wants to start off the question here? At the back.
Thanks. Andrew Nowinski with Wells Fargo. Maybe a question for Dali. You talked about providing, and focusing on CFO-ready business cases and selling outcomes. I guess, are customers coming to you and asking you know, how they can roll out LLMs to their employees? Is that a high priority for them right now, and are you involved in those discussions? You know, and if so, why would Zscaler be better positioned to secure the, you know, the use of those models versus maybe alternatives from Palo Alto and others?
I'll go back to again, our approach is very integrated. I'll tell you right now, Palo Alto does not sell this way, and I've not seen it yet, and I won't see it. Why are we in a better position, and why are we in a better position even to step outside of kinda our some of our core capability? We have a really rich technology alliance ecosystem that is not just basic integrations, but it's deep engineering connections that provide a plus one value proposition. The credibility that we have, because not just our platform, not just the holistic approach that we take, the research that we put in, this is a lot of work that we do on behalf of the customer.
The tech alliances that we also integrate into the broader story, the partner community that we integrate into, how can this partner help you deliver? I'll go back to we're not selling features and functions. We're selling a paradigm shift, a transformational view with details on what we can do, with details on what we can do through our alliance ecosystem and our partners who we work closely with, and we then bring in to where we stop, they continue, and our partners who then also deliver an additional layer on top. It is a different sales approach. Why would we be better qualified? I can just say we're well qualified because of this approach that's very unique to provide a perspective and a very integrated, holistic point of view.
Not telling the customer this is the only absolute truth, but doing a lot of work to let them know what is possible, what the different permutation stages are, and then with that customer, crafting what this means, and bringing unbiased expertise on other technologies that they're either leveraging or thinking about leveraging. You become a trusted advisor when you do that, and I guess that's my answer. Again, we're not telling them what to do, nor are we proposing we're the only thing out there that they need to be looking at or having discussions on. We are the only entity that's bringing them a holistic, very detailed, well-researched view with other entities that we collaborate with that are sitting outside of Zscaler.
Okay, Adam.
Great. Do you hear me? Great. Adam Borg with Stifel. Thanks so much for the time and for taking the question. Maybe for Dali on the following up on the business value assessments as well. I'd love to hear more about where in the go-to-market pyramid, we talked about, you know, from majors all the way down, that you're seeing that these refined business value assessments, where you're seeing the most impact there, and maybe just any anecdotes you could share. Great, thanks.
Yeah. On the upper level, it's just, it happens on every engagement. It's not a discussion of. If you go into the mid-level, I'd say you're still doing it in 70%-80% of the cases at the level of depth that I described. We also have an automated solution in-house that does a lot of these things through really the field teams when you start going down market. We're still delivering ROIs. The entire services organization was pivoted to deliver a phased approach of value realization, and the customer success org is managed and measured on adoption-specific KPIs. Upmarket, it just becomes an amazing, beautiful discussion. You iterate, you're building business plans together. It's what makes the job fun.
I will tell you, it's so appreciated by those executives, 'cause again, it's not a standard approach in our industry. In the mid-market levels, it is also very much appreciated. We're just a little bit more efficient on how we do it because we have some automation, and some of those environments are not as complex, so it's a little easier to do it. It absolutely explains not just the possibility of the different impact areas, but also the how-to and by when. 'Cause I'm gonna go back to CFO-ready business case is not a tagline. Everybody's being asked to commit to cost reductions, and you have to. I'm dealing with a bank right now, and they have some of the competitive product in-house.
It's sitting there for free, and it doesn't matter, it's not free, because you still, in order to deploy at scale, there's a lot of things you've got to pay for and buy. When you do that kind of reverse ROI almost on what free really means, it's not. We haven't even talked about your security posture yet. The moment you go into those discussions with those companies, and this is 50,000 users, right? So kind of in that, in that upper mid spot. It is pretty interesting to see how quickly the customer actually pivots to wanting to know more and more and more on what else we can do together, 'cause they're presenting that back to their board. What we're building here is basically board-ready business cases and plans on how to achieve them. They're being used, repurposed, but used.
Okay, Brian? Can we swap the mic? There we go.
All right, thanks. Brian Essex from JPMorgan. love to keep the spotlight on Dali for a minute. you know, I really appreciate the blueprint framework that you framed out, and I know you commented, I think, a few times on bringing things to the next level over the past four to five months. I'd love your perspective on, you know, the friction that the company saw in its go-to-market strategy in the January timeframe. What have you seen the biggest impact with the changes that you've made, and how are things kind of now that we've put more kind of?
Yeah
... better procedures in place from a go-to-market perspective?
Listen, we're not immune to the macro, I hope that's not, you know, what people are taking away from this. We got hit just like everybody else, we analyzed why, 'cause this was already in place. What we realized is what we call stage 0 to 2. These are the initial discovery stages. What we realized is there was inconsistency in the depth of really the analysis that the teams were going into. The biggest change that we made from first half into second half of the year is really deep 0 to 2 training across all teams, not just sales, including pre-sales architects, on the level of discovery that we need to go into, so that you can really deliver very hard, unquestionable consolidation of technologies, ROIs, timelines you're confident with. People have contracts on their books.
What does that mean? Well, now you gotta come up with some flexible pricing and, you know, adoption models. We tweaked that a little bit as well. It was the approach, and then what we delivered and how we allowed customers to step into it. That was really the biggest change from first half to second half, and kind of the level of detail and sophistication on what we adjusted. 'Cause the macro is still the macro. We saw with bigger deals is instead of. You know, our sales cycle is about 9-12 months, and what we saw is, you know, a couple of years ago, you were on the lower end of that range. What we saw first half of the years, got pushed to the upper end of that range.
How do you still control that so it doesn't slip outside of that? Kind of what I described is what we did.
If I may add, the same question was asked many times during our earnings call. I essentially said the same thing, that we had to go deeper and more granular, better discovery on what's there, what can be in place, better job in doing more granular ROI plan, where even annual return wasn't good enough. Give me on a quarterly view of what can be done and whatnot type of stuff. Better execution by learning. Man, I also said that, we have to work harder and smarter now than we had two year ago. Okay. Madeline?
Hi, Madeline Brooks from Bank of America. Thanks for taking my question. Two, one for you, Dali, and then I'll take the spotlight off of you. You know, first one is on just pricing and competitive natures in this market. You know, free in this market is a very attractive word. Have you seen any more additional scrutiny around, like, pricing for your products, especially, you know, as other platforms, not just legacy guys, but newer guys are starting to give away products for free? If anyone can comment on just, you know, Zscaler's exposure, thoughts on the recent cyberattack on our government agencies, that would be great.
Yeah. Here's what I'd tell you. We see the same competitors, you know, I take it a bit of as a badge if we're doing things right, if they're compelled to offer things for free. I don't know about you, I've never gone into a store, gotten anything that mattered for free. The question then is, how do you articulate that to a customer based on use cases that drive outcomes and results? I know I'm harping on this, but there's a reason for it. It's not free. It's not free. It might look free.
It becomes a question of, "I hear you, and I agree with you, Zscaler, how can you help me with some creative financial and packaging machinations?" That's really where, with Steve and his team on some of the packaging, flex packaging that we've come up with, 'cause everybody steps into it a little bit differently. If you can then make sure that you help them on how they step in without eroding your pricing and opportunity down the line, that's a win-win all around. It comes back to even if it's free, does the customer have the responsibility to investigate? Of course, you do.
If you focus on use cases, outcomes, ROIs, what you consolidate, and what requirements you're solving for, and then you take it a step further, not just about right now, but map out what matters next year and the year after, and the question of how are you gonna solve for that, and how much is that gonna cost? Which is why the reverse ROIs, I called it, which is, If you were to pick something else, what is your real cost? What's your vulnerability and security threat exposure still at that point? If you map it out, if you prove it out during the proof of values that we do, and if you prove out scalability and reliability and automation and integrated components with other vendors they have in their environment...
We don't talk about these tech alliances enough, in my opinion, 'cause they are absolutely critical and drive real competitive differentiation. When you do that, any business person is gonna.
It's not free. Puppy's not free, even if you walk out of the store with them. That's, you know, the oldest analogy in the book, but it's true. Can you quantify it, is the question, and we really refined how we do that and how we educate and partner with our customers.
If I can take the second part of your question, the headline security breach, the MOVEit vulnerability that is out in the news today with hundreds of companies or organizations being compromised. Our team was already tracking this. If you search Zscaler and then MOVEit, you'll see the first link is our threat labs research team, six days ago, posted a full dissection of the threat, the vulnerability, and we also announced coverage six days ago that we deployed a couple of protection techniques for all of our existing ZPA customers. We're well on top of it, and we've had protection in place for over six days now.
Great. Shaul?
Thank you. Shaul Eyal with TD Cowen, Jay, one for you. I wanna double-click back on the appliance. You know, typically, appliances, they come in families. What's the thinking on that front? At least one of my takeaways from the past day and a half, today, is you guys listen to your customers, and you wanna delight them, and it's great. Assuming within the next 18, 24 months, once the strategy, I wouldn't call it strategy, but that takes off, will you be adding more appliances? Will you be even going higher?
No. It's essentially a basic commodity in the branch office, like the relay to send traffic to us. The thinner, the better, okay? If the customer has already some box sitting there, and they can put our software on it, we'll say, "Run with it." We're not trying to build an appliance business. We're trying to make it easier for a customer to really send traffic our way reliably and easily without having the lateral movement. You won't see us talking about doing X% of sales coming from these boxes.
Okay.
All right.
Okay, we'll take one last question here from Peter.
Guys, Peter Levine with Evercore. Maybe to switch topics here. You introduced Identity Threat Detection. Maybe just talk about the depth of the product today, like the use case, you know. Also, is, like, the plan to kind of build out, like, a full-fledged identity, PAM, IGA, customer workforce, meaning, like, competing with the Okta of the world?
Stephen.
Yeah, we announced the Identity Threat Detection and Response today. Our first foray into it isn't gonna do PAM and IGA, but that is something we're considering for a future roadmap item. We think what we are releasing, we've gotten great feedback from our early access customers, that it's solving a problem and not something they're doing today very much, and that it's a natural fit with what we already do, combined with some of the other threat detection technologies like deception and isolation, et cetera.
Yeah, if I may say, we're pretty thoughtful of what to do, what not to do. There are lots of good discussions about we're not doing this, we're doing this. I mean take a few years ago, our customer said, "You've got a Client Connector sitting there. Why don't you do posture check?" Some people said: "Oh, EDR does posture check." The customer said: "Yeah, you can do it too, add it on." We added our posture check. Now, we give a choice to customers. You want to do posture check from our agent? Have it. If you like CrowdStrike or Defender to do it, have at it. Like to give choices because some of these add-on features are not necessarily the core of our business. They actually help rounding it out and adding more value.
Doing identity threat detection protection was natural. In fact, we're sitting there with deception box out there or on the endpoint, we are adding thing. Doesn't need to mean that we need to go all the way in, we'll let the market and timing decide how far we go.
Okay, I want to thank all the executives, and we'll invite Jay to lead us in closing.
Good. Thank you. Look, I think you got pretty good understanding of our message, but overall, if to summarize in 2, 3 areas, right? We pioneered Zero Trust before Zero Trust became fashionable. It become the largest cloud out there. The cloud effect is making a big difference. I think you're going to hear more and more about the resilience of the platform becoming more and more important. You heard about AWS issue, was it yesterday or day before yesterday? An Azure one on the weekend. These things will become very, very mission-critical for us. I have had customers who said: "Jay, Zscaler is more mission critical than Microsoft 365." It makes sense. We are the switchboard. We are the first one that launched disaster recovery service. The copycats probably haven't even thought about it.
They're trying to do the basic stuff. As it becomes more and more mission-critical, customers are leaning towards people who have been there, who have done it. This will be bigger and bigger play. The platform expansion. You saw during the conference, our team innovates at a very rapid pace, and it's not that because we only we have the best people. It's because when you got a platform that can really be extended, you can add innovation more easily.
When we added sandboxing to our platform, literally, if we had to do 100 units of work, we only did about 25 because the 75 units are already part of the platform, how to take traffic, how to authenticate, the policy engine, opening up the file, and we simply had to send it to the sandbox, which did run it and return the verdict. Those are the great things we're building upon. I think multitenant architecture will play a bigger and bigger role, especially when you're sitting in the traffic path, and that's a big barrier to entry. Go-to-market and execution. I think we've done a good job. You've seen our numbers. We keep on refining, aligning more and more large customers, especially... I mean, they see us at mission-critical.
Many of our customers, we are the only mission-critical cyber, and now, sometimes they call us networking vendor, which I don't like to be called, 'cause we are not a networking vendor. We eliminate the network, but it's a great position. As I mentioned early on, keep on expanding and growing the team, not only at just the leadership level, at the next level, the next level is our big focus. My number 1 priority is always keep on making sure the team is getting stronger and stronger. With that, I want to thank you for your time. I thank you for your interest in Zscaler, and we'll keep on delivering.
One announcement, we will have these slides available on the website shortly. For those in the room, if you want to pick up a copy of the CXO Architect book, those are in the back. Thank you.