All right, thank you. Good morning. We'll go ahead and get started if we can close the door at the back. Thank you very much. Gabriela Borges, I lead the emerging software vertical here at Goldman. I'm delighted to have on stage with me, Jay Chaudhry, CEO and Founder of Zscaler, and Remo Canessa, CFO. Thank you for your time this morning.
Thank you.
Thank you.
Jay, one of our observations watching Zscaler evolve over the past 7-10 years has been your evolution into a multi-product company, building off of the success you've had with Zscaler Internet Access. When you think about the decisions that you made very early on in the company, architecturally, what are the one or two decisions that stand out to you as being really important with the power of hindsight, to empowering the product portfolio that you have today?
Yeah. So I think the, the biggest thing we did when I started Zscaler was to say, reimagine network, reimagine security for this new world of cloud and mobility. So what was the reimagining? We said, "We're not going to be the next or next, next in firewall or VPN. We want to build a switchboard. A switchboard where you connect, and the switchboard, based on the policy, decides if you will be connected to a given application or service." It's fundamentally opposite of traditional network security. Traditional says you are in or you are out. We are a door. We say, "We're not a door. There's no such thing as you're inside, you're always outside." That's really what started with secure web access, then Private Access.
But this switchboard doesn't care about if you're a user or a workload, so we could really adapt the same technology to do Zscaler for Workloads. IoT, OT devices want to communicate too. They go through a same switchboard. Your B2B customers and suppliers want to talk as well. Same core technology has been elegantly used in all areas. That's when people say, "Oh, how do you compare with this firewall vendor?" I'd say, "Man, we haven't been able to communicate the message.
So it leads to a question on how to think about greenfield versus brownfield TAM. If I think about the categories that Zscaler has consistently displaced, things like Secure Web Gateway, CASB, the number of TAMs that you are able to consolidate now versus five years ago, is evolving.
Yep.
How do you think about greenfield versus brownfield, and where do you think you are on the brownfield piece of displacement?
So I think that the traditional categories of security market segment are fundamentally going through big changes. The market and investors always like to fall back on, this is a known segment. The segments are being disrupted, and they should be disrupted because the underlying security model is fundamentally changing. So if you really look at what are we doing, we are fundamentally replacing what's known as DMZ in an enterprise. So DMZ, this techie term for demilitarized zone. When you go outside the data center, you go through a check-off boxes. When you come in, you go through a check of boxes. It's almost like, you know, the castle and moat model. When you go in the castle, they're going to check your badge, what luggage are you taking with you, and all that kind of stuff.
When you leave the castle, they're going to check if you're stealing anything, going out with you. It's the same kind of concept the network security did inside and outside. So with Zscaler, ZIA, ZPA, the whole notion of DMZ goes away, okay? And then there used to be DMZ here or there. So that's one big piece. The SSE that Gartner has coined has essentially evolved to become the replacement of DMZ. That's one big piece. Then the data at rest became a second big piece. Consolidating these point products that came under the CASB is a feature. Then SaaS security, posture management, one more segment became the feature. Supply chain of SaaS security, a new area. So there are some older markets, some newer markets, they are all coming together. I don't really look at older versus newer markets.
I look at what problem do we need to solve? CASB, about 10, 12 years old, a problem is being solved. SaaS security posture is a relatively young problem. Supply chain of SaaS, my Salesforce is connecting with 10 other SaaS applications. Salesforce is trustworthy, but do I trust those other 10 applications of SaaS? I don't. So there are a bunch of new areas evolving. I think the TAM of cybersecurity is underappreciated. It, it will be a lot bigger. I mean, take ZPA. We started with ZPA. Customers said: "Oh, it's VPN replacement." Nothing is farther from the truth. That's a small piece. If you do ZPA right, this whole inside security in the data center here, they will eventually go away. The segmentation piece gets done with ZPA technology, right, because it says, I connect party A to party B.
So we are excited to keep on expanding this platform. In terms of numbers and all, you know, we don't even try to look at external numbers. When we did market sizing, we started with number of users. What are we getting paid for product A, B, C? Then we did roll up. And that's when we came up with about $72 billion TAM, which is what we covered during our last Analyst Day, a couple of years ago.
We see this dynamic across security, across technology, where you have an industry pioneer, and then you have fast followers. As the TAM becomes more validated and the TAM evolves, how do you think about the risk of commoditization at the low end and the mid-market? You're continuing to push the envelope with your R&D roadmap. How do you balance-
Yeah.
the risk of commoditization at the low end, with continuing to drive the industry forward and the concepts, the architectural concepts forward at the high end?
That's a very good question, and we give a lot of thought to it. I think the point you made, commoditization, fast follow, innovative. It depends upon the market segment, the problem you're solving. Take a basic networking stuff. Networking's job is to get traffic from point A to point B, easily, at a fast speed, and reliably. That thing, once gets done, there's not a new innovation happening every year, every six months, every twelve months. Cyber is one of the unique areas, where cyber, your job is never done. It's a race with bad guys. And that's sometimes what frustrates me, is the hackers move faster than our large company, CISOs and their teams. They are slow, and they need to move faster, to catch up with the technologies we are building.
I think cyber, with so much focus, so much at risk, our customers are telling us, especially large enterprises. A small business, they barely understand cyber. They'll do whatever they need to do to move with it. But the largest customers, they won't compromise for cyber. They won't say, "Good enough is good enough." When it comes to probably a SaaS application, good enough is good enough. So here you need the best security. Now, you would think best security will be probably best of breed point products. Not true. If you go back to 9/11, CIA had lots of information, probably FBI has a bunch of information, and others, if they could correlate the so many telltale signs. So with the platform approach, when you consolidate point products and are able to correlate pieces of information you're getting, your security is far better than point product security.
So we—that's why we are driving towards the platform, but a meaningful platform. The word platform has been abused today. Somebody goes and buys an endpoint company and say, "We are a platform between firewall and endpoints." Come on, what's common between the two? Not a whole lot. That's not platform. So we believe that the whole issue of lots and lots of security vendors is gonna go away, buw that doesn't mean the startup scene will go away. There will be lots of security startups, but there won't be room for them to be an independent company for too long. They'll get picked up. If the technology is good, they'll get consolidated into the platform. But I don't see a single, call it god security platform, that does everything. I think a platform in certain areas.
Just like you're never going to see a single SaaS company. What do you mean single SaaS company for all applications? It'll be hard, but I think you'll find four or five pockets of security where consolidation will happen, and we are confident that we'll be one of those platforms.
Where do you think Microsoft fits within the four or five pockets? You made some interesting comments last night on the technical barrier at the high end and the enterprise, the potential for an impact at the low end. Would love to elaborate a little bit.
Yeah. Look, Microsoft is a company we respect, we have worked with closely. They have expanded the security platform, but we all hear about $20 billion number of Microsoft. If you start dissecting it from real, real standalone products point of view, it's natural for them to do endpoint security. They own Windows platform. It's natural for them to do identity. They own Active Directory for years and years, okay? It's natural for them to do the data lake stuff at Sentinel, because hyperscalers are good about data lake. So we have integrated with them in all these areas. The new announcement they made about Entra and SSE. Entra piece has to do a lot more expanding identity part, which is natural for them, and what made some waves was the entry into SSE. That's a brand-new area for them.
Being in line, inspecting traffic at high speed, any kind of traffic, is not where Microsoft traditionally comes from. Also, the traffic is going to Microsoft, Azure, AWS; it's going to 1,000 SaaS applications and a million other websites that have nothing to do with Microsoft. Customers would rather have a company like Zscaler, as a trusted brand, that's really making sure we have secure and fast access to all those areas and locations. So I believe in the large enterprise space, we'll keep on doing very well, the way we have done it. I mean, you're seeing CrowdStrike do quite well on the high end, on the other side as well. It'll take some time for anyone to enter in the space, and the space that has to be the full platform, the capabilities we built over the past 12-plus years....
So I think on the lower end, they probably will do fine just because the lower end bundling works. Even today, when I see lod end of the market, I see Cisco bundle with network and security happening from time to time. On the high end, I think we are feeling comfortable. We'll keep on innovating and driving, and we've seen other markets, too, out there.
I think there's a natural evolution between some of what you're doing on the network side and some of what you're now doing on the cloud side. I would love to hear a little more about your strategy of expanding into cloud security with Zscaler for Workloads. As a customer, we've had this decision process before, where I can choose to work with someone like a Palo Alto on the network and Palo Alto on the cloud, or I could choose to work with Zscaler for the network and Zscaler for the cloud. So help us think through how customers are making that decision.
Yeah. So cloud, securing the cloud is what you're talking about, securing workloads. So there's no one single market natural for cloud, securing a cloud. So customers look at what problem do I need to solve? Do I have a meaningful platform provider that can solve all of my problems or some of my problems? That's how the customer look at it. So let's talk about the securing the cloud workload market in a couple of buckets. One, the pretty well understood market is my workloads need to talk to other workloads, my workload need to talk to internet. How have they done it the old way in the data center? With firewalls and the like. So there's a bunch of lift and shift that has been happening, where let me shift my firewalls and buy them as virtual firewalls in the cloud.
That's the market we are disrupting with Zscaler's ZIA for workloads and ZPA for workloads. This is. This business is taking off very nicely. The deal sizes are still small in that space, but they. It's, it's moving up very well. The only competition we have there is legacy firewalls. We think we are well positioned in that part of the securing your cloud workload communication. The other part, which is not about communication, but about checking the posture and and really posture-related stuff, and you can even put that in two buckets. One is almost taking EDR, your technology from workloads, from forum, from endpoint to running that thing on cloud workloads. CrowdStrike has been doing it fairly well with AWS. In Azure, Microsoft wants to run its own Windows Defender or whatever they're calling it, for Workload Defender. So that's, that's the second area.
The third is where you hear a lot of noise because there have been 100-plus companies in the past 2 years. This is where Wiz and Oracle and Lacework have been making a lot of noise. This is about CSPM, CIEM, security posture, and the like. I think this market has been evolving, but I, I look at this CSPM, CNAPP. Gartner keeps on changing the meaning and definition of all these things based on where the market goes. It's kind of fascinating. They kind of point, then they see the market, and they change it to make it fit. But either way, I think the CNAPP will become like CASB itself. It's not a market on its own. It is an important feature set that needs to be part of cloud security, workload security.
Our strategy is we come from workload communication with Zero Trust side, where we are differentiated, our customers understand the stuff, and essentially combine it with CNAPP and sell it as a bundled stuff. That's how we're going to market. We're getting good reception. We're closing good, good deals. I mentioned about some of those deals during the earnings call. That's how I see the market evolving.
The one other market that appears to be going through a little bit of an inflection in time is Data Loss Prevention. Your DLP products, you've had DLP products from very early on in the company.
Mm-hmm.
Last night, the scope of DLP and the types of DLP functionality that you're consolidating seem like they're going through an inflection. Would love for you to comment a little bit on what you're seeing in that market and how the TAM is evolving?
So DLP is an important part of cyber. At the end of the day, the bad guys want to come in, steal your data, and ask for either ransomware or steal it for IP and the like. We started out as secure web gateway with big focus on cyber protection. So every customer of Zscaler, ZIA, has pretty strong cyber protection. DLP has been a market which has been hard to deploy with false positives. Many CISOs I talk to would tell me, "I don't want to touch my Symantec one, too. It took me three years to deploy it, okay, and I'm okay with it." "And three years with Zscaler, your functionality is good, but not good enough for me to replace my Symantec." Okay. So but we have been gradually growing it about three, four years ago when we decided to enter into CASB market.
And then we said: We're going to make sure every function that Symantec has is done, and done in a better way in the cloud with workflow, automation, and all those things. That's what we built over the past 2, 3, 4 years to the degree now, we have been replacing Symantec's DLP product in some of the largest companies, which are very complex. So, so with that, about 18 months ago, I put a tiger team in place for DLP. Your job is go and really sell DLP, and that we sold actually in Zscaler installed base, okay? And that's really what the results you're seeing is, the result of a focused, natural effort. Also, DLP is becoming a bigger and bigger issue out there. We wanted to take advantage of that, that. And that's really what we've done.
It's a big opportunity, we still need to learn how to get more money out of our sales than we do. When I talk to a Fortune 500 company, CISO, I mean, they are still spending about $6-$10 million per year on maintenance of Symantec site. It's like, wow, that's a big opportunity! So I think you will not see another vendor coming in Zscaler install base. They got ZI and say, "I want a different security, DLP vendor." It just doesn't make sense. When traffic is going through you, you're inspecting, SSL and the like, you need to be the natural DLP provider, and that's what we are taking advantage of.
I appreciate your comment on a takeoff team within the sales force. I know you just had your sales kickoff late in August. What are some of the incremental changes that you're making to the sales force, whether it's takeoff teams, whether it's incentives on product market bundling? Would love to hear how you're thinking about priorities for sales force for fiscal 2024.
I can start, Remo if you want to.
Yeah.
There are no significant changes being made to go-to-market overall. One big thing is we have a lot more focus on channel. We are. Remember 5 years ago, I was saying we are getting very little lift from channel because channel love their boxes, okay? It is changing. We are getting more and more lift every year, but still a lot more lift needs to be done. So we hired, Karl, our new channel chief, about, he came on 3 or 4 months ago. He's taking more refinement, taking channel relation to the next level. We had just shy of 200 channel partners who attended our sales kickoff, which is supposed to be an internal event for the company. This is a big push. A number of new products.
So I kind of look at our offerings like the pharma company looks at its, its products, right? There's a cash cow product that's selling. There's a new one that just came out of the testing that I had to go to market, and the new in R&D being done. That's really how we look at our product offering. And we do a few tiger teams whose focus is to make sure the new area happens well, because you can't leave it with a big sales team without focus out there. So we don't do lots and lots of tiger teams, but data protection is one of the areas, cloud workload security, another area.
From an overall company perspective, our focus is growth. The market that we have is, as Jay mentioned, a $72 billion-plus, you know, market. This is very early stage. What I can say also, the momentum that we have going into fiscal 2024 is strong. Our pipeline is very strong. Our execution was also strong in Q4. The capacity, sales capacity that we have going into fiscal 2024 is stronger than the sales capacity that we had going into fiscal 2023. So what we're seeing is, we're seeing momentum, you know, currently related to basically the acceptance of, you know, Zero Trust in the market. And so it was a great sales kickoff.
From an incentive perspective, as Jay mentioned, you know, no real significant or any increase, any increased incentives for the sales organization, but for the takeoff team and also PM to drive these new emerging products, there are incentives that we have.
Raymond, your comment that the sales capacity is stronger into fiscal 2024 than it was into fiscal 2023, is that simply a function of the company being bigger and having more boots on the ground?
No, it's our focus, basically. You know, from my perspective, when we went into fiscal 2023, you know, our sales capacity, we felt, was in good position for fiscal 2023. As we've gone through fiscal 2024 and we're looking at the market, we felt that basically increasing that sales capacity, and we plan to keep on doing that as we go forward. Again, the key focus for Zscaler is driving growth. If you take a look at our operating profitability that we had in the fourth quarter, it was 18.8%. I mean, from my perspective, that's too high. I mean, for when we're a growth company, basically 18.8% at this stage, we need to focus more on growth.
The focus, basically, in the second half of fiscal 2023, we went through restructuring in mid-year, but we took out basically areas that we thought weren't efficient. But our focus still was basically to add sales capacity and really, you know, try to drive the growth of the company. As I mentioned, I think we're in great position, you know, to go forward. And again, from my perspective, what I've talked about, when you take a look at a SaaS model and you have high growth margins at 80%, you know, it just, even though your growth for new ACV growth percent decreases because you are, you know, getting bigger. That's a hockey stick, you know, type, you know, impact that you have basically on the growth of the company related to your ARR.
We're at that point, we're at that curve where, you know, we're seeing that hockey stick starting to increase. So from my perspective, invest in growth, manage the, you know, bottom line, manage, you know, our free cash flow. Our stated long-term range for operating profitability is 22%. And as I mentioned, we did 18.8% in Q4. Stated range for free cash flow is, you know, several points above operating profitability. We do have a headwind with free cash flow in fiscal 2024. We're significantly going to invest in our cloud infrastructure. The reason for that is for the demand that we're seeing, and we like to be ahead. In the last few years, our CapEx has been running at around 6% of revenue.
We expect it to be, you know, in the high single digit in fiscal 2024. I don't see that being the case in fiscal 2025. I see this as pretty much a one-time, you know, blip that we're gonna see in our CapEx. The headwind we're seeing in our CapEx in fiscal 2024 is 3%-4%, based on the increased investments that we're making in our cloud infrastructure.
Well, let me ask you this: at any given time in Zscaler's history, you'll have had emerging products that are ramping.
Mm-hmm.
What is different about this year that is driving an uptick in CapEx versus other years where you've had cloud infrastructure products ramping?
Yeah, we just took a, you know. Again, we're in good shape in prior years. We felt that basically with the increased AI, you know, capabilities, we felt that to get in front of it, you know, in fiscal 2024 is the right thing to do, and that's really the reason also to build for the increased demand that we're seeing.
What is an example of AI capabilities that-
Yeah.
Okay.
We, we got zillions and zillions of logs out there. Data is the new currency when it comes to AI, ML. Being able to leverage them, AI, ML, gives us a lot of capabilities to do so, okay? Those are the kind of factors we are putting in. And also from cloud growth point of view, I tell my cloud infrastructure team there should never be any capacity issues in my data center. "Go and invest whatever you need to invest." So that's why if you, even if you look at, Remo has always said our CapEx will be in the high single digits, but it has never been high single digits, okay? So we are, we are planning conservatively. We may be somewhat higher up, but don't really think that it could end up being way higher than you would think.
I'd rather say prudent than conservative. Okay. So, but, no, I mean, if you take a look at our history, basically, in guiding, we try to, we try to, you know, be very prudent with our guidance. I made a comment on the call that we expect our, you know, free cash flow to be above 20% in fiscal 2024. I expect it to be above what it was in fiscal 2023. And again, I feel that's prudent guidance. Not using the word conservative, just prudent guidance. But, you know, we are well positioned to go forward and certainly to meet our, you know, operating profitability, free cash flow goals. And really, when you take a look at the leverage, you know, you know, where's the leverage in the model?
If you take a look at R&D, we're gonna run it in the 14%-15% range. The reason we're able to do it at that level is because a significant portion, the majority of our R&D staff is in India, much lower cost. If you take a look at G&A, we're running about 6%. Not many companies our size are running 6%. How do we do that? Well, I can tell you from the finance perspective, 80% of our staff is in India, so we run finance at 2.3%, which is probably the lowest in you know in the industry. That's why we're able to keep... So where does the leverage come? As long as you keep your up, as long as you keep your gross margin at that 80% range- Yeah.
If you take a look at Zscaler, 320 billion transactions. When I started 6 years ago, or 6.5 years ago, you know, how is it gonna scale? You know, is it gonna hit basically a roadblock? Yeah. Is there gonna be pressure on the gross margin? I can tell you there's not. Right. We've constantly been running our gross margin at that 80% range. Stated range, 78%-82%. The, when the emerging products, because we focus getting the emerging products into the market and focusing on features, basically that's in public cloud, which carries lower gross margin. We can move those products onto our cloud. We can do software optimization, but that focuses R&D efforts in an area that we feel is not necessary. Get the product out, build the features, and build our market share.
If we see our gross margins starting to decline at all, and we, we monitor our gross margins to review them on a monthly basis, we'll adjust. So again, stated range, 78%-82%. As long as we stay in that range, we're good. And again, the scale of the cloud at 320 billion transactions, 10x of where it was when I started. 10x of where it was when I started, and still we're not seeing the effect. That is basically the value of the technology and the platform that we created, that we feel nobody in the world has.
I want to stay on this idea of conservatism and thoughtfulness in the guide. You have this slide in your earnings presentation showing the macro and then what you've done to navigate the macro, things like CFO-ready business use cases.
Mm-hmm.
And so if I look back at your track record over the past year, and even as a public company... You've been very consistent in outperforming.
Mm-hmm.
Even in a year when macro has been volatile. And so as we think through where you've set the bar for fiscal 2024, is there any reason why you wouldn't be able to outperform to the same degree as you have in the past, given that you've already worked to put in place processes to navigate a more challenging macro?
The numbers are getting bigger. So when you get numbers bigger-
Fair, yeah.
Yeah. I mean, just scale. You know, we're a $2 billion revenue company. That's our projections for fiscal 2024. Never say never, right? But, you know, again, our view is we want to be prudent with our guidance. You know, we go through a very thorough review, you know, how we do our guidance on a quarterly, annual basis. I, you know, Gabriela, let's just see where the market takes us. You know, let's see where it goes. What I can say also, you know, one of the areas that we... I don't think we talked about on the earnings call, but federal could be a very large market for us. We're in 12 of the 15 cabinet agencies currently. It is very early stage.
Not only federal, but also just government, whether it's SLED or international. Our certifications are, you know, there's a handful of companies that have the type of certifications that we have. Not security companies, just, you know, technology companies. So we're well-positioned. Let's let things play through. I wouldn't expect large beats because the numbers are getting bigger. But as I mentioned, we're well positioned going into fiscal 2024. The backdrop, you know, cautionary backdrop, it's the global macro environment. Who knows? Things can change. You know, it changed last year, you know, in our first quarter or October quarter, January quarter. It changed for all technology companies. Everybody saw it. So that's the one wild card that, you know, we can only can't control what we can control.
What we can control is basically our execution, our development, and basically driving value for our shareholders. How things play through with the global macro, those are gonna be, you know, swings that may happen. We can't call it. That's the only cautionary. Pipeline's strong, execution is strong, we're well positioned. We have more capacity going into fiscal 2024, but we'll see how things play through. We feel in good position.
Yeah, one comment I'll make here is the following. When we have internal discussions, okay, my mindset is, I look at the results and man, wonderful, we went from $1 billion ARR to $2 billion in seven quarters. Why can't we double it again in the next seven quarters? And my statements go to market and say, "Hold on, there's bigger numbers." Okay. But the market is there, we can execute. So we are focused on growth. Foundational fundamentals are good, so we're pretty bullish about it. Regarding economy, I mean, none of us have a crystal ball, but with hundreds and hundreds of calls I have with CXOs, I am clearly sensing slightly reduced focus on this scrutiny for deals, okay? It's getting... I'm not ready to declare it good, but it's feeling directionally better.
That there's a fair amount of optimism that we see, and maybe it's from our customers, because our customers want cyber, our customers want cost savings, and we've shown that. We are one of the very few cyber companies that actually save money. We take out a number of products. That's really what gives us a lot of confidence, and we'll keep on executing with focus. The market is growing, expanding. The other thing that surprises me is the brand has gotten so strong in the past, especially in the past two, three years. I saw a big change when we went public, and then it getting better, but now it's just amazing.
Where I go to some of these conferences, 3, 4 years ago, I would seek out people, and now they want to seek out and talk to us, whether it's customers or whatever the case may be. And I think it has also to do with the customer satisfaction is so good. I went through some numbers. I found that there are about 200 CXOs who actually gone from job A to job B and recommended Zscaler. The number—It's impressive. These are large company. I'm not talking about small company. Then I said, "Let's look at how many of them have taken us to three companies." Okay, that number sat around in the high 80s. This was my own connection, things I know, and this data may not be complete. Then I look at how many have taken us to more than 4 companies.
The number was about 40 of them, okay? It tells you that customers like our stuff, it is got good. That's why our, our churn is so small. Happy, great customers, great platform, opportunity to do upsell is there, and when they go to new places, they, they call us. This is what makes me feel good.
Fantastic. Thank you both for your time. We'll leave it here.
Thank you.
Thank you. Appreciate the opportunity.
Great.