Table of Contents
- a. Zscaler 101
- b. A Quick Reminder & Key Points
- c. Demand
- d. Profits & Margins
- e. Balance Sheet
- f. Guidance & Valuation
- g. Call & Release
- h. Take
a. Zscaler 101
Zscaler is a large player in network security. It competes with Palo Alto’s next-gen suite, Cloudflare and many others. Zscaler’s Zero Trust Exchange (ZTE) is its overarching, cloud-native security platform. It blazes a trail between users, apps and devices across eligible networks, while securing data at rest and in motion. Zero Trust is exactly what it sounds like: never trusting a device or end user. The exchange vets and verifies all traffic as it moves within a company’s perimeter. It doesn’t allow bad actors to breach infrastructure weak spots and gain free access to everything else thereafter. That’s called “lateral threat movement.” It never trusts (as the name indicates) and constantly verifies. Zscaler uses risk scores to assess needed levels of security for requests. That makes sure it’s only creating user friction when there’s an actual security concern. This Zero Trust approach routinely cuts infrastructure costs for customers by shrinking the attack surface and granting more granular permissions.
ZTE replaces an antiquated firewall and virtual private network (VPN) setup in which fixed rules determine entry into the firewall-protected environment. Once that entry is granted, every device & user within a perimeter gets perpetual and unconditional access. I think it’s clear to see how that could be more problematic than ZTE’s approach.
Zscaler Network Security Products:
- Zscaler Internet Access (ZIA) protects internet connections. It’s the middleman between a user and a network that ensures proper authorization & access.
- ZIA routinely displaces legacy secure web gateways (SWGs) and firewalls.
- Zscaler Private Access (ZPA) offers remote access to internal apps. This upgrades VPN utility by “connecting directly to required resources without public exposure,” per Zscaler filings.
- Zscaler Digital Experience (ZDX) ensures high quality and always-on performance of cloud apps. It sifts through networks to identify sources holding back productivity to be fixed.
- This includes application performance monitoring, some endpoint monitoring tools and more.
- Zscaler for Users is the firm’s bundle that combines ZIA, ZPA and ZDX.
For newer network products, Zero Trust Segmentation localizes and separates networks. This treats individual stores/factories/buildings as secure islands to prevent open sharing across locations. Branch security treats every single company location as its own island or network to shrink the attack surface. These “islands” are connected only when needed. Branch security and segmentation work very closely together to lower the risk of lateral threat movement.
Key Zscaler Network Performance Products:
- Virtual Desktop Infrastructure (VDI): Allows software to be accessed on remote devices. ZTE ensures this is done safely and securely.
- Software-Defined Wide Area Networks (SD-WAN): Digital manager of network connectivity. It splits network hardware and software-based control. This cuts hardware and network costs, streamlines management & augments protection. This replaces Multiprotocol Label Switching (MPLS).
- ZS’s SD-WAN offering is zero trust-based.
- Software-based management paired with Zscaler’s Zero Trust approach allows for seamless connection to remote branches, contractors and data centers.
- Virtual Private Cloud (VPC): These are subsections of public cloud environments. They offer users more autonomy with their network and apps. They also allow for secure connections between cloud and self-hosted (on-premise) environments with no public network exposure. This is especially key for highly regulated industries.
Network Security + Network Performance:
Secure Access Service Edge (SASE) provides an overarching, bundled suite of network security and performance tools. Secure Service Edge (SSE) is the security component of SASE.
Security Operations (SecOps) & IT Operations (ITOps) Products:
- Unified Vulnerability Management (UVM). This offers a bird’s-eye view to tag, assess and remediate vulnerabilities across all cloud environments and assets. It ranks all issues, prioritizes pressing items and offers the best course of action for remediation.
- Part of SecOps
- Risk360 flags vulnerabilities and offers end-to-end risk quantification with intuitive next steps for remediation.
- Part of SecOps
- Business Insights: Broad visibility into app usage, costs, needs and engagement. This helps minimize unneeded apps and licenses.
- Part of SecOps
- ZDX Copilot is its GenAI assistant designed to detect and resolve network performance issues on its own.
- Part of ITOps.
Pure Cloud Security Offerings (could call most of its product suite “cloud security”):
Zscaler also offers configuration analysis and cloud workload protection products.
Key Zscaler Data Products:
- Data security posture management (DSPM) granularly tags, organizes and protects cloud-native data.
- Data Loss Prevention (DLP) guards clients against data leakage or theft. This works for email, cloud, web, endpoints and more.
- Data Fabric for security is how Zscaler collects and combines needed context from 1st and 3rd party sources. This improves overarching security visibility to ensure proper hygiene, strong risk management and timely remediation.
- Its unified suite of data products is called Zscaler Data Everywhere.
Zscaler offers data security across endpoints, email, web, GenAI apps, legacy software and so much more. This is an important newer company priority. If it’s already protecting so much of the world’s network traffic… and if it already collects and leverages all of this data (structured and unstructured) in its massive, scalable security data lake… that gives it a head start on using this lucrative insight to offer more products.
Tying it all together:
Zero Trust Everywhere is the latest and greatest iteration and branding of its Zero Trust Exchange. It includes all products within Zscaler for Users, all cloud security offerings and the Zero Trust Branch product. It features a communicative focus on holistic, complete coverage. Like Palo Alto with “Platformization,” as well as CrowdStrike and most cybersecurity firms in various parts of the sector, Zscaler is reorganizing its offering to drive easier platform-level adoption. In turn, that means better data sharing, better outcomes, lower costs and loyal customers more reliant on your bundle.
b. A Quick Reminder & Key Points
As discussed for the last 9 months, Zscaler signs 3-year contracts with customers. Macro headwinds during this past cycle were strongest over the first half of 2022 and the first half of 2023. Meaning? That weakness was reflected in its scheduled, contracted billings growth during Q1 and Q2. Macro headwinds abated during the second halves of both 2022 and 2023, which is why it guided to 7% billings growth during the first half of this year and 23% growth during the second half. As you’ll see below, it executed. And? That shouldn’t be a surprise. It’s always uncomfortable to bank on future accelerations to meet guidance. In this case, however, its forecast was not related to optimism or aggression, but observed data. Zscaler’s billings contracts are non-cancelable; it rightfully based its second half optimism on already signed business and pipeline conversion strength.
c. Demand
- Beat revenue estimate by 1.7% & beat guidance by 1.8%.
- Beat billings estimate by 3.1%.
- Beat $1M+ ARR customer estimate by 0.3% (642 vs. 640 expected).
- Missed $100,000+ ARR customer estimate by 1% (3,363 vs. 3,410 expected).
- ARR rose 23% Y/Y to roughly $2.9B.
- Beat remaining performance obligation (RPO) estimate by 4.1%.
- Net revenue retention (NRR) missed 115% estimates by a point. This was related to landing larger initial deals with customers. Great reason for a miss.
Demand performance was rightfully praised by analysts on the call. Sales productivity continued to rise, as Zscaler’s selling changes have worked more expediently than for others like SentinelOne. Bookings crossed $1B for Q3 for the very first time and new client momentum resulted in phenomenal 40% Y/Y annual contract value (ACV) growth. And as leadership told us to expect all year, scheduled billings growth recovered to the low-20% range. Additionally, outperforming unscheduled billings growth came in at 28% Y/Y.


d. Profits & Margins
- Met GPM estimate.
- Beat EBIT estimate by 3.7% & beat guidance by 4.0%.
- Beat EPS estimate by $0.08 & beat guidance by $0.085.
- Beat -$0.14 GAAP EPS estimate by $0.11.
- Beat FCF estimate by 3.5%.
Zscaler’s team has been clearly communicating their present focus on pace of product introduction. They are not prioritizing margin optimization for all of these new offerings, and are confident they can do that work over time.


e. Balance Sheet
- $3B in cash & equivalents.
- 0.5% Y/Y share dilution.
- No traditional debt.
- $1.15B in convertible senior notes.
f. Guidance & Valuation
- Raised annual billings guidance by 0.8%. The amount of the annual raise was $2.3M larger than the Q3 beat, implying improved Q4 expectations.
- Slightly raised Q4 revenue guidance by 0.1%, which slightly missed estimates by 0.1%. Rounding errors.
- Raised Q4 EBIT guidance by 1.1%, which slightly beat estimates by 0.3%.
- Raised $0.76 Q4 EPS guidance by $0.025, which beat estimates by $0.015.
- Reiterated at least $3B in ARR for the year.


g. Call & Release
M&A, an Expanding Platform & the Security Operations Center (SOC):
Zscaler is buying Red Canary for $675M in cash and some equity compensation. Estimates for the overall deal value range from $800M to $1B. Red Canary is a well-established managed detection and response (MDR) vendor. This means it handles vulnerability and breach detection, as well as helping with remediation. The company deploys a blend of security analysts and AI to accomplish this as a needed way for clients with finite security budgets to be covered without exploding costs. With the deal, Zscaler also gets an injection of threat intelligence talent and what it calls “sophisticated agentic AI tech for reasoning and workflows.” Red Canary is an MDR leader per Forrester and has lofty Gartner peer review scores.
Perhaps most importantly, MDR gives Zscaler a vital missing ingredient it thinks it needs to be a client’s Security Operations Center (SOC). A SOC is essentially an aggregated hub of security coverage for all needed assets in one place. It relies heavily on 3 things. The first two are great security software, which ZTE provides, and scalable, organized, non-siloed access to information, which its data lake provides.
IT operations (ZDX Copilot) paired with SecOps (Risk360, Business Insights and UVM) is the third ingredient. Zscaler already had some offerings here, but it was missing MDR. Red Canary’s MDR product is the final piece of the SecOps puzzle, as it removes the talent bottleneck that countless Zscaler clients face when trying to fully cover their enterprises. With Red Canary, ZS will “accelerate time to having a comprehensive SOC solution by 12-18 months.” And fortunately (not coincidentally), Red Canary also has a veteran go-to-market team that “knows SOC buyer personas and can act as a specialist team to partner closely with the larger go-to-market engine.” In my opinion, this is an excellent purchase. Winning that SOC status with customers means heavier reliance on Zscaler, more product uptake, higher retention rates and faster growth. It’s important.
And while Zscaler still needs to integrate Red Canary to have the holistic SOC offering it desires, SecOps momentum is already strong. Annual contract value (ACV) for the bucket rose by more than 120% Y/Y.
“By combining Zscaler’s high-volume and high-quality data with Red Canary's domain expertise in MDR, Zscaler will accelerate its vision to deliver AI-powered security operations.” – Presentation
More on Platform-Wide Adoption:
Zero Trust Everywhere customers rose 60% Q/Q to 210, as momentum for this product messaging is quite strong early on. This continues to deliver a 200% return on investment (ROI) for a subset of customers and displace the need for several legacy network tools. Simply put, ZTE is a powerful vendor consolidator, a capable cross-selling tool, an impactful retention tool, and, more generally speaking, an instrumental piece of platform-wide product adoption.
For signs of new product momentum, its 3 emerging growth categories crossed $1B in annual recurring revenue (about 35% of total) and comfortably outpaced overall company growth. As a reminder, these three categories are:
- Zero Trust Everywhere.
- Data Security Everywhere (unified suite of its data products)
- Agentic Operations, which include all SecOps and ITOps products.
Within Zero Trust Everywhere, Zero Trust Branch was purchased by 59% of new customers, showing how quickly it can turn launches into revenue. Most of these logos are starting small and offer large upsell opportunities.
“Frankly, the degree of interest the customers have taken in this area has exceeded my expectations.” – Founder/CEO Jay Chaudhry
For security and IT operations, UVM + Data Fabric management won them a 7-figure deal for 400,000 client assets. ZDX Copilot has also fostered 70% growth in ZDX Advanced Plus bookings since its launch 13 months ago.
Pertaining to data, its Data Fabric suite was a key contributor for a Fortune 100 new logo and a Fortune 50 upsell, which raised annual spend for a large automaker by 50% Y/Y (well into 8 figures). They now use 6 of ZS’s 8 data modules. Its GenAI data security product netted a Global 2,000 company, a leading fleet management firm and a federal customer. To keep momentum revving, it is expanding its GenAI public app product to private apps and adding coverage for malicious prompt injection (deliberately feeding a model crafted input to manipulate its behavior).
Platforms Win the Big Boys:
Evidence of being a true platform can be seen in large client momentum. Aside from the $1M+ ARR client beat, 45% of Fortune 500 members are ZS customers vs. about 40% Y/Y. T-Mobile was a key win during the quarter, as it’s modernizing its entire ecosystem with the help of ZTE. Other notable wins this quarter included a 7-figure big bank deal. The client displaced several legacy vendors with Zero Trust for Users and cloud workload protection after initially trusting Zscaler to secure its apps. I guess they were pleased.
“While legacy vendors are attempting to cobble together disjointed point products and calling it a platform, we are constantly expanding our core Zero Trust Exchange by integrating new functionality to solve more and more of our customers' security concerns.” – Founder/CEO Jay Chaudhry
Why a Scaled Platform Creates Competitive Differentiation:
We talk about this all the time. Apps and models are only as good as the data they’re trained on. Zscaler sees 500B transactions and processes 20 petabytes of data per day. Great products got them here… and now this traction spins a compelling flywheel. Leading network and cloud security scale means leading access to data to keep driving more product improvements and new introductions. That process naturally attracts more customers, while a larger product suite means bigger, stickier contracts. In turn, this means even more data to keep the engine humming.
Tweaked Go-To-Market to Unleash More Platform-Wide Adoption:
Zscaler is tweaking go-to-market in the exact same way CrowdStrike did. They’re not even hiding it either, as they’re calling the new selling motion “Z-Flex.” CrowdStrike’s design is called Falcon Flex. And while I find this funny, I also think it’s a great decision. CrowdStrike has proven that Falcon Flex can be a powerful enabler of giant deals. It’s the right decision to emulate this approach.
Z-Flex enables flexible usage of contractual commitments, with an ability to front or back-load usage if needs change. It’s easy to swap which models a client is using, making it simple for them to experiment and learn about the other utility Zscaler’s platform provides. This can now happen without a formal procurement process every time a customer wants to change something. Z-Flex offers the same volume-based discounts that Falcon Flex does, as well as full-service deployment and support. It has already netted a $6M upsell to a $13M per year client, which expanded usage of 12 modules and added 8 more modules. This was one of two Fortune 500 wins for Z-Flex during the quarter, which, all in all, already has $65M in bookings just a few weeks into launching.
This is one of the reasons why billings disclosures will be replaced with annual recurring revenue (ARR) disclosures starting next year. Flex is changing billings patterns and making that a less reliable indicator for growth, as quarterly usage is less tied to annualized demand.
“So the Z-Flex program came out of our customers' desire to buy more, but not having to go through negotiations and procurement every time.” – Founder/CEO Jay Chaudhry
AWS:
Zscaler was added to AWS’s Marketplace for the U.S. Intelligence Community (ICMP). This unlocks access to significantly more public sector opportunities that funnel through AWS’s ecosystem.
Leadership:
Zscaler named Kevin Rubin as their new CFO. He’s a veteran executive who has been a CFO since 2005. He led companies to successful exits and, most notably, was Alteryx’s CFO for 9 years.
“I firmly believe his recent eight-year tenure as a CFO of a data analytics company will be crucial to Zscaler in our next phase of growth, which will be driven in large part by the combination of Zero Trust and AI security.” – Founder/CEO Jay Chaudhry
Zscaler also added Raj Judge to its board and named him as its new EVP of Corporate Strategy and Ventures. He was at Wilson, Sonsini, Goodrich & Rosati, a world-renowned law firm, for over 30 years.
Macro:
Zscaler did not see any demand softening in April like SentinelOne cited last night. Although they’re not direct competitors in most places, they do experience the same structural tailwinds. Zscaler’s relative resilience is a byproduct of excellent software that lowers total cost of ownership and thriving go-to-market. Both of those things are needed.
Zscaler has been quite proactive in focusing on cost reduction messaging for customers considering a migration. Cost reductions aren’t just popular in times of uncertainty… they’re especially popular. Customer deal scrutiny didn’t improve (or worsen) quarter over quarter; Zscaler simply overcame stable headwinds better than others could.
h. Take
Very good quarter. Everything here looks good and Zscaler is not seeing the same ramping macro headwinds SentinelOne cited last night. Simply put, I think that has a lot to do with better execution. Zscaler is driving impactful product innovation and effectively selling it. It’s greatly expanding its overall opportunity through ZTE extensions, cloud security, data security and its push to be a client’s core SOC. I don’t really worry about this holding often. It’s a wonderfully boring compounder in a wildly compelling space where it just keeps taking more market share. The multiple is getting a bit stretched, but I’m not quite ready to trim and take any profits at this stage. I’ll keep you posted in real-time, as always.
Zscaler has a product event next week and a few investor conference interviews. I’m excited to cover it all.