Table of Contents

• a. Zscaler 101

  • b. Demand

  • c. Profits & Margins

  • d. Guidance & Valuation

  • e. Call & Release

    • GenAI Opportunity – Securing AI Apps:

    • GenAI Opportunity – Its Own GenAI Products:

    • Data Security Product Updates:

    • Product Innovation Traction, Wins & Secular Tailwi …

    • Go-to-Market Overhaul Progress:

  • f. Take

a. Zscaler 101

Zscaler is a large player in network security. It competes with Palo Alto’s next-gen suite, Cloudflare and many others. Zscaler’s Zero Trust Exchange (ZTE) is its latest and greatest cloud security approach. It blazes a trail between users, apps and devices across eligible networks while securing data at rest and in motion. Zero Trust is exactly what it sounds like: never trusting a device or end user. The exchange vets and verifies all traffic as it moves within a company’s perimeter. It does not allow bad actors to breach the most vulnerable piece of infrastructure and freely move about it thereafter, without any subsequent verification. That’s called “lateral threat movement.” Zscaler uses risk scores to assess needed levels of security for requests. That makes sure it’s only creating user friction when there’s actual security concern.

This Zero Trust approach routinely cuts infrastructure costs for customers. How? By shrinking the attack surface down to grant permission to one app one user and one piece of traffic at a time. Permissions are based on client policy.

ZTE replaces an antiquated firewall and virtual private network (VPN) based philosophy in which every device & user within a perimeter gets perpetual and unconditional access. So? Zero Trust is safer, cheaper AND allows remote employees to responsibly work from anywhere.

Zscaler Network Security Definitions:

• Zscaler Internet Access (ZIA) (original product) protects internet connections. It’s the middleman between a user and a network that ensures proper authorization & access.

• Zscaler Private Access (ZPA) offers remote access to internal apps. This is an upgraded VPN by “connecting directly to required resources without public exposure,” per Zscaler filings.

• Zscaler Digital Experience (ZDX) (newest out of ZIA, ZPA and ZDX) ensures high quality and always-on performance of cloud apps. It sifts through networks to identify sources holding back performance to be fixed.

• Zscaler for Users is the firm’s platform bundle that combines ZIA, ZPA and ZDX.

  • It’s now repurposing these products to expand into Zscaler for Workloads, Zscaler for the Internet of Things (IoT) etc.

• Unified Vulnerability Management (from its Avalor purchase). This offers a birds-eye-view to tag, assess and remediate vulnerabilities across all cloud environments and assets. It prioritizes all vulnerabilities and offers best course of action for remediation.

• Zero Trust Segmentation localizes and separates networks. This treats individual stores/factories/buildings as secure islands to prevent open sharing across locations. That lowers the risk of lateral threat movement and is a key part of ZS’s branch security offering. To expand its presence here, it purchased Airgap Networks for its location-level network security tools.

Zscaler GenAI Product Definitions: 

• Risk360 flags vulnerabilities and offers end-to-end risk quantification with intuitive next steps for remediation.

• Business Insights: Broad visibility into app usage, costs, needs and engagement. This helps minimize unneeded apps and licenses.

• ZDX Copilot is its GenAI assistant designed to detect and resolve network performance issues on its own.

Zscaler Data Product Definitions:

• Data security posture management (DSPM) is its tool for granularly tagging, organizing and protecting cloud-native data. 

• Data Loss Prevention (DLP) is its tool for guarding clients against data leakage or theft. This works for email, cloud, web, endpoints and more.

• Zscaler’s “emerging products” are all products outside of the Zscaler for Users umbrella.

More Sector-level Definitions:

• Secure Access Service Edge (SASE) provides an overarching suite of network security tools. Zscaler’s ZTE is considered a SASE-based platform. It provides access to users regardless of where they’re working.

• Virtual Private Cloud (VPC): These are subsections of public cloud environments. They offer users more autonomy with their network and apps. They also allow for secure connections between cloud and self-hosted (on-premise) environments with no public network exposure. This is especially key for highly regulated industries.

• Virtual Desktop Infrastructure (VDI): Allows software to be accessed on remote devices. Zscaler’s Zero Trust Exchange ensures this is done safely and securely.

• Software-Defined Wide Area Networks (SD-Wan): Digital manager of network connectivity. It splits network hardware and software-based control. This cuts hardware and network costs, streamlines management & augments protection. This replaces Multiprotocol Label Switching (MPLS).

  • Software-based management paired with Zscaler’s Zero Trust approach allows for seamless connection to remote branches, contractors and data centers.

• Firewall is a legacy form of network security that uses a fixed set of rules to authorize outbound and inbound traffic.

b. Demand

• Beat revenue estimates by 3.5% & beat guidance by 3.8%.

• Beat billings estimates by 2.5% & beat growth guidance.

• Slightly missed 115% net revenue retention (NRR) estimates with 114% NRR. Zscaler is landing larger with non-public sector clients, which is continuing to hold back this metric. Landing larger means fewer up-selling opportunities down the road.

• Slightly missed $1 million+ annual recurring revenue (ARR) client estimates by 0.3%. On the call, leadership told us to expect strong $1 million and $5 million customer growth over the coming quarters.

As discussed last quarter, Zscaler signs 3-year contracts with customers. Macro headwinds during this past cycle were strongest over the first half of 2022 and the first half of 2023. Meaning? That weakness is currently being reflected in its scheduled, contracted billings growth. Macro headwinds abated during the second halves of both 2022 and 2023, which is why it guided to 7% billings growth during the first half of this year and 23% growth during the second half. Based on this context, 13% Y/Y growth was strong and better than sell-side expectations. This was related to outperformance in non-scheduled billings.

It’s always uncomfortable to bank on future accelerations to meet guidance. In this case, however, its forecast is not related to optimism or aggression, but observed data. Zscaler’s billings contracts are non-cancelable; it’s basing its second half optimism on already scheduled and signed business and pipeline conversion strength. For more optimism surrounding forward-looking demand, bookings rose faster than 30% Y/Y.

c. Profits & Margins

• Beat 80.6% gross profit margin (GPM) estimates by 40 basis points (bps; 1 basis point = 0.01%) and beat guidance by 60 bps.

• Beat FCF estimates by 44%.

• Beat EBIT estimates by 15% & beat guidance by 16.6%.

  • Operating expenses (OpEx) rose by 19% Y/Y vs. 26% Y/Y growth last quarter.

• Beat -$36 million GAAP EBIT estimates by $5.3 million

• Beat $0.64 EPS estimates by $0.13 & beat guidance by $0.14.

In the midst of rolling out several new products, Zscaler is optimizing for time-to-market and innovation, rather than input costs. This is leading to GPM headwinds, which will persist for the time being. It will eventually revisit all of this work to extract as much gross margin from the revenue as it can. Current headwind… future tailwind.

d. Guidance & Valuation

Subscribe to our premium content to read the rest.