Investing analysis of the software companies that power next generation digital businesses

Zscaler (ZS) Q4 FY2022 Earnings Report

Zscaler delivered an impressive earnings report to cap off their fiscal year, demonstrating their ability to capitalize on strong demand for their leading Zero Trust solution. Coming into the report, investors were concerned about decelerating billings, worsening operating leverage and the need to provide an out of cycle fiscal year guide. Additionally, competitors like Palo Alto and Cloudflare had been increasingly vocal about customer wins. None of these factors appeared to impact the Q4 report, however, with Zscaler re-accelerating billings growth and highlighting several enormous enterprise and federal customer lands.

I had shared similar concerns and gradually reduced my allocation to Zscaler stock over the course of this year. Based on the Q4 results, this move appears to have been premature. While I still wonder about the longer term play for Zscaler, in the immediate term, they are feasting on the heightened demand environment for Zero Trust, as large enterprises and government agencies scramble to upgrade their network security. In this post, I’ll dig into the details from Zscaler’s quarter, revisit their product strategy and consider the path forward.

Audio Version
View all Podcast Episodes and Subscribe

First, let’s step back to review the situation coming into the Q4 report (July 31st end). I had outlined a few concerns regarding Zscaler’s performance this year. In my review of Zscaler’s Q3 earnings, I had shared “Zscaler delivered a strong Q3 report in late May, but a couple of trends surfaced that give me concern about the durability of their growth going into the next year.” These revolved around the trend of billings, the need to provide next fiscal year guidance in an off-calendar cycle, operating leverage and potential competition. The first three of these concerns reversed or didn’t surface in the Q4 report.

For the fourth, while competition is increasing, it doesn’t appear to be affecting Zscaler’s results at this point. This could be a case of a strong demand environment favoring all participants (the rising tide metaphor). Both Palo Alto and Cloudflare reported strong demand for Zero Trust solutions as well. In any case, Zscaler is clearly capitalizing on the current environment and their position in the market. As I will discuss later, I still don’t see a broader product vision that will sustain their elevated growth when the metaphorical tide recedes, but that may be irrelevant for several years to come.

Billings

Going back to Zscaler’s Q3 report, they delivered another quarter of strong annual revenue growth at 63%, but the rate of calculated billings growth was decelerating. Yet, management continued to highlight billings as the primary indicator for future revenue growth (fast forward to Q4 and we now see why). The annual growth rate in billings had been dropping since Q1 (Oct 2021 end), when it was 71%. In Q2, the growth rate decreased to 59% and then 54% in Q3. From Q2 to Q3, the total billings dollar amount declined sequentially by 6%. For the full year, the calculated billings estimate was for 52.8% growth, which implied the Q4 billings growth rate would drop further.

Zscaler Q3 FY2022 Investor Presentation

This trend was offset in Q3 by strong RPO growth of 83% and deferred revenue up 65%, which were both higher than revenue growth. While management doesn’t favor these metrics as much as billings, they provided support for the revenue outperformance in Q4.

Off-Cycle Full Year Estimate

Given the softer billings trend and management’s insistence to use that as a primary future growth indicator, I thought Zscaler had a risky set-up for their Q4 report (July end). Because they have an off-cycle fiscal year, they were in the unique position of having to forecast next fiscal year’s revenue in what is now a difficult environment. Based on the trajectory of billings growth and likely conservatism, I worried the preliminary revenue growth target could drop into the 30% range.

Operating Leverage

The other issue that surfaced over the prior few quarters was a stalling of Zscaler’s continued improvement of operating margin and FCF margin. Non-GAAP operating margin was 9% in Q3, which was down from 13% in the prior year. FCF margin was 15%, down from 32% in the prior year. There are some explanations for this behavior, but the trend generated at least one analyst question on the Q3 call. Also, operating expenses grew by 71% year/year in Q3, which was faster than revenue growth at 63%, implying further deterioration in operating leverage. As I’ll discuss, in the actual Q4 report, that trend reversed, propelling Zscaler far above the coveted “Rule of 40”.

Competition

While these factors could be construed as nit-picks on otherwise strong financials, my larger concern was around emerging competition and Zscaler’s pace of product innovation. They enjoy a defensible position in SSE (Zero Trust/SASE networks) for now, but I don’t see evidence of other product markets for expansion from here. While this is easy to discount today, expansion into adjacent product markets often becomes a critical driver to maintain high growth in the future.

For several years, Zscaler was the only provider in Gartner’s Leader’s quadrant for Secure Web Gateway. Now, Gartner has redefined Zscaler’s category as Security Service Edge (SSE) to more accurately reflect the latest expectations for a network-based Zero Trust solution that includes secure web gateway (SWG), cloud access security broker (CASB) and Zero Trust network access (ZTNA).

With the new definition, published in February 2022, Zscaler now shares the leader’s quadrant with Netskope and McAfee. Palo Alto Networks is also close on the Ability to Execute axis. This represents a pretty large shift in the competitive landscape. While Gartner did combine some categories, it highlights the encroachment from competitors. If anything, customers have more options to consider. Zscaler is still winning large deals as we heard in the Q4 report, but it’s likely that they will have to compete more frequently going forward. As I will discuss later, Palo Alto’s CEO made some aggressive predictions in their quarterly report about their intent to actively compete for more deals with Zscaler in Zero Trust over the next year.

With that review of conditions prior to the quarterly report, let’s see how Zscaler actually performed in Q4.

Growth Metrics

Q4 revenue was $318.1M, up 61.4% y/y and 10.9% sequentially. This beat analyst expectations for $305.5M or 55.1% annual growth by 630 bps. It also surpassed the company’s own guidance from Q3 for $304M-$306M (or 54.7% annual and 6.3% sequential growth), by about $13M at the midpoint. The Q4 growth rate is down slightly from Q3’s 63.1% annual and 12.2% sequential growth.

Zscaler IR Presentation, September 2022

For the next quarter (Q1 FY2023), Zscaler estimates revenue of $339M-$341M, which would represent annual growth of 47.2% at the midpoint or 6.9% sequentially. For Q4, Zscaler beat their prior estimate by $13M or 6.7% of annual growth. This implies that Q1 annual growth will land around 53%-54%, assuming the same relative beat. Sequential growth would hit about 11%. Going back to Q1 FY2022, Zscaler estimated $211M in revenue and delivered $231M, for an enormous beat of about 15% of annual revenue. So, greater outperformance is possible, but if we assume the current pace of beats, then Q1 could represent about 7% of annual growth deceleration.

As part of this report, Zscaler set annual revenue guidance for the next fiscal year (FY2023). Their preliminary estimate is for $1.49B-$1.50B, or 37.2% y/y growth. On the surface, that would represent significant deceleration from the annual growth rate in FY2022 of 62.1%. However, we need to keep in mind that in Q4 FY2021, Zscaler set a preliminary annual growth target for FY2022 of $945M at the midpoint for 40.4% annual growth. Through subsequent beat and raise cadence, they outperformed their estimate by 21.7%. This implies that FY2023 could end as high as 58.9% growth.

This puts investors in an interesting quandary. If Zscaler delivers the same beat and raise cadence in FY2023, then growth linearity looks great. Billings, deferred revenue and RPO provide some input. For Q4, billings jumped significantly to $520M, squashing concerns about billings growth deceleration. This increased an amazing 50% sequentially and 57% annually. Deferred revenue was $1.02B as of July 31, 2022, representing an increase of 62% y/y. RPO grew 68% year/year to $2.607 billion. Current RPO is 49% of total RPO or $1.28B. This means Zscaler already has commitments for 86% of their revenue target for FY2023. It seems that they should be able to generate an additional $215M+ in revenue from new sales this year to close and then pass the preliminary annual revenue estimate.

Zscaler IR Presentation, September 2022

For the full year, calculated billings is estimated to be $1.92B to $1.94B, which represents growth of 30.3% y/y. While this sounds low, if we go back to Q4FY2021, the initial guide for billings in FY2022 was $1.24B or 32.8% growth. The actual value was $1.481B, representing 59% growth. With the same outperformance this year, billings growth could reach 56% as the year progresses. Again, this assumes that the outperformance pace each quarter last year will be repeated this year. On the earnings call, management did discuss how they are purposely conservative because enterprise customers haven’t set their FY2023 IT budgets yet.


Cestrian Capital Research provides extensive investor education content, including a free stocks board focused on helping people become better investors, webinars covering market direction and deep dives on individual stocks in order to teach financial and technical analysis.

The Cestrian Tech Select newsletter delivers professional investment research on the technology sector, presented in an easy-to-use, down-to-earth style. Sign-up for the basic newsletter is free, with an option to subscribe for deeper coverage.

Software Stack Investing members can subscribe to the premium version of the newsletter with a 33% discount.

Cestrian Capital Research’s services are a great complement to Software Stack Investing, as they offer investor education and financial analysis that go beyond the scope of this blog. The Tech Select newsletter covers a broad range of technology companies with a deep focus on financial and chart analysis.


Profitability Measures

With higher than expected revenue performance, Zscaler was able to show strong operating leverage. Non-GAAP gross margin increased by 2% year/year reaching 82% in Q2, versus 80% a year ago and 81% in Q1. Because of this improvement, gross profit grew 62.2% y/y, slightly higher than revenue growth. Leadership attributed the increase in gross margins to efficiencies created in their software platform and lower costs for bandwidth, colocations and depreciation benefits. They did reiterate the long term gross margin target of 78%-82%.

On a GAAP basis, operating expenses grew 51.7% y/y in Q4, which was less than revenue growth. This is a marked improvement over Q3, where expenses increased by 70.6% y/y. This drove an improvement in operating margin. On a Non-GAAP basis, Zscaler generated $38.1M of operating income for an operating margin of 12.0%. This is higher than a year ago, where operating income was $20.6M for an operating margin of 10.4%. In Q3, these metrics stepped backwards with 9.5% of operating margin versus 13.0% in the prior year.

Cash flows improved as well in Q4. Zscaler generated $74.8M of free cash flow for a FCF margin of 23.5%. This compares to $27.7M of free cash flow a year ago and 14.0% FCF margin. In Q3, FCF margin dropped to 15% versus 32% in the prior year. Using FCF margin, Zscaler surpassed 80 on a Rule of 40 basis in Q4, which is best in class for their run rate.

Looking at allocations by department, Zscaler’s spend on S&M in Q4 was 2.7x greater than that on R&D on a GAAP basis. This trend has been fairly consistent in Zscaler’s history. Most comparable software infrastructure and security companies maintain this ratio at about 1.5 (S&M is 1.5x greater than R&D). Datadog is the exception, where this ratio is far below 1.0, because they can spend more on R&D than S&M.

Zscaler IR Presentation, September 2022

So, why does Zscaler spend almost 3x more on S&M than R&D? Based on the slide above, it appears that they are investing heavily in building the sales team and ramping up marketing efforts. They intend to invest more heavily on R&D in the future to enhance product functionality. The CFO did discuss this during the recent Goldman Sachs analyst conference. He said that Zscaler has four R&D centers in India and points out that labor costs there are lower than in the U.S. This lower cost allows for more investment in S&M and explains the large relative difference in spend.

I have worked with development teams out of India and agree that the labor costs are generally 30-40% lower. I have also found that productivity levels can vary, but gaps are usually attributable to language and time differences. Having a full R&D center in country can make up for some of these challenges. This dependency on India for R&D does represent a concentration risk, though, versus other software companies that maintain multiple R&D centers across several different countries (Europe, South America, Asia, etc.) or fully distributed global workforce.

As a comparison, Zoom had their R&D concentrated in China for a while and similarly enjoyed lower costs for R&D. They claimed that the lower R&D costs represented a competitive advantage. Generally, I am skeptical of these assertions, as single country R&D concentration can limit the talent pool and potentially stifle innovation, but this seems to be working for Zscaler for now.

Customer Activity

Large customer activity was strong in the quarter. Zscaler is demonstrating that they can land outsized deals, highlighting the current demand environment and value of the service they provide. Zscaler’s focus has traditionally been on selling to the largest enterprise customers. This effort has paid off, as they enjoy customer relationships with 40% of the Fortune 500 and 30% of the Global 2000. This has been a sound strategy, as their core Zero Trust services are priced on a per employee basis. Naturally, they would realize the most sales efficiency from selling into enterprises with 40k-100k (or more) employees.

Zscaler IR Presentation, September 2022

As Zscaler will likely saturate this tier (the Majors) of companies soon, Zscaler has been expanding to sell into smaller enterprises. To do this efficiently, they are employing channel partners and inside sales personnel. These sales cycles can be shorter and require less direct involvement from Zscaler employees than selling into the Majors.

Gauging their progress on total customers can be a little tricky, as Zscaler doesn’t consistently present customer growth metrics in their investor presentations. Leadership primarily uses the prepared remarks on earnings calls to update investors on customer counts, and this is usually on an annual basis. At the end of Q4, they reported having over 6,700 customers and servicing 34M users. A year ago, they reported 5,600 total customers, meaning they added 1,100 customers during FY2022 for a growth rate of 19.6%. This customer count and growth rate are lower than some of their peers in the security space, but Zscaler’s focus is on the largest enterprises, so each customer land makes a meaningful contribution to targeted spend and users.

Total customer count was 4,500 at the end of FY2020. They are adding a consistent 1,100 customers a year. As the numbers have increased, the rate is slowing, as FY2021 customer growth was 24.4%. Since Zscaler doesn’t report the customer count each quarter, we can’t determine if the customer addition rate is accelerating as a result of the focus on smaller enterprises. Some of the small customer growth might also be obfuscated by partner relationships.

Zscaler does provide metrics for growth in their largest customer cohorts regularly. For Q4, they reported adding 198 customers paying more than $100k annually, ending the year at 2,089 of these sized customers. That represents sequential growth of 10.5% and annual growth of 41.1%. In Q3, they added 140 customers paying more than $100k annually, ending the quarter at 1,891 such customers, for a sequential growth rate of 8.0%. In the prior year (FY2021), the growth of $100k+ ARR customers was 52.1%, so we are seeing some slowing on an annual basis, with a slight uptick in Q4.

Zscaler IR Presentation, September 2022

Zscaler reported higher growth in $1M+ ARR customers, with 320 customers of this size, up 62% y/y, adding 32 of these sized customers in Q4. For Q3, they reported adding 37 of these customers, bringing the total to 288 customers exceeding $1M in ARR, an increase of 77% year over year. At the end of FY2021, they reported 202 customers with ARR greater than $1M, which was up 87% from 108 in the prior year.

To highlight the potential size of the largest customer deals, they also disclosed having more than 20 customers with ARR exceeding $5M. Zscaler doesn’t report this level of customer spend regularly, but the scale is impressive.

For Q4, Zscaler reported a dollar-based net retention rate (DBNRR) over 125%, which they highlighted has been the case for the last 7 quarters. Interestingly, a year ago, they reported the exact values for DBNRR. Those were 128% in Q4, compared to 126% in Q3 and 120% for Q4 the year prior. It’s hard to interpret the decision to switch to a threshold of 125% for reporting in FY2022, as we now can’t track the linearity of the metric. Management did share that about 60% of their new revenue in Q4 was generated from existing customers.

Customer Wins

In the earnings call prepared remarks, the CEO highlighted a number of customer wins. What struck me about these is the large scope, with several spanning tens of thousands of employees and thousands of workloads. One of the new logo wins was a Fortune 50 company which purchased ZIA, ZPA and ZDX for 145k employees. This represented a replacement for an incumbent next-gen firewall vendor who could not reference a customer of similar scale on their cloud VPN product. The customer understands that a VPN architecture does not provide a true Zero Trust solution.

Additionally, the customer purchased Zscaler for Workloads to protect 10,000 workloads. All total, this deal spans three years and is worth 8 figures ($10M+). To top it all off, the deal came through the AWS marketplace, which is emerging as a significant source of business for Zscaler. As AWS doesn’t offer a competitive solution to Zscaler’s Zero Trust product, it makes sense for AWS to promote Zscaler in their marketplace. These marketplace relationships are convenient for the customer as well, because they can usually allocate budget from their hyperscaler commitment to the marketplace vendor.

Another one of their largest deals in the quarter was an expansion with a Fortune 500 customer. The company deployed all three Zscaler for Users products, including ZIA, ZPA and ZDX. The customer doubled their seats to 120k users and extended the commitment for another 3 years. They started working with Zscaler through a small M&A IT integration use case, which quickly expanded over the subsequent two years. During that short time, the customer’s annual spend grew 13x to well over $10M. To have a single Fortune 500 spend more than $10M a year highlights the size of the opportunity for Zscaler.

Moving beyond their core business in ZIA and ZPA, Zscaler is experiencing strong demand from their newer products. ZDX was a critical component of a 7-figure ACV win with an Australian government agency, where ZDX was considered a must-have and represented about $1M of the contract. They also highlighted a Fortune 50 insurance company win that included Zscaler Deception, which sets up traps for hackers trying to infiltrate the network and move laterally.

A large global financial services customer in APJ purchased Zscaler for Workloads to protect 36,000 workloads, complementing their purchase of ZIA and ZPA for their users. The customer has many applications running in AWS and Azure. The Zscaler solution eliminated the need for virtual firewalls and site-to-site VPN networks.

Finally, leadership highlighted their substantial traction with U.S. government agencies. With FedRAMP High authorization for ZIA and ZPA, Zscaler is the only Zero Trust provider with the highest level of FedRAMP certification. This is in addition to DoD IL5, which enables work with the Department of Defense and other agencies with the highest security requirements.

In Q4, Zscaler added over 25 new Federal customers, with over half of them purchasing ZIA and ZPA together. At this point, Zscaler has landed 10 of the 15 Cabinet-level agencies as customers. They still have a large amount of upsell with these large organizations. The Federal business update was capped off with the announcement of a 5 year, $46M contract with a large Cabinet level agency that has over 100k users. The contract value will be granted over time, based on individual deployments. As such, it hasn’t been included in revenue estimates or RPO.

These examples go to show the magnitude of the opportunity for Zscaler with large enterprises and federal customers. They have set a long term goal of getting 200M users on the platform, which offers a 6x increase from current levels. Once a customer has migrated to Zscaler, the solution is pretty sticky, as switching costs for network connectivity can be high. Additionally, with their Workloads product, Zscaler is demonstrating the ability to cross-sell from user to application protection.

Product Positioning

Zscaler’s product offering is called the Zero Trust Exchange. It is an integrated platform of services that acts as an intelligent switchboard to secure three types of communications – user-to-app, app-to-app and machine-to-machine. This works globally across any network and from any location. The Zero Trust Exchange operates through 150 data centers, generally co-located in proximity to the cloud providers and SaaS application onramps that enterprise users are accessing, such as Microsoft 365 and AWS.

Zscaler is able to stop threats and prevent data loss by terminating each connection for these communications. They often use the metaphor of a switchboard, controlling every connection between two endpoints (users, apps, machines). By operating inline, Zscaler can conduct deep packet inspection of the content and verify access rights based on identity and context. This inline posture requires enormous scale, high throughput and extreme expectations for uptime. It has the benefit of generating a large amount of data that can feed further threat detection. It also creates a competitive moat, as switching costs are high and other parties can’t access the rich usage data collected.

At their annual user conference in June, Zscaler unveiled a number of product enhancements, demonstrating why they are still the leader in Security Service Edge. They continue to expand the capabilities of their core Zero Trust platform, extending secure connectivity for enterprise users into application workloads and now IoT devices. They also introduced several AI-enabled features to streamline threat identification and resolution. 

Initially, Zscaler built the Zero Trust Exchange platform for enterprise employee usage. This involved securing access from users to the Internet and third-party SaaS applications through Zscaler’s Internet Access (ZIA) product. The complementary product to ZIA is Zscaler Private Access (ZPA), which offers secure access to private applications, services and OT devices.

Controlling user access to enterprise resources creates an expectation that Zscaler has insight into any usability issues. If a user can’t access their Zoom meeting, Zscaler would probably be blamed first. To offer IT personnel visibility into user access issues, Zscaler offers Zscaler Digital Experience (ZDX). This system monitors connectivity and user experience quality for issues, allowing IT help desk personnel to troubleshoot service problems.

Zscaler Zenith Live Conference, June 2022

More recently, Zscaler realized that the same secure access controls for users could be applied to cloud workloads. Zscaler for Workloads allows enterprises to secure cloud-based applications. When these applications need to connect to another application over a secure channel, Zscaler provides workload-to-workload communication. As part of the Zenith Live announcements, they introduced a new capability called Posture Control to ensure the workloads themselves are free of issues that might lead to a breach. Those could be misconfigurations, unnecessary user entitlements and software vulnerabilities.

Beyond workloads, Zscaler is expanding into other applications of their Zero Trust Exchange technology. Another new development from Zenith Live was in the area of protecting IoT communications and providing privileged access to Operational Technology assets, including industrial devices like valves, engines, conveyors and other machines.

Zscaler Zenith Live Keynote, June 2022

Several of the big announcements at Zenith Live revolved around the application of AI/ML to streamline operations by making the platform more intelligent. With those data volumes, it would be difficult for human security operators to keep up with all the risk factors. New machine learning and AI capabilities allow Zscaler to generate risk profiles for every user, application and workload. The risk profiles are then applied to access policy decisions about whether to establish a connection. As behavioral data changes, the automated policy decisions adjust in real-time.

This background provides the baseline for what was announced at Zenith Live. Zscaler is leveraging their platform to expand into new use cases relevant for Zero Trust, including workloads and IoT. This represents a smart strategy, as growth in workload and IoT security will likely scale faster at enterprises than the number of employees.

This product strategy drives the large business opportunity for Zscaler in their current market. Management sizes their addressable market by making assumptions about the full value of each user and workload within an enterprise. For users, they can sell ZIA (plus various add-ons), ZPA and ZDX. All in, these would bring the total spend to $145 per user per year. For workload protection, they offer CSPM, segmentation and communications between workloads. The full bundle of these services costs $155 per workload per year.

Using these numbers, Zscaler generated estimates for their addressable market. Leadership projects that they could address 150M workloads and 335M users total. At Zscaler’s current prices, this results in a total annual revenue target of $72B. Finishing this year with just over $1B in revenue, Zscaler serves just 1-2% of the market currently.

In the way of these targets stands some competition. For Zero Trust, leading competitors are Palo Alto Networks, Netskope and McAfee. Cloudflare also has a growing presence in this market. Zscaler has been considered the leader in this market for some time. For several years, they were the only provider in the Leader’s quadrant (for Secure Web Gateway). Now, Gartner has redefined Zscaler’s category as SSE to more accurately reflect the latest expectations for a network-based Zero Trust solution that includes secure web gateway (SWG), cloud access security broker (CASB) and Zero Trust network access (ZTNA).

With the new definition, published in February 2022, Zscaler now shares the leader’s quadrant with Netskope and McAfee. Palo Alto Networks is also close on the Ability to Execute axis. This represents a pretty large shift in the competitive landscape. While Gartner did combine some categories, it highlights the encroachment from competitors. If anything, customers have more options to consider. Zscaler is still winning deals, but it’s likely that they have to compete more actively than they did previously.

As part of Palo Alto Network’s recent earnings report from August 22nd, they commented on their ability to win more deals from Zscaler. While they didn’t name Zscaler specifically, they referred to them as the other large player in the Zero Trust space. Over the next year, they intend to compete in all large enterprise Zero Trust deals and “win half” of them. This commentary was provided two weeks before Zscaler’s Q4 earnings report.

If you look at historically, until about three years ago, we didn’t have a SASE product that we could actually go head-to-head with the industry leader. What has happened in the last year-and-a-half or two, we’ve become a force to reckon with. I’d say in the most, the largest enterprise deal is head-to-head with two vendors. Very rarely do we see a third. It doesn’t take a lot to guess who the second vendor is. And three years ago we’re not showing up at the party. Two years ago we’re getting 1 or 2 deals out of 10. Now we think we’re in 5 to 6 out of 10 deals. And our aspiration is next year to be in 10 out of 10 deals. You know what, hopefully if we can win half the deals that we’re in, we’ll be growing at big numbers like we did this year.

Palo Alto Networks ceo, q4 FY 2022 earnings call, August 2022

Palo Alto has been rapidly re-inventing themselves and expanding their product footprint to address multiple categories of enterprise security, spanning Network Security (includes SASE), Cloud Security and Security Operations. They make an argument that enterprises prefer a broader platform solution, which spans multiple spend categories. This offers CIOs and CISOs an opportunity to lower costs by consolidating spend onto the Palo Alto platform.

Palo Alto Networks, Q4 FY2022 Earnings Presentation

On the other hand, Zscaler remains focused on the same product set and market as they have for the past couple of years. While they had a number of product announcements at Zenith Live, these were largely extensions of existing product offerings. Posture Control was probably the most significant addition, but remains within the scope of workload protection.

Nothing introduced would provide a foothold for entering a new adjacent market. As an annual conference, I thought there would be more. I contrast this with Snowflake Summit, where several new product lines were introduced. Snowflake doesn’t even try to define the addressable market for the Data Cloud at this point. To be fair, Zscaler management has estimated their SAM to be $72B and only sell into 1-2% of that currently, so winning significant share of this market will provide cash flows for investment into the next big opportunity. And they likely have something else brewing behind the curtain.

Personally, I favor companies with an audacious vision and the demonstrated product development cadence to get there. I like to see companies that rapidly enter adjacent markets with new products, even if some efforts fail to reach critical mass. I think that kind of experimentation and disruption ultimately creates the future market leaders. With that said, I see the counter-argument that lots of small bets can distract focus and hamper profitability. If nothing else, Zscaler is laser focused on their current market opportunity and demonstrating strong execution as they pursue it.

Investor Take-aways

Admittedly, I underestimated the customer demand trends behind Zero Trust and the rush to upgrade network security by both enterprises and government agencies. While I still think this represents a “catch up” period that will moderate towards slower growth down the road, that inflection is unlikely to occur for the remainder of this year or even next. I have to give Zscaler credit for being perfectly positioned both in terms of their enterprise go-to-market motion and level of security certifications (FedRamp) to capitalize on these demand trends.

In their Q4 report, Zscaler addressed all of my prior concerns regarding billings growth, revenue durability for the next fiscal year and operating leverage. I still do not have a clear idea of what market Zscaler could pursue next and think their platform capabilities focused on being a secure “switchboard” could ultimately limit their growth. With that said, they have plenty of TAM to chase for several years and may very well be working on the next big expansion of their product offering.

For now, I am still biasing my investments towards those companies that I think have larger long term market potential with more product optionality as a consequence of their broader vision and fast product development cycles. These include Snowflake, Datadog and Cloudflare. I think Cloudflare still has a good chance to win meaningful share in Zero Trust and network security. For the SASE market, I like the fact that they own and operate all aspects of their infrastructure, versus relying on the hyperscalers for parts of it. Over time, I think that will allow them to deliver better performance at a lower price. Additionally, Cloudflare can create many product extensions by leveraging their additional platform capabilities in data storage and a programmable runtime. Developer-led customer organizations may find the greater control and customization appealing.

With that said, Zscaler is absorbing a lot of Zero Trust / SSE business in the present and I acknowledge their momentum. Investors who held ZS through Q4’s earnings have been rewarded with a nice bump in share price recently, bringing ZS down only 47% YTD versus 50%+ for some other infrastructure and security providers. Looking forward, I think Zscaler can maintain their growth for the next fiscal year. At some point, I anticipate their growth slowing as the Zero Trust market becomes more competitive and the current rush by enterprises to upgrade their network security moderates. That risk would be countered by any new product directions for Zscaler.

For my portfolio, I plan maintain a larger allocation to Cloudflare for now. However, I can’t ignore Zscaler’s momentum in the near term. I would consider re-opening a position, if the stock fades back into the pre-earnings range around $155. Investors can consider their path based on their investment style and what factors they weigh in an investment decision. My general approach of favoring TAM and product development cadence could be misguided. In the current market environment, there is a clear bias towards more demonstrable financial measures.

Further Reading

  • Peer analyst Muji over at Hhhypergrowth has published several articles on Zscaler recently, including a review of Q4 earnings and broader themes in next-gen security. He has also been all over trends in the Federal market and the heightened demand for security solutions this year.
  • For more background on Zscaler product directions, I recommend watching the Zenith Live presentations, particularly the 4 keynotes.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

8 Comments

  1. Ram

    Another thorough review! I am wondering if you know their architecture enough to gauge their big data capabilities and spinning it as its own product. One of the big things to come out of their annual conference is using AI/ML and at this scale, they must be using some sort of warehouse/data lake. I wonder if it’s home grown or off the shelf from other vendors. We have seen this with Sentinel One (Dataset) and Crowdstrike (Humio). Is it possible Zscaler may be in a position to productize this?

    I am also curious about your personal take on top-down vs bottom-up sales approach. Zscaler’s CEO is without a doubt their biggest salesperson and seems to have the ear of CIOs. In the current environment, this seems to be favored. It looks to be easier for a CIOs to rally around platform companies instead of point product and having their ear seems to be a competitive advantage for Zscaler especially closing bigger deals. Not sure if developers and dev teams are going to care enough considering a lot of jobs are on the line to pitch their favorite product up the chain. what are your thoughts on this as a CIO?

    • poffringa

      Thanks, Ram. I don’t know enough about the underlying data processing engine to speculate. I suspect it’s home grown, since the the platform was built over 10 years ago. It would be an interesting product extension if they tried to package their engine into data processing as a service.

      On the sales approach, I think it depends on the product. For services that are closer to the developer’s personal sphere (observability, dev tools, databases, APIs), then developer influence is really important (bottoms up). Also, this can apply to functions where you could have more than one solution in a large organization. At the other extreme, where the product is used by the entire organization (even outside of dev) and the users are less hands-on with the tool, then I think top-down is more effective. For Zero Trust, top-down is likely the more effective sales motion because the solution generally applies to the whole organization and developers are only indirectly affected. With that said, as multiple Zero Trust vendors reach basic feature parity in the market, then I think offering incremental capabilities that facilitate other workflows or capabilities for developers and/or customization will provide extra credit. This broadly applies to other technologies as they mature and basic features become table stakes.

  2. Michael Orwin

    Thanks for yet another informative and very reasonable article.

  3. Giri

    Hi Peter, Thank you for the fantastic writeup. Your articles helps us a lot. Really really appreciated.

    It would be greatly appreciated if you answer below questions

    1. NET and ZS both have pretty much same products like SASE Network, Zero trust, edge network. Could you please help me understand how NET is better than ZS?

    2. Since you have position in MDB, just wanted to check your thoughts on that ‘SNOW and Databricks are building transactional SQL and NOSQL DBs’ and these two companies are better positioned for data warehousing and data science as well. How will MDB compete with these two companies with transactional NOSQL DB space?

    • poffringa

      Thanks for the feedback. I can provide some brief comments on each question.

      1. While both companies offer similar products, I feel that NET has a better architecture and higher scale that will ultimately deliver more effective SASE solutions. I went into more details in a prior post: https://softwarestackinvesting.com/zscaler-zenith-live-conference-2022/. Here are some of the reasons:
      – NET has more data centers (almost 2x) and broader global distribution. ZS data centers are primarily in the US and EU, while Cloudflare’s are distributed globally. This results in a better user experience, as customers would generally reach a Cloudflare data center sooner. Then their traffic is intelligently routed over Cloudflare’s network from there.
      – Because of Cloudflare’s many consumer products and free tier, they handle much more Internet activity than Zscaler. Here are some stats for daily traffic: trillions of DNS queries, route multiple petabytes of traffic to customer networks and proxy trillions of HTTP requests destined for customer applications. Zscaler on the other hand is processing about 1/10 the number of transactions per day: https://trust.zscaler.com/zscaler.net. The higher traffic allows Cloudflare to mine for more security insights and threat activity.
      – Cloudflare owns and operates their data centers and network routing. They don’t rely on hyperscalers for parts of their infrastructure. I think this allows them to drive better performance and ultimately offer lower cost. For a network service, I think there are benefits to running your own infrastructure, as opposed to other application services where it makes sense to use the hyperscalers.
      – Cloudflare provides a broader set of services, which provides bundling opportunities. For example, DDOS and WAF could be free with Zero Trust.
      – Cloudflare is a true programmable platform. They provide a compute solution (Workers) and multiple data storage options (R2, KV, D1, etc.). These capabilities allow customers to customize Zero Trust functionality or build new internal applications on top of it.

      2. The transactional database capabilities being offered by Snowflake and Databricks would not be appropriate for high scale, low latency applications. Snowflake for example is targeting 10ms response times, which sounds fast, but would not scale for a popular consumer application that is handling thousands of requests a second. It is, however, fine for low to medium volume data-rich applications that are primarily oriented around read traffic (not heavy writes). With that said, I imagine Snowflake and Databricks will keep evolving their database solutions, so this could represent an encroachment over time.

      • Giri

        Thank you so much for detailed information. Appreciated a lot.

  4. Hims

    Hi Peter,

    Do you think President Sinha leaving ZS is a negative ? Or is today a good chance to top up some more shares ?

    Thanks

    • poffringa

      Hi – it’s hard to say. On one hand, he has been with the company for 12 years, so it is fair to expect a transition at some point. His reason appears sound – he would like to be a CEO and doesn’t have that path at Zscaler, as I doubt Jay has plans to leave. On the other hand, he was the original CTO and had a lot of oversight to the technology. So, likely a gap, but they also have a deep bench. All in all, likely near term churn, but long term will not have much effect.