Zscaler (ZS) is an innovative cloud security company that is growing gangbusters and achieved (ever so small) profitability a year ahead of schedule (although that's not going to last this year).
There is a lot to say for the company, but as the shares are still very expensive, we can only go as far as to say buy on dips, given the climate on the markets for highly valued stocks like this at the moment.
With the advent of cloud computing, apps and mobile, old centralized security approaches have their limits. Zscaler (ZS) is one of the companies that have developed a new security structure.
We already described Zscaler's approach, and for those wanting more detail the company has a handy ebook (PDF), so we will be brief here. One of the main differences is captured in the concept of 'Local Internet Breakout' (from 1310nm.net):
Local Internet Breakout provides access to the Internet close to the user at each site. The previous centralised internet breakout model was different. In the past, maintaining corporate security used larger centralised gateways to the Internet. These central portals provided not only firewalls but proxy servers, antivirus and other functions. As the volume of Internet sourced/destined traffic increases, it’s no longer viable to support carrying this across the corporate network. Instead, you should remove it from the business network as close to the user as possible. Removing traffic from the network core is what Local Internet Breakout delivers.
They have two basic services:
- ZIA (Zscaler Internet Access), which is sold in different bundles: Professional, Business and Transformation.
- ZPA (Zscaler Private Access), connecting a specific user to a specific application, based on business policy. This is still small but growing rapidly, nearly doubling over the year.
From the Q1CC:
While ZIA provides secure and fast access to Internet and SaaS, ZPA will do the same for the internal applications some of which are in the data center while others are moving to Azure and AWS.
On November 26, 2018, Zscaler was named a leader in Gartner Secure Web Gateways Magic Quadrant for the 8th year in a row. ZPA became the first zero trust architecture to achieve Amazon Web Service (AWS) Security Competency status.
Management argues that developments are still in the first innings and the company has a very large market opportunity, which is why they are maximizing growth, with margin considerations coming second.
The company does have a longer term model where operating margins reach 20%-22%, but this will kick in when revenues are in the $800M-$1B ballpark, which is still a couple of years off, at the minimum.
The company sells the majority in its Business Bundle, but the most sophisticated bundle, Transformation, is experiencing increasing interest from both new and existing clients (up-sell). Transformation adds cloud firewall and cloud sandboxing modules to the Business Bundle.
This development will optically depress their net dollar retention rate as it reduces the up-sell opportunities, but this rate still stands at a very high 118%, up even from the 117% in Q4.
What management sees at the moment is more customers upgrading sooner, so expect the net retention rate to stay elevated until the up-selling opportunities start to diminish a bit. Keep in mind that there are also further up-selling opportunities:
- Selling separate modules like DLP (data loss prevention).
- Adding seats.
About DLP (Q1CC):
When customers do local Internet breakout, data leakage becomes a major risk and they need a cloud-based DLP solution to secure sensitive information at any location.
Adding seats is especially important for ZPA (ZIA is usually bought for everyone), which usually engages only a part of a client's employees, but this number is moving up. From the Q1CC:
we’re probably approximately half the deal of ZPA are coming as brand new customers who have never bought from Zscaler before and the other are coming with ZIA as an upsell... But I would say that in a majority of those cases, ZPA is bought for a subset of users, not for all users. As we have said before, when ZIA is bought, it is bought to protect all users from all locations, essentially every employee in the company. When ZPA is bought, it’s largely driven by business application needs. And typically in an enterprise, the number of ZPA users may be somewhere from 40% to 80% of the total users.
Overall, the dollar net retention rate is probably going to lose some importance as a metric, and measures like ARR (average recurring revenue) could replace it.
The company is selling through SISPs (large system integrators and global service providers), which provide over 50% of revenue and are the fastest growing channel.
The company is also selling through VARs (value added resellers) and this is an important channel generating 40% of revenues (although we suspect at least some overlap with SISPs). They also sell through partnerships with telecom companies in a mutually beneficial operation (Q1CC):
So all large telcos – in fact if I would say that the top 10 largest telcos in the world, they all do business with us; some of them a lot more than others. So our goal is to make sure we work more closely with them. And they see it as a joint opportunity. They want to see the customer moving to a new network that’s still managed by them. So they are managing the network, they are managing Zscaler security service for the customer. So it’s a good win-win proposition
But the company is also investing in its own sales channel, hiring some new top personnel like a new CMO and a new SVP, and it hired 40 new people in S&M overall in Q1.
From the 8-K:
On a non-GAAP basis the company even produced a small profit ($2.0M or $0.01 per share), one year ahead of schedule.
The 59% revenue growth (y/y) also enabled the company to reap really substantial operational leverage, with operating cost rising just ** and operating margin improving by 20 percentage points to 2%.
Cash provided by operations was $11.0M (17% of revenue) up from a negative $4.4M a year ago. Positive free cash flow was $5.2M (8% of revenue), up from a negative $8.9M a year ago.
Cash, cash equivalents and short-term investments were $314.0M at the end of Q1, an increase of $15.5M from the previous quarter. The company has no debt.
For Q2 (from the 8-K):
- Total revenue of $65 to $67 million
- Non-GAAP loss from operations of $1 to $3 million
- Pro forma non-GAAP net loss per share of $0.00 to $0.02, assuming approximately 122 to 123 million common shares outstanding
For the full fiscal year:
- Total revenue of $268 to $272 million
- Non-GAAP loss from operations of $4 to $6 million
- Pro forma non-GAAP net loss per share of $0.01 to $0.03, assuming approximately 124 million common shares outstanding
CrowdStrike became well known as the company that identified the Russian hacking of the Democratic National Committee servers. It uses AI to offer cloud-based protection that helps clients detect possible threats before a breach occurs.
We're not qualified to assess the relative capabilities (for all we know, they could even be more complementary than competing). In any case, Gartner (CrowdStrike website):
has positioned CrowdStrike as the highest in ability to execute and furthest in completeness of vision. Read this highly anticipated report to learn how CrowdStrike believes it has differentiated in the market.
Zscaler didn't even make this Gartner report because it's not considered a so-called endpoint security company; it has its own approach, falling under 'Secure Web Gateways.' The field for that is as follows (from Gartner):
As you can see, this narrows it down quite a bit, but we fear this might offer too limited a view of the market. In the end, what companies want is data protection; by what approach that is achieved is of secondary importance.
What is clear though is that Zscaler has a lot going for it, from Gartner:
Zscaler continues to be one of the fastest-growing and most innovative vendors in this market. It has the largest installed base of customers of any of the cloud-based SWG providers. The Zscaler Internet Access (ZIA) service includes NGFW, sandboxing, bandwidth control, DLP and other features. Zscaler Private Access is a software-defined perimeter (SDP) offering, that Zscaler positions as a VPN replacement solution. ZIA directly peers with most of the popular SaaS providers, including Office 365.
As a result of its initial public offering (IPO), Zscaler became a publicly traded company in March 2018. In August 2018, Zscaler acquired AI and machine learning technology and the development team of TrustPath. Zscaler will apply TrustPath’s analytical techniques to its log data to improve Zscaler’s threat prevention. Zscaler is a strong choice for enterprises seeking a cloud SWG service.
Letting AI loose on threat prevention, that sounds like CrowdStrike (and we suppose a good many others). What's also clear is that there are trade-offs, simply because there are so many vendors. The market hasn't sorted out the winner, but Zscaler's installed base and growth rate do speak of competitive strength.
Valuation is slightly less extreme than the last time we wrote about the company, but at over 20x sales it's still hefty, even for a backwards looking figure.
At present, it certainly looks like the company is one of the big winners from the shift to the cloud and the increasing security issues that have proliferated as a result of the waning of the old centralized corporate network architecture.
Its valuation is still pretty exorbitant, but it certainly looks at the moment that we have one of the corporate security market winners. On the other hand, there is a great deal of potential operational leverage even now when the company is still in the land-grab phase.
The main risks for such a high valuation stock are a sudden turn of market sentiment or a slightly disappointing quarter. The other risk is the emergence of a competing approach that outperforms that of Zscaler.
Which leads us to our verdict, which is buy on dips.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.