Zscaler, Inc. (NASDAQ:ZS) The Truist Securities Technology, Internet & Services Conference March 9, 2021 1:00 PM ET
Jay Chaudhry - Chief Executive Officer
Remo Canessa - Chief Financial Officer
Bill Choi - Senior Vice President-Investor Relations and Strategic Finance
Conference Call Participants
Joel Fishbein - Truist Securities
Good morning and good afternoon, everybody. My name is Joel Fishbein from Truist Securities. I want to welcome you to our Truist Tech Conference 2021.
I have to read a disclaimer before we get started. So I need to read this. This call is arranged by Truist Securities Research for use by institutional investors and issuer clients as defined by FINRA. If you are not an institutional investor or issuer, please disconnect at this time. For required disclosures, please see our website at truistsecurities.com or our equity research library.
On today's call, I'm very pleased to have Jay Chaudhry, CEO of Zscaler and Remo Canessa, CFO; and also Bill Choi.
Jay is the CEO of Zscaler, which a firm he founded in 2008. It went public in 2018. Jay is experienced and accomplished entrepreneur having founded a series of successful companies, including AirDefense, CipherTrust, CoreHarbor and Secure IT.
He's got over 25 years of security industry experience and -- including sales engineering, sales marketing and management experience and leading organizations such as IBM, NCR and Unisys. He's got a quite unique background. And the one part that I would like to share with you is, Jay actually bootstrapped Zscaler and it was a long time before he took money to scale the business.
That being said, the company is firing on all cylinders coming off a great quarter with revenues growing 55%, calculated billings growing 71%, deferred revenues growing 60%, ending RPO over $1 billion growing 68% and the dollar-based net retention rate, which actually accelerated to 120% -- 127%, excuse me.
Zscaler has over 5,000 customers including several of the Global 2000 and I'm really happy to have the team here to talk to you about what the unique things are going on at Zscaler. So with that Jay and Remo and Bill, thank you again for joining us. Jay I'm going to start with you.
Q - Joel Fishbein
You know, you talk a lot about the Zero Trust Exchange and a lot of people are talking about Zero Trust Security. Can you really inform us about what Zero Trust Security is? And what Zero Trust Exchange does? And how it's unique in the marketplace?
Joel, thank you. Thank you for the opportunity. In fact I'll pull up a slide to contrast that two architectures. What you see on this slide on the left-side is called Network-Centric Security. Its perimeter based. It's -- we like to call it castle and moat.
Your castle is your data center and your moat is the security appliances out there. If you're in the castle on the company network you're safe. If you're outside on the untrusted network, you're not safe. So the goal of the left-side is keeping the bad guys out of your castle.
Now if you really look at today's world, on the right, I show applications everywhere. You got Office 365, you go to every day. You've got Google. You've got Facebook. You've got Maps. Then you've got AWS and Azure like your destination, your own data center. These things are out there somewhere. They're not in your castle and your employees are everywhere.
So you could try to extend your corporate network and try to connect those multiple castles and try to keep them secured. It doesn't work. That's why we won’t had to go away from network-based security, security that depends on firewall to Zero Trust. In a simple way, think of Zero Trust like an exchange maybe in layman's terminology think of it as an intelligent switchboard.
A user comes to a switchboard, and say, I need to talk to this application. The switchboard verifies using identity who you are then connects to the right person or right application. You're never put on the corporate network. You really don't have to worry about network security because there's no in and out all users are untrusted.
So two big pieces of Zero Trust, identity to understand who you are and exchange that connects you to the right party. So we work with all ID providers. So we are sitting at the right place to help companies transform their old security to the new world based on Zero Trust. And Zero Trust also eliminates lateral movement.
If you look at the castle and moat model. Once you got in the castle, you can move around quite a bit. In the same way a bad user gets in the company network they can cause lots of damage. With Zscaler approach to zero trust, you minimize the lateral movement, because you connect a user to a particular application only. Joel, did it make sense?
Yes, sir. And I have a couple of follow-ups. I think one of the misunderstanding about zero trust is that people think it's just about the cloud, right? That zero trust is just about the cloud but that is inherently not true. So, can you tell me – tell us about zero trust as it relates to the entire enterprise ecosystem and then how Zscaler plays in that market?
Yeah. So you should think about, AWS a destination of application. Your data center is one more destination of applications. Office 365 one more. So there are applications out to users. So it doesn't really matter, if it's cloud or just data center. Now think of this way. In your data center, you've got lots of servers, lots of applications. They need to be really zero trust enabled. That means, you should have your users come and connect to certain applications in your data center, just like, you want to do the same thing in the cloud. So the notion that zero trust is needed for cloud and not the data center is not right. Data center should be viewed as one destiny and more destination and you implement zero trust by doing something like Zscaler Private Access, combined with a strong identity, and connect users to only application A or B or C, but not to the network.
Okay. So a follow-up to that is, and I think you've alluded to this there is no silver bullet in zero trust. It's really going to come down to partnerships. That's number one. And you've partnered with like you said all the identity players. The second piece of it is one vendor can handle your on-prem and your cloud security, right? And I think that's one of the unique propositions to zero trust, where you don't need separate vendors to do both is that correct?
Yes. That is correct. So if you look at solutions like Zscaler, they're not designed for cloud-only or data center-only. If you start looking at data center, a collection of applications and Azure a collection of applications, our solutions work equally across data centers and cloud applications. So that's a beauty supporting, even multi-cloud and hybrid environment is very good. And what's needed as you said is no single vendor will be able to offer all pieces of security.
Market is consolidating around specific platforms. We are a platform for zero trust where we are sitting in line and whatever needs to be done to check policy and force policy we do well, then we integrate with identity vendors like Microsoft Azure, AD and Okta. We integrate with endpoint vendors such as CrowdStrike. So that's the approach. So customers can go away from 100 security vendors down to a handful of best-of-breed platforms, and we are viewed as one of those best-of-breed platforms.
That's great. So you touched on the identity thing and – a piece of it, and I just want to hit on that. Identity people think about as individuals but identity is really expanded, right? It's also devices and things and whatever. Can you just give us a sense on that?
Yeah. So, in fact everything is evolving. Identity started with the users. User identity is pretty well-known, and the directories in an enterprise keep track of it. What's changing for users it just because you are Joel, you don't have access to everything. The notion of conditional access is coming around. So you may be, yes, the right person belong to the right group, but what device are you on? What location are you coming from? What application should you be able to access? All those pieces are becoming part of conditional access and we integrated identity vendors, so we can enforce some of those things.
Now that's the user side of it. Now application – sorry, now application identity and device identity are pretty different things. People have tried to use certificates on machines to identify what machines and what servers are, even they're not good enough anymore. Because in today's world of cloud, you may be running in a VM on a container, there are multiple containers running on a single hardware machine. So when we decided to enter the space of cloud workload segmentation we are – already, we have the core technology that connects an application to application. We needed more granular identity.
So we did an acquisition of a company last year called Edgewise Network. That automatically creates software identities for each workload. And it uses the machine, the VM or container and the binary; all those things get used to create a unique identity. Once you have the identity, you can set up a policy and say this group of workloads can talk to this group of workloads and the like.
So that's a very young market. We are pioneering it. That doesn't mean we are trying to compete in the identity space. That means, in the new area of workload segmentation, if I need to figure out identities, I will and then evolve it and grow it from there.
Okay. Thank you for that. So one of the questions I get asked the most, you do too and I'm -- and one of our frustrations, and you and I've shared this before is that, everybody copies everybody's marketing message, right? So I think you've distinguished yourself from your growth rate and your scale of your business. But I do want to talk about what the barriers to entry are, right?
And I'm going to ask from this perspective. You've pioneered a lot of terms that Gartner has picked up in terms of CASB and SASE and some of those other terms or whatever. Just talk about what the barriers to entry are? We know the scale of the business, but what are some of the other barriers to entry that Zscaler has around their business?
Yes. If you look at some of the key technologies, they're very hard to build in a distributed world where you're sitting in traffic path. You need to enforce, you need to inspect. Imagine an airport, needs to have millions and millions of users to go through. It must do proper inspection of the person, the luggage and everything without slowing things down, right? That's not a trivial task.
So doing things that scale the inspection is hard. You do proper inspection. When traffic goes to Internet, you got to be a proxy architecture, which says, slow down, I'm going to open you up, check it and let you go. Contrast that with firewalls. They are pass-through architecture.
Pass-through remains pass-through. You get something, you don't get something. That's why firewalls have never been traditionally used for protecting users going to the Internet. It's a proxy architecture from vendors like Blue Coat, Websense and others. So we have a big advantage of having a proxy that scales. The name Zscaler stands the Zenith of scalability.
Then having the proxy alone is not good. It must be multi-tenant. Otherwise, think of Blue Coat, had a very good proxy architecture. It had 85% market share in Fortune 500 companies. And they declared they had a cloud too eight years ago. It just didn't work, because it was a multi-tenant.
So we have proxy architecture. We've got multi-tenant technology. Then for Zero Trust for ZPA, we built everything from clean slate, where we don't allow outside-in connection, only inside-out connection is allowed. And there's some big advantages that ZPA offers over others.
So we don't only have a deep and good technology in a given area. By the time you look at ZIA, which actually is a collection of about 20 different products. I mean -- so not a collection to -- it's subsume and eliminates the need for those products.
ZPA is not just a VPN replacement. It starts at load balancing, DDoS protection, firewall, IPS, all those products. So the platform is wide, platform is deep. And as customers are looking for consolidation, they're not really trying to compare product A versus B.
They're saying, help me, I want to have few reliable vendors who I can trust or who I can hold accountable, who help me consolidate, eliminate complexity and save cost and increase security. And that's what we deliver.
Thank you. That's a great segue for me to ask Remo a question or two. So Remo, as part of my thesis when I initiated coverage on the company was, a little bit of what Jay said is that I viewed you as a major vendor consolidator, right, in certain areas of the space. And initially investors looked at you as anywhere between a $15 and $20 per seat company and then multiply that by the number of potential people out there.
Steadily as you guys have introduced more products and your customers have adopted more products that ASP per seat has gone up pretty dramatically in some instances. I know that the overall still stay the same.
And then the biggest takeaway from the last call that I had is, you had customers that are paying over $100 per seat by taking multiple products. And one taking all four products and paying $145 a seat. Can you talk about the economics of the vision that Jay just outlined from an economic perspective?
Yes. That's a great question, Joel. We talked about on our Analyst Call, we had a meeting in December or January is that, if you take a look at our user protection, there's really four things that we're selling in the major categories.
One is ZIA. And if you're buying ZIA at the transformation bundle, it's $45 per user and this is the user protection piece. ZIA add-ons is -- and this is for companies of 5,000 users. For the add-ons, it's the browser isolation DLP and CASB out-of-band. ZPA has similar pricing to ZIA. So another $45 and ZDX has $25 per user. ZDX is very early stage.
But as Joel mentioned, we are seeing customers who are buying the full suite to be -- for companies of 5,000 users to be in this $145 range ARPU. The current ARPU that we have is currently in the high $20s. So there's a lot of room to grow into getting to this type of pricing.
For me the key thing is as you take a look at where the market was before and you take a look at the traditional firewall security market with all the appliances, it's probably a $20 billion, $25 billion market. We did a bottoms-up analysis related to our serviceable market. And our serviceable market is for employees of greater than 2,000 or companies with employees greater than 2,000.
And in this market segment, there are 335 million servable users. So the SAM, if you take the 335 million servable users and multiply it by $145 is a $49 billion market opportunity. And you step back and you start thinking well how can that be? How can the market be so much bigger? That's a serviceable market. That doesn't include smaller companies in the SMB or less than 2,000 employees, which we see has been also a significant portion of the market.
The reason is that when you take a look at the savings that Zscaler has and how the markets evolve. What Jay talked about was, if you look at the market if you take the horse and buggy at the end of the century in the 1900s and try to extrapolate that to the automotive market, you would have been grossly underestimated the size of the automotive market.
Similar when you have applications moving to the cloud and you've got users that are mobile, it's changed the market completely. And savings that the companies are receiving, it's a much more efficient process using a multi-tenant architecture where you put the user closest to the application you put security in between. And that's what Zscaler has done. And so the expansion of the market as well as the ability to monitor it and the savings that companies are getting through MPLS savings is very significant.
So the market size, again, we did a bottoms-up for the SAM. The workload protection, we did a similar analysis third-party, and we focused in on the large public companies like the Googles, the Azures, the AWS'. The $150 million serviceable workloads, and so if you do the math basically of what our workload is for -- Bill, if you can go back to the prior slide? The prior slide.
The one you had before. Yes. If you could just stay here, Bill. So, if you take a look at the workload protection the CSPM and this is for companies of 5,000 users in that range, or -- not users, but large workloads CSPM is $40 per workload, workload segmentation is $60 per workload, and workload communication is $55 per workload. So, $155 per workload.
And as I mentioned third-party 150 million workloads at $155 is a $23 billion market opportunity. So our SAM is the $49 billion plus the $23 billion, $72 billion. So with what's happened basically is the world's changed. And with the world changing, it's broadened the market. And additional services are required in order to run your networks, both for users and for workload protection, which has really expanded the market.
And so, if you look at the savings that companies have related to cost and maintaining these markets or maintaining the infrastructure, you take a look at the cost savings related to as I mentioned, MPLS, you take a look at the cost savings of buying additional equipment that's required, you don't need as much network and equipment. That's the reason that we're seeing basically this market opportunity being so big.
That's really helpful. I really appreciate that. Another one for you Remo. You and I go way back, and I've been through dozens and dozens of these earnings calls with you. The thing that stood out to me second, most other than the price that you were getting was the guidance that you gave. The guidance to me was well above at least my expectations or whatever. That to me shows a very significant confidence in the business. And I know you have a large recurring nature of the business. Can you just go through like what's driving your confidence?
Yes. I mean, if you look at – from my perspective, there's no company in this particular market position like Zscaler. And I take a look at what point we are in this market and we're in the early innings. You take a look at ZIA penetration. There are 20,000 companies with greater than 2,000 employees. We have about 2,000. So there's 10% penetration in ZIA.
Then you look at ZDX and ZDX of our Global 2000, we have about – less than 40% – not ZDX – ZPA have 40%, ZPA penetration. So there's – and ZPA represents about 14% of our revenue. So large market opportunity with ZPA. The add-ons are relatively new. The browser isolation, the DLP and CASB out-of-band, so there's – we're very early stages with that.
ZDX with network you're monitoring is just – it's a new market and it's pretty early stage for us. Then what you do then you add the workload protection and CSPM relatively new for us. More of an established market but relatively new for us. Workload segmentation, definitely early stages. Workload communication, the extension of our ZPA, very early stages.
And so – and then I take a look at internally related to the speed we have to develop products or services. When you build the platform and you use the strategy that we use related to targeted acquisitions, related to smaller companies for technology. And you can see with the acquisitions that we've done we've done four in the Appsulate with the browser isolation, Cloudneeti with CSPM, TrustPath with – I'm sorry TrustPath with MI/ML and Appsulate with browser isolation.
We've been able to put these products on our platform quickly. That's the advantage. When you build the platform correctly, you have the ability to put services onto your platform. So our target related to buying smaller companies and integrating them into our platform, I think gives us a huge advantage.
So when I look at ZDX, that was – that's a major development. And that was developed internally. ZPA, I know it's been around for a while, but that's a major development. And that was all developed internally which flows into W – the workload protection with the workload communication.
It's – we just – we're in the early innings. We are incredibly well positioned. We have scale in our business as well as in our platform. We have the ability to add additional services onto our platform. And I really feel that when I take a look at the world and take a look at the risk out there and how we're positioned, I just don't see a company better positioned than Zscaler. And that's what gives me the confidence because we've developed the engine internally to go to market. We've developed the engine internally to scale the platform. We've developed the engine internally and also through small acquisitions to expand our platform. And I look at where we are in this market; we're in the very early stages of this market. So that's what gives me the confidence.
Thank you for that. That's really helpful. Hey, Jay, shifting back to you. Good transition here. Go-to-market right? You hired Dali. There's two things that happened. You needed to build out the enterprise sales force, but also, you know, I talked about several years ago how this went from being an evangelical sale to be more mainstream. And you are right about that as well, right that crossed that chasm. Now Zscaler's are brand name throughout enterprise and to comment back on Remo's comments, you have a lot in your pipeline to sell right? So it's not about that and it's at -- so just talk to us a little bit about go-to-market where you were maybe a year ago, where are you now? And where are you going?
Yes. I've been sharing over the past four quarters that we needed to build a stronger foundation of the sales execution to go from a few hundred million to a few billion dollars. When you build a house, you're building a two-storey house like a startup, your foundation is only so deep. You want to build a 50-storey building, the foundation needs to be looked at different.
So we put a lot of pieces in place at the foundation for go-to-market engine starting from proper systematic sales enablement, proper hiring all the right leaders, training them even training on how to hire sales rep, what do we look for? Having dashboard, having leading indicators, I think we did a good job. And quarter-after-quarter we have proven that all those things are delivering results.
And our numbers are based on leading indicators we're able to see what's going on. So sales machine is doing extremely well, very proud of it. Now when I talk to Dali and say it's getting easier. Yes, but the numbers are getting bigger. Yes, that's how it's supposed to be. So we are hiring and training but that machine is working very well.
The areas where we still have a lot of room for leverage, I'll highlight two areas. One is on the marketing side. Sitting at 12, 15 months ago, we had sales and marketing aligned to some degree and we pumped lots of investment sales and moved it up here -- sorry, sales. And marketing has room to get aligned with sales as well. So we've got a CMO, new CMO in place about -- joined about three months ago and we are investing quite a bit in many sales aspects ranging from demand generation, ranging from better CXO engagements and the like. So we'd expect more leverage from it.
And second big leverageable area is channel. We are talking on multiple channels. One area, which was slow in embracing cloud and embracing our services, was traditional bar channel. I mean after hoping that they're able to sell and deploy boxes forever, the smart ones figured out that the world is changing for good and there's money to be made in doing transformational services that Zscaler requires rather than professional services for box deployment.
So now we are getting more and more inbound calls. A couple of quarters ago, we put a program in place and start putting more channel resources in place to build and grow a channel. And early results are pretty good, but that should give us leverage for the next several years.
That's great. So again another go-to-market question and this is a little different. You and I have talked about the average large enterprise having hundreds and hundreds of vendor’s right? So -- and you're clearly in a position to replace them, but historically these guys have just layered more vendors on right -- your existing vendors. From a budget perspective, are you new budget? Are you replacement budget? Is it a little bit of mix? And then where do you see that going over time?
Our sales never starts with let me take on these boxes. Our sales starts with the CIO. If CIO is driving application transformation, the next thing he needs to do is make sure user experience is good, make sure its network can deliver the stuff. That leads to network transformation discussion. So the Head of Infrastructure Networking gets in a loop. And there the issue in not I replaced this private or that private norm.
It's basically Internet becoming your wide area network, your cost savings, your complexity reduction and then that leads to security discussion as well.
Now we really show the strategy of moving from this old world to the new world in phases. When the customer starts with ZIA, the goal is not to have anything sitting between the user and the Internet. Now typically since they all understand that proxy is needed for inspection. It starts at Blue Coat or Websense replacement. Then they add on everything else. You say, I need to what a DLP, this that. So that's why we're selling bigger and bigger bundles like transformation or the like.
And now more and more they say okay with ZIA, I can go safely to Internet, open my internal applications when I'm sitting in home especially. So it sounds ZPA and say okay, VPN replacement. How about my zero trust? Now it starts becoming the bigger bundle of Zscaler Private Access. And then comes the fact that, I must measure and understand my user experience. So ZDX comes in. So we think most of our customers will buy ZIA, ZPA and ZDX for every user because once you have those three things you're basically fully covered.
That's great. So just to follow up on that. Obviously, I'm not asking the customer's name, but I know that there are customers that have gone all in and re-architected on Zscaler. Can you give an example or use case where Zscaler become the predominant -- one of the predominant security vendors in an organization and how that's transformed their business?
Yes. So in fact, our customers are so proud of it. They speak at our conferences. So think of this way, security lots of layers, my data center, my here and here I have more and more customers who are actually becoming what they call firewall-free enterprises, okay? Now the data center may have a lot of old stuff. And we don't really need to go to the data center and fight to replace that legacy stuff because the traffic is shifting away from the data center. So data center and whether it's security boxes or routers and switches or firewall they'll go away over time.
But when they go to cloud, our goal is to make sure they don't have to buy any legacy security products, okay? And I have so many customers who are actually moving in that direction as we deploy more and more are cloud workload communications and CSPM out-of-world. I think you're basically rounding out the old world going away from all appliances. Well depending upon the best we are left with three or four key things.
Zscaler as the exchange, identity vendor to provide identity, endpoint vendor to provide endpoint management and security and some security analytics vendors to provide kind of logging and analytics kind of stuff. That's the world our customers are moving into fairly rapidly.
That's great. So all right. So last one from me. Talk about what's in-store for 2021 and beyond? And what are the milestones that investors should look at to measure your success other than obviously your outstanding growth rate in numbers?
Right. So yes. So numbers is one thing. Outside numbers, if you look at what's my focus, I bring it down to three simple things. I want to keep on innovating at a fast pace to increase the gap. Number two is, marketing and selling. And number three is, making sure our customers are happy. They're taken care off from support point of view. We are so proud of our NPS score of 76, while an average SaaS company sits around 30. So, lots of innovations. We announced a number of things, at Zenith Live last month -- no in December.
We got our next virtual Zenith Live coming in January. You can expect us to make a number of new announcements in many new technology areas, because it's a lot of opportunity in the cloud area. The market just starting out, that's a brand-new area for us. 5G is going to upset many things. It's not just a fast transport. It'll change the way some of the things are done. So we are busy innovating.
All right, it looks like I have another minute, so I'm going to ask you one more. And that is, an important question across all of technology. You're growing at such a fast pace. And you're clearly looking for good talent.
Talking about the talent pool that you're able to get into Zscaler right now and is it up to the standards that you're historically -- the high standard that you usually keep? And where are you getting the talent from?
Yeah. Good question -- excuse me -- sorry. Thank you. So, I would say we have tried to be selective, all along, but our talent standard has gone up. The biggest change in going up is that we have to do less un-training because the talent, we're looking at we want to shape them the way we want.
So, first of all, our brand has gone up quite a bit. Our customers talk about it positively. I talked to a couple of salespeople, in the past month, who said, oh, this customer CIO suggested that I should talk to Zscaler, because they're very happy about it.
It becomes wonderful as the word spreads out. So we have become a destination for top talent. So, getting talent has become a lot easier. It's a competitive market. We're really filling our recs hiring. We are tracking very well, okay? That's point number one I would make.
Point number two, we are -- we are hiring from more of a software and SaaS type of companies and some of the early stage people who don't need to be untrained. We try not to hire salespeople, who have been selling boxes for too long, because there's a more lot of un-training involved.
But our SCs and architects do come with a deep, networking and security background. Pleased, with the progress we've made the systems and processes, we have put in place to hire good talent.
That's fantastic. Well, thank you so much, gentlemen for your day and good luck. And talk to you soon.
Thank you so much.
Thank you, Joel. Bye.