ZS - Sequential vs YoY growth

Someone asked me this off board and I thought I should answer for everyone.

So obviously YoY is really important and in this case Zscaler was able to increase their YoY to 63% but their sequential growth was a dramatic slowdown from 16 to 10 or so. I noticed most stocks discussed on the board have 10-20% QoQ growth with varying levels of YoY, in general when does a slowdown QoQ result in loss in confidence?

That’s an example of what I was talking about above in over worrying about one statistic instead of how the whole company is doing. Their quarterly revenue growth yoy was the highest in three years. It was 63% up from 55% a year ago, up 8 points, while Crowdstrike, in the same field, was 63%, down from 86%!!! Down 23 points!

Their RPO grew 90% for god’s sake to $1.95 billion. That’s business already contracted for but not yet recognized. It’s almost eight times this quarter’s revenue !!! That’s Remaining Performance Obligation !!!

And sequential growth seems to always be lower in the January quarter.


**2019               9** 
**2020   7   9  14  13**
**2021  10  12  12  17**
**2022  11** 

Look at it. It’s always lower than the quarter before AND the quarter after.

And with this invasion going on by a company that has continually sponsored breaches on our companies and government, don’t you think that our government is telling every department “Enough stalling around! It’s time to get zero-trust in place!” And every large US company as well! What a tailwind!

But if you think you should sell out because of one weak sequential gain, go ahead. Each person has to make their own decisions. I’m just telling you how I see the numbers.

Best,

Saul

182 Likes

And with this invasion going on by a company that has continually sponsored breaches on our companies and government, don’t you think that our government is telling every department “Enough stalling around! It’s time to get zero-trust in place!” And every large US company as well! What a tailwind!


the famous hacker collective Anonymous declared it is going after Russia:
https://www.infosecurity-magazine.com/news/anonymous-hacking…

bunch of article/news stories on web and tv about potential cyber conflict ramifications of Ukraine invasion, too:
https://finance.yahoo.com/news/russia-may-be-primied-to-hack…

https://fortune.com/2022/02/24/what-if-russian-cyber-attacks…

this is all after Russia was already known or expected to be the culprit behind massive attacks, per Microsoft:
https://www.voanews.com/a/alleged-russian-hacks-of-microsoft…

I have no idea the actual role Zscaler plays in which types of cyber attacks, but in general you would expect any new news that pops up around cyber to further rally security stocks, much as CRWD received a boost from their role in investigating the DNC cyber attack in 2016, which was blamed on…you guessed it…the Russians:
https://www.crowdstrike.com/blog/bears-midst-intrusion-democ…

I question the gains some of the growth stocks received in 2020 and 2021, which were beyond the growth rates achieved during that period (Zoom being a glaring exception). So I don’t think we should be shocked when some stocks go down in 2022, even after good reports.

Having said that, ZS drop seems overkill, particularly in the short-term and barring any further market collapse (which would bring all stocks down, not just ZS), so I picked up shares today.

Dreamer

28 Likes

Hi Saul,

Management has stated that billings (not RPO) should be used as the main indicator of future revenue growth. The RPO numbers are too sensitive to timing/lumpiness from large deals. The billings had a drop from low 70%s the past 4 quarters to 59% this Q and the market is not having it. There were a lot of questions about it on the call. Management mentioned some Federal govt business slipped during the Q due to budget constraints causing the shortfall, but that they are confident in the future of their Federal business growth. So I think the billings growth should stabilize, but it is something to keep an eye on. They mentioned short term billings grew 61% YoY.

CC commentary when an analyst asked what is the best way to look at future revenue trends and if it should converge to RPO trends over time:

“Yeah, that’s a great question. And if you take a look at our RPO growth year-over-year, it was about 90% and CRPO growth was 79%. What we’ve always called out when the RPO growth rates and CRPO growth rates are going just triple digit, we brought back investors and said billings is the best way to look at our business. And when you take a look at RPO and CRPO, they’re more sensitive to the timing of large deals, the timing of renewals, contract durations and other specific terms. It’s for these reasons that we want – we feel the people should be looking at billings versus RPO or CRPO. Also our – especially when we’re in the range of 10 to 14 months. So – and both in the quarter, our duration was right in the middle of the range of 10 to 14 months. One thing I’ll also call out that investors probably look at is short-term billings growth. Our short-term billings growth was 61%. So I would look at everything as an investor but from a Zscaler perspective it’s really billings. And if we’re in that range 12 to 14 months it kind of bounces and then also short-term billings growth. Those are the key metrics. That takes all the noise level all the things going on with RPO and CRPO out of the equation.”

60 Likes

I have no idea the actual role Zscaler plays in which types of cyber attacks

In general, Zero Trust says “trust nothing and no one without verifying access and authentication”. Which is to say, it greatly limits what you can to or what a program can do. For instance, in the Colonial pipeline ransomware situation, some employee clicked on an email link that activated a ransomware attack. This encrypted his/her computer and then spread to all the computers on the network. If Zscaler had been running, the one computer would have been encrypted, but when the program tried to spread, Zero Trust would have said “Hey, this executable (ransomware) is not allowed to run on this server”,or “hey, this user is not granted permission to access this server nor run an executable on this server” and the attack would have ended.

So everything a user or program tries to do has to be approved by Zero Trust, based on restrictions applied and authorizations confirmed.

Hope this little example helps a bit.

Pete

49 Likes

What I did:
I sold a 4% position in MongoDB I bought two days ago to buy 50% more Zs after hours following the CC.

Why I did it:
When I saw accelerating Revenue Growth 63% YoY while going up against a difficult compare Q2 last year…and then in answer to why Claculated Billings was only +59%, Romeo Cannesa, said, Federal was low single digit of our new and upsell business. Now why is that? It’s just the budget constraints basically. I figure Federal not having kicked in yet will accelerate the business more when it does. I’m investing today based on how I see Zscaler performing in the future. With little to no Federal growth and still Zscaler reported nearly the highest revenue growth YoY for 10 quarters, Wow!. And to be honest, it was the disconnected market reaction to this report that got me to defiantly add so much. I mean, despite my having a 17% position in Cloudflare now- Zscalers’ direct competitor, I had to take advantage of this.

I’ll likely reverse this trade when I see another catalyst line up for MongoDB to further the recognition of their dominance in that market. I think the odds are in my favor that I’ll make a bit on Zscaler in the next 3-6 months, allowing me to get more shares of MongoDB when I do.

Managing a concentrated portfolio allows me to understand these companies well enough that I feel confident when I do step out of my usual more disciplined approach to investing. And if I don’t see an opportunity to get back into Mongo, I’m happy to own a 10% position in Zscaler for the next 1-3 years.

As a habit, when I make investing decisions I’m thinking out 1-3 years. When I do make a short term decision, it’s almost alway based on an obvious market disconnect between how the companies were performing and a share price over reaction based on something outside of what the companies were doing.

Best,

Jason

35 Likes

in the Colonial pipeline ransomware situation, some employee clicked on an email link that activated a ransomware attack

According to Bloomberg (https://www.vox.com/recode/22428774/ransomeware-pipeline-col… ), the attack was actually started via a VPN account whose username/password were known to the hackers. I’ve seen nothing about email.

In general, Zero Trust says “trust nothing and no one without verifying access and authentication”.

To understand Zero Trust it helps to understand the most used model, which is “perimeter security.” Which is like going through a metal detector to get into a building or airport. Once you’re inside, the security is pretty light, based on the assumption that nothing got through the perimeter and that you trust the people who went through to not actively do something bad, even without guns. Corporations that have internal networks use this principle, and once you’re on a corporate network, the security for what you can do is relatively light since corporations trust their employees.

Note that a VPN, virtual private network, is what corporations with perimeter security use when they have remote employees. A VPN essentially provides a “perimeter authentication” before the computer the person is logging in from gains access to the corporation’s internal network. In the case of Colonial, VPN access was not “Two Factor,” and so anyone/anything with a valid username & password could get into the corporate network and then run programs.

One important aspect of Zero Trust is that it doesn’t trust users. Instead, it looks at what the user is trying to do and grants or denies access based on that. In terms of trust, it doesn’t matter if the CEO or a mailroom assistant wants to run a program. Only pre-approved programs are allowed to run. The typical authentication safeguards for who is allowed to what remain in a Zero Trust environment, but that’s not the sole security enforcement any more.

But, for things like email, even good people don’t make for good security, since the contents of email messages they receive may have viruses or links to hacked web sites, and even well-intentioned employees may click on a link if it’s presented as being something other than what it is. One of ZScaler’s main products literally scans the contents of every email being sent to and within the company to look for bad content and remove it before forwarding the email on. ZScaler’s services can be used for far more than just email - all traffic to and from can be sent through ZScaler’s servers. So now employees can use DropBox or whatever since all traffic to/from the corporation is scanned for harmful content.

One can even take the concept of Zero Trust so far as to completely eliminate the internal corporate network (GE did this a few years ago). Every server and employee computer needs to run a ZScaler client to funnel all traffic in and out through ZScaler’s own cloud to scan for malicious content. You still have authentication and authorization controls on who can do what, but now you know that no-one is intentionally or accidentally running a virus. Since the corporation’s servers only accept traffic from ZScaler, this can even help with DDOS (Distributed Denial of Service) attacks.

70 Likes

Hi SaulR80683,

“And sequential growth seems to always be lower in the January quarter.”

Not a big surprise.

Implementing a large software change in November or December can cost many companies a lot of money during their most important business months.

If an install takes a system down or changes things where employees need to “hunt” or ask for a supervisor for help it can be costly.

Most retailers, shippers, suppliers, etc all shun system changes starting as early as September through New Year.

Does that help you?

Gene
All holdings and some statistics on my Fool profile page
http://my.fool.com/profile/gdett2/info.aspx

6 Likes