Zscaler - A Deep Dive into my notes Part 1

A deep-dive of a sort on Zscaler: At least, all you’d ever want to read about it. These are my own notes on Zscaler, in which I edited, shortened, and paraphrased any articles I quoted to make them more readable for myself (shorter is easier to read). Then I cut the length of the whole thing in half again for this post, but it’s still a long read. I hope you will find it useful. I’ve had to divide it into two parts.

There’s been a lot of recent discussion on Zscaler, and I’ve been shocked to discover that a lot of people (even people who invest in Cyber-security) don’t know anything about Zscaler, and actually think of it as just another Cyber-security company!

I’ll start with a capsule summary:
Zscaler has been around for more than 10 years, but just IPO’ed a year ago in March 2018 at $16, and closed the day at $33. I bought it in June at about $36 and it closed Friday at about $63, up 75% for me in nine and a half months.

Zscaler has an interesting, innovative, and revolutionary idea in Internet security (and insecurity). They feel that putting a hardware firewall around a company doesn’t work anymore, now that the enterprise company is partly in the cloud, and that people can sign in from anywhere, and sign on to other outside programs from within the enterprise. Zscaler provides a pure software, native cloud-based security, and as far as I can tell they are far and away the leader in this, if not the only player who has what they have to offer. They have 100-plus data centers all around the world, which would be difficult for most potential competitors to replicate. Zscaler has been operating them for ten years.

When they IPOed a year ago they were a tiny company, which few people had heard of, and had revenue of just $126 million in the last fiscal year (July). Of course, you might think that big companies would be loath to trust their security, their family jewels, to a company that small. Well now their run rate is $300 million, and their revenue and billings rates are accelerating as they get larger, and they have become profitable and free cash flow positive.

Well, that’s strange, you’ll say, accelerating rates of growth off a bigger base? Why is that? Easy question. The answer is that they are bigger, and they have more very large enterprises as customers, and being larger, with lots more very large customers, makes other very large enterprises more likely to trust them with the family jewels. They seem to have passed an inflection point and are taking off.

Its customer list includes names like United Airlines, NBC, GE, Nestlé, the United States Marines, NATO, the FCC, and the National Health Services of the UK. And this is still a small company with just $74 million in revenue last quarter, and just $45 million the year before that.

Read on through my own notes which I’ve edited a bit for you.

June 2018 – Results of April quarter (The first after the IPO)
• Revenue up 49% to $49 million
• Calculated billings up 73% to $55 million
• Deferred revenue up 61% to $125 million
• Raised $205 million in IPO.
• Adjusted operating loss was $2.9 million, or 6% of revenue, improved from a loss of $5.0 million or 15% of revenue.
• Adj net loss was $2.6 million, or 5% of revenue, improved from a loss of $5.0 million or 15% of revenue
• Adj net loss per share was 2 cents, improved from a loss of 5 cents.
• Op cash flow was $8.1 million, up from $0.2 million
• Free cash flow was $3.7 million, or 7% of revenue, compared to negative $1.8 million, or 5% of revenue, a year ago.
• Cash was $288 million.
We are also very pleased to generate positive free cash flow for the quarter.

Conference Call
Our operating margins improved 9 percentage points, yoy.

Cloud transformation is breaking the traditional perimeter-based security appliance oriented approach. In the traditional architecture, organizations built hub and spoke network to backhaul branch office traffic over dedicated wide area networks to the data center in order to apply security checks and access and ports. Then, they built a moat of security appliances that established a perimeter around the corporate network to secure the network. That’s why we call it network security.

In the cloud world, where the perimeter has disappeared and the internet is becoming the corporate network, where would you deploy security appliances? Our cloud platform eliminates the need for traditional on-prem security appliances that are difficult to maintain and require compromises between security, cost and user experience. Zscaler security cloud is a purpose-built, multi-tenant platform deployed across 100 plus data centers globally that secures access for users and devices to applications and services, regardless of their locations.

Zscaler delivers advanced security and policy enforcements, no matter where the users are, connecting users to the nearest Zscaler data center, hence taking the shortest path to the application.

Compute, storage and applications are moving to the cloud, which requires a fundamental change to the network architecture and security. In a cloud and mobile first world where applications are in the cloud and users are everywhere, security needs to be done in the cloud. We have the opportunity to replace the inbound and outbound gateways of a traditional castle and moat security.

We believe we are the solution to secure the cloud first mobile first world. We have 10 years of operational experience running our security cloud at scale. We process in excess of 45 billion internet requests per day during our peak periods. Each day, we detect and block over 100 million threats and perform more than 120,000 unique security updates. This cloud effect delivers far superior security than traditional appliances for all of our customers.

In Q3, we saw strong growth in our platform adoption. Broadly speaking, Zscaler platform offers two complementary services. First, Zscaler Internet Access or ZIA for secure and fast access to SaaS applications and the internet. ZIA is designed to ensure malware doesn’t reach the user and valuable corporate data does not leak out. Second, we have Zscaler Private Access or ZPA for secure access to internal applications in enterprise data centers or the public cloud. ZPA connects a specific user to a specific application based on business policy, without bringing the user on the network, resulting in better security while delivering the best user experience. This is how enterprises want to access applications on the public cloud without having to go through their data center.

M&A is an elegant use case for ZPA. Rather than connecting two complex networks together, which can take 9 to 12 months or more, ZPA can provide secure application access, based on business policy across both companies in days. A European global bank purchased business bundle with SSL Inspection and DLP for over 70,000 users, driven by the business moving to Office 365. The customer needed a modern cloud security platform that included a best-in-class DLP. We work closely with the service provider partner who will manage the Zscaler service for this customer and enable the customer to have a compliant solution for the stringent EU data privacy requirements.

Now, I want to share an example of a deal where the customers simply wanted to replace an existing on-premise web proxy due to budget constraints. This is a global 500 IT services and products company in Asia that purchased our entry level professional bundle for 10,000 users in Q2. In Q3, they expanded the same bundle for over 130,000 users domestically. Recognizing that threats often hide behind SSL, they also purchased SSL Inspection functionality.

Our dollar based net retention rate in Q3 was 120% and was driven by upsell activity for our high-end transformation bundle, which includes the Cloud Firewall and Sandbox functionality.

Our strong customer retention and ability to upsell have resulted in a consistently high dollar based net retention rate, which is 120% for the trailing 12 months ending April 30, 2018. This compares to 115% a year ago and 122% last quarter. We expect it will vary quarter-to-quarter, depending on the timing and size of upsells and new customer additions.

We feel the world is coming towards us. I will highlight three key trends.
• An increasing adoption of SaaS applications, and Microsoft Office 365 in particular;
• SD-WAN projects that transform the legacy hub and spoke network;
• Application migration to public cloud using AWS, Azure and Google.

A strategic advantage for us is the channel partnerships with large SIs and global SPs. We will continue to train and enable our partners to create leverage and accelerate our sales. I mentioned that I also visited our India office on my trip last month where we have one-third of our employees. Our talented staff in India keeps our business running smoothly for 24 by 7 coverage for customer support, cloud operations and development.

Total gross margin was 81%, up 2% compared to Q3 last year and flat sequentially.

Total operating expenses grew 9% sequentially and 38% year-over-year to $42.8 million. We believe our large market opportunity justifies investments that we are making. S&M increased 9% sequentially and 43% year-over-year to $28.4 million. We’ve been building our sales team to drive growth.

We incur significant S&M costs initially to sell our products. But after the first year, our S&M costs decline significantly, as our commissions and marketing efforts are concentrated on initial sale. R&D increased 3% sequentially and 20% year-over-year to $8.9 million as we continue to invest to enhance product functionality and to offer new products.

G&A increased 27% sequentially and 50% year-over-year to $5.5 million. These expenses exclude $2.8 million in litigation related expenses. The growth in G&A includes investments of headcount, consulting and other expenses that we have made as we became a public company.

Q - I’m particularly interested in the opportunity to displace firewalls. Is that now a meaningful opportunity?

A Good question, Melissa. As we said, we really don’t lead in with displacing either web security gateway or replacing firewall. Our number one focus is lead the transformation. When you lead the transformation, it’s a holistic approach. It is true that in a lot of those approaches, secure web gateway is often the first party that gets removed, because they’re looking for internet bound traffic.

On the firewall side, we are selling a number of transformation bundles, which include Cloud Firewall as well as Cloud Sandbox. Now, we don’t go in and say let’s replace the firewalls. What happens is, typically customers have firewall sitting in the main data center and a couple or three, four regional data centers. And believe me, majority of enterprises still have different branches coming back to the data center. So, when we do these transformation bundles, there is no firewall, there is no egress point, there is no gateway in most of these branches. It is Greenfield, it is add on opportunities.

Now, when we replace those, we do end up taking whatever outbound gateway boxes they have in the data center. But, we aren’t really going in to say let’s remove this. But generally, the field is clearly wide open for us and we’re going as Greenfield add-on in most of the cases.

So, our concerns aren’t getting to profitability or free cash flow or sustaining that on a long-term basis. Our focus is going to be to invest in our business and to grow our business on the top-line in a prudent manner. One of the things we’ve talked about before is that we plan to have sustained positive free cash flow and also positive operating profitability on an adjusted basis, sometime in fiscal ‘20. So we’re going to keep on running the business with that in mind because of the large opportunity we see in front of us.

ZPA is the fastest growing new product in Zscaler’s history. And also, we’re pleased we had our first 7-figure annualized revenue deal from ZPA this past quarter.

Q - You’ve got this major conference coming up, what’s the size and scale of it? We’ve been surprised the amount of people signing up to come into the conference.

So, our target is about 400 to 450 total people. About 25% of them are expected to be C level or VP level people. And we got some great keynote speakers as well. So, we got Scott Guthrie of Microsoft coming as a keynote along with Satya doing a video message. We’ve got Pat Gelsinger, CEO of VMware as a keynote and we got Michael Dell delivering a video message. And we got some great customer keynote as well, the CTO of General Electric, will be there in person; and the Head of Global Infrastructure for Siemens will be there as well.

Q - For a company of your size, you have pretty pronounced international presence. So, I’m curious to get your perspective on some of the demand drivers and distribution leverage that you have.

A Yes, we do have strong international presence. And that is attributed to a couple of things. One, I have got the same sized team outside the U.S. that I have got in the U.S. when I started the company. And two, Zscaler was architected with data privacy in mind. So, we are probably the most data privacy friendly security company out there, because we are the only company that doesn’t write logs in every location where traffic is processed.

All these appliance guys, whether they put a VM in the cloud or whatever they do, wherever they’re going to spin up a VM, the logs will be sitting there. They’ll be figuring out how to do a batch push of those logs. In our case, the logs only go to one place, and that is in EU. So, that’s why some of the biggest European companies have embraced us.

June 2018 – article by Sramana Mitra, shortened and paraphrased.
Zscaler’s Journey - San Jose-based Zscaler was founded by serial entrepreneur Jay Chaudhry in 2008. Jay already had seen a lot of cloud-based companies and realized that security also could be offered through the cloud. He wanted to offer web security in the cloud that would be able to cater to the rapidly growing mobile world. He did not want to rely on the old-school security model of having physical devices installed at corporate locations. Instead, he wanted to build a network of checkpoints within data centers so that traffic could get directed to the nearest data center for inspection and security.

Soon, Zscaler had launched its Security-as-a-Service platform to deploy security into the Internet backbone. Today it delivers unified, carrier-grade internet security, next generation firewall, web security, sandboxing/advanced persistent threat protection, data loss prevention, SSL inspection, traffic shaping, policy management and threat intelligence to more than 15 million users across 5,000 organizations globally, including 50 of the Fortune 500. Zscaler reportedly spurned a buyout bid from Cisco before its IPO.

Zscaler’s Offerings - Zscaler today has a highly scalable, multi-tenant, globally distributed cloud capable of providing inline inspection that offers a full range of enterprise network security services. It has designed a purpose-built three-tier architecture starting with its core operating system and adding layers of security and networking innovations over time. Its cloud platform is protected by more than 100 issued and pending patents.
It generates revenue primarily from sales of subscriptions to access its cloud platform, together with related support services. Its subscription pricing is calculated on a per-user basis. Subscription and support revenue is calculated ratably over the life of the contract, which is generally one to three years. It has more than 2,800 customers across the world in every major industry including government agencies and more than 200 of the Forbes Global 2000. It has lots of competitors but none who offer the same thing.

Excellent Article by Stockholders Unite (shortened and paraphrased)
“Our cloud platform eliminates the need for traditional on-prem security appliances that are difficult to maintain and require compromises between security, cost and user experience.
Zscaler security cloud is a purpose-built, multi-tenant platform deployed across 100 plus data centers globally that secures access for users and devices to applications and services, regardless of their locations… We have the opportunity to replace the inbound and outbound gateways of a traditional castle and moat security. Deploying Zscaler results in reduced spend on bandwidth and network equipment costs.”

Zscaler offers three packages of cloud security solutions and two complementary services.
The three packages are:
• Professional (about 10% of sales).
• Business (about 70% of sales) and 1.5x the price of professional.
• Transformation (about 20% of sales) and 3x the price of professional.

The two complementary services are:

• ZIA or Zscaler Internet Access “for secure and fast access to SaaS applications and the internet. ZIA is designed to ensure malware doesn’t reach the user and valuable corporate data does not leak out.”

• ZPA or Zscaler Private Access “for secure access to internal applications in enterprise data centers or the public cloud. ZPA connects a specific user to a specific application based on business policy, without bringing the user on the network, resulting in better security while delivering the best user experience.”

ZPA is still a tiny fraction of sales (about 5%), but it’s rapidly growing. Demand for ZPA comes from two motives:
• To access public cloud platforms like AWS and Azure.
• To act as a VPN replacement.
As a VPN replacement, it does have competition of course. Not only from traditional VPN providers but also from newer solutions like Akamai and Cloudplayer and some newer ones. According to management:
“Traditional VPN products don’t fit well when you need to access applications in public cloud. So, we are driving that push. We aren’t seeing a whole lot of competition there yet.”

Be that as it may, Zscaler’s transformational package has no real substitute, and demand for ZPA is rising rapidly, so at this stage there don’t seem to be too many worries about competition.

While management is prioritizing top-line growth, and rightly so, given the fact that the field still seems to be wide open to their solutions, margins are actually already expanding.

That is very encouraging for investors. Zscaler enjoys a really high 81% gross margin (up from 79% yoy).
But it’s operating margin that already shows substantial leverage, improving by an impressive 9% to negative 6%. Despite still negative operating margin, the company produced positive free cash flow of $3.7M.

We see little reason why growth will not continue.
The company has quite a few levers:
• New accounts, we’re still in the first innings and the company is running wild here.
• Expanding usage of existing accounts, companies can (and do) buy additional seats.
• Developing (or acquiring) additional applications, like ZPA.
• Up-sell and cross-sell, which we already mentioned above.
• International expansion. The company already has a significant international footprint, especially in the EU where all its logs are housed (compliant with the latest EU data protection regulation).
• Expanding gross margin (although we assume there is little room left for this as margins are already very high).
• Operational leverage, this is ongoing even as the company prioritizes revenue growth.
• Cash generation, the company seems to be close to that, or it might already have arrived.

The main risk seems competition. While management argues that their transformation package especially has no real equivalent in the market place, this can change.
We’re looking at companies that have a worldwide network of servers like Zscaler has, companies like Akamai which already offer a host of cloud security solutions. Existing internet security players like Palo Alto will also have taken note of this new kid on the block.
Don’t expect a security market analysis here, there are people much more qualified for that. However, given the enormous demand for the company’s services from people who do know and have a stake in the evaluation of competing offers, competition doesn’t seem to be a prime worry at this juncture.
Conclusion - The shares are going parabolic. As we wrap up this article, they’ve just closed above $40. Undoubtedly the IPO of the year, given the fact that they went to the market at $16 less than three months ago.

The enthusiasm of their shareholders isn’t surprising, and it seems to mirror the enthusiasm of their customers. But at 14x next year’s sales while still loss making, an awful lot is already priced in.

June 2018 - Zscaler announces integration with Microsoft Cloud App Security
Interoperability between Zscaler and Microsoft Cloud App Security enables secure and seamless adoption of SaaS services for enterprise customers.

The combination provides a streamlined service that allows enterprises to securely embrace the cloud. With this new Zscaler closed-loop integration, joint customers can now control cloud applications regardless of location or connection. The new integration helps customers perform comprehensive risk assessments of all their cloud services, enforce application control policies, and define risk profiles around key initiatives like GDPR compliance and data protection.

“This is the type of solution needed to help customers discover and control cloud applications as they are introduced to the enterprise,” said Microsoft’s Director of Security Product Marketing. “Because anyone can sign up and start using new apps in the cloud very quickly, it’s essential for companies to be able to enforce policies in real time to maintain security.”

Zscaler further expands its Partner ecosystem to fuel Cloud-First and Mobile-First enterprises
Zscaler increases partnerships to accelerate network and security transformation for enterprises worldwide. It has broadened its partner ecosystem to include new SD-WAN and security partners, arming customers with integrated solutions to drive secure cloud transformation. It also announced new and enhanced integrations from current and new partners.

June 2018 – Bert’s Deep Dive - Z-Scaler, can it scale the heights of its valuation? (Saul: This is extensively shortened and paraphrased).

Z-Scaler is a relatively new IPO in the cyber-security space. Its valuation looks extreme…until one considers the disruptive nature of its technology.

It has developed a proprietary paradigm, protected by 100 patents and applications, that can replace the traditional network security architecture of firewall and VPN.

It is seeing rapid adoption of its technology with bookings growth of 73% last quarter, a rather substantial growth acceleration, and significant adoption of what it calls “transformation bundles” that do not rely on firewall technology.

While Z-Scaler is not on the lips of every investor, it is quite well known in the IT world, both as a company with a set of disruptive technologies, but also as a “shooting star” stock.

The fact is that last quarter billings rose by 73% (or 60% when adjusted for billings of multi-year deals), and mainly because of the strong growth in billings, and the concomitant growth in deferred revenues, operating cash flow flipped from a positive to a negative in the quarter and for the year to date.

Management, in its guidance, is attempting to keep a tight rein on investor expectations, a difficult undertaking given the opportunities it also has spelled out.

Why is Z-Scaler experiencing hyper-growth and can it continue? Let’s take it as a given that the investors in Z-Scaler are neither stupid nor ignorant. Almost certainly, most of them are professionals with many years of investing in technology shares.

For many years, cyber-security has been about building firewalls and establishing end-point security. Some relatively large companies have been built on that foundation. For some years now, Palo Alto has been considered to be the clear leader in the space. The firewall space has been around for 30 years or so, and while there have been many technological improvements, the basic concept of a firewall, even when it is called “next generation” is still more or less the same.

Along the way, several things happened. One considerable change relates to data types. Much of the data that has to be protected these days is delivered from or read to mobile devices. In addition, much data is now crossing the web, to and from data centers. This shift in the data transport paradigm requires new kinds of protection.

But perhaps more important is the replacement of a firewall paradigm with something else. Cyber-security has been based on establishing a protected castle with a variety of gateways that must cross over moats. One of the problems is that the approach was never supposed to have all of the gateways it now has across the moats, and in turn, this has meant the necessity that users have to buy new specific-purpose appliances to protect the new gateways. This can play havoc with network performance similar to the way that toll barriers used to slow down traffic before the advent of cashless tolling.

Another approach has been that of what is called a hub and spoke configuration, somewhat similar to the way airlines run their networks. This is facilitated by what are called virtual private networks (VPNs) which provide “as needed” connections. This, in turn, leads to massive sprawl and complexity, an environment which is fertile soil for hackers.

Along the way, Microsoft Office 365 has come to replace previous on-premise ways of creating and using data in most large enterprises. This kind of traffic can overwhelm legacy data protection strategies. And finally, lots of work is now done on a mobile basis. Needless to say, it has proven more than a little difficult to protect data that crosses the internet to and from mobile devices, and yet that is the data type whose use is growing the most rapidly.

Zscaler set out to create a different paradigm to improve the user experience and improve data security.

The Zscaler Internet Access solution or ZIA securely connects users to externally managed applications, that is to say modern SaaS applications. Zscaler also offers ZPA which allows users specific access to specific applications without the “untidiness” of the current VPN offerings. (Being able to retire VPN’s is a major benefit for many users).

There are a variety of benefits from the Zscaler approach. One benefit is that because of the architecture of ZIA, the users have a much shorter path to their destination and this improves response time. Again, self evidently, having large purpose-built data centers (Z-Scaler has over 100 at the moment) is almost certainly going to be more efficient in terms of minimizing processing overhead, further reducing latency.

ZS says that its approach eliminates certain network security costs and, almost for sure, it is much simpler than what most large users have today, which can result in improving the productivity of network administrators and security personnel.

Over time, many companies are going to build networks based on receiving data from the IoT. As traffic from IoT applications balloons, some appropriate means needs to be deployed to secure that traffic, the opportunities for mischief within the IoT dwarf what we have seen to date. Does anyone want to come home to either an ice-cold home or an overdone roast or be held to ransom by someone who captures that access?

Zscaler’s approach is also quite unique, bolstered as it is by 100 issued and pending patents. These most notably include a proprietary TCP/IP stack and its multi-tenant distributed cloud security platform. You don’t need to have a complete grounding in network security to understand that this approach is new, more efficient, provides a better user experience most of the time and seems to be proprietary.

I am sure some readers will dismiss Z-Scaler as hype or impossible to achieve or capable of replication through other paradigms. However it seems quite far removed from what has been considered the standard approach to network security in the past.

The replacement of Firewalls and competitive scenarios. At this point, it is not focused on replacing firewalls as a specific sales strategy, although that does happen when it sells what it describes as “transformation bundles” that include a Cloud Firewall as well as a Cloud Sandbox. Most of what Z-Scaler sells are greenfield opportunities and that will probably remain its leading sales tactic into the future although the CEO mentioned that some retail applications have resulted in a “fair amount of replacement of firewalls in some local branches.”

The theme that is marketed by Z-Scaler these days is “transformation” in which firewalls, as they have been known and deployed for 25 years, are no longer present (or relevant). Much of the new paradigm includes what is called a proxy architecture and is based on virtualized technology. The security solutions that are offered by ZS are designed to be incorporated into SDN’s, which is the world into which essentially all larger enterprises are moving.

Earlier, I mentioned ZPA, or Zscaler Private Access, as one of the important offerings. ZPA, and the architecture it supports, is really the future direction of this company, although it is still less than 5% of revenues. That said, the opportunities to replace both firewalls and web security gateways are obviously enormous.

The replacement of firewalls, whether it is their sales tactic or not, is going to happen, and ZS is likely to get a noticeable share of that pie. The value of the installed base of firewalls is enormous. As use cases expand where the objective of the project was achieved by supplanting firewalls with this technology, and as cloud security becomes more of a focus on the part of users, it seems more or less inevitable that the security paradigm will shift in Z-Scaler’s direction.

From my perspective, which is more financial and sales than technology, the fact that so much of its business is long-term is telling. At this point, more than 75% of the deals Z-Scaler is signing are for three years or more. That is a pretty substantial commitment.

It would be mistaken to imagine that Z-Scaler’s progress and potential have gone unnoticed by competitors. I personally believe that Palo Alto sees Z-Scaler as a significant threat and has appointed a new CEO who can help that company find competitive offerings through acquisitions. Z-Scaler has a very experienced and well-recognized CEO in Jay Chaudhry, who has shepherded a bunch of cyber-security start-ups to a favorable end from the point of view of investors.

Symantec has patent litigation pending against Zscaler with regards to its ZPA technology. I assume part of the litigation is because of the competitive inroads that ZS has made. I imagine like many other IP lawsuits in this business, it will ultimately be settled without material consequence to the defendant.

But there is no one offering a comparable architecture and the CEO called out a large ZS win at a Fortune 500 medical device company that was won without any competitive bake-offs or best and final submissions. I find this to be a very telling win, in that it suggests both the capacity of what Z-Scaler sells and the fact that at the moment, competition for the particular architecture that is offered is not present. The CIO of the client had determined that he was done with appliances and a hybrid approach, and in turn that led to the ZS procurement. I doubt that happens often, but I can well imagine that CIO’s who have to manage complex networks with spaghetti-like connections have some degree of unease with a strategy that requires procuring and managing multiple appliances, often from different vendors and of different kinds and protocols to guard each gateway.

I try to find names that I think will be category leaders for years to come. Many readers will find the valuation hurdle just too great for them at current valuations. But that will probably be true in 3 or 6 months as growth most likely accelerates and doesn’t compress. I have established a starter position in my portfolio, and I will be planning to scale into this name opportunistically.

Z-Scaler has the opportunity to dramatically disrupt the cyber-security space as it has been, and to become one of the leading vendors. That kind of expectation can indeed support a premium valuation, although I understand that there will be bumps in the road.

July 2018 – Excellent short article by Investing City (Greatly shortened and paraphrased)
Impressive But Expensive Series: Zscaler
Investment Thesis
It is disrupting the firewall as we know it
Billings accelerated last quarter
It has visionary management
But the valuation is still high.

Disrupting the Firewall - Zscaler, at its core, is a cybersecurity company, but it has set out to simplify cybersecurity. Enterprises usually use the castle-and-moat method of setting up internet gateways with firewalls to establish a secure perimeter. Then, to cut costs, they employ a hub-and-spoke model. Instead of buying a ton of security appliances, they set up a few gateways and then route internet traffic through WANs (wide area networks) and VPNs (virtual private networks). However, this increases complexity and worsens user internet experience.

Zscaler’s solution is to route internet traffic through its security cloud, distributed across 100 data centers, so users can directly connect to any application regardless of location, network or device.

Visionary Management - The CEO and founder, Jay Chaudhry, has started four companies and sold each of them so he certainly knows what he is doing. He also owns about 25% of shares outstanding, worth about $1 billion today. And the Chaudhry trust owns another 28%. So in essence, Mr. Chaudhry owns more than half of this company. His incentives are definitely aligned with investors.

Conclusion - I bought a tiny starter position in my own portfolio after researching this one. I’m not saying it’s cheap. It’s not. But I certainly have more respect for the technology and its results in the real world. I have missed out too many times on so-called “expensive” stocks. Therefore, to remedy this, I buy a small position to learn more about it. Expensive usually is a sign of quality.

Aug 2018 – Federal Gov’t Authorization
Zscaler Private Access-Government (ZPA-Government) meets the Federal Risk and Authorization Management Program (FedRAMP) moderate security requirements and was granted Authority to Operate by the Federal Communications Commission (FCC).

It is the first Zero Trust remote access platform that has received FedRAMP approval. This authorization enables Zscaler to expand its sales pursuit of the Federal market, and it can market and sell its cloud service to government agencies wanting to access sensitive applications and data from anywhere on any device.

Aug 2018 – Zscaler acquires the development team and tech of AI and machine learning company TrustPath for undisclosed terms. TrustPath develops AI-based algorithms to identify new threats, enhancing efficacy and incident response times.

Aug 2018 – Post by Imyoung (Shortened and paraphrased)
ZS is first mover in the disruptive cloud security market. Its architecture is cloud-based, there is no hardware, no need for VPN (virtual private network) and Zscaler currently defines the market it leads. There are many indications that with growing adoption there will be a shift away from appliance-based choices. As leader, ZS is a highly strategic acquisition target for the legacy companies.

Zscaler is significantly cheaper to implement than the security stalwarts mentioned above.

Increased adoption of common enterprise cloud applications such as Microsoft Office 365 will strain network capacity. MSO 365 Outlook alone increases a company’s network traffic by 28%. Zscaler can reduce network strain and reduce infrastructure cost as the FCC’s switchover to ZS showed, saving the agency 70% in security costs. Other companies showed similar high savings.

The acquisition of stealth security startup TrustPath, including their development team and their market-leading artificial intelligence (AI) and machine learning (ML), allows ZS to analyze their own 50 billion transactions processed daily at peak periods by its cloud. AI and ML will allow the company to “identify anomalous traffic, build user behavioral profiles, compute enterprise risk posture, and detect sophisticated targeted attacks as they emerge.”

To me there is no question that ZS will do well but you have to find your own level of comfort with the ratios and numbers. They will without doubt improve and that includes EV/S.


Great summary, Saul!

I noted this segment for two reasons:
“A - Yes, we do have strong international presence. And that is attributed to a couple of things. One, I have got the same sized team outside the U.S. that I have got in the U.S. when I started the company. And two, Zscaler was architected with data privacy in mind. So, we are probably the most data privacy friendly security company out there, because we are the only company that doesn’t write logs in every location where traffic is processed.”

Ability to grow international business and a focus on data privacy are smack in the wheelhouse of topics hitting the newswires today on a daily basis. Great to see that ZS (or at least in their CEO’s opinion) is well-positioned on both those fronts.



We incur significant S&M costs initially to sell our products. But after the first year, our S&M costs decline significantly, as our commissions and marketing efforts are concentrated on initial sale. R&D increased 3% sequentially and 20% year-over-year to $8.9 million as we continue to invest to enhance product functionality and to offer new products.

I make no guarantee of what I will or will not do in the future but presently Zscaler is more than 50% of my holdings. This resulted from a one-time very large purchase I made in the midst of the last market crash. I seem to have got all the Zscaler I can hold at near its bottom. If you read what I have written about Zscaler here and on NPI there are multiple aspects about it that caused me to be so invested (again, I make no guarantee of what I will or won’t do in the future) but the above reason that Saul cited in his notes is one that is underappreciated.

Zscaler is likely to have little churn. A new customer is a customer for life. We are talking 5, 10, 20, 30 years (depending on what “life” means these days in a commercial setting like this). Zscaler’s expense for each new customer dramatically falls in year 2. There is very little in regard to variable costs for maintaining each new customer. There will be some customer service issues, and some of these will be handled by third party system integrators, but some by Zscaler. Maintaining top-notch customer service is critical in this market.

The costs that Zscaler will have are fixed costs. And like with Amazon and Azure and the titans, the larger Zscaler gets the more it can expense fixed costs to more and more customers thus reducing fixed costs per customer the more Zscaler grows.

Zscaler is one central product that is distributed decentrally. Thus very little marginal costs for each new customer from year 2 onward, and declining fixed costs per customer as they scale every year, for a customer base with an extremely low churn rate. A customer base that will grow as their employees grow (or the opposite perhaps in a recession), and that can be upsold current and future products.

Now how much is each new customer worth!?! The lifetime value of each new customer to Zscaler is about as large as you will find in industry today.




Who am I to give advice? But I would definitely add this post to your letter to your daughter. It shows the level of attention and detail that you put into each and every one of your investments.

Thank you!


I would definitely add this post to your letter to your daughter. It shows the level of attention and detail that you put into each and every one of your investments. Thank you!

Thanks Natasha, that’s very nice of you.


I’ve added Tinker’s post #54847 to my own notes on Zscaler, and recommend that you at least read it.