ZScaler regarding Cloudflare at Jan 12 Needham Conference


What do we think? Cloudflare too much of a promotional company and excessive talk filled with hot air?

Recent Cloudflare press release claiming their faster speed than Zscaler: https://blog.cloudflare.com/network-performance-update-cio-edition/

So Cloudflare has put out a lot of press suggesting they are much nicer than Zscaler. And to be fair, Cloudflare’s focus as a cross WAN Internet accelerator does give them some advantages in rapid communication across the WAN. When I hear that, my response to it is that, okay, but the comparison is between Cloudflare and Zscaler, it’s a comparison between Cloudflare, Zscaler and hairpinning of the traffic back to their data center and a difference of a couple of milliseconds 1 way or the other when you’re doing 3 ops instead of 30 ops, is it meaningful? So it’s really a functionality problem. So can you look at that…


I think these guys make a lot of nonsense noise. Even last year, once they told investors, we replaced Zscaler at a very large oil company, really? And they named the company, you kind of said, because I know them well. So I called the CIO and say, what are they talking about? Do you have them? They said we – in 1 of our business units, I am using CDN. That’s it. Now that funky little thing became, we replace their guys, okay? Some companies like to stretch, some companies grow too far beyond stretching. That’s one. I had one other conversation with someone and they said, "Wow, these guys have lots of experience in selling large enterprise." I said, do the following, rather than all of this debate, ask them, show me 10 large enterprise customers that are actually using, okay? I bet you’ll struggle to find even one.

So it’s easy to make a lot of noise. So you’re putting in all that stuff. They’re trying to bait us to respond and get into – they want credibility. They want some coverage. We’re not going to get into that stuff, leave it alone. It’s sometimes I think they’re trying to do, they have the lots and lots of little, little things in it. But everything is 2 inches deep.


Right. So it’s – from a feature parity perspective, it’s nowhere near there. Even if there’s some speed advantage, that’s the – measuring the wrong thing, right?


So okay, not even quite a bit. Okay, when can they have the speed advantage. If the traffic, say, coming from Singapore to New York needs to come on a wide data network, yes, they can do acceleration. But our goal is not to backhaul traffic. The goal is that applications are getting set up everywhere. Why is Microsoft putting its data centers in every part of the world? So no backhauling is needed. So the advantage of doing some funky test to show that I can bring on my backbone to do something is not a real thing. My traffic, my customer’s traffic in Singapore goes through Singapore data center. Then it gets on Microsoft network to get to wherever Microsoft is. If Microsoft in Singapore, it’s one hop away from me. So all these papers are trying to get attention. We would rather focus on our customers. So do you think I even worry about Cloudflare or thing? Not really. My worry is to make sure we keep on executing with our focus, our sales team fully enabled, and we don’t get complacent. We don’t let success go to our head, and with that, we are focused on customer obsession. That’s why our NPS is sitting way up it’s sitting. That’s why our score, promoter score is sitting very good, over 125% net retention rate. We are proud of those numbers, and we keep on driving.


Thanks for posting. This is interesting! I’ve spent the whole week digging into Zscaler and Cloudflare, analyzing the updates and trying to make sense of ZScaler’s architecture. Especially trying to find any form of comparison from ZScaler’s side.

In my opinion, this little piece of Q&A itself shows the exact opposite, and it tells you more about ZScaler than Cloudflare. Cloudflare’s putting out deeply technical thorough articles, adding features at an astounding pace, and what we get here from ZScaler is fuzzy non-answers and defensive talk. Bashing and dismissing the competition, and not really telling you anything.

I don’t know, it might sit well with analysts etc, but it simply doesn’t hold up.


So okay, not even quite a bit. Okay, when can they have the speed advantage. If the traffic, say, coming from Singapore to New York needs to come on a wide data network, yes, they can do acceleration. But our goal is not to backhaul traffic. The goal is that applications are getting set up everywhere. Why is Microsoft putting its data centers in every part of the world? So no backhauling is needed. So the advantage of doing some funky test to show that I can bring on my backbone to do something is not a real thing.

Here’s the thing. Cloudflare showed that ZScaler’s servers are slow. From Cloudflare’s comparison, emphasis mine:

Proxy Latency is the amount of time a user request spends on a Zscaler machine before being sent to its destination and back to the user. This number completely excludes the time it takes a user to reach Zscaler, and the time it takes Zscaler to reach the destination and restricts measurement to the milliseconds Zscaler spends processing requests.

In other words, your performance is bogged down by time spent on ZScaler’s servers. It doesn’t matter if you’re in Singapore or as close to a ZScaler data center as physically possible. This kind of latency is like adding a 100ms delay in your connection to the internet. Zero Trust inherently comes with a performance penalty, and Cloudflare is demonstrating that their Zero Trust solution is faster.


I think these guys make a lot of nonsense noise. Even last year, once they told investors, we replaced Zscaler at a very large oil company, really? And they named the company, you kind of said, because I know them well. So I called the CIO and say, what are they talking about? Do you have them? They said we – in 1 of our business units, I am using CDN. That’s it. Now that funky little thing became, we replace their guys, okay?

Not sure what CIO call anecdote is referred to or why it’s relevant to the analyst’s question, but Cloudflare did publish a nice blog post this week.

An American energy company attempted to deploy Zscaler, but became frustrated after spending eight months attempting to integrate and maintain systems that slowed down their users. This organization already observed Cloudflare’s ability to accelerate their traffic with our network-layer DDoS protection product and ran a pilot with Cloudflare One. Following an exhaustive test, the team observed significant performance improvements, particularly with Cloudflare’s isolated browser product, and decided to rip out Zscaler and consolidate around Cloudflare.

(Disclosure: I’ve previously stated having an outsized position in NET and a tiny position in ZS. I sold my position in ZS before/during/after last earnings call. Nothing against ZS - just want to be transparent about potential bias.)


According to this anecdote from a senior director at GE, they chose ZScaler over Cloudflare for zero trust. ZScaler was seamlessly fast.

Cloudflare was too slow (worse than Akamai) and not currently suited for scaling up to serve large enterprises.


Well in the last month,

Cloudflare got approved for FedRAMP Moderate

Cloudflare won a CISA contract for Registry and Authoritative Domain Name System (DNS) services: Has been awarded a contract from CISA to provide Registry and Authoritative DNS services to the .gov Top Level Domain (TLD). They also mentioned that they provide security, performance, and reliability services through their global network to over 40 United States Federal Government agencies (that was apparently without yet getting approved for FedRAMP Moderate).

And now they deepened their partnership with Microsoft Azure. From Finally Foolin’s post:

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

  • Deploy Zero Trust Security without changing one line of code: Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
  • Isolate high-risk users automatically with industry leading browser isolation technology: By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
  • Save IT teams hundreds of hours of manual work: Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
  • Keep sensitive Government data off of the public Internet: By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

It does sound as if Zscaler is a little scared, to spend so much effort in attacking, using an analyst’s powder puff question.



I think it’s less important to focus too much on the noise these two founders are making on each other via Twitter & these conferences and more to focus on the numbers coming out from the companies over the next few Qs.

The single anecdote from the GE exec is good to note as a NET shareholder, but it is just that (a single anecdote). Cloudflare ZT products are brand new so the scale might not be there yet as the exec says. That’s fixable with time, and Cloudflare as a company is scalable by nature. Need to keep in mind ZS is probably the incumbent here & I would not be surprised if there was some bias.



Cloudflare’s product strategy has been to incorporate the basic functionality necessary for the product to be serviceable. They do not strive for perfection, at least not on the initial release. They have a substantial number of customers who obtain access to Cloudflare s/w for free or nearly so. I don’t know exactly how their pricing works, but I do know they have a large tier of customers at the entry level which is no/low cost.

In any case, once a product is released, they solicit and pay close attention to customer feedback. Their products are continuously iterated, improved and enhanced over time. It’s possible that they might be somewhat more rigorous with cybersecurity products, I don’t know for certain. There are highly knowledgeable folks on this board who can speak to these issues. I am not one of them, so I can only speak in generalities. But, the point is Cloudflare is relatively new to the zero-trust game. As such, it is to be expected that their initial releases do not fully address the issues encountered by a large enterprise. General Electric most likely is better served by Z-Scaler at this point in time. But that may not be the case a year from now.

From my perspective, it appears that the Z-Scaler executive being interviewed here perceives Cloudflare as a genuine competitive threat. The language is just so defensive. It does not reflect high confidence in the superiority of Z-Scaler products. I am certain he (or she) is aware of the way Cloudflare operates. I am certain that the Z-Scaler executive is acutely aware that the zero-trust product that Cloudflare has made available to the market at this time is not the same product that they will have on the market in 12 months.

It is common knowledge that Z-Scaler is difficult and time consuming to implement. When Cloudflare headlines a release with “Deploy Zero Trust Security without changing one line of code” it must be unnerving for Jay Chaudhry and his C-Suite.

Full disclosure, I am long NET and hold 0 ZS shares.


Similar to brittlerock, this thread leaves me thinking there are probably just elements of truth on both sides. Zscaler certainly has a more mature zero trust product. We know it’s been called clunky and slow to use. But as the GE person says, maybe it scales “seamlessly” to a giant org, so that it is the same clunky but extremely mature and functional product no matter what size company deploys it.

Cloudflare on the other hand is the challenger in zero trust (a fairly new product — one of many of theirs), so of course they’re going to highlight any win they get against the incumbent. Maybe there aren’t too many wins so far…but it certainly seems promising. But frankly I wonder how much zero trust is even moving the needle for NET so far. From the perspective of their total revenue, it may be just another one of their many innovative add-ons that they hope will become more and more adopted.

Since zero trust is only a fraction of Cloudflare’s revenue, they clearly haven’t put a huge dent in Zscaler’s stride. It’s something to watch for ZS, but I would imagine it’s true that ZS doesn’t see NET in many discussions with potential customers…yet.

Anyone see it differently?



Hi Bear, I don’t know anything about the tech but I’d say that Microsoft choosing to partner with Cloudflare is more important than any one customer (and more scary to Zscaler, as Microsoft has tens, maybe hundreds, of thousands of customers).

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

  • Deploy Zero Trust Security without changing one line of code:



I guess I take that with a grain of salt, Saul. Is this “Zero Trust Security” the same as ZPA? Probably it’s just a tiny part of what Zscaler can do. I know zero trust can mean many different things. But maybe someone more tech-savvy can weigh in.

Also, good to remember that Zscaler also partners with Microsoft, and much more visibly so far: https://www.microsoft.com/en-us/azuremarketplacepartners/zscaler You can find some Cloudflare offerings on Microsoft marketplace now too, but not nearly as many.

Personally I worry that Zscaler is the big slow dinosaur in the Zero Trust space, and seems like they won’t grow nearly as fast as they used to (billings has slowed down to sub-40% growth and I’m worried they’ll miss their guide which they didn’t raise last quarter), which is why I don’t own the stock. But that doesn’t mean Cloudflare, which I do own, is anywhere close to competing with them in Zero Trust. Maybe Cloudflare’s zero trust offerings can be as comprehensive as Zscaler’s someday, but I don’t know…we have to remember they sort of do it “part time.” But again, I’m happy to be corrected by someone who understands the tech better.

I guess for Zscaler it depends how much growth there will be in Zero Trust writ large. Maybe the slow down is temporary. Could be that sub-40% growth is inevitable, but perhaps they will have durability at 30%+. Problem for me is that I just have no idea, but I think it would be good to discuss further for @jonwayne235 and any other Zscaler holders, because that is the x-factor that will either make it a very good investment, or not so much.

I don’t know that it affects Cloudflare too much…zero trust should be an interesting growth vector for them, but most of their revenue comes from other things, I believe.



Here’s a little from my notes from Muji and then Cloudflare.

9/20/22 15% attach rate for ZeroTrust in July (23,000 customers 64% increase in 7 months)

Cloudflare’s CASB and DLP is now Generally Available. IMO, this is going to get Gartner and Forrester to include Cloudflare in their rankings and therefore into a much improved position in how customers make their choices in which Zero Trust solution to go with.

Matthew Prince, CEO/Founder of Cloudflare
“It’s more important than ever that CISOs have control over who can access specific applications or data. In the past 90 days, Cloudflare CASB has already helped early adopters detect more than five million instances of potential data oversharing and unapproved shadow IT, making sure these issues didn’t turn into incidents for those organizations,” said Matthew Prince, co-founder and CEO of Cloudflare. “Legacy solutions often require clunky point solutions that slow networks and employees down. However, because Cloudflare’s CASB and DLP services are built directly into our Zero Trust platform and are part of our global network, we are able to not only protect critical data and applications but also accelerate network traffic as well.”




PeterO in Muji Podcast: “Yeah, going back to your point relative to, where is a lot of this growth coming from, I guess we did get one other data point in that Protocol article, where they mentioned that, what was it, 15% of their customers now, as of, I think it was June 30th are using a Zero Trust product. And that was above the 10% that they talked about at investor day, which was as of December 31st, 2021. So effectively in six months, they increased the number of customers using Zero Trust products by 50% thought. That was also a pretty strong signal that they’re getting some traction in Zero Trust. Because if you obviously take 150,000 customers and take 15% of that on Zero Trust, that’s, over.

So as of June, 22. According to Peter,

It’s really the rate of increase that gets me to be more heavily invested in Cloudflare, over Zscaler.


I feel we’ve been paying a lot of attention to a tweet that has very little context. On the surface, that tweet of a partial conversation makes it sound like this is about the current state of things. I’d caution against trying to reach conclusions from something presented like this, because there’s a lot that’s left up to one’s imagination.

Going by an e-book published by ZScaler in 2019 (available here), GE began replacing VPN long before Cloudflare or the other vendors even had a zero trust solution.

As a result, we don’t run traditional VPN inside GE anymore. We have a custom-built application, which is built on top of some of the Zscaler connectivity that runs on every device. When you connect to any network anywhere in the world, it determines a) are you on something we control or not and b) does your PC have the level of controls on it that we need to protect our data?

In this context ZScaler was “fast”, able to scale, a stand out, and so on. The conversation makes perfect sense if you were evaluating vendors years ago. There’s a past tense to it.

I’ve held off from posting the above to avoid adding noise, but the whole thing seems to have taken off, so I finally decided to check out the full interview. The executive is employed by GE Healthcare.

Analyst 00:04:28
Okay. Can you share with us what some of the primary tools are and the more important tools and vendors that make up this stack of seven or eight vendors?

Expert 00:04:40
Yeah. I have CrowdStrike as the endpoint detection and response vendor. I have Zscaler for the zero-trust network access replacing the VPN aspect of it. It facilitates the work from anywhere. I also have Zscaler for my cloud workload protection standpoint. I have a log system from IBM and Splunk and then I have the routers and switches, etc., for the networking aspect and the security aspect from Gigamon and Cisco. I have, what we call for containers, virtual machines and container security, I have another vendor called Orca.

Ok, so we now know that GE, or at least a part of GE, currently uses CrowdStrike, ZScaler, IBM and Splunk (i.e. no Datadog), Gigamon, Cisco, and Orca.

Analyst 00:05:29
Great. That’s very helpful. Thank you. At least Orca, you must have been responsible for because it might not have existed six years ago.

Expert 00:05:43
Yes, absolutely right. When we embarked on zero trust in 2015, I was also one of the principal people involved. I have experience in both onboarding Zscaler and Orca, to be honest.

And there you have it. GE - or part of GE - embarked on this ages ago. After spending all this time trying to modernize their infrastructure they’re not gonna start over and rip out ZS for NET anytime soon.

Analyst 00:22:11
Do you attribute that to anything? The only thing I can think of is Cloudflare is, I believe, architected more for smaller organizations. Although, I think they’re trying very hard to scale up.

Expert 00:22:29
You hit the nail on the head. You’re absolutely right.

Analyst 00:22:30
Lastly on Cloudflare, I think one thing that people use it for is it has a lot of additional functionality that the others don’t have. Did you observe that? Do you think that’s true and perhaps you just weren’t interested in that functionality?

Expert 00:22:55
No. As I said, we were looking at the functionality that would facilitate the zero-trust network access. At that point in time, I don’t think [they] even had that feature in place, to be honest. Their zero trust came up right around 2019 or 2020 timeframe only.

And here’s the needed context, in the follow-up question conveniently left out from the tweeted snippets. Sorry for this long post, but it needs to be pointed out that this is about the past. If we’re gonna discuss product maturity, feature parity, performance etc we need to base it on the present and look to the future.

Perhaps this performance thing detracts from all the other highlights released last week? Cloudflare is fast, and that’s hardly surprising. The importance of their comparison is that it was timed with the announcement of Digital Experience Monitoring. From their blog:

According to Gartner®, “by 2026 at least 60% of I&O leaders will use Digital Experience Monitoring (DEM) to measure application, services and endpoint performance from the user’s viewpoint, up from less than 20% in 2021.” The items at the top of our roadmap will be just the beginning to Cloudflare’s approach to bringing our intelligence into your Zero Trust deployments.

Perhaps what we’re most excited about with this product is that users on all Zero Trust plans will be able to get started at no additional cost and then upgrade their plans for more advanced features and usage moving forward

ZScaler has ZIA, ZPA and ZDX (digital experience monitoring). Cloudflare showed that ZS gives you a poor digital experience to begin with, while simultaneously announcing their own offering. They even used ZScaler’s ZDX to measure the performance and told you “You can even see those metrics in Zscaler’s Digital Experience to measure for yourself.”