Zscaler, Inc. (ZS) CEO Jay Chaudhry on Investor Innovations Briefing – Zenith Live 2022 Conference (Transcript)

Zscaler, Inc. (NASDAQ:ZS) Investor Innovations Briefing – Zenith Live 2022 Conference Call June 22, 2022 2:30 PM ET

Company Participants

Bill Choi – Head of Investor Relations

Jay Chaudhry – President, Chief Executive Officer & Chairman

Amit Sinha – President & Director

Dali Rajic – Chief Operating Officer

Remo Canessa – Chief Financial Officer

Alex Philips – Chief Information Officer, NOV Inc.

Conference Call Participants

Brad Zelnick – Deutsche Bank

Alex Henderson – Needham

Josh Tilton – Wolfe Research

Fatima Boolani – Citi

Adam Borg – Stifel

Roger Boyd – UBS

Joel Fishbein – Truist

Angie Song – Morgan Stanley

Chelsea Liu – Goldman Sachs

Ashish Bhandari – Ashler Capital

Bill Choi

Okay. Good morning, everyone in the room and good morning and good afternoon to those who are joining us on the webcast. My name is Bill Choi. I’m Head of Investor Relations at Zscaler. It’s a true pleasure to actually welcome you in person. I think the last Zenith Live that we did in person was close to three years ago. So welcome.

Today, we had the start of day one of our conference. And for those of you who were here, we had Keynotes talking a lot about new innovations, customers on their Zero Trust journey with Zscaler and more. What we want to do with this briefing is really focus on innovations, right? What’s new on the platform? How customers would leverage it and how we would sell it. And so it’s innovations centric. We do want to make this interactive. For those in the room, we will have a mic since it is being webcasted, I’d appreciate if you could wait until the mic gets to you. Also it would be helpful if you would identify yourself before asking your question.

Our presentation today will contain forward-looking statements that are based on information we have available today. If you want to quickly take a look at the safe harbor statement and then we could get started.

So, now I’ll hand over to our Founder, Chairman and CEO, Jay Chaudhry.

Jay Chaudhry

All right. Bill, thank you. Great. How is the morning? All of you attended, I suppose. If we did a good job, do we need to do any more discussion? So we’ll largely make it Q&A centric. I’ll go through a few slides simply just to set the stage a reminder about a couple of things we did not cover. Let’s see. I think the key point I want to make here was building a product is one thing, building a platform and platform that works in the cloud is another thing.

I knew when I started Zscaler that building this highly scalable, high-performance platform that takes all traffic in line, opens SSL, inspects every byte for cyber and DLP will be hard because you have to do it without slowing down. I did e-mail security company before, it was so forgiving. You could take a minute or two, it didn’t really matter. You could have all e-mail processing happen in three data centers, nobody cared about it. But for this thing, it’s a big deal for us to do that. But then I learned that building a cloud and running and managing a cloud is probably 10x harder. You don’t control lots of stuff. Where is traffic coming from? Where is it going? What’s going on?

The customer expects that you take care of those issues. So being able to run a cloud with operational experience is probably one of the biggest learnings we have had. And I think if it take so much to figure out where there are architects that are highly optimized. Imagine if you’re trying to spin up some stuff or trying to build new stuff. It’s not trivial. We think our barrier to entry is significant.

And then, building up the platform was a big deal for us, platform that’s extensible. Hopefully, you got a feel today that we’re no longer randomly taking products here and there and calling it a platform. The core technology which is maybe for simplicity, call it, the switchboard, connecting users to applications, connecting workloads to workload, workload to Internet. It just is the same core competency we are building it with which is very, very important. We covered all three areas of — you’re seeing our positioning rather than clearing all these three letter acronyms which I hate. Okay. Moving because as we’re coming out with so many products, we’ll need some kind of cheat sheet to figure out all these acronyms. So I’m trying to eliminate all the acronyms, if I can. So there’s no explanation needed.

Zero trust for users. Essentially, you saw a Zscaler for users, essentially all user stuff, workloads and IoT, OT. And this diagram is showing two things, one, there’s in-line security piece of it. You must be in line to do that. And second is kind of data at rest piece of it. Where your traffic — your data could be sitting in SaaS application, in public cloud and the like, being able to understand that from API point of view becomes important. So our goal is to do everything that needs to be done to understand the risk and data protection overall. Sometimes people confuse and someone said, are you a networking company. I said, why would you say that, right? He said, well, do we sell any networking products?

We don’t. We do eliminate the network. If that’s how you want to call us a networking company, then we are a networking company. But we aren’t. It’s all about protecting your data, it’s about user experience and the like. This is an eye chart. But the idea is to share with you, Amit, Patrick and team are busy innovating like a startup. We kept the pace. We kept the intensity. And it’s an interesting learning. How do you keep on building and growing without slowing things down, lots of innovations. ZIA is not a product. It has so many important products that are brought together in a nice way. The beauty for us was, if you build a right platform and if you make sure the things you’re building are synergistic, as expanding concentric circle, life gets easier.

Building our workload communication to take the core ZIA, ZPA switching technology and applying to workload, I thought it was brilliant for us to do. Someone else to build this stuff. The switchboard is not simple. There’s a policy engine. There’s inspection, there’s logging, there’s reporting, all that stuff goes with it. And we leverage what we’ve built and expand in a meaningful way. That’s why we’ve not been kind of keen to jump on to some of the new and the latest and hottest trend out there. Some of these end up being fads, they come and go. We are pretty disciplined about what we want to do right now.

Better security, make your business run faster. This is Charles Schwab CISO. You’ll hear him present, I think, tomorrow. If you have better understanding of it, you can do transformation securely. It’s a good competitive business advantage. And we gave you some reading material as you fly back. This is to try to dispel all the misunderstandings that legacy vendors are trying to spread because they’re so afraid of getting disrupted. It actually walks you through in a meaningful way. It’s meant for architects, a little bit deeper. And some of the guides I see you guys write are so deep. I thought you — some of you certainly will enjoy it.

So with that, Amit, should be next.

Amit Sinha

Thanks, Jay. It feels a bit like showing you the movie and then showing you a trailer. But we’ll make it more interactive, right? It’s a smaller group. So look, our core DNA has been sitting in line, right, sitting between users and destinations. As I’ve always said, we’ve solved a physics problem, an engineering problem and a security problem, right? We built 150 data centers, so we can be as close as possible to the source as well as the destination. Then you get all the traffic. It’s an engineering problem to be able to run it at scale. And then, of course, you want the latest and greatest security intel being applied and you’re doing all of this to provide security.

So we’ve done that exceptionally well for users and workload communication is bringing ZIA and ZPA to workloads, right? What we launched today is Posture Control. So while workload communication is essential, right? You want to make sure that if there’s a workload, nothing bad is coming in, data is not leaking out. Workloads are talking to other workloads using zero trust principles that we’ve talked about quite often and it’s there in the book.

You want to take it and shift left, right? You want to make sure that workloads, when they are — when cloud native environments are being spun up, they are secured by design, by posture, right? And so what are some of the things that we talk about. Let’s say you have an AWS EC2 instance, right? What’s the overall posture associated with that? Who has access to it? What is its configuration, right? A lot of this infrastructure is now written as code, right? So you want to make sure that you are actually looking at those templates and fixing any issues that could lead you to instantiate insecure cloud-native environments, right?

So that’s kind of the configuration scanning piece where you’re looking at who has access to it, what are the configurations, are my template secure? And then you start looking at these workloads from an exposure perspective, right? I have an Amazon S3 bucket. Is it exposed to the Internet? I might have a compute instance. Is it accessible from the Internet? What software is running on that compute? Does it have known vulnerabilities? Does that resource have access to sensitive data. All of these are things that come under posture. And there are a lot of point products for each of those areas. One of the biggest challenges I see is the ability to provide that holistic end-to-end view all the way from building cloud-native environments to running them and being able to correlate all of these threats which is what we were trying to demonstrate in our innovations keynote this morning.

So I’ll just share one slide which was kind of the key message that we were trying to drive through the demo that Rich was doing was — and you can see how individual point products have emerged around cloud native environments. So here, you have an EC2, it’s an Amazon compute instance. And you can see that your SOC might have gotten an alert that says, hey, a malicious IP seems to have connected to this compute instance, right? How do you stitch together what has happened? And more importantly, how do you make sure that, that doesn’t happen by design.

So what has happened here is John who is a user might be part of a security group that has excessive permissions. And without realizing, they went ahead and changed a security group setting which is mapped to that compute instance that all of a sudden is now allowing Internet access to that compute instance, right? So that’s how it got triggered.

Now, when you — now the next question is, okay, it’s exposed to the Internet. Is it vulnerable? Maybe it’s running a vulnerable Log4j Apache code in it, right? Maybe it has other Linux vulnerabilities that haven’t been patched. So step one, is it exposed? Step 2, if it’s exposed, what is it running? Is that vulnerable, right? Then you — if you see malicious activity, you want to start correlating. Is someone exploiting that vulnerability, right? And that’s where you start getting into threat correlation. And then finally, what’s the end game? Why is someone trying to get into an asset. It is simply to gain access to data or maybe do a ransomware extortion attempt. I mean that’s really the end goal, right?

So what ends up happening is in most legacy security environments, you have five or six of these products that are — it’s kind of like five blind men feeling an elephant, right? They all get different views of it and it’s very, very hard to get a good holistic correlated cloud threat view of your cloud-native environments, right? And that’s what we have done. And you probably have seen companies do CIEM. What is CIEM, these are all Gartner acronyms. I think Jay mentioned it. There’s one analyst per acronym. So there’s some value in creating acronyms.

CIEM, cloud identity and entitlement management. It is a complicated beast. Why? Because in the — in your directory world, you generally have users. But when you get to cloud native environments, you have machine identities and groups and they get mapped in funky ways. And you might have 5,000 employees but you might have 100,000 combinations of entitlements in your environment.

CSPM, that stands for cloud security posture management, that is generally looking at your configurations. Are these configurations compliant with a standard that you might have to comply with. You might have to produce auditor report, right and you want to run your configurations against that — those controls to be able to produce that report?

DLP, data loss prevention, right? There are companies that focus just on that. So what we’re trying to do is two things, a holistic view of end-to-end workload security, particularly for cloud native environments. And the big new addition that we are doing is posture control that is bringing together all of these individual point products that lock down your configuration, make you compliant, make sure you don’t have excessive privileges, make sure things that you’re running are scanned for proper vulnerabilities.

And then more importantly, use that along with all the core communication benefits that we’ve had through ZIA and ZPA to essentially have that zero trust-based fabric for communicating and make sure that nothing bad is coming in and nothing good is leaking out. So being able to do that holistically on one platform, has tremendous benefits. You get very high signal-to-noise ratio when it comes to detecting threats and taking actions on it.

Bill Choi

Okay. I’d like to invite Patrick Foxhoven, our Chief Innovation Officer, to also join us in this Q&A for technology and innovation.

Question-and-Answer Session

A – Bill Choi

Okay. We’ll have the first question here. Sure. I’m going to stand up. Just give Patrick a chance to come on up.

Brad Zelnick

Brad Zelnick with Deutsche Bank. Thanks again for a great event, even though it’s been 2.5, 3 years in the making. Really interesting announcements around posture control, posture management today. And for me, the light bulb went off. When I think about that space as being kind of noisy. And I think about Zscaler’s right to win there and why you guys deserve to win combining it with workload communication, like is what really, for me at least, makes it very clear. But when I think about protecting workloads versus users and applications, workloads are especially today, far more fine-grained, far more ephemeral, when you’re thinking about containers, infrastructure as code. So there’s always going to be some design trade-offs.

So the two questions I have are, one, around policy, how can you evolve policy fast enough to keep up with that dynamic nature of infrastructure and workloads today? And then — well, maybe we’ll start there with the positive perspective but then just even the performance trade-offs. Even if we’re talking milliseconds, having two workloads directly connected in physical proximity is naturally going to be different. So if you can address those two questions. I appreciate it.

Amit Sinha

Maybe I can start off, Jay and then. So if you look at a core Zscaler policy, right? It’s generally a criteria and a set of actions, right? Security policies are pretty obvious. You don’t want anything bad, right? So there’s no complexity around it. When you start getting into access policies, what is — what are you allowed to communicate with? I would argue that user policies are more complicated than workload policy. Why? Because if I have, say, a Red Hat server as a workload, right, or maybe even a lambda function, ephemeral workload. I kind of know by design what this workload needs to talk to right? So the kind of the policy there is pretty straightforward. You’re allowed to download software updates from here. You are allowed to talk to these API endpoints and that’s it, right? So policy definition for access control I would argue is simpler than it is for user.

Jay Chaudhry

And so generally, they don’t move frequently. Location part doesn’t come in. The device part doesn’t come in and on here and here. So it is simpler.

Amit Sinha

It is simpler. Now the third aspect of policy is data loss prevention, data protection. What do you want? Do you want to make sure things are — again, that stuff is simpler. The way we have designed our policies, it’s a very flexible framework, right? It has identity, identity for users is well understood. Identity for workloads is evolving but we have very flexible ways to define that identity. We have flexible ways to define risk associated with that identity. And we have flexible ways to define context around that identity. For a user, it might be location, department, group. For a workload, it might be what VPC you belong to, what application segment you’re part of. And these constructs have been designed in a well thought of way. So I don’t see that writing policies for workloads is going to be very complicated.

The other thing I’d add and we’ll show that tomorrow is the bigger challenge for enterprises in workloads is their internal workloads are not named properly. It’s a big giant confusing mess. And a key thing that we are announcing tomorrow is the ability to use machine learning and AI on our ZPA logs to naturally group your internal workloads into meaningful policy objects, right? You don’t want 50,000 IPs to become 50,000 identities that you’re trying to manage. What you want is the ability to say, this is a group of applications. This group of workloads is called — is SAP. This group of workloads is my directory. This group of workloads is something else. And meaningful groups of users or meaningful groups of workloads just talking to each other will be an AI recommended policy that the platform spits out.

So, we’ve thought quite a bit about keeping policies simple and flexible but also making policy management easier for organizations.

Jay Chaudhry

I might add a short point but we’ll keep our answers short. Otherwise, we’ll only take three questions. Okay. Because once you know so much, you want to keep on explaining. The second part of your question was time, okay? Workloads sitting within a VPC. Generally, they are. Yes, they need to talk to it quite often. That’s why they’re sitting there. VPC A, VPC B, VPC C. And then that’s one part. So you can say within a VPC, with across VPCs, then you could say across regions and availability zones. That’s how you should think about it. So I mean, what the world is doing today for communication, they’re extending your data center to every region. It’s a mesh point-to-point network because workloads are all on the network. They can traverse, they can find each other. That’s where the lateral threat movement issue comes in.

So what we’re basically saying you hear across regions. You don’t need to go through an extended lateral network, routable network. So you can go through our public clouds. If you are sitting in within a given availability zone or a region, we actually bring our switchboard within that. It’s running there. You don’t go out for latency.

The communication, VPC A wants to talk to VPC B. You go through a switchboard. Now then you start getting to granular level, process level. That’s where micro segmentation comes in. That’s where our offering that we acquired from Edgewise is built in. So a segmentation what I learn what people are trying to do is really all messed up. They’re all trying to do process level segmentation on tons of workloads. They can barely do any segmentation. They haven’t even done user-to-app segmentation which is starting point number one, use it as the weakest link. Then being able to say, VPC, group of VPC XYZ, can only talk to A, B and C. It’s a trivial thing in ZPA. We think we have a systematic approach to get to a meaningful segmentation rather than trying to do process and micro for everything that shouldn’t be done.

Alex Henderson

Yes, Alex Henderson of Needham. One of the things that I was very happy to see in the stuff that you’ve announced is the automatic feedback to the coder on how to fix issues that arise in your posture management. That’s great news. But I didn’t see anything talking to how do you address the policy at the DevOps level. And it seems that, that’s the logical next step to tie into a Snyk, to tie into some of the people who are in the predeployed phase. Can you talk a little bit about what you plan to do and what you don’t do? Or this is one of the things that you stress here. Your skill set is we know what we do and we know what we don’t do. Is that the threshold where you stop doing and start partnering.

Amit Sinha

So the quick answer, what we showed this morning around infrastructure as code scanning and getting embedded in GitHub and getting embedded in IDEs for developers. We were kind of showing you the developer view but it has a full policy that you define in our Posture Control product. To give you a simple example, your security department might come up with a policy that says all DevOps can use the AWS EBS volume as long as encryption is enabled on it. That policy is defined in the Posture Control product. And the plug-ins that you — that the developers are using is automatically enforcing that policy right in the template itself. So when they did the Git pull request in the example, it’s just the enforcement is happening there but the policy is being defined. So what we want our customers to do is their security groups or their engineering groups or their developer groups can have a clear sort of a sandbox in terms of policy, what’s allowed and what’s not allowed and then shifted all the way to infrastructure as code. So when they’re building up that cloud-native environment, it’s secured by design.

Now how far we go left, right? That’s kind of looking too far ahead but I think we feel pretty comfortable with being able to define those policies and have it enforced with developers and DevOps in their build environments.

Bill Choi

Question on the left side.

Josh Tilton

Josh Tilton, Wolfe Research. Simple one for me. Can you guys just clarify what in posture control is new versus repackage functionality that you guys already had?

Amit Sinha

Okay. Yes. So we did acquire two companies, a CSPM company called Cloudneeti, right and a CIEM company called Trustdome, right? So you saw the diagram I showed, there was kind of two aspects of it. But these were, again, stand-alone point products, right? So what we have done is we’ve leveraged some of that CIEM expertise and some of the CSPM expertise. And this is built from the ground up brand-new posture control offering. It starts with a common data — a common data warehouse where all of these — the logs and identities are being collected. And the correlation is very important. What are the new things we’ve added? We’ve added infrastructure as code scanning. We’ve added vulnerability scanning. We’ve added container repo scanning. So there’s a whole bunch of posture things that we have done on top of some IP that we acquired through these acquisitions. And it’s on an integrated platform. And by the way, that platform now very nicely works with the core ZIA, ZPA.

So one of the things that I talked about was how — where does posture end and where do you start doing communication in DLP scanning. Great. I have an S3 bucket and I locked it but don’t you want to know what’s on it, right? And don’t you want to run the same data protection engines that were running in line. So we’re bringing all of those things together. So it truly is an integrated offering with some DNA from the acquisitions that we made.

Fatima Boolani

Fatima Boolani from Citi. Amit, a question for you. One of the standout architectural attributes of posture control, is that it’s 100% agentless. So I was hoping you can kind of talk us through the merits of kind of the agentless versus agent-based approach. And I can fully appreciate there’s services and functions in the cloud and certainly more in the future that are just not going to be instrumentable. So outside of that sort of obvious reason as to why agentless is kind of the approach here, why kind of go this route?

Amit Sinha

Yes. So agentless, very simple to deploy, right? I’d say cloud native environments have rich logs, right? I do agree it’s a lower barrier to entry. Anyone can access that logs. That’s why I don’t think that just CSPM, CIEM point products are lasting stand-alone product…

Jay Chaudhry

With even the posture control is [indiscernible]. It is the smaller barrier to entry than the workload communication side. To me, sometimes posture control reminds me a little bit like the CASB type of extension. API calls go and do this stuff.

Amit Sinha

Yes. And your question on what do you give up, right, by not having an agent? I think the way we have architected the platform with workload communication and workload posture is really the best of both worlds, giving you the frictionless deployment without agents but without sacrificing sort of the in-line controls that traditional agents bring, right? So if you look at one of the acquisitions we did was Edgewise, Edgewise uses an agent. So it’s a kernel agent that sits on every server and it’s trying to enforce traffic flow as part of the agent.

The challenge, of course, in — it is effective but then how do you deploy it? How do you manage it? It may take a little longer to get deployed with, say, 5,000 workloads? How do you deploy an agent on a lambda function. There is no server to install it. So we’ve kept our posture control agentless to — for rapid deployment but we have not given up any of the controls because all traffic, all communication is going through ZIA and ZPA which gives you all the in-line controls that a traditional agent could — some of those could be provided through the agent, right, like blocking in line and things like that.

Jay Chaudhry

Okay. We’re going to move to the next on the agenda. One more question? Okay. One last one.

Adam Borg

Great. Adam Borg with Stifel. Maybe just on the pricing front, how is this priced and compare pricing for Posture Control relative to workload communication?

Jay Chaudhry

I think probably that’s a longer answer. And honestly, we are also early stage, we figure or refine the price as we go along. But overall, it’s based on — simplest way, based on number of workloads, is the simpler way to do it. There are certain areas in communication we use, look at the traffic volume as well.

Bill Choi

Next, we are pleased to have one of our long-time customers. Alex Philips, who spoke at the keynote this morning but he’s the CIO of NOV. Alex?

Jay Chaudhry

So here to, Alex, they saw your movie. It’s probably more about Q&A but it’s…

Alex Philips

Okay. Well, great to see everyone. As you know, I have no shame. And I show all my mistakes if anybody saw my keynote. So we’re good-sized company and all over the world. And as I shared in the keynote, the challenge that we had was pain, how do we transform? We couldn’t keep doing the same thing. And so — we’re down to 27,000 employees. We think that’s changing. We’re hiring all the time now. Thank goodness. You guys all enjoyed cheap energy prices for seven years and things are looking a little different now. So we are excited about the future. Zscaler was a big bet for us in 2015-2016 timeframe. And I was a brand-new CIO at that time. Before that, I was the CISO. And so what’s interesting is when you’re the CISO and you go through a lot of challenges with the security, nation states attacking you, you gain a lot of trust.

And so when I became CIO, I had that native trust already built. But then I took a gamble on Zscaler. Was it going to destroy the trust? And I’m happy to say, no, it didn’t. And so we’ve continued that journey. We’ve pushed them along the way. And they’ve helped expand our thinking of how we go forward, what can we transform next. And it’s been a great partnership and more than happy to share any details on that or answer any questions that you should have.

Roger Boyd

Roger Boyd with UBS. Alex, nice to see you again. Could you just talk about your journey of Zscaler. I think it started very early on with kind of doing Internet breakouts to get rid of MPLS and move to SD-WAN. How do you think about that going forward? Is there a room in your strategy to go more branch light? And how do you think about the longevity of SD-WAN going forward?

Alex Philips

Yes, great question. So I believe SD-WAN is a transitionary technology. I believe that it helped us achieve massive cost savings by using the Internet as our network. But as we move forward, our goal is to destroy our network. We do not want a network. As you heard earlier, most of the problems come from users. As much as we train them, as much as we put layer after layer after layer in place, most of the problems that we face come from users. And so our goal going forward as we analyze our estate, we believe that 80% of our facilities will have no routable network and so it will just be isolated, like an Internet cafe. And our view of it is our endpoints are hardened. And so we are going to have one network. Users will be on that network. There will be customers, there will be vendors. There might be competitors, right? But it’s a small, isolated island just like when you guys are at Starbucks or at Hilton, you’re there with everyone else. It could be competitors. Our offices will be the same thing.

The big challenge that they’re finally solving I’m so excited about is the IoT. So I’m a user and I’m in an ERP system which a lot of our users are and they need to print something to a printer in the office. There’s no network. How does it print? And so that’s the beauty of Zero Trust Exchange that Zscaler is creating. So we’re super excited about that. And the beauty of it is it’s not a big bang. It is a — as we need to, right? We just focus on one facility, get them defined in the Zero Trust Exchange, all the different communication elements. And I don’t have to worry about things that have identity. If you’re a user on a notebook, you already have identity. It’s all those things that don’t have identity.

Joel Fishbein

Joel Fishbein from Truist. Just can you go in a little bit more detail about the branch office that you talked about in the keynote and what you’re using, how you’re doing it and what you’re replacing at the branch office?

Alex Philips

Okay, sure. So today, we have a branch office. It’s normally anywhere from a few handful of employees up to 10 or 20 employees. That’s 80% of our 500-plus facilities. And so when you look at that, we have an Internet circuit, that Internet circuit hopefully is as fast as possible, right? We all want fast Internet. And then you have a dedicated SD-WAN appliance there. The vendor we chose, it can run on an x86 type box. And so you’ve got this device and there’s all the routing and stuff happens there. We route all Internet traffic to Zscaler and then we have that IPSec big, broad network. So the goal is that we will have a virtual machine to begin with, that will live there in place of the SD box and it will route all traffic to Zscaler, internal or external. But there is no IP forwarding. There’s no IP routes. So if a bad actor gets in that network and they do a scan, the only thing they can scan is local. They can’t scan remote. And so that’s kind of the process.

Did I fully answer your question?

Joel Fishbein

Yes. I’m just trying to understand if you’re replacing and what the cost savings looks like [indiscernible].

Alex Philips

It’s significant. SD-WAN is not inexpensive but it’s not outrageously expensive. You’ve got hardware that you’re having to manage. So there’s people involved as well. And then you run into, okay, how do we gather all the security logs? How do we gather the access logs. And I think one of the huge things that people don’t realize is you’ve got these three components, you’ve got the CIO who’s worried about the business function, how do we make things work. You’ve got your security team that’s 100% concerned about all the traffic flowing. How do they get the logs from all this? Where is their evil? And then you have the infrastructure team. And the infrastructure team is who we all blame when things don’t work, right? And we’re having to make all of them work together in a cohesive manner and that’s what Zscaler allows us to do.

Jay Chaudhry

Alex, one point I’ll add is what I hear from customers, when you’re managing routes for every branch office there’s a fair amount of operational overhead. In this model, it goes away. Your branch office overhead is just like overhead of one household. You have 80,000 households being managed through ZPA, same kind of overhead.

Alex Philips

Yes. So it will allow us also to have one central control plane. We define all of the objects in the control plane that don’t have identity and we say where it can talk to. So if an ERP system in the cloud or in one of our data centers needs to print to a local printer, that’s the only thing it can communicate with. It can’t just communicate with anything. From an enterprise standpoint, it is a little more challenging for people that are just trying to deploy things, right? Oh, we’re just going to throw our printer here. It’s not going to work unless we define it which is from the security standpoint, genius. And the centralized logging is the huge part. It is dealing with logs and trying to sort through literally billions of logs, trying to find that needle in a haystack of evil is difficult.

Unidentified Analyst

Alex, just to belabor this conversation a little bit further. When I picture like, to your point, like your future network which is no network, there’s no routable IP addresses. There’s no routers at all. Like would that have to then be on a 5G network? Because I’m trying to like — like how would you have WiFi access points that don’t — if it’s not 5G and its WiFi, like how do you have access points that aren’t on some sort of network, right?

Alex Philips

There is a network, right? So it’s a local network, just like your house, sorry, just like your house. And then all you have is an Internet circuit. But so you’re going to have access points, you’re going to have switches and you’re going to have users and devices and they’re all going to be in this happy little isolated network. But when they try and communicate with the outside world, it will go to the Zscaler virtual machine locally at that office. And all that traffic will route through the Zero Trust Exchange. And then up there, we do policy decisions, right? We don’t do routes, we do policy decision. Who are you? What are you? Where are you trying to go? And then, we can apply more security policies or internal routing of that traffic; and it’s all DNS-based, not IP-based.

Jay Chaudhry

And let me add, the Salesforce Head of Security said, think of each location like an island. Our branch is an island. Today, everything is interconnected. You go through a switchboard, island A to island B and there is a local area network in a given branch office to connect the local stuff. There’s an access point. There’s a router to send traffic but they’re not connected with a routable network.

Alex Philips

Same thing at Starbucks. Starbucks has WiFi but it’s not on your network, right? You’ve got to launch a VPN or a zero-trust access to your remote apps.

Unidentified Analyst

So the Zscaler virtual machine would basically be — would that be — would that compute be installed like with the Internet circuit? Is that how to think about it? Like there’s still a thing there, right?

Alex Philips

Today, yes. There’s still a thing there. My dream world, right, the thing I keep pushing them on is, I just want to build a tunnel to you. So just like ZIA, we build an IPSec tunnel to Zscaler and that’s my dreamworld. I want to build a tunnel to Zscaler. I still am going to have to have something there, some sort of device and just route all the traffic to them. Today, to do that, I’ve got to have a virtual machine. But the same thing with SD-WAN. So I’ve got all these x86 boxes at all my branches and I just need to put a different image on them.

Jay Chaudhry

Yes. We love customers like Alex, who challenge us. He kind of said, hey, take everything away. So you’ll hear in coming months and quarters to say, how your branch router can simply point a tunnel to us, nothing needed in the branch besides a basic route.

Bill Choi

Okay. Thank you, Alex. Appreciate you being here. All right. Next on our agenda. We’ll invite Dali Rajic, who is our COO.

Dali Rajic

Hi, everybody and thank you for being here. So I just want to walk through a couple of data points and just give a little bit of perspective on numbers, operating model and momentum. If you look at kind of the chart because everybody is here to understand how we equip to sell all these new technologies, emerging technologies and how we’re able to continue to maintain momentum. If we take a look at these numbers, they tell a pretty good picture. The question always is how do you get there? And how we got there is really satisfying for all of us. You have to look at the different geos, the different investments we’ve made over the last 12 to 18 months. You have to look at the different sales segments and the investments that we’ve made. The whole objective is really to build a predictable, repeatable, scalable go-to-market model, build an ecosystem that supports that model that then simply allows us to add new technologies in a seamless way and continue increasing the TAM per account.

As we’ve mapped out more sophisticated ways to really track our TAM by account, by vertical, by all these different elements across the different geos, what it’s allowed us to do is to understand not just how to tweak our go-to-market motions but also how to maximize in, I’m going to call it the most expedited way, the initial land. Knowing that we have a platform and an architecture that’s essentially one code base is what Amit is striving for and executing on, it’s really simple to have these conversations with customers on why to use us for their zero-trust platform transformation, cloud migration and transformation, network transformation. I mean you list it all off, the entry points sometimes really don’t matter. What matters is which group has the highest pain or the highest willingness to change.

What it’s allowed us to do is really look at our customers from a life cycle standpoint. That means it’s not a transaction. It’s not a deal. These are relationships and we’ve built an organization to support those relationships and to support the progression of those customers with us. Very guided, very programmatic, very structured and always, always focused on driving value and outcomes that are quantifiable with these customers. So when I look at this data and we dissected in many, many more layers, we’re quite satisfied with the momentum across the different sales cohorts and across the different geos.

Now as we’re broadening our portfolio and since we are traveling at quite the pace in hyper growth, I can never add the right expertise to somebody who’s been on the job four months. We have tremendous enablement, tremendous training and I’ll touch on that in a little bit. It’s very structured and guided. Having said that, we’re going to encounter accounts and/or specific resources and/or partners who maybe don’t have all the competence at the layers that we need quite yet, so we can maintain pace. So what we’ve essentially done is added another ecosystem element to our go-to-market motions and that’s specialization because they’re not overlays. This is specialization. Another layer of technical depth.

What we’ve also done is started segmenting out systems engineers to really focus in on a discipline at a whole different layer than just being a generalist systems engineer. And we’ve done it in a very structured framework and ratio-based way that allows us to be predictable in when we want to inject these resources with what motions and then what the outcome is that we’re anticipating. So these are going to be resources that we’re going to continue to scale but at a very measured pace because our SC community is quite talented. The objective and the goal is not to keep adding people and then have just a bunch of generalists and a bunch of specialists. That doesn’t scale very well. However, in order to continue scaling at pace, given how many people we’re adding, this is going to make sure we don’t lose momentum and velocity.

In order to tie all this together, you’ve heard me speak about this before. We’ve built an enablement engine that I believe is world-class and we’ve built it in a very integrated fashion. What this means is that from partners to internal resources, to customers, we’re speaking the same language. We understand the same architectures. We understand the same progression of how we need to travel. And we also understand at which point throughout your life cycle of maturity you should be considering what technologies based on what we’ve mapped out together as your road map.

Now the way we’ve scaled out through our partner community is by making sure that they’re participating in this enablement. We scale this out in March when we officially launched an automated way to provide all this out to our partner community with channel academy and the uptake has been tremendous. If I even just look at the certifications over the last 12 months of these partners, not just wanting to participate but wanting to be experts, it’s pretty tremendous. I think Accenture, they spoke this morning. Last year, they had about 120-ish or so architect certified. Today, they’re at 630 and growing; that’s just one partner.

The goal really is to understand the practices and the offerings of our partners drive a common language, a common mindset and framework of what the journey needs to look like and the true definitions of zero trust and the elements of it. And when you can do that, you can scale out your motions because you don’t depend on superheroes that know it better than somebody else over here to the left or to the right. And the goal really is to do this programmatically. I keep using the word because we are tracking who’s progressing how, how many people. These are immersive training sessions, labs, guided training, persona-based, live ad hoc trainings. And all of this is connected back into how we then tie this into our value delivery model? What does that mean?

We’ve spoken about this before. We have a very involved element of how we deliver our value vision and phases to our customers and it’s accompanied by a quantifiable value prop tied to those phases and tied to specific use cases and tied to how we do it different. Now, wouldn’t it be great if we can teach partners how to do the same thing. Isn’t that a great way to potentially move them out of, this is how I did it yesterday and move them out of kind of the standard motions. So all of what we are teaching our people internal is how we’re starting to enable partners as well to have communications, drive campaigns, quantify the value of those campaigns and start listening to their customers on how to really work with Zscaler and them as a partnership that’s well defined on all levels.

If I take a look at any other products, anything else we want to add in the future, we just click it into this factory. That’s it. And you just make sure you disseminate it out via the exact same channels that you’ve already built that you’re tracking are proven. If something looks like it’s suboptimized or inefficient because we understand the metrics of progression because if I’m liking something, if I’m seeing that it’s resonating with my customers, I’m going to want — customers that want Series 2, 3, 4 and 5. If I stop at Series 2, that means whatever you’re giving me Zscaler is not sufficient enough.

So being able to adjust this as we’re getting direct feedback via interaction with our partners and seeing the certifications really going through the roof along with additional requests for demand has us feeling pretty confident that we’re on the right track to really not just bring new products in but to continue accelerating our motions with partners without having to do undos and redos. So this is at the heart on disseminating and not, quite frankly, needing to add 1,000 people for each new product that we roll out and simply putting it into the factory and making sure employees, customers and partners partake in the education process.

So that was all that I had. And I think we’ll probably go to Q&A now?

Bill Choi

Yes. So I’ll invite all the executives up and we could take any of your questions for today.

Angie Song

This is Angie Song from Morgan Stanley. So we have a question from Hamza Fodderwala, who is my analyst. How are you enabling — and this is for Dali, how are you enabling the sales organization to sell the broader portfolio? And is the buyer of new offerings in ZCP fundamentally different from buyers of ZIA versus ZPA?

Dali Rajic

If you think about how our entire go-to-market motion was constructed, it’s outcome and results based. So it’s value-based. What this means is we’re having platform discussions out of the gate with our customers. We’re not feature function flinging on a specific use case but it’s really having the dialog around platform, around transform and the different paths you can take to do that. So the go-to-market motions are not going to change from that standpoint. All we’re doing is expanding the use cases in areas where we can look for value.

And all we’re expanding is the different ways to articulate it at a layer of depth with some of the specialization. But when you’re outcome-based and you sell high and you talk to CXOs, they’re not interested in a very narrow point. They want to know what can you do for me holistically? Can you help me tools consolidate? Can you help me vendor consolidate? What’s the ROI you’re going to provide?

Jay Chaudhry

I’ll add a couple of more quick points. Dali only alluded to it. When you sell at CIO, CISO level, they actually take your overall responsibility. A CISO has accountability not for users but also for workloads. So it’s the same buyer. The second part of the question was different personas. It is true that for workloads, yes, the DevSecOps is playing a role. And — but CISO still has overall accountability. So we start with our relationship at the CISO level, then expand to the DevSec level.

Dali Rajic

Yes. And just all of our training is persona use case outcome-based — that’s our entire go-to-market engine which is why it’s so fundamentally different from all of our competitors and what some of the legacy vendors are doing in this space.

Fatima Boolani

Fatima Boolani from Citi. Dali, for you, I’m going to ask a similar question but with a slightly different angle. When you came on board in 2020 or 2019, the portfolio was half its size. I think ZPA was barely 10% of revenue. So you’ve had a massive expansion in sort of the product footprint that an average salesperson can sell. So what I’m curious about and I’d love to get some granular perspective on this, how do you manage the sales cycle process where you have so many tips of the spear, if you will, where a salesperson in theory, you can kind of have conversations on conversations. So how do you sort of mitigate that potential for elongation because there’s so much in the bag?

Dali Rajic

Yes. It’s a very disciplined, well-defined land-and-expand process. Instead of trying to do the whole thing out of the gate, 3, 4, 5 phases, it’s just not our model. It’s, you go where the value is, you go where you think the customer can digest because you’ve got to remember, our customers are dealing with either staffing shortages, too many projects, turnover, whatever it is. So teaching really how to segment this out into most critical in the most critical phase into a value-based cover the entire account go-to-market model, then having metrics to track progress at the leadership level, where you understand, listen, I understand what my rep in Des Moines is doing, compared to the rep in Tokyo, compared to the rep in London. It doesn’t matter where they sit. The metrics that we track to understand progression conversions and to understand quality off, allow us to course correct if I have a new rep that maybe doesn’t know any better yet, right?

But when you go through a series, series of these trainings, all of our instincts are to look for a platform, phase it, understand initial area of value, go in, prove it out and expand. And our numbers are showing that it’s working as we’re expanding and it was September 2020.

Jay Chaudhry

Correct. If I may add a little color to it, the linking of the products. When you sell individual products and you try to expand, it gets much harder. When we started out with ZIA, it was to replace the entire outbound DMZ, it probably — you could have — you could count 10, 12, 15 different products but we never went that way. We said, we’ll make sure users have secure and fast access to Internet and SaaS, that’s what we sold. We sold at the C level.

Then adding access to internal applications was natural, then adding user experience was natural. When you — when we’re dealing with three key leaders, CIO, CISO and Head of Infrastructure, all these products that make most of our revenue today, ZIA, ZPA, ZDX, they’re sold under one solution, more and more. So that’s why it’s Zscaler for users. When we show how we can take care of all three areas becomes powerful and the same way we go and expand. So literally, you could say, customer, here is what we’re selling you. You don’t need to link into each one product. 1/3 of the products need to go away.

So it’s working well. And the focus of CIOs to eliminate point products, the complexity and cost. And now, probably more scrutiny is expected as some of the recession worries are coming up, CFOs looking for more cost reduction. I think it plays well for us.

Alex Henderson

So Alex Henderson again, over at Needham. I can’t let Remo get away without having some questions here. So clearly, conditions continue to be changing pretty rapidly. Europe under a lot of duress. We’ve seen the interest rates rise. Any change in any of the key parameters like pipeline or rapidity to close deals or deal sizes or alternatively, are you seeing benefit from that as a result of your ability to improve user access, user experience and productivity and all of other transformation benefits? And then you do sell in dollars globally which is a great thing, given what’s been going on. And I think you’ve been hedging some of the OpEx cost. Can you talk a little bit about if the exchange rate is having an impact?

Remo Canessa

A lot of questions there. I know — the global economic situation is clear for everybody. It’s impacted the commercial and consumer side of businesses. Not so much large enterprises but if it continues, I do see an impact, from my perspective. It just makes sense for all the reasons you mentioned Alex, related to interest rate hikes.

Alex Henderson

[Indiscernible].

Remo Canessa

Yes, I have not seen it yet in inflation. From an FX perspective, you’re absolutely correct. We sell in U.S. dollars. We do hedge our balance sheet and P&L. So we do forward contracts both on balance sheet and P&L. So we’ve minimized the risk, basically the FX movements. The dollar strengthened significantly. So we are getting into basically a [indiscernible] each quarter, four quarters out basically hedging our foreign currency exposure.

Alex Henderson

And the OpEx size is protected?

Remo Canessa

OpEx size is protected, yes.

Jay Chaudhry

Remo, can I just add one more point to what Remo said, I know we keep talking about value and outcome based. It’s enough fancy words. We create CFO-ready business cases. We consolidate cost across multiple dimensions. This has been our focus. So this is going to continue being our focus. So as far as I’m concerned and to Remo’s point, I think what we do and how we do it, whether or not the market is good or not so good, there’s a quantifiable outcome that we drive. And I don’t see that changing yet.

Brad Zelnick

Remo, it’s Brad. Just a follow-up to Alex’s questions. Can you remind us the extent to which the newer products are expected to impact the P&L embedded in your guidance, if at all? Obviously, you have expense associated with a lot of the investments that have been made and the go-to-market investments, I imagine, are made as well specialized to some of the newer offerings. But what are your expectations in terms of when they should really start to generate revenue impact for top line?

Remo Canessa

Yes. I mean they’re doing well currently. And we talked about that for ZDX and ZCP, we’ve been low teens of new and upsell business and that’s what we’re tracking to for this year. Going forward, we do expect emerging products to contribute. And as we go forward, they’re going to contribute significantly. From a profitability perspective, the gross margins for the products, similar to the gross margins that we have. The advantage that Zscaler has is the — and I made the comment before, we have a lot of levers that we can pull. And what I meant by that is that when you’re in a ratable model with 80% gross margin, with that ARR gives you a lot of runway basically to change your business. That’s one. And two is basically our contribution margin. So first year contribution margin is negative, then years two and three and thereafter it’s 60%. Those are the levers that you can pull. And from that, how do you influence it? You can influence it by head count, right?

So, the comment that we’ve made is that we’re going to continue to aggressively invest in the business for growth and nothing has changed on that.

Chelsea Liu

Chelsea Liu from Goldman Sachs. I have a question from Brianna [ph]. Understanding we’re still in the early stages. Can you help us understand what you’re seeing competitively in the cloud native application protection platform market? Are you seeing platform vendors such as Palo Alto that have already begun penetrating the market, new vendors like Sysdig, penetrating with the best-of-breed market — best-of-breed technology or is most of it greenfield?

Amit Sinha

So as we said, the posture control market doesn’t have a huge barrier to entry. Everyone gets access to the same CloudTrail logs, right? The key is the integration of posture with communication and being able to provide the holistic end-to-end security from build time all the way to run time, right? You do — if you search for CSPM and CIEM, you’re going to find many point product vendors, right? They’re all looking at it from a little bit of a lens and nobody has that holistic view. So couple of competitors you mentioned, did acquire a few point product companies in CSPM, CIEM. One of the things that I’ve learned through the process is each of these 70%, 80% of the functions are common and it’s wasted. Really what you’re looking for is the holistic integrated platform that can provide the view of correlated threats from every vantage point. Otherwise, you’re just adding too much operational cost. You’re hunting down alerts and it isn’t an effective security solution.

Jay Chaudhry

If I may add, I think CSPM, CIEM, kind of stuff, what we call posture control or what Gartner is calling CNAPP now, cloud-native application protection platform. Yes, they can find that, I guess. That area with smaller barrier to entry, you’ll see a lot more players coming in. You can — I can probably count 100-plus vendors in there. A few — till a few months ago, literally a new vendor will enter every couple of weeks. Now that’s slowing down, obviously. It is — I don’t think it’s a room for stand-alone companies to do just posture control, okay? Integrated, it has to come together.

So we did the smart job, bought two companies but fully integrated them to have a very good product. But I think what’s our sustainable advantage is not posture control. It is workload communication which is implementing zero trust for workload-to-workload communication, workload to Internet. What is our competition in that space? It’s all legacy virtual firewall, period. So we think our entry point is that, then we expand to posture control, the two together becomes a very compelling story.

Angie Song

Angie Song from Morgan Stanley again. So we have a question on federal. Could you give us an update on the pipeline there? And what do you — what are the typical deal sizes that you’re seeing today versus a few years ago or maybe a few quarters ago?

Remo Canessa

We’ve invested significantly in federal over the last several years. Our certifications for ZIA and ZPA that we’ve talked about. ZPA is FedRAMP high. And ZIA is basically FedRAMP high-ready. We see the federal market being a big market for us. It was mid-single digit of our new and upsell last quarter. I don’t want to give exact percentages but we’re well positioned in federal to move forward.

Gray Powell

Gray Powell, BTIG. From the keynote this morning, it looks like Zscaler is taking some initial steps to develop its own SD-WAN product. I just want to make sure I was interpreting that correctly or just make sure I fully understand what you’re doing there? And then if so, like what do you see as the opportunity?

Jay Chaudhry

So we aren’t building an SD-WAN product, okay? We don’t really believe in WAN which is routable networks. What we’re doing is we do want to eliminate routable networks, okay? So you need a router in every — or router connect things to things. So whether no matter what you do, you need a router in every branch office. We are not getting that space. But router, all SD-WAN device can create a tunnel to Zscaler and connect with us and we’ll take care of the rest. So it is not trying to be an SD-WAN company but minimizing the need to create a WAN, call it SD-WAN without a WAN.

Amit Sinha

Anybody else not get that? Okay. Let me give you some color. You probably have your home network, okay? You have devices in your home network, you have your PC. Let’s say if maybe you have an Alexa device, right? Let’s say, if Amazon came in and said, hey, for your Alexa device to work, you need to have an SD-WAN box and set up a full flat network, so routable network. So all of Amazon services, your home network and one million other home networks were all on a good routable IP network.

Would that be a good design? Absolutely not. First, Amazon would never allow you to do that, right? Look at how simple your home network is. You have a router and the router says, I’m not going to — hopefully, that’s true for you. But the router says, I’m not going to allow any inbound connections at all, right? And your devices inside do outbound connections to the Internet. And that’s just — your attack surface is very minimal. Nothing is exposed, right?

What happens in branches is that’s not the case. When you start deploying SD-WAN, you have a device that is taking the network in your house, spewing it out and it’s extending, connecting all of these things onto this big, flat routable mesh network. And that was…

Jay Chaudhry

Because they probably want to find each other.

Amit Sinha

They want to find each other. If I want to be able to reach this printer, I want to go here, I want to go there. And that creates a lot of the lateral propagation risk that Alex has talked about and pretty much every exploit that you have heard about or significant breach has had that as the root cause, right? An initial — an infected machine came in and it spread. We want to avoid that. And so you might be thinking, hey, there’s an SD-WAN box and Zscaler is saying a VM, maybe that VM moves to the cloud. But it’s the architecture that is fundamentally different.

There is no IP routable network, right? It’s a — if you want to connect to something, you come to that, it just forwards traffic to our exchange and it’s a policy-based decision of this user is going to this application, right? That’s fundamentally what we’re trying to do. So it doesn’t do traditional networking. It doesn’t do BGP, it doesn’t do — it’s not looking at it as layer three, right? It’s just assuming there is some Internet transport but I’m going to make pragmatic zero trust policy decisions saying this user, this app is allowed to talk to this destination. That’s what we’re trying to.

Jay Chaudhry

So just adding one more point. I think SD-WAN box is a wonderful next-gen router, they’re cloud managed, they’re simple. So I think the future belongs to SD-WAN box as router, so to speak. But creating a routable network that where you can move around is the problem, is the security. That configuration changes. We bring in zero trust to SD-WAN devices. That’s how we look at it. That’s why we won’t get into routing business. That’s a basic networking business.

Fatima Boolani

Coming back for seconds. Remo, I wanted to revisit some of your big hairy aspirational goals with respect to the $5 billion ARR target. So just in the context of a lot of the innovations that’s — and it’s been very hard at work with respect to the ZCP portfolio. Is there an aspirational mix that you see? And maybe to add kind of layer to it, the velocity with which you get to $5 billion in ARR, is that going to be from accelerated disruption in some of your core markets? Because I can appreciate ZCP sort of has almost an evangelical element to it because you can only run as fast as your customers are running. So if you can kind of help us put some contours on that $5 billion ARR target?

Remo Canessa

Yes. I mean the $5 billion market that we’ve got with their existing customer base, if they bought everything that we have for ZIA and ZPA, there’s a 6x opportunity offer, $1 billion ARR. So significant just for ZIA and ZPA. We do put together — we do have a five year plan which is a detailed plan related to by product segment, by geography, by channel, related to where we expect things to be over the next five years. What I can say is that we do expect the emerging products to be a significant portion of that. So we’ll see, they’ll grow at a faster pace than ZIA and ZPA. But our main products are still going to be ZIA and ZPA for a while because they’re so big and so much momentum.

Ashish Bhandari

Ashish Bhandari with Ashler Capital. Just had one other quick follow-up to the competitive landscape. And specifically, it sounds like you’re really entering into the CNAPP space. But CrowdStrike also has capabilities that they offer as part of their Falcon platform. And of course, you have a strong partnership with CrowdStrike. Curious how you view kind of the differentiation between your two platforms for that — those specific capabilities? And then, I just had a question for Remo or Dali just — we’re hearing a lot about headcount reductions or slowdown in hiring, specifically in tech but — and with the recession looming, you can kind of anticipate that moving to other sectors as well. Curious how you think about kind of the ZIA/ZPA expansion motion? And how you’re kind of preparing for maybe what’s looming, maybe not today but a year or 18 months.

Jay Chaudhry

I’ll take the first part. Yes. So almost every vendor is kind of looking at what can be done in the cloud. So CSPM is what CrowdStrike acquired. So obviously, they’re looking at the posture kind of stuff. Every vendor will have CSPM kind of stuff. Now where they expand, where do they go? That remains to be seen. But the second part of the question is partnership versus overlap. As companies succeed, they naturally expand and there’s bound to be some degree of overlap. Just because there’s a little bit of overlap here, that doesn’t stop us from working with this so much of synergy between our companies. That’s how I look at CrowdStrike. I look at Microsoft the same way, right?

But the first overlap we had with Microsoft was CASB. They’ve MCAS, we developed CASB, it’s very understandable. There’s a little bit of overlap here and there. And there may be some here and there as well. So I think you look at strategic partners where the core business is complementary to you then you work with them. And it’s working out very well; none of that is stopping us.

Remo Canessa

We’re not looking to slow down at all at this point. Again, we’ll monitor the business conditions as we go forward. And as I talked about, if a recession does come and hits basically large enterprises, we’ll adjust to it. Now having said that, the comment I made about the levers that we have in the business which is basically the ratable 80% gross margin. And you have a large ARR balance, you’re going to get significant revenue from that in the following years. So that gives us a good runway. And in addition with that, the contribution margin. So if the business were to slow down, the contribution margins in year two and three are over 60%. But right now, we are not looking to slow down. We see this as a huge market opportunity. We think we’re well positioned. We’re going to go after it. We’re not saying we won’t. But at this point here, there’s no thoughts about slowing down.

Jay Chaudhry

So we aren’t slowing down any investments.

Adam Borg

Adam Borg again, Stifel. Maybe just for Dali. So obviously, still really early days for ZPA and even ZIA arguably. And a lot of focus at this event is on the workload segmentation, right? On the workload front. So kind of what needs to happen to really accelerate customer adoption admittedly that the products [ph], we have a lot of announcements today but what needs to happen to help to evolve these customers on the journey like we heard from the speaker earlier today.

Jay Chaudhry

Yes, can I make one comment please. And by the way today’s focus was workload. Tomorrow is users. Yes — so, don’t miss session two.

Dali Rajic

So, I go back to — if you look at the last 18 months and what we’ve developed as far as the true life cycle engagement model with our customers. Different customers, different stage in their maturity curve and experience. So if you don’t have an integrated model built from the moment you presell to the post sale with services and partners and customer success and architects and thought leaders, such as our CXO teams that we have working with us to provide thought leadership, visionary brainstorming with customers. You got to have that integrated framework built and then you got to have a really tight control mechanism in place because you got to nudge it along sometimes, right? Because at some point, customers have to take what they perceive to be risks. And we have to explain why they’re not and show them a path that’s specific, not a few general slides and hoping that they get it.

So having built that and we’ve been building it over time now, that is how we’re guiding customers along. So when I use words like we’re doing this together and it’s a true partnership. It is because we’re engaged throughout the number of meetings that we have in these accounts, give or take a few by account, but it’s a lot compared to anybody else out there. It’s because we’re doing forensic work in discovery and then coming back with ideas that are holistic across the entire team, not just reaping [ph] a C and hoping they figure it out on their own. So that’s how you make sure that the adoption is there. We track adoption, we track users, we track bandwidth. I mean you name it and we’ve built models for everything from a risk profile, acceleration profile and we apply them to all of our customers by different cohorts because everybody travels differently based on where you are size-wise. So it’s a scientific formulaic approach and we’re continuing to tweak it as we keep learning more from customers but it’s been working pretty effectively for us.

Jay Chaudhry

Dali is more analytical go to market leader than I have ever met anybody.

Unidentified Analyst

Just coming back to the conversation that Gray sparked a few minutes ago. When we talk about like VPNs and firewalls being a part of the problem. They create attack surfaces. Is it really that BGP is the problem by advertising? Like how should I — like when you talk about like the virtual machine or whatever sort of this future state is, like, is it the fact — is part — is a big part of it that you’re taking away the self-advertising part of the — where the Internet connects to this local area network?

Amit Sinha

Let me take that example a little further so you can understand. Let’s say, I have a house and I have a small network and it’s a self-contained island and I have the same Alexa device. Now I visit my friend, I go to your house. If I need to access my device, the VPN firewall mindset would say, my house network and your house network should be connected over a VPN, right? And now imagine extending that to a complex organization with hundreds of thousands of employees in so many different locations. That’s the exploding attack surface.

Now the problem is in that simple example, my house, your house, I’m in your house now, both the networks are connected. If there’s any threat actor or anything bad that is happening, they can just discover because the way firewall VPN, so it just says, hey, these ports allowed, right? So you’re going to run a simple scan and just discover it. If you look at how modern applications behave, how does the iPhone talk to your Alexa device. It’s agnostic of any network. It could — you could be in 5G, you can be in your friend’s WiFi, you can be anywhere. You’re not trying to say, before I have access to any — this application, I need to be on a consolidated routable network, no, right?

Your phone talks to Amazon, you authenticate, Zero Trust, you authenticate who you are, your device talks to that cloud service. And then based on policy and everything, the connection is stitched. It just works.

Jay Chaudhry

And in that case, Amazon is acting like a switchboard.

Amit Sinha

Exactly.

Jay Chaudhry

Party A goes to switchboard, party B talks to switchboard. That’s how communication happened. There’s no routable path between the two switchboards, it says, stop. The way Alex explained to me the other day, he said, when I explain this thing, I say a firewall is like a bridge. You made the connection, you can go across from here to there. But the true zero trust is a switchboard, you can go from A to B. So there are two pieces of problem, lateral movement. Once you get on it, you’re there, almost like our highway system, you’re here, you go everywhere. There’s not a single light. It’s wonderful.

Now if you are to introduce lights, kind of said, could I create all these, what you call them, chargeable tolls. Can you go in, where do you get on? Where do you get off? You know what’s that? That’s my segmentation, microsegmentation. Imagine trying to create tolls on American highway system and who can go and where who can. It’s a problem. That’s why. So lateral movement is trying to be solved by micro segmentation and it creates bigger problems. The goal is not to really get people on the network. That’s point number one. Point number two is also your attack surface. Today is motion, the way things is broadcast, tell people, I am here, please connect with me. What does VPN gateway do? Says, I am here, you scan the Internet, you find VP on every VPN server out there. If they are not patched, if they’re vulnerable, you can get on them and you could try to create compromise.

In our world, for example, maybe I’ll use the switchboard analogy. In the old world, you publish your phone numbers. If someone needs to find you, they dial your number, they get to you, right? So every phone number is discoverable, right? Because it’s published. In the same way, all IP addresses opened to the Internet are published. They can be discovered, they can be exploited and they can definitely be DDoSed. The newer analogy would be you hire a switching service. You don’t publish a phone number anywhere at all. You gave a list to the switching switchboard service there. These 15 people can talk to me, period. And you don’t even give them your phone address. Person calls, he is in approved list, they check the list. They connect you no matter where you are without sharing your information where you are, what your phone number is. All other parties simply get denied. That is really how you’re hiding your attack surface by sitting behind the switchboard service.

We are that switchboard service that connects right party to the right party. Your applications are hidden behind us. Now the question is, are you an attack surface? Yes, we are an attack surface. But that’s how we have built in 150 locations, all kind of stuff to make sure, I am the switchboard, I connect the right party. Firewalls will never do that. When you hear about the cloud service of these firewall guys who try to — you go to their website, the word firewall disappears, VPN disappears, all cloud-based, zero trust service. It’s the same thing underneath. When you deploy that cloud solution, every branch office has a network and mapping and all extended to every Google or AWS region. It’s the network that’s messy. It’s really crazy. I just wonder sometimes how could you consciously sell that kind of solution to your customers? When you know it’s bad. You are being kind of creating a false sense of security. It’s not good for the country. It’s not good for the economy and our companies.

Amit Sinha

Just think of the simple example I gave about your home and imagine if all your friends’ houses have to be on the network just so you can do the basic stuff. And unfortunately, that’s how a lot of enterprise networks…

Jay Chaudhry

That’s how networking — IP-based networking works and the firewalls were created to be little bridges in between. But if you need to talk, the bridge has to open up. That’s a problem. Then there’s a connection setting out.

Unidentified Analyst

So, I guess the way the Internet was designed, it’s no longer really suits for the complexity…

Jay Chaudhry

It’s IP-based network. Think of Internet as best niche. Internet is fine if you treat it as the transport and plumbing.

Unidentified Analyst

I like the phone directory analogy. That was helpful.

Angie Song

Angie Song from Morgan Stanley again. So as you mentioned — this is a question for Remo. You mentioned that you aren’t really seeing a macro slowdown but you’re really mindful of the recession risk. So as you’re thinking about the fiscal year ’23 guidance a couple of months from now, is recession a scenario that you’re considering reflecting on the outlook?

Remo Canessa

Not at this time. We’re not looking at that. Yes. I mean, well, as I mentioned, as we go forward, if we see things, we can adjust. But right now, we’re not putting that into our planning process.

Bill Choi

All right. I guess that’s all the questions. Back to you, Jay, for any…

Jay Chaudhry

I think it’s good. We appreciate your time. And we appreciate your interest in Zscaler. Ashwin and Bill are always available to answer any questions. And I hope this session is worthwhile. Any feedback about this session or the session this morning. We always like to get feedback and always learn and get better. So the morning, the demos and all are pretty clear and easy to follow.

Unidentified Analyst

I think your analogies are [indiscernible].

Jay Chaudhry

Analogies on. They help, I tell you, it’s hard, just like Sasha from Salesforce [ph], hello, I did my VP and I connected. I connected with Zscaler. It’s the same. It really isn’t, right? It’s so — the — it starts getting interesting, then we start showing demos. For example, you do — it gets a little [indiscernible]. There’s a command called nmap. It means network map. You type and say, show me what’s on this network. You type in nmap. And generally, if you do VPN from your home and type in nmap, you’ll see hundreds and hundreds of things out there because with VPN, you’re logically sitting in the office, okay?

PC is logically connected there because you’re extending the corporate network to your home. See hundreds — everything — you’ll see — everything you’ll see from the office. You do with ZPA, you type in the same network map, shows nothing. Nothing because it doesn’t go anywhere. It’s not on the network. And it’s — even more interesting. VPN you say which IP address am I connecting to? You actually see a real IP address, 191-whatever-whatever. You say what is Zscaler connecting me to because it’s some made-up numbers. You don’t even know what IP address you’re connecting to. That’s really — it’s hiding behind. It’s a new approach, see 30 years ago, when networking was created as IP network is an amazingly wonderful thing because the previous architecture was IBM SNA network. Totally proprietary. IBM dominated every enterprise.

And IP-based networking with TCP and all standard, got created, so everything could talk to everything. When it was created, security was never a concern. It was all, can I reach, can I talk? So that’s basically said, if a user connects to a network, an application connects to the network, they’ll find each other, they’ll connect. That’s — that was the biggest and the best invention. It’s just that the security risks are kind of making a problem. Security was never considered into this. So it’s really first, real architectural change in networking since late ’80s, early ’90s, the early ’90s network made Cisco what it is. Because at that time, you needed all those wonderful routers and switches.

And then, firewalls were brought in because if you go on the highway, sorry, let’s put some tollways out there, right? And that tollways are no longer working in today’s mobile and cloud world. And that’s where we are needed. And I think you’ll see a bunch of noise out there. When Siebel and Salesforce had a fight for a while, I used to watch it because I was in an early stage of Zscaler. I used to talk to people. How are you competing? I’d talk to my friends in Oracle who’re selling Siebel, I talked to some people who’re Salesforce to learn how that backlog is going because it felt like Siebel dominated everything. Salesforce was tiny. The right architecture made a difference, we think this right architecture will win for us as well.

With that, thank you for your time.
