Skip to main content

Baird Global Consumer, Technology & Services Conference in New York

Zscaler, Inc. (ZS)

Conference Call date: 2026-06-02 Concluded
Share

Transcript

· tap a word to jump the audio 30:36 Audio
Operator

Great. Good afternoon, everybody, and thanks a lot for joining us. It was the pleasure of hosting CFO of Zscaler, Kevin Rubin. Really appreciate you joining us today. To begin, I just love that we'll take questions in the room as we come, so feel free to send it or email. It's going to be a fireside chat format. So just to jump in, right, I wanted to, just for audience, are not as familiar with the Zscaler story or maybe still sort of know you as the original SAS seed and module story? Or the most important, I would say, conceptual takeaway from the last quarter was increasingly becoming a control plane, not just for the users and applications, but getting more agents and workloads. So just how should investors really

think about zscaler as a platform identity sure and thank you for having us so zscaler started as a zero trust platform for users that included internet access and then shortly thereafter private application access and have since expanded into cloud so being able to provide zero trust for workloads and devices sitting in branch locations and then more more recently we're going to be announcing zero trust for agents so providing the zero the same principles that we applied for users devices workloads also providing it for agent to agent and machine to meet machine communication we have our user conference next week in Vegas Zenith live and you'll hear a lot more about AI, Agentic, and our integrated SecOps product next week. So we'll be talking more about it. But essentially, if you think about zero trust, provide the least permissioning to solve a particular ask or use. Don't give access to somebody to jump on a corporate network and potentially have lateral movement access to do bad things and so we've applied those principles through our zero trust exchange to really provide one-to-one communication paths between users applications between workload and workload between devices and devices and so just a very differentiated approach to network security we're very helpful just on the

Operator

the topic of AI, there's been sort of brought a debate around frontier models and AI-native startups, especially post the meet-throughs announcement by Anthropic. Just to kind of elaborate, as AI traffic sort of expands, as more and more agents are coming online, and even the attackers are moving at machine speed, how does that really expand the need for what you offer, which is like an in-line enforcement layer? and how does that opportunity multiply in the enchanted era as we go out?

Yeah, so as METHOS and other similar frontier models demonstrate an ability to identify vulnerabilities at a rate and pace that far exceeds what we've seen today, we believe the best security and the best response to that is hide your applications and limit your lateral movement. So ultimately, your blast radius can go down to one infected device and one only. It doesn't have an opportunity to permeate the rest of your network. If you look at large organizations today, they already have a backlog of patches for existing known vulnerabilities that they are incapable of handling in any reasonable period of time. So they go through a process of prioritizing which patches I'm going to apply when and, you know, attempt to do that without disrupting their organizations and their business. What Mythos and other models similarly are identifying is a volume of vulnerabilities that already exceed what they can handle today. you're just piling on top a order of magnitude more set of vulnerabilities and ultimate patches that would need to get run and it's just incredibly overwhelming and so you know our approach and our answer to that is if you adopt Zscaler zero trust approach you end up hiding all of your public facing applications so they cannot be seen if you cannot reach the application you cannot breach it and so hide it and then only apply only allow those sessions to be activated based on lease permissioning and so those are the conversations that we are having with our customers and prospects today in response to just an unprecedented level of identification of vulnerabilities it's very very

Operator

helpful Kevin and I know you you did highlight the customer conversations with CISOs and CIOs, how that's really shifted post-Methos. But just in terms of big picture, right, what are you seeing as the budget trends for broader cybersecurity, right, in light of Methos? Are you seeing CIOs starting to expand and unlock more budgets because of the extra risk or additional risk that AI is driving? And I was seeing, especially to your point around the exposure risk, and recently there was findings of almost 10,000 high critical vulnerabilities. How is all of that kind of changing the budget landscape for you?

Look, it's incredibly challenging for a CIO who has largely lived within a fixed budget domain for a long period of time, and all of a sudden there's two fundamental dynamics. You've got a need for their organizations to deploy AI and to do so quickly. I don't think I've met a CEO who has told an organization to slow down and go forward with AI slowly. It's let's get it deployed through the organization and take advantage of it as quick as possible. And so they're reacting to a desire by their business to deploy AI. And at the same time, they have to then understand, how do I protect this AI use in a way that protects my organization? And what we've seen is that companies have rushed to be able to deploy AI technologies within their organizations, and then they're coming back behind that to actually provide security for the ultimate use. And so we are working with customers via our AI Protect suite of products to be able to provide protection for AI use. So we offer the ability to first identify and find all of the AI assets that are being used within the organization. Not just the obvious ones that you're intentionally deploying, but applications that are leveraging AI in the background to be able to do more work within those applications. So we're able to identify the landscape of threat that you may have within your organization as it relates to AI. The second step then is to be able to actually protect the communication path going back and forth between AI. What data do you want to share? What data do you not want to share? And so we have an AI guardrails capability that will allow you to monitor and inspect that communication in real time to be able to ensure that sensitive data is not being exposed to models when it shouldn't be and responses back from those models are business appropriate for for your particular use and then finally we have a AI red teaming solution that allows you to continually monitor those models and understand how those models may change evolve and drift over time fairly new products we announced those as a as a collective suite of products at the end of January of this year. But they're actually doing quite well, and there's a lot of interest around just generally being able to protect AI.

Operator

Great. Really helpful. And mention about the incremental AI security demand in reaction to deploying AI, as you said, sense of urgency, deploy across enterprises. We've also heard from some of the travel partners, some of the customers out there that people are closely looking at sort of longer duration, architectural re-evaluation as well, right? So does Frontier AI ultimately also, and is it getting evident in your conversation, accelerate this migration away from, and as you guys have talked about, it's a lot of these zero-trust, the SaaS founders talked about, from perimeter-based or firewall

appliance-based approach? I suspect that as we kind of play this forward and organizations recognize the exposure that exists with traditional hardware approaches, network security approaches to AI, and what they will have to do to be able to patch and protect their environments, it's only going to increase the validation of moving to a solution like Zscaler we already have an incredible ROI for customers that choose to adopt Zscaler in lieu of traditional network-based security and as the burden and overhead of continuing to manage that you called it perimeter base I just used the term network Security, I think it's just going to make it that much more compelling. And we have had significant inbound conversations as this mythos and mythos-like exposure has been identified because companies are realizing that there's got to be a better way for us to protect our environments without constantly having to chase our tails and continually patch and chase these vulnerabilities. So we do think that it is a significant tailwind and opportunity for our business

Operator

Great very helpful and just on a high level The impacts on your revenue model, right? I mean we all understand like the seed model Of course will take a sort of backseat as we go into this agentic era and you have talked about how as you said, right the the AI traffic the workloads the agents all those interactions are likely to act rate materially like just how should we and investors think about this model holistically evolving from this human seed base towards more sort of non-seat machine agent based so we've

actually been exposing some additional color into the texture of our new ACV in a given quarter, specifically to give insights into how much of that ACB is coming through traditional seat-based pricing versus more metered pricing. And it increased in this last quarter to about 30 percent. So we are seeing a continued increase in non-seat-based priced products in the market. The AI and agentic technologies that I mentioned earlier are not seat-based oriented products by the nature of those products. So they are much more aligned to consumption and how much traffic is actually being exchanged. For AI, it likely is tokens, right? That will be the unit of value that gets monetized. For some of our other products, it may be just traffic and consumption. For our branch device, by way of example, that starts to look at assets and assets communicating back to other applications and company resources. So we have continued to see a just continued distribution of our business away from seat-based pricing. And when it comes to agent-to-agent, we think that that traffic will be significantly greater than what we've seen with user traffic, and we expect to monetize that through tokens and consumption as well.

Operator

Great, thanks for laying that out for us, and just I wanted to get back to this setup into physical 20-sun, because as you know, the market reaction intensely seemed to focus on the guide part, the early look, as you said. When you think about that prudent 20-sun framing, can you just help us unpack how you're thinking about the execution piece right which is kind of tied to the go-to-market transition versus like there are a lot of moving pieces as you sat around of sec ops how they're looking at the budgets the deployment velocity and and then of course the agentic and the I monetization if we can help us unpack

things yes so I thought it was important in this last call that we provide an early look as to what we were seeing and and giving you perspective on growth rates into fiscal 27 we wanted to make sure that you were aligned with us in terms of how we saw our business against that backdrop I provided two fundamental factors that were affecting how I looked at this early look into 27 one was we are replacing two senior sales leaders within Mike's organization you may recall Mike joined us a couple two and a half years ago this is his second full year running our go-to-market strategy soup to nuts one of his leaders got an opportunity with a AI pre IPO startup and you know chose to pursue it after spending I think almost a decade with us so very long-term tenured senior leader and so he has moved on and another leader that was a direct report to Mike is also departing the organization and so we will be welcoming two new leaders into the organization one is an internal promotion into this new role the other will likely be an outside hire and given that and given that these are you know two senior individuals I just took a cautious approach to what that would imply for fiscal 27 these are not the only directs to Mike but he doesn't have you know a large set of directs as well so just in the interest of being prudent we we took a cautious approach the other dynamic affecting our perspective on 27 growth is the pace of uptake of the integrated SecOps offering that you'll hear more about next week at Zenith live but if but fundamentally we will be coming to market with an integrated SecOps solution that will leverage our existing technology from a data fabric perspective as well as our very high fidelity rich data set and that will be the migration from the old Red Canary product into our integrated solution and what I don't know and what I'm again taking just a cautious view is what is the pace of that uptake look like going into next year. So those are the two fundamental dynamics as I looked at fiscal 27 growth. Now, aside from that, we have a significant number of opportunities that could build momentum and we're very excited about. We've talked about AI and just the opportunity that exists, whether it's a catalyst to folks choosing to adopt zero trust or it's actual providing security for AI which again is products that we just recently put into market so they're they're young but you know obviously high-growing products so but that's the tension and balance that we had to strike as we thought about the

Operator

early look we provided. Yeah no clearly as you said like the the headline early look seems to obscure how the healthy or sort of underlying signs and signals you just talked about and especially around the the health of the upsell pipeline the the AI pipeline and the non-seed business so just I know historically you guys have often guided prudently I remember the times around the branch connector launch around the cloud before they they showed that sort of inflection point right so should investors think about central monetization of AI Protect, SecOps, a generating exchange, like you have all of those stacked together in a similar way where like you have the architecture, you have the demand already there and just it's a matter of like timing and scale of monetization. Just curious, how would you?

I mean, I think the answer is a little bit different depending on the suite of products. AI is very dynamic. It's changing frequently as you know. We are very confident in how we're approaching AI both in terms of securing it as well as you know partnering with with the large frontier model companies. We are part of Glasswing and Daybreak and so that does give us a good perspective into what is coming and how we should think about releases like that. So we're very bullish about the AI opportunity but it does take time to build products and market are fairly early I think as we think about the SecOps product to me it's really a pace of uptake question right we we know we have customers that are on the existing product we know that there's incredible amount of value and insight we can provide so you know how that rolls out and what that uptake looks like to me is kind of the measure of success going forward and then not to mention you know cloud and branch I mean those are two very well performing products that kind of build out the suite of zero trust everywhere right moving from users to those two particular products and then soon we'll have agents so I think there's a lot of opportunity for us to see building a

Operator

momentum going into next year so interesting you mentioned about the the project last-wing partnership and the potential for commercialization and monetization a couple of partners some of your larger peers have talked about some of the frameworks around that can you just kind of at a very high level sort of laid out, like how do you plan to utilize and leverage this partnership to kind of drive the commercialization, and what does that look like as a monetization model? Yeah, I mean,

it's a little premature for me to do that here. You'll hear a little bit more from us at Zenith Live next week, you know, but we have had access to these models. We are, you know, part of these programs we've been able to run them against our environments and you know use those as well as you know have meaningful conversations with customers as to how you know these models may affect them and and where there's opportunities so you'll hear more from us going forward. Got it and and just to

Operator

double click a little bit on the agentic exchange because the reason I brought because you and Jay, I mean, sounded, and for the right reasons, as the biggest long-term sort of opportunity, right? And I'm pretty sure we're going to hear more about that in Zenit Lab. But just as a quick preview, right? I mean, if there is a kind of traffic-based monetization opportunity there, you talked about tokens, you talked about sort of transaction processing layer. It seems like the AI traffic has already kind of exploded, and as you see, like, a lot of numbers and metrics. how should we think about like monetizing that right I know we are or you are kind of still figure out and trying to settle in a more stable model more durable model but just kind of any any sense of how to think about that

monetization yeah I mean just to level set the agentic exchange is not actually in market yet the principles of how we will apply it are very similar to what you've seen us do with other zero trust approaches and again you will hear more but the concept is simple you know we have over 50 million users today that we apply zero trust to through the zero trust exchange I would expect that number of agents and and machine to machine connectivity is gonna be orders of magnitude greater than that and so the ability to be able to broker those communications inspect that traffic and provide protection is going to be very similar to what we've been able to do with the other forms of communication and it just it represents an opportunity very likely greater than we've seen thus far with with users branches and devices so very excited about the potential and I feel like we've got a scaled track record of providing the zero-trust approach to other forms of communication very helpful and I will

Operator

definitely wait till the end of life for understanding how that agenda traffic translates into kind of more more modernizable metrics but before that like AI product as you started off it already is achieving scale right I mean it's already at hundred million bookings still relatively early compared to all of other opportunities, just wanted to understand, I mean, you gave us a good kind of sense of like what's resonating, but like across AI Protect, right, there are a bunch of different components and you have guardrails and you have ways to protect like the prompt and which is starting to become more significant or are there multiple levers right now already showing growth just from a perspective of AI Protect?

So the Guardrail product has been in market longest. I think we're actually probably just coming up on a year that that has been in market. The asset management and the red teaming are newer. Red teaming was part of the SPLX acquisition that we completed a couple quarters ago. and the AI asset management we rolled out, I believe, in January as part of that announcement. So, you know, each of those components have had, you know, a different shelf life so far, but collectively we were very excited about the proposition of all of them and think that, you know, they do form the basis for what companies need to be able to protect their AI use.

Operator

Just a quick follow-up. Is AI Protect eventually, even like early signs, are you seeing that becoming a stronger landing motion? Because I know you are focusing on new logos. You have been talking about all the adjustments you made in terms of prioritization of go-to-market. Is that going to be one of your big focus areas? And I believe you mentioned you're already seeing some traction there.

Yeah, so the AI suite of products do not require the Zero Trust Exchange or ZIA ZPA specifically. So it is an opportunity for us to land and have conversation with customers. And we are having traction in those conversations. Some of the other products are more tightly embedded with ZIA ZPA. So it would be natural that that would be the landing point for those products. But the AI products do give us an alternative kind of side door, if you will, into introducing Zscaler to prospects.

Operator

Got it. And you did announce an acquisition, Symmetry, very recently. Seems to be very much strategically aligned with your authentic exchange sort of framework. Of course, the way you describe and characterize enabling agents, kind of enforcing policy around it. And it seems it's an innovative way of orchestrating the context and identity. Can you just outline how that's differentiated from a lot of these authentic identity methods and sort of paradigms out there?

Well, I'll answer as a finance guy. It's a fairly technical question. So Symmetry has built an access graph that allows us to understand and infer permissions that may have been inherited to an agent through its need to do work. And so it just provides us yet another differentiated way to be able to understand identity and understand permissioning so that as we are providing in-line policy enforcement, we can ensure that the agents are only accessing permissible assets and or applications. So it's just another piece of the agentic exchange puzzle.

Operator

Got it. And I'm presuming we'll hear more on the monetization model and adapt strategy at the end. Just in terms of ZFlex, right? And this was one of the, I would say, marquee quarters for you guys. We closed $480 million worth of DCV this quarter. And that was one of the big, I would say, inflection I've seen over the last year. So I know you've underscored that it's about flexibility and broader platform adoption. As other kind of larger players out there, like, I mean, you know, I'm ruffering, have been leveraging this strategy. Can you just talk a little bit about, like, what has now resonated this quarter, especially, which is driving these sort of big kind of uptake of very, very large deals and anything particular that stands out in terms of underlying driver?

Yeah, so ZFlex is our approach to providing customers that are looking to make large commitments over a long period of time to us the flexibility to not have to identify each piece of technology and specific counts of everything up front today, right? Right. So if somebody knows that they are a long-standing Zscaler customer or intend to use our technology over a long period of time, it allows them to have flexibility for the different capabilities that they can deploy over a period of time. If they want to be able to swap into other pieces of technology or flex into other pieces of technology, it provides the vehicle to do that. It gives them fixed pricing across all of our portfolio of products. In most cases, in some cases, we only give them a menu of lesser product, but by and large, it gives them fixed pricing that they've already pre-negotiated so they don't have to go through another procurement cycle a year and a half into a contract to procure more. It's already been baked into that contract, and it allows them to make those commitments with the understanding that they've got protection if they want to use different combinations of product or they want to be able to try something else that maybe they didn't anticipate at the time they made the commitment. So it's a very flexible way for customers to consume Zscaler. And for us, it gives us certainty. It gives us that commitment. And so we're happy to provide that flexibility as well in that relationship. And we did cross a billion dollars in booking this last quarter as a result of the strong Zflex bookings in the quarter.

Operator

I have a quick follow-up. I think in the interest of time there's a question which came up so you do and you mentioned about your M&A strategy as well you have over say 3.5 billion cash and the platform it's definitely mature and as you said like across across the board how do you think about the capital allocation right here I mean I know you've been doing a bunch of like tucking M&A's mostly it's still organic execution are there categories where like a larger sort of more could make sense I mean a lot of your peers have done very big at least compared to their standards is there something that you have in mind or looking at it closely

so we have really focused on teams and technology that we feel are highly complementary to the zscaler platform that we have today we have not sought to expand into adjacencies or by populations of customers we've really been very focused on how do we bring complementary technologies to market faster and that's how i would expect us to continue to operate at least in the near to midway.

Operator

That's all the time we had. Really appreciate you joining us, Kevin. And thanks a lot for being in the room.