2023-03-31 12:53:17 ET
Summary
- Softer demand is undermining growth, and as a premium solution, Zscaler appears to be facing pricing pressure.
- While Zscaler has a large lead in cloud-based network security, the quantity and quality of competitors is increasing.
- Zscaler’s valuation has collapsed over the past 18 months, despite robust growth over this period. Absent a deep recession, it seems likely the stock is near the bottom.
Zscaler's (ZS) stock remains near recent lows, despite improving profit margins and less concern regarding the future path of interest rates. This is primarily the result of weak demand and uncertainty regarding Zscaler's near term growth. I believe this is short-sighted though, given how much the cloud security and SASE markets are likely to grow in coming years.
Market
Cybersecurity is a critical capability, meaning that spending can be delayed, but it cannot be eliminated. Based on conversations with IT executives, Zscaler believes that cybersecurity remains the top priority for most IT organizations. While Zscaler offers a premium solution, the company pitches its ability to consolidate vendors and reduce TCO, which should be supportive of demand. Zscaler's management has stated that they have a record pipeline, and that demand is robust. Despite this, it appears that deals are getting harder to close due to increased scrutiny. Macro conditions appear to be impacting larger deals in particular, with Zscaler stating that the lower end of its market is holding up better. Some organizations have also increased their focus on pricing, although this hasn't been significant in general.
Zscaler
Servers and data centers have traditionally been protected by firewalls. When users have needed to access applications, protection has traditionally been provided using a proxy architecture from companies like Blue Coat, McAfee and Cisco (CSCO). Zscaler started in user protection with its ZIA product, before offering internal application and service access control with its ZPA product.
ZIA is the majority of Zscaler's business, but there is still a large opportunity to replace legacy secure web gateways. Blue Coat reportedly had around 20,000 customers at its peak and 85% of Fortune 500 companies as customers. Zscaler's large ZIA deals are 80% Blue Coat replacements, with some also coming from McAfee and Cisco.
With the role of firewalls potentially being threatened, firewall vendors have developed solutions to compete with Zscaler. Zscaler doesn't believe their solutions are viable though, as they don't utilize a "switchboard" with a proxy architecture. With software defined access, one-to-one connections are formed over the network, similar to a switchboard connecting telephone lines. Zscaler spends significant time discussing the benefits of its architecture and how it faces limited competition because of this. Whether customers ultimately agree will only be proven out in the market over time though.
A cloud proxy functions like a reverse proxy in many ways, but because it resides in the cloud, it isn't confined to data center hardware like a conventional appliance-based proxy. Problems with traditional reverse proxy servers include:
- Latency
- Compatibility
- Cost
- Caching
An effective cloud-based proxy architecture can offer:
- Universal application awareness, with fewer compatibility issues
- Global scale
- Lower TCO
- Reduced latency
- No outside visibility into the server
Many services falling within SASE require a proxy model to secure access. Legacy network and firewall vendors lack the expertise to build distributed proxies at scale, which could result in high costs and / or poor performance.
Zscaler replaces the functionality of dozens of legacy hardware boxes, with endpoint security and identity the only other solutions required.
- Zscaler can also provide savings on:
- Networking
- Network performance monitoring tools
- Proxies
- DLP
- Firewalls
Zscaler is now applying its technology to protect servers and workloads, with revenue from this solution roughly doubling YoY. Workload protection secures communications between workloads. It is interrelated with cloud workload security and mitigates vulnerabilities caused by issues like misconfigurations. Rather than focusing on network paths, Zscaler concentrates on the verified identity of applications.
Data protection is another nascent market, although Zscaler believes its product is strong . Zscaler's management has suggested that a significant number of customers want to replace Symantec. Zscaler's DLP solution offers on and off network protection along with data discovery. This solution is built on Zscaler's scale, which allows machine learning to classify data and risky behaviors. Features include:
- UEBA (user entity and behavior analytics)
- EDM (exact data match)
- IDM (indexed document matching)
- OCR (optical character recognition)
- Workflow automation
Zscaler acquired Appsulate for its browser isolation technology. Browser isolation renders content on the endpoint as images, providing isolation against potential threats. Browser isolation and CASB are key components of data protection. CASBs are policy and governance solutions that provide visibility and control over user activities and sensitive data. Zscaler offers CASB with out-of-band scanning functionality that protects data, blocks threats, provides visibility, and assures compliance.
Zscaler recently acquired Canonic Security to strengthen its data protection services. Canonic Security is a supply chain security company, which protects customer data that is accessed through third-party applications and integrations. This data may include intellectual property, personal identifiable information, healthcare information, business, and financial data. This solution will support Zscaler's inline DLP, browser isolation, out-of-band CASB and SSPM to provide data visibility and protection. It is supposed to protect organizations from the growing risk of SaaS supply chain attacks by providing visibility into ungoverned surface areas and streamlining SaaS application governance and enforcement.
Zscaler's digital experience product is another potential growth area where management believe they have limited competition. Cloudflare ( NET ) has launched a product in this space though. While it is unclear how the products compare, Zscaler seem to be universally dismissive of competition, even when there are comparable solutions on the market.
Zscaler also has a new CNAPP solution that was launched in June 2022 and is generating significant customer interest. Zscaler's CNAPP solution correlates vulnerabilities and risks across CSPM, CIEM, and Infrastructure-as-Code scanning. These emerging products are expected to contribute at least a high-teens percentage of new business this year.
There is a real convergence in cloud security between networking, endpoint, observability and developer platform vendors, creating stiff competition. Zscaler's management maintain that their win rate is extremely high at the high end of the market with sophisticated customers who understand what they are purchasing. Zscaler has also suggested that they have no real competitors on large deals, although this seems like hyperbole. While it is not clear how much traction Cloudflare is getting amongst larger customers, Palo Alto ( PANW ) is targeting large organizations and their management team has suggested that their win rates are high. Moving down market, Zscaler has suggested that there is more competition, particularly from networking companies that are bundling things like routers, switches, firewalls etc. Zscaler is expanding its presence within this market segment.
SASE is mission critical, which makes it less likely that customers will implement immature offerings from unproven vendors. This is probably a headwind for Cloudflare at the moment, as indicated by management's commentary around their go-to-market motion.
Zscaler has also stated that it is starting to win customers who had previously purchased single tenant SASE solutions from incumbent firewall vendors, which subsequently underperformed expectations. This appears to be a relatively recent development, with Zscaler giving a large retailer as an example on the second quarter earnings call.
Zscaler believes that this is because a single-tenant architecture (appliances or VMs in the cloud) does not allow organizations to fully realize the benefits of cloud-delivered network security. Zscaler's multi-tenant cloud architecture provides scalability and delivers business agility.
Zscaler processes over 270 billion transactions daily through its Zero Trust exchange, and its deployed on millions of clients. This potentially gives Zscaler an advantage when analyzing data at scale. With an appliance-based architecture, data would need to be transferred to a central location for analysis in a batch fashion. While ML can be applied to this data, it is not the same as analyzing data in real-time.
Zscaler has been working on FedRAMP and StateRAMP certification for a number of years, which has given the company a strong position from which to sell into this segment. Zscaler has the most certifications at the highest level, compared to any other security vendor. The Fed business was softer in the most recent quarter though.
Financial Analysis
Billings have been impacted by customers being more cautious regarding large purchases at the start of the year. Zscaler believes that these deals have not gone away though, rather just pushing out slightly. Zscaler continues to offer larger customers the option of ramping into commitments to help try and get deals signed, which is also dragging on billings.
Zscaler has also expanded its business value team to convince customers of the economics of implementing a zero trust architecture with Zscaler. This team collaborates with customers to create business cases demonstrating ROIs, which help deals gain approval.
Revenue growth is expected to be approximately 39% YoY in the third quarter, indicating further deterioration going forward.
Job openings mentioning Zscaler in the job requirements continue to be quite strong, which could be indicative of underlying demand. In comparison, many SaaS companies have seen job openings fall significantly from their peaks.
While the evidence points towards underlying demand being fairly robust, it also appears that Zscaler is now facing some pricing pressure. Management has suggested that some organizations are focused on pricing and search interest for "Zscaler Pricing" is increased at the same time that planned future technology spending is decreasing.
This is likely more of an acquisition than a retention issue though. Zscaler's gross retention rate remains stable in the high 90% range and the company's NPS now exceeds 80.
Zscaler's gross margin also ticked lower in the most recent quarter, which may indicate pricing pressure. This is not clear though as there are a range of factors on the cost side that could contribute to this (network utilization, bandwidth costs, etc).
Zscaler is making steady progress on operating profit margins though, as the pace of growth investments moderates. Much of this is coming due to a reduced burden from sales and marketing and R&D expenses. It should also be noted that roughly a third of Zscaler's operating expenses come in the form of stock-based compensation, and while this is a genuine cost, it comes in the form of dilution. The impact of SBC on the income statement will decline over time as the impact of stock issued at pandemic era highs wanes.
Zscaler recently announced a 3% RIF (approximately 200 employees), which management attributed to over expansion over the past 18 months. Product development and core sales are not being impacted though. The layoffs appear to be more targeted at general and administrative personnel, like HR. Despite these layoffs, Zscaler continue to hire at a moderate pace and expect headcount to be higher by the end of the year.
Valuation
Zscaler now appears fairly priced based on its current growth and profitability, but this ignores the company's competitive position and long-term market opportunity. While Zscaler's performance may remain pressured in the short run, the company still has a long growth runway once macro conditions improve. The cloud security and SASE markets are still developing rapidly, making it difficult to pick winners, but Zscaler appears as well positioned as anyone.
For further details see:
Zscaler: Facing Pricing Pressure