Zscaler’s (NASDAQ:ZS) stock has performed extremely well over the past few months as the risk appetite of investors has increased. While Zscaler is a leader within one of the strongest cybersecurity market segments, the demand environment remains soft. A higher valuation combined with deteriorating performance increases downside risk if the macro environment doesn’t improve in the second half of the year.
Market
Zscaler has a record pipeline, but is having difficulty closing some deals in a timely manner. A number of deals fell out of the second quarter after Zscaler was unable to complete the business value justification in time. The company has been refining its go-to-market process to combat this, with a focus on early engagement with executives and clearly presenting the ROI of its platform.
Despite increased deal scrutiny, Zscaler’s management team believes that cybersecurity remains the number one priority of most IT organizations, based on conversations with IT executives.
Zscaler’s focus on larger organizations is probably protecting it from market weakness somewhat and the government business should continue to be a source of strength. The Federal Government is dictating that a Zero Trust approach to security must be taken going forward. Zscaler has stated that it is closing larger deals with its Federal Government customers as deployments move beyond initial land deals.
Competition
While there has been discussion around the pricing environment and Zscaler’s competitive position, management has stated that there has been no change in the competitive environment.
Zero Trust has become the preferred approach to network security, but there remain differences in how vendors implement Zero Trust. Zscaler believes that a hardware focused approach to network security cannot protect enterprises in modern environments. Zscaler also believes that SD-WAN is a transitional technology and goes against the Zero Trust ideology.
In Zscaler’s opinion the four key principles of Zero Trust connectivity are:
- Apps are destinations not network resources
- Networks are transport, security is decoupled
- Connect to specific apps, not networks
- Connections are non-routable
If Zscaler’s approach is optimal, the importance of hardware should be expected to decline over time. For example, Zscaler’s ZPA product replaces the entire inbound DMZ and is often purchased for all employees. Over half of Zscaler’s ZPA customers have purchased ZPA services for all employees. Palo Alto Networks (PANW) has witnessed a sharp shift in demand towards software recently. Palo Alto is a leading NGFW vendor, so this may be indicative of a broad reduction in demand for hardware. The true state of hardware demand likely won’t be apparent until COVID backlogs are exhausted though.
Zscaler’s primary competitors are probably Fortinet (FTNT), Netskope, Palo Alto Networks and Cloudflare (NET). Zscaler is a leader in the market, but has been criticized for a lack of innovation.
Zscaler
Zscaler recently dropped in Gartner’s SASE market assessment, but Zscaler does not appear phased by this. The company believes that this assessment does not reflect the opinion of customers and is a result of it having less of a focus on CASB and DLP. CASB restricts data sharing from cloud applications and is an important service, but Zscaler believes it is just a feature and not a stand-alone product.
CASB can be considered a subset of DLP, and while Zscaler has less of a focus on DLP, it believes the simple fact that its platform sits in line means it is already performing DLP. Despite this, Zscaler has been improving the strength of its DLP offering through acquisitions. Zscaler is also leveraging AI to strengthen its DLP products. The company launched a product in October 2022 that leverages AI to classify unstructured documents for policy enforcement. Zscaler is also utilizing policy-based access controls to ensure that customers are using AI applications like ChatGPT safely. If an employee submits sensitive data to ChatGPT like applications, Zscaler’s DLP technology detects and blocks it.
Figure 1: Zscaler Data Protection (source: Zscaler)
Zscaler’s growing product portfolio and the importance of network security are allowing it to capitalize on customer demand for consolidation. The company is leaning into this with Zscaler for users, which bundles ZIA, ZPA and ZDX and is exceeding the company’s expectations.
Figure 2: Zscaler’s Zero Trust Exchange Platform (source: Zscaler)
AI
Zscaler has begun to tout its AI capabilities in recent months, with recent innovations including:
- Data Protection for AI – Zscaler Data DLP prevents potential data leakage when using AI applications
- AITotal – is a risk scoring system for AI applications
- AI Visibility and Access Control – monitors AI application usage and allows organizations to set policies for different user groups. Zscaler also implements cloud-based remote browser isolation to provide an additional layer of security.
Zscaler also has a pipeline of products leveraging generative AI:
- Security Autopilot with breach prediction – utilizes AI to recommend policies and perform impact analysis. Security Autopilot aims to improve the productivity of security operations and improve security posture.
- Zscaler Navigator – provides a natural language interface to interact with Zscaler products.
- Multi-Modal DLP – leverages generative AI and multi-modal capabilities to prevent data loss across file types, including video and audio.
All modern cybersecurity vendors are machine learning companies to some extent, and these types of efforts shouldn’t be viewed as a source of competitive advantage. If Zscaler has any advantage in this area, it is likely to be from scale and access to data, but Zscaler, Fortinet and Cloudflare all have large footprints as well.
Branch Connectivity
Zscaler recently introduced a Branch Connectivity product, which aims to address issues specific to protecting some sites. Branches and sites can have a large amount of diversity and as a result different needs.
Figure 3: Different Types of Branches (source: Zscaler)
SD-WANs typically use site-to-site VPNs over the internet to create virtual private networks. This facilitates connectivity but can create security challenges. SD-WAN appliances must have a public IP address, opening up an attack surface that can be easily discovered. If a breach occurs, it is also easier for an attacker to move laterally through the network. Addressing these risks then requires measures like firewalls, intrusion detection and prevention, malware protection, etc.
Zscaler uses session-based encrypted tunnels to provide secure connections. This requires software on the endpoint though, which is often not possible for devices like servers, printers, and IoT/OT devices. Zscaler has developed the Branch Connector, which manages all traffic forwarding for the branch location, using any router to relay traffic over the internet to the Zero Trust Exchange. The Branch Connector is deployed on-prem as either a virtual machine or an appliance. This is somewhat unusual though as it seems to undermine the company’s position that hardware isn’t important. Despite using an appliance in some cases, this product still uses the same approach to Zero Trust as Zscaler’s other products.
Zero Trust Branch Connectivity delivers three key benefits:
- Reduces the attack surface and removes the threat of lateral movement
- Reducing cost by removing the need to maintain complex routable networks
- Makes it easier to add new branch sites
Figure 4: Problems with Existing Branch Connection Solutions (source: Zscaler)
Financial Analysis
Zscaler’s revenue growth was approximately 46% YoY in the third quarter, decelerating roughly 6% from the previous quarter. ZPA product revenue was approximately 20% of total revenue, growing 66% year-over-year. Revenue growth is expected to be 35-36% YoY in the fourth quarter, although this estimate may be conservative.
Figure 5: Zscaler Revenue Growth (source: Created by author using data from Zscaler)
Zscaler’s new business increased significantly across industry verticals in the third quarter. Customer additions appear to be slowing rapidly though, which points toward a further moderation in growth going forward. This appears to be a result of the macro environment rather than competition though. Zscaler’s net retention rate is still over 125% and the company has a Net Promoter Score in excess of 70. Gross retention rates are also still in the high 90s.
While customer additions are currently low, expansion within the existing customer base may prevent growth from decelerating too much. Only something like 25% of Zscaler’s customers have bought ZIA, ZPA and ZDX, providing significant potential upside from consolidation. Zscaler continues to believe it has a 6x upsell opportunity within its existing customers for protecting their users.
Figure 6: Zscaler Net New Customers (source: Created by author using data from Zscaler)
The number of job openings mentioning Zscaler in the job requirements has been fairly flat in recent months, which also points towards a softer demand environment.
Figure 7: Job Openings Mentioning Zscaler in the Job Requirements (source: Revealera.com)
While gross profit margins are still high, they have moderated somewhat over the past few years. Zscaler has suggested that higher public-cloud usage for emerging products is responsible for this.
Operating profit margins continue to improve rapidly though on the back of optimization efforts. In particular, the burden of sales and marketing and general and administrative expenses has declined significantly over the past year. Job openings at Zscaler remain depressed, which suggests further margin gains going forward, provided that growth remains solid.
Figure 8: Zscaler Profit Margins (source: Created by author using data from Zscaler)
Figure 9: Zscaler Operating Expenses (source: Created by author using data from Zscaler)
Figure 10: Zscaler Job Openings (source: Revealera.com)
Conclusion
Zscaler’s relatively stable growth and rapidly improving margins have allowed ZS stock to capitalize on increased investor risk appetite. The demand environment remains soft though and Zscaler’s valuation is beginning to look stretched. Zscaler’s valuation isn’t as egregious as many companies, so there could still be further upside, but the easy gains have already been made.
Figure 11: Zscaler EV/S Multiple (source: Seeking Alpha)
Read the full article here