Zscaler is a cloud security company that replaces traditional firewalls and VPNs with a globally distributed "Zero Trust Exchange" — a cloud-native proxy network that inspects all internet traffic, connects users directly to specific applications (never to the corporate network), and sells this as a subscription service to enterprises.
Zscaler's platform — the Zero Trust Exchange — sits between users/devices and the internet/private applications. Every request passes through Zscaler's cloud before reaching its destination. Think of it as a security checkpoint through which all traffic must flow, regardless of where the user is or what application they're accessing.
The platform has four main product areas:
| Product | What It Does | Legacy Equivalent It Replaces |
|---|---|---|
| ZIA (Internet Access) | Secures outbound internet access. Inspects web traffic, blocks threats, prevents data leaks. | Secure web gateways, on-prem proxies |
| ZPA (Private Access) | Connects users to private/internal applications without ever putting them on the corporate network. | VPNs, network access control |
| Zero Trust Branch | Secures branch office connectivity. Each branch becomes an "island" — like connecting from a coffee shop. | Branch firewalls, SD-WAN, MPLS |
| Zero Trust Cloud | Secures workload-to-workload communication within and across clouds. | Virtual firewalls, cloud security groups |
| ZDX (Digital Experience) | Monitors end-to-end user experience and application performance. | Network monitoring tools |
| AI Protect | Discovers shadow AI usage, inspects AI prompts/responses in real time, red-teams AI applications. | Nothing — new category |
| Data Security | Data loss prevention (DLP) across email, endpoints, inline traffic, and SaaS. | Standalone DLP vendors |
| Risk360 | Aggregates security data from hundreds of sources for exposure and risk analytics. | SIEM/SOAR platforms |
Who uses it: ~9,400 customers across 185+ countries, including >40% of the Fortune 500 and >30% of the Forbes Global 2000. Enterprise customers are those with 2,000+ users — ~4,500 of these. Their largest customers span financial services, healthcare, federal government, technology, automotive, and manufacturing.
Revenue model: Subscription SaaS. ~98% of revenue comes from subscriptions and support. Customers pay annually for access to Zscaler's cloud platform. Pricing is per-user, per-year, with tiered bundles based on product modules.
Key financial metrics (Q3 FY2026, ended April 30, 2026):
| Metric | Value | YoY Growth |
|---|---|---|
| Total ARR | $3.53 billion | +25% |
| Organic ARR (excl. Red Canary) | ~$3.40 billion | +21% |
| Revenue (quarter) | $850 million | +25% |
| Non-GAAP Gross Margin | 80.7% | +40 bps |
| Non-GAAP Operating Margin | 23.0% | +140 bps (record) |
| Free Cash Flow Margin (YTD) | 29% | — |
| RPO (remaining performance obligations) | $6.5 billion | +30% |
Revenue geography split (Q3): Americas 56%, EMEA 28%, APJ 16%, Other 3%.
Sales channels: ~85% through channel partners (resellers, system integrators), ~15% direct. Cloud marketplace transactions doubled YoY to ~$900M TCV year-to-date. Zscaler is deepening partnerships with Global System Integrators (GSIs) to reach large enterprises.
Contract structure innovation — Z-Flex: Multi-year committed contracts (average 4-year term) that let customers activate or swap modules without starting a new procurement cycle. Z-Flex generated over $480M in TCV in Q3 alone, >$1B over the last 12 months. This creates long-duration visibility and makes upsells frictionless.
Revenue concentration: No single customer represents >10% of revenue. 748 customers generate >$1M ARR (up 18% YoY). 4,000 customers exceed $100K ARR (up 19% YoY).
Data center infrastructure: Zscaler runs its own points of presence (160+ globally) rather than relying on hyperscalers. They buy servers, storage, networking gear. Rising memory/storage/processor prices (driven by AI data center buildout) are a meaningful cost headwind — CapEx expected to go from mid-single-digits to high-single-digits as % of revenue in FY26, with another 200 bps increase in FY27.
Talent: Cloud security engineers, AI/ML researchers, sales force. Stock-based compensation is significant — $205M in Q3 alone (24% of GAAP revenue). That's how they compete for talent against FAANG companies.
Threat intelligence partnerships: Partnerships with Anthropic (Project Glasswing) and OpenAI (Daybreak/TAC program) give Zscaler access to frontier AI models to harden their systems.
Architecture design: The Zero Trust Exchange is purpose-built as a cloud-native proxy, not a virtualized firewall. This is the core intellectual property — apps are hidden from the internet, and users are connected on a per-session, per-app basis with no network-level access. No other security vendor has this exact architecture at this scale.
Inline inspection at scale: 500+ billion transactions per day flow through Zscaler's cloud. TLS/SSL inspection, threat detection, data loss prevention, and policy enforcement happen inline — in the flow of traffic — not through logs or agents. This "inline position" is technically difficult to replicate.
AI-driven telemetry: The massive data lake from 500B+ daily transactions feeds AI models for threat detection, exposure management, and security operations. No other cybersecurity vendor has comparable fidelity and breadth of telemetry data because none sit inline with such a broad traffic footprint.
Large enterprises (primary target): 2,000+ seat organizations. They buy Zscaler to modernize infrastructure — rip out VPNs, firewalls, and MPLS — while improving security posture. Zscaler counts ~4,500 of the ~20,000 potential enterprise targets, implying ~23% penetration and a large runway.
Federal government: FedRAMP High authorization is a regulatory barrier to entry that most competitors don't have. Federal deals are large and lumpy — an 8-figure federal upsell was called out in Q3.
Mid-market (emerging focus): 2,000–10,000 user organizations. Zscaler has historically under-covered this segment. New sales capacity, VAR channel incentives, and specific new logo programs are being built to address this.
Why they buy: The core value proposition is architectural, not feature-level. Customers choose Zscaler because (a) it hides their attack surface from the internet, (b) it eliminates lateral movement (the vector for ransomware), (c) it consolidates 5–10 point products into one platform, and (d) it reduces cost — often at roughly half the cost of legacy firewall/VPN/MPLS stacks.
What's a "unit"? A subscription seat for a user, plus bolt-on modules. An enterprise deployment typically starts with ZIA (internet access) for all users, then expands to ZPA (private access), then Zero Trust Branch, Zero Trust Cloud, data security, and AI Protect. The expansion path is the unit economics story.
Cost structure:
| Cost Category | Approximate Share | Nature |
|---|---|---|
| Data center & infrastructure | ~19% of revenue (implied from gross margin) | Partly fixed (POPs), partly variable (traffic growth) |
| Sales & marketing | ~40% of GAAP revenue | Heavily variable (S&M headcount); leverage improving |
| R&D | ~25% of GAAP revenue | Fixed-cost investment; SBC-heavy |
| G&A | ~10% of GAAP revenue | Mostly fixed |
| Stock-based compensation | ~24% of GAAP revenue | Non-cash; dilutive to shareholders |
Operating leverage: Gross margins are stable at ~80% (non-GAAP). The real operating leverage story is in sales and marketing — non-GAAP operating margin hit a record 23% in Q3, up 140 bps YoY, driven by S&M efficiency. Rule of 55 (26% revenue growth + 29% FCF margin) year-to-date is an impressive combination for a growth company.
Key economic characteristic: This is a subscription business with negative working capital. Customers pay upfront annually; Zscaler recognizes revenue ratably. Deferred revenue is $2.1B (current). Cash comes in before costs are incurred, creating a self-funding dynamic that's reflected in the 29% YTD free cash flow margin.
Net dollar retention: ~115% (stable last several quarters). For every $100 of ARR from existing customers, Zscaler retained $115 through upsells and module expansion. This is the core growth engine — more important than new logos for sustaining 20%+ revenue growth.
Channel-dependent distribution: 85% of revenue flows through channel partners and GSIs. Zscaler does not control the final customer relationship end-to-end. This creates both opportunity (partners drive reach) and risk (partners can be influenced by competitors with larger portfolios like Palo Alto Networks or Cisco).
CrowdStrike partnership (August 2025): Zscaler and CrowdStrike expanded their strategic partnership, integrating the Zero Trust Exchange with Falcon (endpoint) and Red Canary (MDR/SOC). CrowdStrike is now a "preferred partner" for endpoint in Zscaler's ecosystem. This is a cooperative relationship, not a competitive one — they complement each other across network and endpoint.
Hyperscaler relationships — complicated: Zscaler competes with Microsoft (Entra + Azure security bundling) while also partnering for identity. They compete with Cloudflare on Zero Trust while Cloudflare has a larger global network. They don't run on AWS/Azure/GCP — they built their own infrastructure. This independence is both a strength (no hyperscaler dependency) and a vulnerability (they lack the bundled distribution power that Microsoft has).
Platform risk: Zscaler is building a platform, but it's not an operating system like Windows or iOS. The "exchange" concept is closer to a security utility — indispensible when adopted, but potentially replaceable if a cheaper alternative meets the same needs. The Z-Flex program (locked-in multi-year commitments with flexible module swapping) is a direct response to this risk, increasing switching costs.
Zscaler is actively acquiring to expand its platform:
| Acquisition | Date | Price | What It Added |
|---|---|---|---|
| Red Canary | Aug 2025 | $651M | Agentic-AI managed detection & response (MDR/SOC) |
| SPLXAI | Oct 2025 | $41M | Early-stage AI technology |
| SquareX | Feb 2026 | $113M | Browser security technology |
| Symmetry Systems | Pending (May 2026) | $175M | Identity-to-data-source Access Graph for AI agent security |
This acquisition pace signals a move beyond core Zero Trust access into adjacent security operations, data governance, and AI-specific security products. Total acquisition spend over the last 12 months: ~$980M. All have been technology/talent acquisitions with immaterial standalone revenue — the thesis is integration into the Zero Trust Exchange platform rather than roll-up revenue growth.
Zscaler's moat comes from being the inline security checkpoint for enterprise traffic at massive scale, combined with the operational pain of ripping it out once deployed. This is not a moat based on network effects, patents, or brand — it's a positional + friction moat built on two reinforcing forces:
Inline proxy architecture: Zscaler sits in the data path. All user-to-internet, user-to-private-app, and increasingly workload-to-workload traffic flows through its cloud. No other cybersecurity vendor at comparable scale occupies this position. Competitors that use endpoint agents (CrowdStrike), cloud APIs (Wiz), or passthrough inspection (Palo Alto) don't have the same visibility or control.
Operational switching costs: Once an enterprise has migrated from firewalls/VPNs to Zscaler, reversed engineered their network architecture, rewritten security policies, and deployed agents across tens of thousands of devices, undoing that is a multi-year, multi-million-dollar project. As of Q3 FY2026, 85% of $1M+ ARR customers use 2+ modules and 65% use 3+. Every additional module deepens the switching cost trench.
Traditional security products inspect traffic by: - Endpoint agents (CrowdStrike, SentinelOne): See what happens on the device, not on the wire. Can miss network-level attacks. - API-based scanning (Wiz, Orca): Read configuration state from cloud APIs. See metadata, not actual traffic flows. - Log-based detection (Splunk, legacy SIEM): Inspect after the fact. Reactive, not preventive. - Passthrough/VPN inspection (Palo Alto Prisma Access, Cisco): Inspect traffic but users are still connected to a network segment, enabling lateral movement.
Zscaler's proxy architecture is different: it terminates every connection, inspects the traffic, and creates a new connection to the destination. The user never touches the corporate network. The application is invisible to the internet (no DNS resolution, no IP exposure). This is architecturally harder to build — it requires terminating millions of concurrent TLS connections and re-encrypting — but it's what enables true Zero Trust.
Processing 500 billion transactions per day across 160 data centers generates a telemetry advantage that compounds. AI models trained on this volume of real traffic data improve threat detection, reduce false positives, and provide exposure analytics that competitors with smaller footprints can't match. More traffic → better AI → better security → more customers → more traffic. It's a data flywheel, not a classic network effect, but it's real.
However: This is not an unassailable scale advantage. Hyperscalers (Microsoft, Google) could potentially absorb SSE workloads at near-zero incremental network cost. Cloudflare has a larger global network. The advantage is over smaller pure-play SSE vendors (Netskope, iboss) and firewall vendors trying to pivot (Palo Alto, Cisco), not over the trillion-dollar platforms.
Zscaler holds FedRAMP High authorization, the most stringent level for federal cloud security. This is a meaningful regulatory barrier — it takes years and millions to obtain, and it opens US federal contracts that comprise a material and growing revenue stream. Most competitors (Netskope, Cloudflare for Zero Trust) don't have this. Palo Alto Networks does. Microsoft does. It's a differentiator but not a monopoly.
Zscaler pushed through a price increase on branch appliances earlier in FY2026 with "no implications" — customers absorbed it. The ability to raise prices in a competitive cybersecurity market without meaningful pushback is a positive signal. However, Kevin Rubin (CFO) noted they review pricing "periodically" — this isn't Salesforce-style annual increases; it's opportunistic.
When Zscaler launched (2007–2015), firewall vendors couldn't follow them into the cloud without cannibalizing their appliance business. Palo Alto CEO Nikesh Arora famously admitted in 2017 that they "held back cloud rollout to avoid collapsing firewall revenue." That era is over. By ~2020, every major incumbent had built or acquired a cloud/SASE platform:
The "firewall vendors can't compete" narrative is no longer true. They can, and they are.
Microsoft bundling SSE capabilities with Azure/Entra/Office 365 is the single biggest long-term threat. If a CIO can get "good enough" Zero Trust from Microsoft at no additional cost (bundled with existing E5 licensing), Zscaler's value proposition requires explaining why "better" is worth the incremental cost. This is a slow-moving risk — enterprises don't move fast — but it's the terminal threat for any single-product security company.
The Q3 FY2026 call revealed concerning deceleration signals:
| Metric | Current | Trend |
|---|---|---|
| Total ARR growth | 25% YoY | Declining from higher levels |
| Organic ARR growth (excl. Red Canary) | 21% YoY | Down from ~26% in prior periods |
| Organic net new ARR growth | +14% YoY in Q3 | FY26 guidance implies ~9.5% for Q4 |
| FY27 early look (total ARR/revenue) | 16–17% | Significant deceleration |
| New logo performance | Weak | "Not performing as well as we would like" (CFO) |
| ZIA/ZPA core products | Mid-teens growth | Maturing — growth is coming from newer modules |
The core ZIA/ZPA business is growing mid-teens. The growth engine is shifting to newer, smaller products (Zero Trust Branch, AI Protect, data security). This may mean Zscaler's growth is becoming more dependent on expanding existing customers (upsells) rather than winning new ones — which is fine for retention but limiting for terminal growth.
The new logo problem: Kevin Rubin explicitly noted that new logo acquisition has been weak and he took a "tempered view" of new logo contributions in the FY27 early look. With 4,500 enterprises out of 20,000 potential targets (23% penetration), there's a large addressable market, but Zscaler isn't converting it fast enough. Two sales leaders departed in Q3 — the company is "taking a prudent approach to guidance during this transition" (CFO), suggesting execution risk.
Rising memory, storage, and processor prices — driven by AI data center buildout — are pushing CapEx from mid-single-digits to high-single-digits as % of revenue in FY26, with another 200 bps increase expected in FY27. This compresses free cash flow margins. The FCF margin guide for FY26 was cut from 26.5–27% to 22.8–23.3%. If hardware costs remain elevated, Zscaler's infrastructure-heavy model (owning 160+ data centers) becomes a liability rather than an advantage.
While 85% of large customers use 2+ modules, the trend toward modular adoption (mixing Zscaler with Microsoft Defender for endpoint, Cloudflare for some workloads) could weaken the "rip and replace" level of switching costs over time. Z-Flex is designed to combat this by making it easy to add modules within the Zscaler ecosystem, but it also means customers can theoretically "flex" modules out as alternatives emerge.
Assessment: Narrowing at the edges, with a widening core position.
Widening: AI tailwinds are accelerating the Zero Trust thesis. Frontier AI models finding vulnerabilities at machine speed make "hiding applications from attackers" and "eliminating lateral movement" more valuable than ever. The 700+ Zero Trust Everywhere enterprises (up from 550 in one quarter) suggest deep adoption is accelerating. AI Protect ($100M+ bookings in 12 months from a product launched in January) shows Zscaler can create new categories.
Narrowing: The core ZIA/ZPA business is decelerating to mid-teens growth. New logo acquisition is weak. Competitive intensity from Palo Alto, Microsoft, and Cloudflare is increasing. Hardware costs are compressing margins. Two sales leaders departing creates near-term execution risk.
Bottom line: Zscaler has a real moat — the inline proxy position and switching costs are genuine advantages that will protect the installed base. But it's not an unassailable fortress. The growth deceleration and competitive encroachment suggest the moat is more about defending existing territory than conquering new ground. The question is whether AI tailwinds (Zero Trust for AI agents, AI Protect) can open enough new territory to offset the slowing core.
Signals extracted from the Q3 FY2026 earnings call (May 26, 2026), the 10-Q filed the same day, and supplementary research.
Jay Chaudhry (CEO, Chairman, Founder): Confident and visionary — bordering on evangelical. He spent significant airtime on AI threats (frontier models, AI agents becoming the "weakest link") and positioned Zscaler as "the cybersecurity platform for the AI era." He framed the AI moment as a "firewall-like moment" where Zero Trust has never been more important. His tone suggests he genuinely believes Zscaler is uniquely positioned, not just selling a narrative.
Kevin Rubin (CFO): Guarded and disciplined. The FY27 early look of 16–17% growth is clearly below what analysts expected, and he knew it — the phrase "taking a prudent approach" appeared repeatedly. The subtext: "We want to set a floor, not a ceiling, but the reality is growth is slowing and sales disruption is real."
Combined read: The CEO is selling the vision (AI is a catalyst! This is a firewall moment!) while the CFO is managing the numbers down (growth decelerating, new logos weak, sales leaders left, CapEx going up). The tension is palpable. Vision versus execution — classic growth-company transition moment.
"AI is changing the nature of cybersecurity in real time. And Zscaler is the cybersecurity platform for the AI era." — Jay Chaudhry
"We expect AI and frontier models to be one of the strongest tailwinds our business has ever seen." — Jay Chaudhry
Implication: Chaudhry is going all-in on the AI narrative. This isn't a sideline — it's the core positioning now. The logic: frontier AI models (like Meta's) find vulnerabilities at machine speed, multiplying unremediated vulnerabilities 10x. Enterprises can't patch fast enough. The only defense is to hide the attack surface (Zscaler's ZIA) and eliminate lateral movement (Zscaler's ZPA). If this thesis is right, Zscaler's TAM expands dramatically. If it's wrong, they're left with a decelerating VPN replacement business.
"Today, users are the weakest link in cybersecurity. But soon, AI agents will be the weakest link. Because they operate at far greater speed and have far less oversight. Even a single compromised agent can move from access to data theft in minutes, inflicting catastrophic damage on enterprises." — Jay Chaudhry
Implication: This is Zscaler's forward thesis for why their platform remains relevant. If AI agents proliferate (as seems likely), they need the same Zero Trust controls as users — identity verification, per-session access, traffic inspection. The acquisition of Symmetry Systems (access graph mapping identities to data sources) is directly tied to this thesis. It's early and speculative, but if it pans out, it creates a new category that firewall-based SASE solutions can't address.
"This stands in stark contrast to competitors with firewall-based SASE architecture that connect users to the corporate network. And once a malicious actor gains a foothold on the network, it can roam freely and systematically attempt to compromise critical applications or steal data. This is how most ransomware attacks happen." — Jay Chaudhry
"It is pretty simple. If you care about real cyber protection, you know that you need zero trust architecture. Firewalls create a trusted network. Trusted networks enable lateral movement." — Jay Chaudhry
Implication: The architectural argument is clear, but Chaudhry's framing of competitors as inferior is increasingly challenged in the market. Palo Alto Networks has been winning enterprise SASE RFPs in 2024–2025. The question is whether Chaudhry's architectural purity argument holds as competitors improve their cloud offerings. His tone suggests confidence, but the competitive reality is getting harder.
"Sitting here today, our view is for total ARR and revenue growth for fiscal 2027 of 16% to 17%." — Kevin Rubin
"The area that we have not been performing as well as we would like is new logo. It certainly is a large priority for us, but I did take a tempered view of new logos going into 2027." — Kevin Rubin
"We delivered over $1 billion in Z-Flex TCV over the last 12 months in an average 4-year term, underscoring customers' long-term commitment to Zscaler." — Kevin Rubin
Implication: The FY27 guide of 16–17% represents a sharp deceleration from 25%+ growth. The bear read: core products are maturing, competition is winning new logos, and the company is getting bigger so the law of large numbers is biting. The bull read: the installed base is deeply committed (Z-Flex $1B+ TCV, 115% NRR), growth is shifting to higher-growth adjacent products (Branch, Cloud, AI Protect), and new logo weakness is fixable with sales investment. Rubin signaled both reads at once — acknowledging the deceleration while emphasizing the installed base strength.
"These two leaders were part of our CRO, Mike Rich's team. And it is true that Mike has built a strong bench. He has built a strong sales engine. We just want to improve on it, and as these changes are made, it could have impact in the short term, and that is what we are keeping in mind." — Jay Chaudhry
"It is just a reality when you have leaders that do depart, you may see some disruption, and so I am just taking a prudent approach to that potential disruption." — Kevin Rubin
Implication: The "we just want to improve on it" framing from Chaudhry suggests these were performance-related departures (voluntary or not). The CFO explicitly modeled disruption into guidance. Two simultaneous departures under the CRO in Q3, with one replacement already appointed internally and one "in late stages," suggests either a restructuring or a performance issue in specific theater/product segments. Q4 and FY27 guidance is being deliberately sandbagged around this uncertainty. The risk: if the sales leadership issue runs deeper than these two roles, the new logo problem could persist longer.
"To mitigate costs, we put through a price increase on our branch appliance earlier this calendar year... We are also being opportunistic in taking advantage of delivery of data center equipment where we can get it to lock in today's prices ahead of potential increases in the future. This is pulling forward some of the investments we expected to make in fiscal 27 into Q4." — Kevin Rubin
"Looking ahead to fiscal 27, based on higher prices we see in the market today, we expect CapEx as a percentage of revenue to increase up to 200 basis points compared to fiscal 26 levels." — Kevin Rubin
Implication: The AI data center buildout is creating a classic "picks and shovels" inflation problem that hits Zscaler as an infrastructure operator. They're responding by (a) raising prices on hardware they resell, (b) pulling forward purchases to lock in prices, and (c) warning that FY27 margins will be compressed. FCF margin guide cut from 26.5–27% to 22.8–23.3%. This is the downside of Zscaler's "own the infrastructure" model — they bear the hardware cost inflation directly, whereas a hyperscaler-hosted competitor might be more insulated.
"We exited Q3 with more than 700 Zero Trust Everywhere enterprises, versus over 550 in Q2." — Jay Chaudhry
"Data security, which crossed $500 million ARR, up over 30% year over year." — Jay Chaudhry
"AI Protect solution is resonating with customers, with bookings crossing $100 million over the past 12 months. We are seeing inbound requests from across our customer base, and our pipeline is robust and growing." — Jay Chaudhry
"Non-seat-based metered usage solutions delivered just over 30% of new ACV. And the ARR tied to those offerings grew more than 100% year over year." — Kevin Rubin
Implication: While the core ZIA/ZPA business is maturing, the expansion products are growing rapidly. Zero Trust Everywhere enterprises (full platform adoption) grew from 550 to 700 in a single quarter — that's 27% sequential growth. The non-seat-based (consumption) revenue growing >100% YoY is the most interesting signal for the future model. If AI agents and machine-to-machine interactions drive consumption-based pricing, Zscaler could evolve from a per-seat model to a hybrid model that scales with usage rather than headcount. This is speculative but potentially transformative.
The 10-Q confirms channel partner concentration risk: channel partners account for 85% of revenue. No single end customer >10% of revenue. But the channel dependency means Zscaler doesn't fully control final customer relationships.
SBC totaled $610.3M over the first 9 months of FY2026 — 24.9% of GAAP revenue. This is substantial and continues to be the primary driver of GAAP losses. R&D SBC is the largest and fastest-growing component ($243M vs. $183M YoY) — consistent with the expensive war for AI/security talent.
Total Q1–Q3 FY2026 acquisition consideration: ~$804M for Red Canary ($651M), SPLXAI ($41M), and SquareX ($113M). Plus pending Symmetry Systems at $175M. Total ~$980M in 12 months. All were technology/talent acquisitions with immaterial standalone revenue. Goodwill from these acquisitions: $677M. This is aggressive platform building — the bet is that integrating these technologies into the Zero Trust Exchange will drive organic growth, not that they'll contribute standalone revenue.
$1.725 billion in 0% convertible notes due 2028. Strike price $439.52, cap price $784.85. With the stock trading at ~$185 (transcript noted $184.69), these are deeply out of the money. The upside from capped calls is theoretical at current prices. The $1.7B debt sits on the balance sheet with no interest cost — effectively free financing for the acquisition spree. But if growth decelerates further and the stock stays low, the notes mature at par in July 2028, requiring refinancing or cash repayment.
Deferred revenue: $2.48B total ($2.10B current, $380M noncurrent). RPO: $6.5B, up 30% YoY. The gap between deferred revenue ($2.48B) and RPO ($6.5B) reflects unbilled contracted commitments — primarily Z-Flex multi-year deals. This is a strong leading indicator of future recognized revenue, but it also means Zscaler is increasingly dependent on multi-year commitments that give customers future optionality.
A $4.7M restructuring charge in Q1 FY2026 (severance and benefits) to "streamline operations." Not material, but it signals that Zscaler is managing costs. Combined with the sales leadership departures, it suggests the company is actively reshaping its go-to-market organization.
The 10-Q "Risk Factors" section has not been extracted in detail, but the earnings call highlighted several risks not fully addressed in the Q3 narrative: competitive intensity (Palo Alto, Microsoft, Cloudflare), sales force disruption, and hardware cost inflation. The one risk that does NOT appear prominently in the call but likely lives in the 10-K/10-Q: macro/sales cycle elongation risk — Zscaler's growth depends on enterprise IT spending cycles, and if AI-driven security concerns don't convert to faster budget allocation, the deceleration could be worse than the 16–17% guide.
| Theme | Question Focus | Management Response Signal |
|---|---|---|
| Sales leadership departures | Were they voluntary? How senior? What would guidance have been without them? | Defensive. Chaudhry: "we want to improve." Both emphasized "prudent" approach. Did not clarify voluntary vs. involuntary. |
| New logo weakness | Why tempered? What's the plan to fix it? | Rubin: not "tempering" but taking a "tempered approach to expectations." Chaudhry: 23% enterprise penetration = large runway. Fix: more coverage for 2K–10K seat segment, VAR channel incentives, GSI programs. |
| Growth deceleration | What's behind the FY27 16–17% guide? Core ZIA/ZPA assumptions? | Rubin: early to provide granularity. Three factors: (1) tempered new logo expectations, (2) slower Red Canary uptake, (3) sales leadership transition. Implied organic net new ARR roughly flat YoY in FY27. |
| Competitive differentiators | How does Zscaler stay ahead of firewall vendors? | Chaudhry: architectural difference, not features. "Firewalls create a trusted network. Trusted networks enable lateral movement." Binary framing. |
| AI tailwinds timing | When does the "freak-out" over frontier models hit the pipeline? | Chaudhry: "I have never seen so many inbound calls." But deliberately not rushing — consultative approach. No meaningful Q4 impact; expects impact in FY27. "Firewall-like moment." |
| EMEA slowdown | Why did Europe growth slow? | Chaudhry: "execution areas we need to improve." Confident of turning it around. Did not cite macro/competitive headwinds. |
| New logo fixes | GSI, channel, pricing — what's most incremental? | Chaudhry: specific 4-point plan — (1) add coverage in 2K–10K segment, (2) VAR programs with new logo incentives, (3) GSI partnerships, (4) major account team focus on new logos in addition to upsell. |
Bullish signals: 1. Zero Trust Everywhere enterprises growing fast (700 from 550, +27% QoQ) — deepening platform adoption 2. AI Protect $100M+ bookings in first 12 months — new product category validation 3. Non-seat-based revenue growing >100% — consumption model gaining traction 4. Z-Flex $1B+ TCV at 4-year average term — customers committing long-term 5. AI tailwinds creating "firewall moment" urgency — inbound customer demand 6. Data security crossing $500M ARR, +30% YoY — large adjacent market execution 7. Record $1M+ ACV deals for a Q3 — large deal momentum
Bearish signals: 1. FY27 growth guide of 16–17% — sharp deceleration from 25%+ 2. Organic net new ARR growth falling to ~9.5% in Q4 — near single digits 3. Two sales leaders departed, causing guidance disruption 4. New logo acquisition explicitly called out as weak 5. ZIA/ZPA core products growing mid-teens — maturation 6. CapEx inflation compressing FCF margins by 200+ bps 7. Hardware cost inflation likely structural (AI data center buildout) 8. EMEA execution issues — "we know some of the areas of execution we need to improve"
What to watch: - Next quarter's new logo performance — is this a temporary execution issue or a structural competitive problem? - FY27 actual guidance (full year) in September 2026 — did they sandbag or is 16–17% real? - Sales leadership replacement — who they hire and from where - AI Protect pipeline conversion — does the "firewall moment" narrative convert to revenue in FY27? - Competitive win/loss commentary — are they losing deals to Palo Alto/Netskope/Cloudflare, or is the new logo problem about sales coverage?