Zscaler: Navigating The Intersection Of Cybersecurity And AI For Investors (NASDAQ:ZS)
hapabapa
Cybersecurity company Zscaler, Inc. (NASDAQ:ZS) was doing well up until it reported its second quarter fiscal year (“FY”) 2024 earnings on February 29, 2024. Although the company exceeded analysts’ revenue and earnings estimates for the quarter, forward guidance unimpressed the market, and the stock dropped 20.6% in March in reaction to the results. Zscaler has underperformed the S&P 500 Index (SPX) and First Trust NASDAQ Cybersecurity ETF (CIBR) from the start of 2024 to the May 14 market close.
Despite the recent decline in stock price, the long-term prospects for the company remain as bright as ever. The company is one of the leaders of a secular trend in the cybersecurity industry towards merging networking and security functionality — a trend still in its early stages. Additionally, the company should benefit from the cybersecurity industry moving toward consolidation and incorporating artificial intelligence (“AI”) into security solutions. Zscaler has only penetrated 2.6% of its opportunity, estimated at $72 billion.
This article will untangle what Zscaler does in cybersecurity and hopefully make the company more understandable for the average investor. The article will also briefly discuss the company’s use of AI, review its fundamentals from the previous quarter, discuss its valuation and risks, and highlight why I believe the stock is a buy.
What Zscaler does
Suppose you are unfamiliar with the security and networking industry. In that case, it might be challenging to understand what Zscaler does and how it differs from traditional security and networking companies’ services. The simple version is that the founders of Zscaler purpose-built it in the cloud to solve cybersecurity issues in the cloud. The company’s 2023 10-K states:
We were incorporated in 2007, during the early stages of cloud adoption and mobility, based on a vision that the internet would become the new corporate network, as the cloud becomes the new data center. We predicted that with rapid cloud adoption and increasing workforce mobility, traditional perimeter security approaches would prove to be inadequate in protecting users and data and result in poor user experience. We pioneered a cloud platform, the Zscaler Zero Trust Exchange platform, which represents a fundamental shift in the architectural design and approach to networking and security. Enterprise applications are rapidly moving to the cloud to achieve greater IT agility, a faster pace of innovation and lower costs…We believe these trends are indicative of the broader digital transformation agenda, as businesses increasingly succeed or fail based on their IT outcomes. We believe that securing the [on-prem and branch] corporate network is becoming increasingly irrelevant in a cloud and mobile-first world where organizations depend on the internet, a network they do not control and cannot secure, to access critical applications that power their businesses.
Organizations increasingly adopting cloud computing have radically changed the approach of traditional firewall companies like Palo Alto Networks, Inc. (PANW) and Fortinet, Inc. (FTNT) towards expanding their offerings to provide users security when operating outside the firewall. In 2019, Gartner analysts invented the acronym SASE (Secure Access Service Edge) to describe companies that combine a networking technology called SD-WAN (WAN Edge) with cloud-based security services that Gartner analysts named Security Service Edge (“SSE”). SD-WAN technology uses software to manage traffic flow across local networks over long distances. SD-WAN software can connect on-premises servers, branch offices, public cloud applications and services, and more. The following image from Zscaler depicts SASE.
Zscaler
Many traditional players in security and firewalls are producing SASE products, which is the new buzzword in security. Zscaler Chief Executive Officer (“CEO”) Jay Chaudhry does not believe in the SASE products that many companies are putting on the market. During the Morgan Stanley Technology, Media & Telecom Conference, CEO Chaudhry said:
So, while the market throws acronyms like SASE out there, more investors talk about SASE than customers do, by the way, okay? Because it’s just the vendor stuff gets to investors, there’s more dialog with some of the terms between investors and vendors than actually with customers. Customers want to solve the cyber [security] issue and ransomware issue. If you can solve that and that’s where Zero Trust comes in, and you can save money at the same time. You get the deal done. Great cyber [security], no cost savings makes it hard [to get a deal done]. Great cyber [security], good cost savings make it easy. Since we [Zscaler] eliminated a number of point products, it becomes easier [to get a deal done]. I mean, look at the various products. Will firewall companies place firewalls to save money and sell SASE, not really. They want to add more stuff on top of that while trying to preserve what they have. What does EDR [Endpoint Detection and Response] replace? Symantec, McAfee, do they save money? Not really. Do you save money by buying identity? Active directory is free. When we go in, essentially most of the [unintelligible] goes away. We are able to save. So that’s the combination of best cyber with Zero Trust and saving money is what helps us.
The point CEO Chaudhry tries to convey in the comment above is that traditional security and firewall providers mainly sell SASE on top of their old business models of selling security software and firewalls, which only adds to costs without providing much additional benefit. His primary criticism of security companies offering SASE solutions is that some use the acronym to add on additional products that the customer may not need instead of consolidating solutions to reduce costs for the customer. One of Zscaler’s prime selling points is that it can provide solid security while lowering costs for the customer. During the Morgan Stanley Conference, Chaudhry also said:
Unfortunately, the word platform has been hijacked just like the word Zero Trust has been hijacked. Platform is supposed to be a common set of services on which you build application A, B and C. It’s not supposed to be a collection of acquisitions and label them under a bundle, okay? That platform is really nothing, but ELAs [Enterprise License Agreements] labeled as platform, which is becoming shelfware. If you ask me one of the feedback I’m getting from CIOs [Chief Information Officers] is, we [are] tired of ELAs because they essentially become shelfware, a lot of stuff that’s not very good, we don’t end up implementing it. Our philosophy has been a platform almost like to give you a good model. ServiceNow has built a good platform that works well together. How many vendors have tried to do a bunch of acquisitions they never came together. It’s supposed to be a platform. So, market wants best-of-breed platforms bringing security, they’ll probably bring it down to a handful of them.So, you’re bringing down 30, 40, 50 products down to a small set of vendors that work with each other.
I think the Zscaler CEO is saying in the above commentary that some companies are selling software and cloud services that the customer never uses, and eventually, security companies that sell useless cybersecurity software or cloud services will ultimately disappear, and in the end, only a small set of platforms that work well together will remain. He also implies that Zscaler will be one of those platforms left standing. The following image from Zscaler shows the hybrid legacy network connecting an on-prem data center to various SD-WAN networks and the cloud using Virtual Private Networks (“VPNs”). Firewalls exist between each connection between data centers, campuses, branches, sales offices, and the cloud.
Zscaler website
The issue that Zscaler has with the above network is that once an intruder can get over a firewall, an intruder has access to everything on that local network. For instance, if malware can get over the campus/factory firewall, it will have access to all the computers, printers, cameras, and apps on the local network.
Zscaler website
The following image shows Zscaler’s Zero Trust Exchange Platform, which operates like a switchboard that only allows a user, workload, or IoT device access to a specific resource in a cloud or data center. The blue Secure communications in the middle of the picture is that secure switchboard between users, workloads, Internet of Things (“IoT”) devices, customers, suppliers, and specific computing resources that a Systems Administrator or Network Administrator predesignates beforehand. In Zscaler’s system, no one theoretically can access the entire network.
Zscaler Second Quarter FY 2024 Earnings Presentation.
Zscaler claims at the bottom of the image that its platform eliminates the need for multiple security functionality or products that older cybersecurity companies like Symantec, Palo Alto Networks, and Fortinet, newer cybersecurity companies like CrowdStrike Holdings, Inc. (CRWD) and CDN (content delivery network) like Cloudflare, Inc. (NET) include with their SASE solutions. These products include firewalls, antivirus software, DDoS protection, load balancers, VPNs, endpoint monitoring tools, SD-WAN, and CASB (Cloud Access Security Broker), to name a few. Some of Zscaler’s competitors sell firewalls and other security software as their main products, and only cross-sell SASE and Zero Trust services to their customers.
Zero Trust will continually pop up if you listen to enough Zscaler earnings calls and analyst or investor conferences. The company describes Zero Trust on its website as “a model [that] puts aside the traditional ‘network perimeter’-inside of which all devices and users are trusted and given broad permissions-in favor of least-privileged access controls, granular microsegmentation, and multifactor authentication.” In short, Zero Trust network architecture trusts no one and requires users to identify themselves in several ways before allowing access to a computing resource. It also strictly limits users to the computing resources they need to fulfill a task. No roaming around a computer network is allowed.
If you believe Zscaler’s management, its cloud-based Zero Trust Exchange Platform provides clients the same or better security at a lower cost by eliminating the need to pay for services included as core functions or add-ons in some of its competitor’s solutions. CEO Chaudhry might be right in his assessments of competitors’ SASE and Zero Trust products if organizations continue relying less on on-prem data centers and more on cloud computing.
In my opinion, Chaudhry’s criticisms may only be partially valid. A person who listens to the earnings call of any cybersecurity company should understand that the management of these companies is speaking to investors and using the forum to market to potential customers. Denigrating competing companies’ approaches sometimes occurs. I am unsure if the use cases for traditional networking will entirely disappear any time soon. Suppose a company still has a significant portion of its computing assets on-prem. In that case, a firewall may still be necessary, especially if a company intends to maintain a private data center in addition to using the cloud. Even in a cloud and mobile-only world, there may also be legitimate use cases for tools like EDR (Endpoint Detection and Response), which is a service for detecting known and unknown threats on endpoints like mobile phones, personal computers, and IoT devices. However, as companies move more of their computing into the cloud, Chaudhry’s commentary may increasingly have more merit. If you believe cloud computing adoption is a strong secular trend, potential investors should strongly consider Zscaler for their buy list.
How Zscaler helps companies use AI
Zscaler is like a telephone switchboard, with 300 billion daily transactions flowing across that switchboard in June 2023. That number rose to 400 billion by March 2024 and is rapidly expanding. The company plans to scale the platform for ten times that number of daily transactions, from which it collects data about network traffic patterns, user activity, potential threats, and security incidents. Zscaler can use that data to improve the platform’s reliability at scale, increase real-time threat detection and response capabilities, and improve its infrastructure for users to train, operate, and manage large language models (“LLMs”).
Zenith Live 2023 Innovations Briefing
At the Zenith Live 2023 briefing, Chief Technology Officer Syam Nair said that one of the main areas where Zscaler can help customers with AI is preventing data leaks and data loss. Later, Chief Innovation Officer Patrick Foxhoven elaborated that fear of data loss, problems with Intellectual Property, and fake content could scare companies off from fully utilizing AI.
Zenith Live 2023 Innovations Briefing
Foxhoven discussed how Zscaler plans to help organizations overcome those risks. He said during the briefing:
We want to enable organizations to embrace this [AI] but in a safe way without putting themselves at risk. We see a lot of room to innovate and that could be enhancing what we do already, our existing offerings as well as bringing out new products to market. We also see there is a groundswell to do radical transformation. Just like you have seen chatbots for many, many years but obviously now with ChatGPT and large language model technology, it’s going to make revolutionary changes. We think we can do the same in our domain, particularly in a couple of areas. In the areas of security efficacy and operational insight.
Zenith Live 2023 Innovations Briefing.
The above information from the Zenith Live Innovations Briefing occurred almost a year ago, on June 15, 2023. Since the Zenith Live briefing, Zscaler has taken concrete steps toward its AI goals. On May 14, 2024, the company issued a press release announcing the launch of its first product directed explicitly towards assisting organizations utilizing AI, Zscaler AI Data Protection Platform, which contains features like real-time email data loss protection and generative AI app security. The company also posted a blog about the product and posted a link to sign up for several launch events, which take place in several different countries.
A brief review of the company’s fundamentals
Zscaler Second Quarter FY 2024 Earnings Call Presentation.
The good news is that Zscaler beat its guidance in the second quarter. The revenue and non-GAAP earnings-per-share (“EPS”) also exceeded analysts’ estimates. The company also recorded a solid dollar-based net retention rate (“DBNRR”) of 117%. Zscaler’s DBNRR shows how much of its annual recurring revenue (“ARR”) from existing customers has increased or decreased after churn, upgrades, and downgrades. This metric indicates that the company has retained its customers and succeeded in selling them additional services.
The following charts show customers with an ARR over $100,000 and +$1 million continuing to grow at a decent clip. Customers over $1 million rose 31%, and customers over $100,000 grew 21% in the second quarter. These numbers are significant because large customers are more stable than smaller customers and less likely to churn-a great attribute in an uncertain economy. Additionally, large customers have more money to buy additional services and raise the DBNRR.
Zscaler Second Quarter FY 2024 Earnings Call Presentation.
Customers with over $10 million are also starting to become relevant for Zscaler. CEO Jay Chaudhry said on the Zscaler second-quarter earnings call:
We now have a double-digit number of customers spending more than $10 million with us annually. With our expanded platform and these go-to-market initiatives, I believe we will see more and more of our large enterprise customers reach $10 million ARR levels over time.
Investors also liked to see the company showing the potential to become a cash flow machine. Zscaler’s cash flow from operations to sales has grown substantially since 2020 to reach 34.15%, which means that for every $1 in sales, the company converts $0.34 into cash flow from operations. The company also generated trailing 12-month (“TTM”) free cash flow (“FCF”) of $500.60 million, an FCF margin of around 26%.
Zscaler’s balance sheet is in excellent shape, with $2.46 billion in cash and short-term investments against $1.141 billion in convertible debt. Its quick ratio is 1.98, meaning it has enough liquid resources to pay down its short-term debt.
One issue the investors didn’t like about Zscaler’s second quarter FY 2024 report was that revenue growth continued its sharp downtrend from over 60% year-over-year in the middle of 2022 to 35.45%. Additionally, management’s guidance for the third quarter of FY 2024 implies a growth rate of 28%, and if the company hits its full-year guidance, it will only achieve 24% growth in the fourth quarter. Investors likely felt the company’s continued revenue growth rate decline did not justify its valuation before earnings, so they sold off the stock.
The company’s lack of GAAP profitability likely exacerbated investor’s adverse reaction to the declining revenue growth rate. Although its GAAP profitability has made significant progress over the last year and beat analysts’ GAAP earnings-per-share (“EPS) estimates by $0.08, investors may hold the fact that the company is unprofitable in a market with considerable competition against it, especially whenever the stock has a perception of overvaluation.
One reason Zscaler has struggled to achieve profitability is that it has the highest stock-based compensation (“SBC”) among several cybersecurity peers. The following table compares Zscaler’s SBC as a percentage of revenue to several popular cybersecurity companies.
| Company | SBC as a % of revenue | Trailing 12-month net income |
| Zscaler | 26.75% | -138.67 |
| CrowdStrike | 20.85% | 89.33 million |
| Palo Alto Networks | 13.77% | $2277 million |
| Fortinet | 4.60% | $1199 million |
At the beginning of 2022, Zscaler’s SBC as a percentage of revenue was several points above 35%. In an inflationary, rising interest rate environment, a high SBC can hurt a company’s stock price, and it is an expense that can reduce GAAP net income. Some investors may not like the combination of a relatively high SBC and the company producing a net loss.
Zscaler is supposed to release its third-quarter FY 2024 earnings report on May 30. Investors will likely closely examine this report for any revenue growth or profitability improvement.
Risks
When Palo Alto Networks reported its second quarter FY 2024 earnings on February 20, Palo Alto CEO Nikesh Arora talked about how some security vendors have resorted to “uneconomic pricing” to gain customers on the earnings call. To combat the fierce competition taking place in the cybersecurity industry, Arora later said on the earnings call (emphasis added):
We believe we can build customer confidence in our platforms by approaching them well before their point product contracts expire. After we gain their contractual commitment, we have offered an extended rollout period where we can demonstrate our ability to deliver these platform benefits. Customers can then start paying us after the obligation of legacy vendors ends.
Some might interpret Palo Alto’s free incentive program as part of a price war in the cybersecurity industry. When investors see Zscaler’s revenue growth decline, they may put two and two together and assume competition negatively impacts results, and the sentiment surrounding the company turns sour.
The company also has much more competition than it might acknowledge in earnings calls. Gartner, Inc. (IT) has placed Zscaler in the SSE market, and until around 2020, it was the only company that Gartner rated as a leader in SSE. That is no longer the case. In the 2024 Magic Quadrant™ for SSE, Gartner rates Palo Alto Networks and a company named Netskope ahead of Zscaler in the leadership quadrant. So, although you may see Zscaler sometimes disparage Palo Alto’s strategy of still selling hardware firewalls alongside SASE products, an independent third party, Gartner rates Palo Alto Networks ahead of Zscaler in “its ability to execute and completeness of vision.” Additionally, although investors rarely mention Netskope because it is a private company, Gartner ranks it over Palo Alto and Zscaler.
Another issue that popped up recently is that news broke that a hacker named IntelBroker may have breached Zscaler. Some news outlets say there is uncertainty around Zscaler, while others praise its response to the alleged breach. Even if the alleged infringement was minor, the market often doesn’t treat security companies kindly that have uncertainty about a breach in the air, at least in the short term. If further news appears that the alleged infringement was worse than the company has let on initially, the stock may drop in the future.
Valuation
Because Zscaler is currently an unprofitable business, one of the best ways to value it is through its price-to-sales (P/S) ratio. The following charts show that although Zscaler’s quarterly revenue growth rate is the fastest among its peer cybersecurity companies, it has the second-lowest P/S ratio. The company’s current unprofitability might explain some of that difference compared to most other companies on the chart being profitable, except Cloudflare, which produced a similar net income loss in its latest quarter. If you value Zscaler at a similar P/S ratio as Cloudflare’s 17.70, its stock price would be $228.50, which is 26% above Zscaler’s May 15 closing stock price of $181.13.
The company’s P/S ratio also trades below its five-year median of 22.99. Suppose Zscaler traded at its five-year median; the stock price would be $296.80, which is 64% above its May 15 closing price.
Zscaler’s price-to-FCF is 51.95, which, as you can see on the chart below, is near the lowest it has traded at over the last year, signaling the stock’s potential undervaluation.
A second way to consider it is in comparison to CrowdStrike, which currently has a higher price-to-FCF. Although Zscaler has a slightly higher revenue growth rate, investors are likely dinging it for its lack of profitability. Until Zscaler becomes profitable, it may continue to lag CrowdStrike’s valuation on a price-to-FCF basis in a higher interest rate environment.
Let’s look at what the current price implies regarding Zscaler’s FCF growth over the next ten years using a reverse discounted cash flow (“DCF”) analysis.
Reverse DCF
|
The second quarter of FY 2024 reported Free Cash Flow TTM (Trailing 12 months in millions) |
$501 |
| Terminal growth rate | 3% |
| Discount Rate | 10% |
| Years 1-10 growth rate | 20.6% |
| Stock Price (May 15, 2024, closing price) | $181.13 |
| Terminal FCF value | $3.359 billion |
| Discounted Terminal Value | $18.498 billion |
| FCF margin | 26.40% |
Three analysts expect Zscaler’s non-GAAP EPS to grow at a compound annual growth rate (“CAGR”) of 31.17% over the next three years, and one analyst expects the company to increase its non-GAAP EPS at a 30.40% CAGR over the next ten years. The following tables show analysts’ non-GAAP EPS and FCF projections for FY 2024 and FY 2025.
| Company name | Analysts expected FY 2024 EPS growth rate | Analysts expected FY 2025 EPS growth rate |
| Zscaler | 54.30% | 16.62% |
| Company name | Expected FY 2024 FCF growth rate | Expected FY 2025 FCF growth rate |
| Zscaler | 47% | 31% |
Although EPS growth rates don’t directly translate to FCF growth rates, I believe that if Zscaler can grow its non-GAAP EPS by 30% over the next ten years, it should be able to grow its FCF by at least 20% over the next ten years, justifying the May 15 closing stock price. If I conservatively estimate that Zscaler can grow it can grow its FCF at 23% over the next ten years, my fair value price for the stock would be $215.35, which is around 19% above the May 15 closing stock price.
Considering buying if the stock retreats
Zscaler is a high-quality company suited for organizations that plan to do most of their computing in the public cloud. Although Zscaler is technically a competitor with companies like Palo Alto Networks and Fortinet, those companies are more suited for organizations that want to continue running large private data centers in a hybrid cloud environment. There is room for both Zscaler and traditional firewall companies to grow and succeed.
If you are a growth investor looking for a stock that should benefit from growing AI adoption that isn’t wildly overpriced based on speculation over generative AI, do your due diligence and consider buying it. I rate Zscaler as a buy.
