Source: Company S-1
Zscaler’s platform is distributed across 100+ data centers globally and each day processes almost 40 billion internet requests, blocks 100M+ threats and performs over 120,000 unique security updates. The company has more than 100 issued and pending patents for their technology. Their customers also see the benefit of Zscaler’s large and growing customer base — once a new threat is detected it can be blocked for users across their entire customer base.
Zscaler is growing fast and at scale — they did $84.8M of revenue in the first 6 months of their fiscal year which ends Jul. 31, up 51% YoY. 98–99% of their revenue is subscription and they are at $176M of implied ARR (annual recurring revenue), also up 51% YoY. Zscaler is losing money but margins are improving — in the most recent quarter they had a $(6.4)M operating loss, a (14)% margin. That is up from a $(9.3)M operating loss and (32)% margin in the prior year. The company has ~950 FTEs and is based in San Jose, CA.
While Zscaler has a wide range of security products; they offer two main cloud services (i) Zscaler Internet Access, or ZIA and (ii) Zscaler Private Access, or ZPA.
Zscaler Internet Access securely connects externally managed applications regardless of device, location or network. It becomes the choke-point for all internet traffic and ensures malware doesn’t come in and internal data doesn’t get out. It does this through a variety of products like access control, threat prevention and data protection. Zscaler’s second main service, Private Access, secures internally managed applications hosted on premise or on private or public clouds. Its functionality falls into 3 main areas which include secure application access, application segmentation, and application protection.
These products span across a wide area of security markets — Zscaler has products in web security, a cloud firewall, advanced threat protection, anti-virus, data loss prevention and cloud application control. Moreover, most of their customers route all their web traffic through Zscaler’s platform.
Source: Company S-1
The company’s subscription pricing is calculated on a per-user basis and contracts are generally 1 to 3 years in length (mostly billed annually in advance); they have a variety of bundles based on customer size and which products customers want. Zscaler has 2,800+ customers in a range of industries, across 185 countries and count 200 of the Global 2000 as customers. The company sells through the channel, which is more common in the security market, and their top 5 channel partners represent ~50% of total revenue. While they do sell through the channel, Zscaler notes they still maintain direct relationships with their end-customers. In fiscal 2017, 54% of their revenue was from customers outside the U.S and no customer contributed more than 10% of total revenue over the past few years. Land-and-expand is a big part of their story and the company had a 122% dollar-based net retention rate as of Jan. 2018. Their average subscription ACV (annual contract value) was ~$51,000 as of Jul. 31 2017.
Given Zscaler’s product suite stretches across a wide range of security markets, they believe their TAM is $17.7B annually based on IDC data. Their products (for outbound internet gateways) span across URL filtering, anti-virus, content filtering, branch firewalls, advanced threat protection, sandboxing and data loss prevention markets. For inbound gateways, products typically include load balancers, DDoS prevention, external firewalls, VPN concentrators and internal firewall appliances. Zscaler also mentions IoT security as a future market opportunity.
While there is almost $20B spent annually on all of the aforementioned security products, the cloud security market, which is more immediately addressable for Zscaler, is much smaller today at <$5B, although it is growing very quickly.
Zscaler’s market is certainly competitive given their breadth of products. They compete with legacy platform vendors like Symantec, Check Point, Fortinet and Palo Alto, networking vendors like Cisco and Juniper, and companies with strong point solutions like FireEye and F5 Networks. Symantec is a fierce competitor — Zscaler has a risk factor describing their legal proceedings with the company. In fiscal 2017, Zscaler had almost $6M in litigation-related expenses, and the Symantec proceedings are likely a big piece of that.
Zscaler has raised $183M to date from investors including TPG, Lightspeed, CapitalG (Google Capital), Dell Technologies Capital, EMC Ventures and Sand Hill East. 5%+ pre-offering VC shareholders include TPG (8.7%). The CEO, Jay Chaudhry, is at a 25.5% pre-offering ownership stake. Zscaler’s last round was at a $943M pre-money valuation ($110M round led by TPG in Aug-2015).
Zscaler is at $176M of ARR and growing 50%+ YoY. While they’re still losing money, margins are improving. They have $71.5M of cash on the balance sheet and raised $183M, implying they spent ~$111M to get to $175M in ARR. Their implied payback periods averaged 24 months over the past 9 quarters, and 20 months in the most recent quarter. Their average customer pays them $51K (up from $38K in July 2016) and expansion is strong with a 122% net dollar retention rate. I would have suspected their average ACV (implied ARR / # of customers) would be higher, but they likely have a long tail of mid-market customers. Outputs of other financials and metrics are below:
Source: Company S-1
Source: Company S-1
Source: Company S-1
Zscaler is growing ARR quickly and is larger than most SaaS companies at IPO (other SaaS IPO ARR ramps here). Over the past year, they added $59.8M of net new ARR. They added $20M last quarter alone.
Source: S-1. Note: Implied ending ARR calculated by multiplying quarterly subscription revenue by four.
We don’t have Zscaler’s customer count for every quarter, but below are the periods for which I could derive their average ACVs. They are up 34% from FY 2016 to FY 2017.
Source: S-1. Note: Calculated by dividing implied ARR / # of customers
Source: Company S-1
Zscaler produces impressive net dollar retention and cohorts. Customers increase their spend over time as evidenced in the chart below.
Source: Company S-1
Zscaler discloses their 2015 cohort of customers’ contribution margin over time. They define contribution margin as “ARR from the customer cohort at the end of a period, less the associated cost of revenue computed using the reported gross margin, and applicable sales and marketing expenses”. As you can see from the chart below, Zscaler’s cohorts produce attractive expansion over time and are profitable in year 2.
Source: Company S-1
Source: Company S-1
Source: Company S-1
Source: Company S-1
Zscaler is likely to trade more like a high-growth SaaS company given they are nearly a 100% cloud-based / subscription business. Many security companies sell appliances so are not pure SaaS models. NTM (next-twelve-months) revenue will be a primary valuation metric along with 2018 and 2019 CY revenue estimates. Investors will drill in on when the company plans to reach profitability. I also looked at ARR multiples of public comparables against Zscaler’s in the second table below. Their last pre-money was ~$940M and I suspect they close trading well above that after the first day’s close.
Note: Enterprise value ranges and growth rates are illustrative.
Zscaler is an impressive business and one of the only cloud-first security platforms in market. While the company’s cloud security TAM is still in the early innings today, the market is rapidly moving in their direction. If they can continue to execute they could be a de-facto option for enterprises wanting to secure applications as they move to the cloud. Public market investors will like the platform story, growth, cohorts/ metrics and cloud-first approach, and will likely dig in on their path to profitability, addressable market in cloud-first security and any risk in their legal proceedings.
Overall, Zscaler is a great story and congrats to the team — I think they will have a very successful IPO and journey as a public company.
To receive these posts by email, click here.