Zscaler, the leading cloud security platform, filed for a $100M IPO with Morgan Stanley leading the offering. The company will trade under the ticker “ZS” on the Nasdaq Global Market and is the first SaaS IPO of 2018. Zscaler was founded in 2007 to help companies secure applications and networks in the cloud. As businesses move to the cloud, users, data and applications no longer reside within the traditional corporate perimeter or network, creating large gaps in IT security. Zscaler’s mission is to “empower organizations to realize the full potential of the cloud and mobility by securely connecting users to applications from any device, anywhere”. The surface area vulnerable to attacks within enterprises has increased dramatically, opening the door for more security breaches. Traditional perimeter approaches are fracturing due to trends like workforce mobility, the move to the cloud, and the dramatic increase in volume and sophistication of attacks. Enterprises need to address these risks while still delivering great user experiences and maintaining expensive, legacy security systems. Zscaler wants to fill this void by offering a cloud and mobile-first security platform.
Below is a grid comparing the legacy and modern security approaches from the Zscaler S-1.
Zscaler’s platform is distributed across 100+ data centers globally and each day processes almost 40 billion internet requests, blocks 100M+ threats and performs over 120,000 unique security updates. The company has more than 100 issued and pending patents for their technology. Their customers also see the benefit of Zscaler’s large and growing customer base — once a new threat is detected it can be blocked for users across their entire customer base.
Zscaler is growing fast and at scale — they did $84.8M of revenue in the first 6 months of their fiscal year which ends Jul. 31, up 51% YoY. 98–99% of their revenue is subscription and they are at $176M of implied ARR (annual recurring revenue), also up 51% YoY. Zscaler is losing money but margins are improving — in the most recent quarter they had a $(6.4)M operating loss, a (14)% margin. That is up from a $(9.3)M operating loss and (32)% margin in the prior year. The company has ~950 FTEs and is based in San Jose, CA.
While Zscaler has a wide range of security products; they offer two main cloud services (i) Zscaler Internet Access, or ZIA and (ii) Zscaler Private Access, or ZPA.
Zscaler Internet Access securely connects externally managed applications regardless of device, location or network. It becomes the choke-point for all internet traffic and ensures malware doesn’t come in and internal data doesn’t get out. It does this through a variety of products like access control, threat prevention and data protection. Zscaler’s second main service, Private Access, secures internally managed applications hosted on premise or on private or public clouds. Its functionality falls into 3 main areas which include secure application access, application segmentation, and application protection.
These products span across a wide area of security markets — Zscaler has products in web security, a cloud firewall, advanced threat protection, anti-virus, data loss prevention and cloud application control. Moreover, most of their customers route all their web traffic through Zscaler’s platform.
The company’s subscription pricing is calculated on a per-user basis and contracts are generally 1 to 3 years in length (mostly billed annually in advance); they have a variety of bundles based on customer size and which products customers want. Zscaler has 2,800+ customers in a range of industries, across 185 countries and count 200 of the Global 2000 as customers. The company sells through the channel, which is more common in the security market, and their top 5 channel partners represent ~50% of total revenue. While they do sell through the channel, Zscaler notes they still maintain direct relationships with their end-customers. In fiscal 2017, 54% of their revenue was from customers outside the U.S and no customer contributed more than 10% of total revenue over the past few years. Land-and-expand is a big part of their story and the company had a 122% dollar-based net retention rate as of Jan. 2018. Their average subscription ACV (annual contract value) was ~$51,000 as of Jul. 31 2017.
Given Zscaler’s product suite stretches across a wide range of security markets, they believe their TAM is $17.7B annually based on IDC data. Their products (for outbound internet gateways) span across URL filtering, anti-virus, content filtering, branch firewalls, advanced threat protection, sandboxing and data loss prevention markets. For inbound gateways, products typically include load balancers, DDoS prevention, external firewalls, VPN concentrators and internal firewall appliances. Zscaler also mentions IoT security as a future market opportunity.
While there is almost $20B spent annually on all of the aforementioned security products, the cloud security market, which is more immediately addressable for Zscaler, is much smaller today at <$5B, although it is growing very quickly.
Zscaler’s market is certainly competitive given their breadth of products. They compete with legacy platform vendors like Symantec, Check Point, Fortinet and Palo Alto, networking vendors like Cisco and Juniper, and companies with strong point solutions like FireEye and F5 Networks. Symantec is a fierce competitor — Zscaler has a risk factor describing their legal proceedings with the company. In fiscal 2017, Zscaler had almost $6M in litigation-related expenses, and the Symantec proceedings are likely a big piece of that.
Investors and Ownership
Zscaler has raised $183M to date from investors including TPG, Lightspeed, CapitalG (Google Capital), Dell Technologies Capital, EMC Ventures and Sand Hill East. 5%+ pre-offering VC shareholders include TPG (8.7%). The CEO, Jay Chaudhry, is at a 25.5% pre-offering ownership stake. Zscaler’s last round was at a $943M pre-money valuation ($110M round led by TPG in Aug-2015).
Financials and Metrics
Zscaler is at $176M of ARR and growing 50%+ YoY. While they’re still losing money, margins are improving. They have $71.5M of cash on the balance sheet and raised $183M, implying they spent ~$111M to get to $175M in ARR. Their implied payback periods averaged 24 months over the past 9 quarters, and 20 months in the most recent quarter. Their average customer pays them $51K (up from $38K in July 2016) and expansion is strong with a 122% net dollar retention rate. I would have suspected their average ACV (implied ARR / # of customers) would be higher, but they likely have a long tail of mid-market customers. Outputs of other financials and metrics are below:
Annual Historical P&L (000's)
Calculated Billings ($M)
Quarterly Subscription Revenue ($M)
Implied Ending ARR Over Past 10 Quarters ($M)
Zscaler is growing ARR quickly and is larger than most SaaS companies at IPO (other SaaS IPO ARR ramps here). Over the past year, they added $59.8M of net new ARR. They added $20M last quarter alone.
Average Subscription ACV (annual contract value)
We don’t have Zscaler’s customer count for every quarter, but below are the periods for which I could derive their average ACVs. They are up 34% from FY 2016 to FY 2017.
Operating and Free Cash Flow Margins
ARR Cohorts ($M)
Zscaler produces impressive net dollar retention and cohorts. Customers increase their spend over time as evidenced in the chart below.
Zscaler discloses their 2015 cohort of customers’ contribution margin over time. They define contribution margin as “ARR from the customer cohort at the end of a period, less the associated cost of revenue computed using the reported gross margin, and applicable sales and marketing expenses”. As you can see from the chart below, Zscaler’s cohorts produce attractive expansion over time and are profitable in year 2.
Implied Payback Periods in Months
Annual Cash Flows (000's)
Quarterly P&L / Metrics (000's)
Zscaler is likely to trade more like a high-growth SaaS company given they are nearly a 100% cloud-based / subscription business. Many security companies sell appliances so are not pure SaaS models. NTM (next-twelve-months) revenue will be a primary valuation metric along with 2018 and 2019 CY revenue estimates. Investors will drill in on when the company plans to reach profitability. I also looked at ARR multiples of public comparables against Zscaler’s in the second table below. Their last pre-money was ~$940M and I suspect they close trading well above that after the first day’s close.
Zscaler is an impressive business and one of the only cloud-first security platforms in market. While the company’s cloud security TAM is still in the early innings today, the market is rapidly moving in their direction. If they can continue to execute they could be a de-facto option for enterprises wanting to secure applications as they move to the cloud. Public market investors will like the platform story, growth, cohorts/ metrics and cloud-first approach, and will likely dig in on their path to profitability, addressable market in cloud-first security and any risk in their legal proceedings.
Overall, Zscaler is a great story and congrats to the team — I think they will have a very successful IPO and journey as a public company.
To receive these posts by email, click here.