Investment Thesis
Zscaler (NASDAQ:ZS) is one of the most rapidly developing companies in the cybersecurity market. Due to a low penetration of cloud security services in the corporate environment at the moment, the SSE market will put up an average annual growth of 36% until 2025, compared with the average of 9.5% for the broader cybersecurity market.
During the period of an extensive QE program and low rates, investors assessed ZS’s performance over the long term, and confidence in infinite growth was unwavering. However, as the economy slows, the market has moved to assessing the potential of high-growth-but-no-profit stocks over a shorter timeline, while the rate of return required by investors has climbed. As a result, Zscaler’s share price has decreased significantly from its peak. We recommend that long-term investors buy Zscaler’s shares.
Zscaler’s business
Zscaler is one of the largest providers of cloud security in the US. The company took a leading position in Gartner’s Magic Quadrant for Security Service Edge for the 11th straight year in 2021.
According to the definition by Softprom, SASE is a new networking and cloud security model that has been recommended by Gartner and converges various network access and security capabilities, including CASB, SWG, DLP, ZTNA and others into an integrated platform to provide connectivity and security for users regardless of their location and devices they utilize.
The company was founded by Jay Chaudhry, an Indian-American serial entrepreneur and investor who was convinced that the Internet would be the new corporate network as the trend for digitalization accelerated. And his bet worked. An exponential growth of the cloud computing market called into question the existing model of data protection, specifically, the perimeter security concept. The growth of cybercrimes showed that the outdated concept should be superseded by a new model, a concept by the name of zero trust. In simple words, zero trust means protection of every data storage node and verification of any access request even if the request comes from a user that was previously allowed to enter the network perimeter.
The company is rapidly growing and developing overseas markets. However, because demand for cloud security services is mostly concentrated inside the US, revenue is skewed in favor of the Americas.
Let’s first look into the concept of zero trust and how the company perceives it.
According to the definition by Kaspersky, companies and governments used the perimeter security approach when protecting data and infrastructure. That approach implies a thorough verification of anything that tries to connect to the resources of companies or government agencies from the outside. Having gained trust once (and getting through the barrier) the users of a device or an app get a certain range of rights and freedom to act. For example, a simple login and password to an account is a perimeter security technology as it requires no further validation inside the network.
The zero trust approach means denial of trust to any connection, no matter if it comes from outside or inside the network. The approach also implies an isolation of all network infrastructure elements from each other to reduce the attack surface.
There’s no clear-cut definition of the zero trust concept. For example, the requirement for multi-factor authentication for gaining access and rights at certain nodes of the system is a practice of the zero trust concept.
The company sees the new concept being implemented by moving a company’s physical network into the cloud, which removes the need to constantly protect the network’s perimeter.
Why does the castle-and-moat model of network architecture (the perimeter security model) have some considerable deficiencies? First of all, it’s important to understand that any device, corporate or personal, that’s connected to the Internet is an alluring attack surface for various malware. Upon gaining access to the internal infrastructure of a device that’s already inside the castle, or network, malware mimics an internal user and looks for the most valuable and vulnerable nodes, stealing data or bringing to a halt an entire production unit.
The cloud product from Zscaler that’s based on the zero trust concept removes the notion of the perimeter by:
- Eliminating the visibility of nodes for malware;
- Connecting users of services directly to the services, without going through a special center;
- Inspecting any uploaded or downloaded content.
It’s worth noting that Zscaler isn’t in competition with Okta and CrowdStrike, as they focus on different markets. It’s the other way round: Zscaler has integrated the solutions by Okta and CrowdStrike in its cloud system. For example, Okta provides user identity solutions, and the first step for gaining access is to pass an authentication as a user. The second step is an integrated product from CrowdStrike, which identifies the device that seeks access. Ultimately, as has been said earlier, after going through a series of additional verifications, the device is connected directly to the apps through the cloud, without intermediaries.
The company is offering 3 main security options:
- Zscaler to secure users. There are 3 products that are available as part of this option: ZIA (Internet Access), ZPA (Private Access), ZDX (Digital Experience)
- Zscaler to secure workloads (Posture Control)
- Zscaler to secure IoT devices. There are also 3 products that are available as part of this option: ZIA (Internet Access), ZPA (Private Access), ZDX (Digital Experience)
ZIA (Internet Access)
The hub-and-spoke network pattern was up-to-date when company employees regularly came to the office and gained access to certain data and apps inside the network perimeter. As demand for remote control and management increased, the castle-and-moat model grew ever more vulnerable to external attacks.
As network complexity increased and corporate solutions (SAP, Microsoft and so on) grew more integrated, companies invested ever more in data protection by installing separate security modules from various providers (firewalls, antiviruses, sandboxes).
However, this model of data protection is extremely cost-intensive and considerably reduces traffic inside the network. Companies have also encountered more extensive risks as various corporate products (SAP, Microsoft and so on) migrated to the cloud and demand for remote work increased. That means the perimeter has simply vanished. How can it be protected?
One solution that has been proposed is ZIA. Engagement with SaaS and IaaS platforms is done through the cloud, where various security modules are integrated in one product (while earlier they were available only separately). Comprehensive traffic protection now follows the user, and the user doesn’t have to adapt to network conditions.
ZPA (Private Access)
The ZPA product, unlike the first product, aims to provide secure access to the internal resources and data of a company. ZPA is often compared with VPN, which companies require to connect to internal apps (it hides the user’s online identity). But with the ZPA a user gets access to apps without having to access the network, unlike VPN, which first connects the user to the network and then to the app. Let’s take a closer look at the process.
The process of using ZPA is represented below, so let’s take an in-depth look at each of the phases. Whenever a user (an employee, a vendor, a partner and so on) tries to gain access to internal apps of a company, ZPA comes into play:
- The user is authenticated by means of SAML (Security Assertion Markup Language), which involves a transfer of data between an authorized identity provider (an IdP such as Okta) and cloud or web-based apps.
- The device is then verified by the pre-installed app Zscaler Client Connector.
- The Zscaler app reroutes the user’s traffic to the nearest ZPA service, which acts as an intermediary and checks the user’s security and access policies.
- The ZPA Service Edge then determines the app requested by the user and establishes a secure connection with the ZPA App Connector, a light-weight virtual machine that sits in the same environment as servers and apps.
- Two tunnels that carry data traffic, one extended from the Zscaler Client Connector on the device and the other from the Zscaler App Connector, are connected together with the help of ZPA Service Edge.
- As soon as the connection is established between the user’s device and the app, the App Connector automatically inspects traffic in real time to detect and stop potential threats that could arise from users or devices that may have been compromised.
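The access decision in the steps above can be modelled as a default-deny broker that grants a connection to one named app rather than to a network. The following Python model is an added example, not Zscaler’s code: the policy table, hostnames, field names and functions are all hypothetical, and it covers the identity, device, policy and connection steps only.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed sample policy: (user group, app) pairs that are allowed.
# Anything not listed is denied by default.
POLICY = {("finance", "erp.internal.example"),
          ("engineering", "git.internal.example")}

# Apps whose connector holds an outbound tunnel to the broker (constructed).
CONNECTORS = {"erp.internal.example", "git.internal.example",
              "hr.internal.example"}

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    assertion_valid: bool  # outcome of the SAML step at the identity provider
    device_healthy: bool   # outcome of the device check by the client app
    app: str

def broker(req: Request) -> tuple[bool, str]:
    """Evaluate one request in the order the steps above describe."""
    if not req.assertion_valid:
        return False, "identity not verified"
    if not req.device_healthy:
        return False, "device check failed"
    if (req.group, req.app) not in POLICY:
        # Same answer for "not entitled" and "no such app": the caller
        # learns nothing about which apps exist.
        return False, "no policy for this application"
    if req.app not in CONNECTORS:
        return False, "no connector available"
    return True, f"tunnels joined: {req.user} <-> {req.app}"

def reachable_apps(req: Request) -> set[str]:
    """Apps this user and device can be connected to. Under a VPN the
    comparable set would be every host on the joined network."""
    return {app for app in CONNECTORS if broker(replace(req, app=app))[0]}

if __name__ == "__main__":
    alice = Request("alice", "finance", True, True, "erp.internal.example")
    print(broker(alice))
    print(reachable_apps(alice))
    print(reachable_apps(replace(alice, device_healthy=False)))
```
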
ZDX (Digital Experience)
Zscaler Digital Experience is a solution for digital experience monitoring that’s provided as software as a service. ZDX troubleshoots and resolves end user experience issues regardless of the user’s location. In addition, it provides continuous monitoring of network groups and apps for the service desk to get insight into the performance of endpoint devices, the network and the apps. Said otherwise, it’s a security guard that keeps watch over the nodes, traffic and the system.
Posture Control
Posture Control is a cloud native application protection platform (CNAPP) that takes a new approach to cloud native application security with a 100% agentless solution, which uses machine learning to correlate hidden risks caused by misconfigurations, threats, and vulnerabilities across the entire cloud stack.
Given the quality of its services, Zscaler has led the SSE market for 11 straight years, according to Gartner.
Why Zscaler?
As we have mentioned before, the company doesn’t have strong direct rivals, whose products would be fully focused on the SSE market. Moreover, the company boosts the appeal of its products by establishing partnerships with the leaders of related markets where it lacks expertise. Said otherwise, its lead is reinforced by other leaders.
Let’s thumb through the list of publicly traded companies that are exposed to the SASE/SSE market: Zscaler, Palo Alto Networks, Cisco and so on and compare the products they offer. According to research by EMA, Zscaler has the fullest range of integrated solutions, which sets the company apart from the competition.
The SASE market, according to Gartner, will show an average annual growth of 36% until 2025 and will reach $14.7 bln. It’s worth noting that the average annual growth of the global cybersecurity market until 2026 will be a smaller 9.5%, and the market will reach the value of $345 bln, according to Statista.
Research by consultant McKinsey projects the growth will happen at a more impressive pace. According to the estimate, the cybersecurity market could potentially jump tenfold and reach ~$2 trillion if various solutions are adopted more broadly. For example, an average of just 3% of companies now apply cloud technology to protect data. Market segments where current penetration or utilization is the least will put up the most substantial growth due to the low-base effect. That’s, for example, where Zscaler operates.
The company pegs its potential addressable market at $72 bln in the long term, which is in line with the median value of McKinsey’s estimate range.
From the perspective of user count, the company estimates its potential addressable market at 20 thousand organizations, with a focus on medium and small-sized businesses. We are also confident that Zscaler will be able to grab almost all the addressable market over the long term (our forecast period runs to 2035) by offering a more efficient and comprehensive solution to the user, compared with other vendors.
We are basing our forecasts on ZS’s long-term goals for expanding the user count in the segment of major enterprises (with a revenue in excess of $1000k a year), and in the segment of medium and small-sized companies (with a revenue above $100k, but below $1000k a year). We anticipate that the total number of customers will reach 3158 companies (+31% y/y) in 2023, and 3949 companies (+25% y/y) in 2024.
Financial results outlook
Despite the challenging macroeconomic conditions worldwide, the company continues to incrementally increase its average revenue per user as it’s redoubling efforts to integrate users into its ecosystem. We expect the trend to continue. That way, the average revenue per user could total $142 thousand (+10% y/y) in 2023, and $147 thousand (+4% y/y) in 2024.
Revenue
As the industry leader, Zscaler is set to show a revenue growth of 49% y/y to $1628 mln in 2023, and the metric is estimated to reach $2147 mln (+31% y/y) in 2024. It’s worth noting that revenue will grow due to a strong expansion of the customer base as cloud security will spread ever more broadly across the corporate environment.
COGS
The company shows a high gross margin due to the following:
- Every subsystem has been optimized to ensure high throughput capacity, which reduces the number of required servers;
- The company has achieved high automation levels, which means it needs fewer employees to maintain processes.
We expect the company will be able to support the high gross margin levels of 81% of revenue over the forecast period.
EBITDA
For Zscaler, as for any other rapidly growing technology company, the most cost-intensive area is marketing (49% of revenue currently). We anticipate that over the long term, as the business matures, the marketing-spend-to-revenue ratio will decline to 10%, which will be the average for the technology industry.
Therefore, we are forecasting that ZS’s EBITDA will total $274 mln (+80% y/y) in 2023, and $450 mln (+64% y/y) in 2024.
Net Income
A steady decline of marketing spend will mean the company will generate a higher net income and free cash flow.
Therefore, we are forecasting that ZS’s net income will total $215 mln (+113% y/y) in 2023, and $362 mln (+68% y/y) in 2024.
ZS’s FCF will total $463 mln (+100% y/y) in 2023, and $780 mln (+69% y/y) in 2024.
Valuation
We are using the multiples method to evaluate the company, rather than the DCF method, based on its projected results in 2027, when EBITDA expansion will decelerate to reasonable levels.
The rating for the shares is BUY, as the upside over one year stands at 32%. The fair value price of $148 for the shares has been derived by discounting the projected price for 2027 at the rate of 13% per annum. The price is shown in the table below without discounting at 13%.
Risks
- A more significant reduction in companies’ cybersecurity budgets than we expect. Companies are trying to implement cost-cutting policies that have already affected marketing spending. These policies may extend to broader areas such as cybersecurity;
- The emergence of a stronger competitor. Cybersecurity is a highly competitive environment. This means that larger competitors may allocate significantly more capital to improve their product or to invent a new one in order to take market share from Zscaler;
- A more severe recession than we expect. The company has a high exposure to small businesses. This means that with a deeper and longer recession, many companies will stop buying Zscaler products.
Conclusion
Zscaler is a bet on the long-term trend of global cybersecurity adoption. The company should now benefit from the rising penetration of cloud security in the corporate world. That will enable Zscaler to triple its current number of customers. Due to strong expected financial results, we recommend that long-term investors buy Zscaler’s shares.