Zscaler Looks Like Another Cybersecurity Winner

At the end of last year, we made 2 cybersecurity stocks some of the first "buy" calls from the new service: CrowdStrike (CRWD) and Fortinet (FTNT).

So far, the stock returns have been mixed: while CrowdStrike is down a few points, Fortinet has gained 23% and is beating the market by 22%.

More importantly though, both companies delivered strong first quarter results, both still have growth excellent prospects and strong financial footings, both have top notch, founder-led management teams, and both still trade more than 35% below my fair value estimate price.

The market still hasn't fully come around on the cybersecurity space, and for me, this just gives us more opportunity to add our exposure to it while valuations are attractive.

In that vein, investors could do one of two things. First, if CrowdStrike or Fortinet look good to you and you don't already own a position, certainly either of those look like great buys at the moment. Or, you can read on as we profile another highly attractive cybersecurity Green Screen stock: Zscaler (ZS).

Now you know the sector that Zscaler is in, but how is it different from these other two firms? What makes it stand out? Read on!

One Sassy Company

Zscalar is a "security-as-a-service" company, who's primary offering is access to their cloud security platform called SASE (secure access service edge, or "Sassy").

Traditional organizational network security revolves around the "walled castle" model. The castle is the company or organization's intranet - the "company network". All important network assets live in here: applications, data, etc. Surrounding it (the "wall") is the company's tightly controlled, network firewall-based security perimeter. To get inside, an employee, vendor, or customer has to be granted access via an on-network computing device, or by using a VPN.

This offers reliable protection, but the mobile device revolution and proliferation of software-as-a-service (SaaS) tools over the last 2 decades has blown up the model. SaaS software like Workday or Salesforce is often hosted by the vendor and cannot be brought in-network. VPNs are a clunky solution (especially for mobile), and employees tend to prefer to use their own devices. A new security paradigm is required.

This is what Zscaler's SASE platform is designed for. It sits between end-user devices like smartphones or laptops and corporate assets like SaaS instances (Zscaler Internet Access or ZIA) and even internal applications and networks (Zscalar Private Access or ZPA, a VPN alternative). Externally exposed network routes are sent through Zscaler's Zero Trust Exchange, which is essentially a proxy to enforce protections like access control, URL blocking, virus protection, file type controls, etc., before allowing access to the target asset. See the diagram below:

This model has a lot of advantages over traditional security models. Obviously, it solves the key problem of needing a security layer to access SaaS applications. It also allows continuous and immediate updating. The company applies thousands of security updates daily, transparently and immediately to all of its nearly 7,000 customers. The immense amount of traffic (280 billion requests daily!) sent through Zero Trust Exchange allows sophisticated AI/ML modeling to quickly identify threats and immediately block them for everyone.

Zscaler's Revenue Model and Growth Opportunity

Zscaler makes money by charging companies subscriptions to its platforms. There are various subscription tiers, offering gradually more security features for higher prices. Pricing is primarily on a per-user, per-year basis.

You know I love subscription revenues as they are fully recurring. Once customers sign up, they pay Zscaler year after year until they cancel. Generally, clients pay more year-to-year as their user base expands and they require more security features (not to mention modest price hikes that Zscaler may enact). The firm's net revenue retention rate is over 125%, meaning that not only don't customers leave, but they spend on average 25% more year-to-year on subscriptions.

Zscaler has delivered some pretty impressive top line growth. Its 3 year compound annual growth rate (CAGR) is a spicy 53%. For fiscal 2023 (ending in July), it is forecast to be over 40%, and early 2023 estimates call for continued 30%+ growth.

Looking at the big picture, there still looks to be a lot of runway for a firm generating just $1.5 billion in sales at present. Only about 40% of Fortune 500 companies use Zscaler, and a quarter of the Global 2000. Its current customer roster of 6,700 is a small percentage of the estimated 20,000 firms with more than 2,000 employees that the company considers potential customers. SASE networks are an emerging part of the cybersecurity landscape, with only 20% of large companies employing them today - Gartner estimates over 60% will have plans to use them by 2025.

It is a big opportunity that management estimates could be worth $70 billion dollars. If that is accurate, Zscaler has currently only penetrated about 2% of its opportunity. That leaves a lot of space for continued 25-30%+ annual growth for many years to come. The growth outlook is very strong and supportable here.

A Look At The Moat

As any consistent readers of this site know, enterprise software enjoys one very prominent moat factor: HIGH SWITCHING COSTS. It is expensive in both time and money for large companies to put an enterprise-spanning solution like Zscaler in place, and once it is being used successfully, switching vendors is highly unlikely for a long period of time. This gives us strong confidence that a recurring revenue firm like Zscaler will not rapidly lose a lot of its sales in a short period of time.

Certainly, Zscaler isn't losing many customers. As we mentioned before, its 125% dollar-based net retention rate points to the opposite - keeping and growing business with its existing clients. Even its gross retention rate of 90% is impressive in the overall SaaS world.

As for winning new business, Zscaler has all of the cards right now. It carries a Net Promotor Score (a ratio of satisfied to unsatisfied customers) of 80 - compare that to the SaaS average of just 30! In the Security Service Edge space, Zscaler is unrivaled, winning Gartner's coveted "Leader" title for 11 straight years. For the segment of cybersecurity it deals in, the company is far and away the #1 choice.

That's not to say there isn't competition, or that it won't get stronger. Expect to see SASE offerings hit the market from many of the traditional software (Microsoft), networking (Cloudflare, Cisco), and security vendors (Symantec, Palo Alto, Check Point, etc.). But those firms will have a tough time dislodging the clients Zscaler has already captured with its early mover status and focused product offerings.

Management and Financials

This one hits the mark on management. Jay Chaudhry is the CEO and Chairman. He founded Zscaler in 2008 after an already-impressive business career that included founding AirDefense, CipherTrust, CoreHarbor, and SecureIT (all of them acquired by larger firms). With almost 19% ownership of the company, Chaudhry's stake is worth close to $3 billion.

Under Chaudhry, Zscaler has thrived. We've talked already about its explosive growth over the past 5+ years. More impressively, it has generated that growth almost totally organically, while producing positive free cash flow (over 25% FCF margins), and strong cash returns on invested capital (over 40%). Of course, the stock price hasn't suffered either, beating the market by 4x since going public in 2018.

Employees back Chaudhry almost unanimously, with an impressive 97% rating on GlassDoor. It is extremely rare to see such widespread support for leadership.

One reasonable concern is Chaudhry's age. At 65, he is nearing the point where many CEO founders consider retirement, or at least stepping down a bit. This is a risk, but fortunately the firm seems to have a CEO-in-waiting in Dali Rajic, who was elevated to COO last year. Hired in 2019 to lead Zscaler's sales & marketing efforts, Rajic's success and promotion makes him an obvious next choice for the top seat, should Chaudhry decide to step back. At 48, he represents the next generation of leadership for the firm.

Risks

Cybersecurity firms are always exposed to the risk of a major, high-profile breach that can destroy trust with their customer base - just ask FireEye how damaging this can be! Zscaler is no exception. A widespread failure could cause many clients to consider moving their security trust elsewhere.

Like many growth stocks, a successful investment in Zscaler is going to require continued rapid growth. Even at a depressed stock price, we are still looking at a valuation that is 12 times sales at present. While I try to be reasonable with growth expectations, they are still a key part of the fair value estimate. If Zscaler cannot keep growing at a rapid rate, the current fair value estimate will prove to be too high and investors may lose money.

Conclusion

It should be pretty clear that Zscaler is a very good looking company that easily earns its way onto the Watch List. It has all the hallmarks we look for in a "green dot" stock: strong and sustainable revenue growth, recurring revenues, good economic moat protection, proven and reliable leadership, and an attractive financial model. While our Buy List is a little heavy in cybersecurity now, I still believe it is a great space to invest in long-term, and now is a good time to take advantage of what look like attractive valuations.

Zscaler is trading very close to the "trigger" point of 25% under fair value, but it isn't *quite* there yet. We will keep a close eye on this one. A few percent drop on a bad day and this one could find itself into the Buy List very soon!