Who Is Zscaler (ZS)?: A Cloud Gatekeeper Controlling the “Pathway” of Zero Trust—Its Strengths and Less-Visible Vulnerabilities

* This report is based on data as of 2026-01-08.

The business in one sentence: What Zscaler does, and who pays

Zscaler provides a cloud security platform built to ensure that “employees can safely use the internet and internal/cloud business applications regardless of where they work.” By replacing legacy staples like VPNs (tunnels into the corporate network) and site-by-site security appliances, it centralizes the communications “path” in the cloud and evaluates security and authorization on every access request.

Its customers are primarily enterprises and institutions (large corporates, government agencies, critical infrastructure, and organizations with many sites and plants). The protected users are “people who work”—employees, partners, and contractors. The revenue model is subscription-based, with annual (or multi-year) fees tied to employee count and the breadth of functionality enabled.

Simple enough for a middle-schooler: Zscaler’s three main “money-makers” and the value it delivers

1) Protecting internet usage: Inspect the traffic itself, not just the front door

Every time an employee goes online, Zscaler inspects that traffic in its cloud, blocking dangerous sites, suspicious downloads, and communications that violate company policy. The key is the architecture: protection is centralized in the cloud rather than delivered through hardware sitting in a corporate office.

2) Access control for internal/cloud apps: A “key that opens only the rooms you need,” not a VPN

Traditional VPNs can let users “roam broadly once inside the corporate network,” a weakness that can magnify damage when a breach occurs. Zscaler is built around “not exposing everything up front”: after validating the security posture of the user and device, it connects the user only to the applications they need, making unnecessary lateral movement (lateral movement) less likely. As large enterprises push to eliminate VPNs, real-world adoption examples have emerged (e.g., T-Mobile).

3) Data protection: Stop “exfiltration,” including accidental leakage

It helps prevent information leakage not only from attacks, but also from “accidents” like mis-sending or mis-sharing, by monitoring communications content and file movement. As distributed work expands, the value of “enforcing data rules in the cloud” becomes increasingly important.

Future pillars: Three expansions that could shape competitiveness even if not yet core

Zscaler’s story doesn’t stop at being a “gatekeeper (access control).” It’s expanding the domains it can address. This is about more than re-accelerating growth—it’s also about positioning to hold up as platforms consolidate.

• Automation and sophistication of security operations (detection through response): To support understaffed SOCs (security operations), it acquired Red Canary and is pushing toward reducing operational labor using AI (in the context of Agentic AI-driven Security Operations). This broadens its scope into “investigation and cleanup after an incident occurs.”
• Expansion into branches and plants (including OT/IoT): Plants and field environments often combine legacy equipment with diverse endpoints, which makes them difficult to secure. Zscaler is promoting integration for branches, campuses, and plants, OT/IoT segmentation, and partner access—expanding coverage from “employee-centric” to “sites and devices.”
• Strengthening positioning as a data foundation for the AI era: It sits where it can handle enormous volumes of traffic data, and by layering operational know-how (Red Canary) on top, it has a foundation that can more readily evolve toward “using data to decide and act.”

Why it is chosen: Top 3 strengths customers value / Top 3 pain points

What customers value (Top 3)

• Consistency that enforces the same rules across distributed workstyles: Easier to standardize policies even as locations change—HQ, home, travel, and branch sites.
• Containment of blast radius (lateral spread) through zero-trust design: An architecture that “allows only the necessary apps” makes it harder for damage to spread during a compromise.
• Scale and stability backed by large-scale operations: Experience processing massive global traffic volumes tends to translate into confidence in detection, performance, and resilience.

What customers are dissatisfied with (Top 3)

• Implementation and migration difficulty: VPN replacement and site consolidation require redesigning architecture and operations, making initial projects heavy (the greater the value, the more likely it becomes a “major construction project”).
• Greater integration increases resistance to vendor lock-in: Consolidating into a single vendor can be rational, but because security failures can be existential, psychological resistance often remains.
• Expectation management becomes harder as it expands into SOC: When a company highly rated as a gatekeeper expands into operations (detection through response), early post-acquisition integration can create dissatisfaction if “perceived value doesn’t catch up.”

What the long-term numbers imply about the “company type”: Fast Grower-class revenue, immature profits, but strong cash

On long-term fundamentals, Zscaler stands out for a two-track structure: “revenue keeps growing strongly, accounting profits (EPS) tend to stay negative, yet free cash flow (FCF) is robust.”

Revenue: A sustained “up-and-to-the-right” trajectory over 10 years

Annual revenue expanded from $0.05B in FY2015 to $2.67B in FY2025, with a 10-year CAGR of ~47.8% and a 5-year CAGR of ~44.0%, both very high. Over time, the pattern is largely “one-way expansion,” and it’s hard to read this as a business that repeatedly swings through pronounced peaks and troughs.

EPS: Losses persist, but the loss magnitude has narrowed

Annual EPS was FY2021 -1.93, FY2022 -2.77, FY2023 -1.40, FY2024 -0.39, FY2025 -0.27—still negative, but clearly improving. Because losses persist, 5-year and 10-year EPS growth rates (CAGR) can’t be calculated, which makes direct comparison to “profitable growth stocks” difficult using the same yardstick.

FCF: 5-year CAGR ~92.5%, with FCF margin in the 20% range

FCF improved from -$0.01B in FY2015 to $0.73B in FY2025, with a 5-year CAGR of ~92.5%. FCF margin has generally stayed in the 20% range since FY2021, reaching ~27.2% in FY2025. TTM FCF margin is ~29.9%, also high. For investors, it matters that the business is generating cash even while accounting profits remain negative.

ROE and margins: Accounting profits are negative, but the “degree of loss” is shrinking

ROE for the latest FY (FY2025) is -2.31%, i.e., negative. However, within the past five-year distribution it sits toward the smaller-loss end, suggesting loss rates have been narrowing. Margins tell a similar story: FY2025 gross margin is ~76.9%, a high level, but operating margin is ~-4.81% and net margin is ~-1.55%, i.e., an accounting loss. Meanwhile, FY2025 operating cash flow margin is ~36.4% and FCF margin is ~27.2%, so the cash profile remains strong—continuing the two-track structure.

Share count: Dilution is also a “cost of growth”

Shares outstanding increased from 26.1M in FY2015 to 154.4M in FY2025, implying dilution. Because this can weigh on how EPS is perceived, it’s important to keep tracking not only revenue growth but also results on a per-share basis.

Viewed through Lynch’s six categories: Closest to a Fast Grower-leaning “hybrid”

Under a mechanical classification, no clear flags are raised for Fast Grower / Stalwart / Cyclical / Turnaround / Asset Play / Slow Grower. The reason is straightforward: revenue is Fast Grower-class (5-year and 10-year CAGR in the 40% range), yet EPS, ROE, and operating margin remain negative—so it’s not yet a “classic Fast Grower” where profits compound alongside sales.

Also, because annual revenue has risen consecutively and peaks/troughs aren’t obvious, it’s hard to call it a Cyclical. And while losses are narrowing, it can’t be cleanly labeled a Turnaround because profitability hasn’t been reached. A practical framing that fits best is “Fast Grower-like revenue growth × immature accounting profits, but strong cash generation—a hybrid type.”

Current momentum: Decelerating versus the long-term average, but the “pattern” is intact

This matters for investment decisions. The key question is whether the long-term “pattern” (strong revenue, immature profits, strong cash) is still holding in the most recent period.

Latest TTM: Revenue +23.238%, FCF +30.055%, EPS still negative but improving

• Revenue growth (TTM, YoY): +23.238%
• Free cash flow growth (TTM, YoY): +30.055%
• EPS (TTM): -0.2588 (loss), EPS growth (TTM, YoY): +8.836%

Revenue and FCF are growing at a healthy clip, and TTM FCF margin remains high at ~29.9%. EPS is still negative; while it’s improving, it hasn’t reached profitability. In other words, the long-term pattern of “strong cash, but immature accounting profits” largely remains intact in the near term as well.

Keep in mind that FY (annual) and TTM (latest four quarters) cover different time windows, so the same metric can look different. That’s a time-period perspective issue, not a contradiction.

What “deceleration” means: Not a breakdown, but a shift from “hyper-growth to high growth”

The short-term momentum classification is Decelerating because the latest TTM growth is clearly below the five-year average (5-year CAGR). For example, revenue is TTM +23.238% versus a 5-year CAGR of ~44.0%. FCF is TTM +30.055% versus a 5-year CAGR of ~92.5%.

That said, over the most recent two years (eight quarters), the 2-year CAGR is ~22.3% for revenue and ~30.1% for FCF, which suggests the directional growth trend continues. So rather than calling it “stalling,” it’s more accurate to frame the current phase as a transition from mid-term “hyper-growth” to more recent “high growth.”

Profitability improvement: Operating losses continue to narrow

Margins show continued improvement: operating margin moved from ~-13.3% in FY2023 to ~-5.7% in FY2024 to ~-4.81% in FY2025, confirming a narrowing loss over the last three fiscal years. FCF margin (FY) also remains high, moving from ~20.6% in FY2023 to ~27.0% in FY2024 to ~27.2% in FY2025.

Financial safety: Indications of a net-cash tilt, and a two-sided view of interest coverage

Bankruptcy risk should be evaluated not just by whether profits are positive, but by looking at the debt structure, the cash cushion, and the ability to cover interest.

• Net Debt / EBITDA (latest FY): -15.80x (an inverse metric; the smaller it is—i.e., the deeper the negative—the more it tends to indicate a strong cash position)
• Cash ratio (latest FY): 1.47
• Debt-to-equity ratio (latest FY): ~1.00x
• Interest coverage (latest FY): -0.92 (because accounting profits are weak, profit-based metrics can look poor)

Bottom line: Net Debt / EBITDA points to a net-cash tilt and a relatively substantial cash cushion. On the other hand, because accounting profits are weak, interest-paying capacity can look weak on profit-based metrics—creating a two-sided picture. Based on current data, it’s hard to argue the company is “forcing growth with heavy effective debt,” while a prolonged timeline to profit improvement could reduce management flexibility and remains worth monitoring.

Capital allocation: Dividends are not a core theme; growth investment and cash generation are central

At least in this dataset, neither the latest TTM dividend yield nor dividend per share can be confirmed, and dividends are not a primary part of the thesis. It’s more natural to view value creation through reinvestment into business growth and the resulting build in cash generation capability (TTM FCF of $0.848B and TTM FCF margin of ~29.9%).

Cash flow quality: Why is FCF “thick even with losses”?

Zscaler’s accounting profits (EPS) are negative, yet its FCF margin remains high. For this kind of company, investors should separate at least these two questions.

• Whether immature EPS is “the result of investment”: It may simply reflect a phase where growth investments (development, sales, operational strengthening) are prioritized and accounting profits are pushed out.
• Whether FCF strength is “temporary”: FCF can move not only with revenue growth, but also with collection terms and the timing of expense recognition; sustainability should be assessed over multiple years while also accounting for the time-window differences between TTM and FY.

As of today, FCF margin is high in both FY and TTM and long-term improvement is clear, while accounting profits remain immature. That’s a central “investor reading point” for the company.

Where valuation stands (company historical only): Organizing via six indicators

Here we don’t compare to the market or peers; we only place Zscaler’s current valuation relative to its own history (primarily five years, with ten years as a supplement). Note that when profits are negative, PER and PEG can be hard to interpret and historical distributions may not be constructible. In those cases, we treat it as the simple fact that “valuation is difficult.”

PEG: Currently -97.41, but historical range comparison is not possible

PEG is -97.41. However, because there isn’t enough data to build 5-year and 10-year distributions, it can’t be positioned as “inside/outside the historical range.” The negative PEG is driven by EPS (TTM) of -0.2588.

PER: Currently -860.74x; historical range comparison is not possible

Because EPS (TTM) is negative, PER (TTM) is -860.74x. In this situation, PER is unlikely to be useful for decision-making, and because 5-year and 10-year distributions can’t be constructed, it also can’t be placed historically.

Free cash flow yield (TTM): 2.39%, on the high side versus the past 5 and 10 years

FCF yield is 2.39%, above the 5-year median of 1.42% and also above the upper bound of the typical range for both the past 5 and 10 years (i.e., on the higher-yield side within its own history). Meanwhile, in the most recent two years of quarterly progression, there are phases where yield trends downward; that needs to be understood by separating the “two-year direction” from the “current level.”

ROE (latest FY): -2.31%, with a relatively small loss versus history

ROE is -2.31%, i.e., negative. However, within the 5-year and 10-year distributions it sits above the upper bound of the typical range (= on the smaller-loss side). Over the last two years, after continuing to improve, it has fluctuated while staying at a smaller negative magnitude.

FCF margin (TTM): 29.93%, on the high side versus the past 5 and 10 years

FCF margin (TTM) is 29.93%, above the 5-year median of 21.36% and also above the upper bound of the typical range for both the past 5 and 10 years. Over the last two years on a quarterly basis, an upward direction is also evident, putting cash generation “as a ratio” in a historically elevated phase.

Net Debt / EBITDA (latest FY): -15.80x, net-cash leaning (inverse metric)

Net Debt / EBITDA is an inverse metric: the smaller it is (the deeper the negative), the more it tends to indicate a strong cash position. The latest FY is -15.80x, near the lower bound of the typical range over the past five years, and below the typical range over the past ten years—positioned further on the negative side (net-cash leaning). While the last two years include extreme values and show high volatility, the current level remains negative.

The success story: Why has Zscaler been winning?

Zscaler’s winning formula is “controlling the path for enterprise communications and access,” which effectively embeds security into day-to-day operations. Instead of the VPN-style model of “protect after you get in,” it makes a cloud-based decision on every request—“which apps to allow for this person, this device, and this context.” The need for a security design that limits lateral spread during a compromise is also a powerful adoption driver.

It’s also a business where operating a “security cloud” at global scale—processing massive traffic volumes—can directly improve quality factors like detection accuracy, latency, and stability. That creates a network-effect-like dynamic where “scale builds advantage through data and operational learning” (not a direct social-network effect, but an operational-learning type).

Is the story continuing: Consistency with recent moves (branch/OT and SecOps)

Versus 1–2 years ago, there are three notable narrative shifts.

• From zero trust = remote-work centric to branches/field/OT as well: The message is that the security boundary has expanded across the entire organization.
• From gatekeeper (access control) to operations (detection through response): With the Red Canary acquisition completed, it has moved from planning into execution.
• Consistency with the numbers: As growth rates normalize versus long-term averages, the push to rebuild the growth angle by expanding coverage aligns with fundamentals that show strong revenue and FCF but deceleration from hyper-growth.

That said, this consistency also means “it makes sense if it works.” Because expansion raises execution difficulty, it’s inseparable from the following “less visible fragilities.”

Quiet Structural Risks: Eight points to watch more closely the stronger it appears

• Volatility from enterprise concentration: The more it skews toward large enterprises, government, and critical infrastructure, the larger and longer projects become, making quarterly-to-annual optics more volatile. The stronger the integration orientation, the more likely it is to create situations where “winning is deep, but losing means losing everything at once.”
• Intensifying integrated platform wars: Competition isn’t just best-of-breed point solutions, but “overall strength including adjacent domains,” and the arena can shift quickly through M&A.
• Commoditization of SSE/SASE: As the market matures and offerings start to look like “similar functions,” differentiation shifts from philosophy to operating experience, smoothness of integration, and depth of visibility/automation.
• Rising dependence on external integrations: Even if manufacturing-style supply-chain dependence is limited, as SOC expansion and partner integrations increase, data integration, privilege design, and workflow alignment can become bottlenecks.
• Execution quality deterioration from “over-expansion”: When acquisition integration, sales complexity, and higher-touch support/operations all run in parallel, breakdowns in culture, hiring, and frontline load can show up in customer experience before they show up in the numbers.
• Reverse rotation in ROE/margins: It’s possible to see patterns where investment rises into slowing growth and the narrowing of accounting losses stalls, or where SOC expansion makes the cost structure heavier and degrades cash quality.
• Deterioration in interest-paying capacity (can look weak on metrics): Even with a substantial cash position, if accounting profits don’t catch up for an extended period, management flexibility can tighten.
• “Definition competition” in zero trust: The definition of the term itself becomes a competitive battleground, and the more customers demand “integration,” the more selection depends not only on purity of philosophy but also on a “single, cohesive post-integration experience.”

Competitive landscape: Who Zscaler competes with, and what the fight is about

Zscaler’s core arena is SSE/SASE (protecting communications and access in the cloud), expanding into zero trust, data protection, branch/plant integration, and SecOps (detection through response). Competition is shifting from “design philosophy superiority” alone to a contest of “scale and integration (platformization),” and from 2025 onward, industry consolidation and M&A have increased competitive pressure.

Key competitive players (names that frequently appear in deployments)

• Palo Alto Networks (often collides as a representative integrated platform)
• Netskope (often competes directly in the SSE/SASE core)
• Fortinet (strong in the context of network × security integration)
• Cisco (often becomes a natural option for large customers with existing network infrastructure)
• Cloudflare (can enter consideration backed by its global network infrastructure)
• CrowdStrike (pressure to take platform leadership from adjacent EDR/SecOps; can also be complementary via partnerships)

Key battlegrounds by domain: Where it can win, and where it can lose

• SSE: Inline inspection quality, policy unification, operational burden, visibility, and the cohesiveness of data protection.
• SASE: The integrated experience when consolidating into a single vendor, branch rollout, operational quality, and unified operations across network and security.
• ZTNA (VPN replacement): Ease of phased migration, exception handling, coexistence with legacy, and implementation capability.
• SecOps: Workflow cohesiveness from detection through response, noise reduction, response-time reduction, and other “operational outcomes.”

Moat (competitive advantage) and durability: Strengths are the “path” and operational learning; weakness is the “integrated experience”

Zscaler’s moat centers on (1) a cloud-based relay and inspection infrastructure that runs reliably at global scale, (2) operational data and learning (where scale improves quality), and (3) implementation capability to deliver enterprise migration projects end-to-end. The more deeply access control is embedded into enterprise operations, the more policies and exception handling become “operational assets,” raising switching costs.

On the other hand, as SASE platformization advances, the basis of comparison shifts from “individual functions” to the “integrated experience.” In that world, gaps in adjacent areas (network, endpoint, SOC) can thin the moat. Zscaler is leaning less toward “doing everything itself” and more toward building an integrated experience that includes partner integrations (e.g., strengthening integration with CrowdStrike); at the same time, it carries the risk that integration quality becomes the bottleneck.

Structural positioning in the AI era: A tailwind, but differentiation shifts from “having AI” to “operational outcomes”

In an AI-driven world, Zscaler looks more like enterprise infrastructure (middleware) than an application company. Its position—observing enterprise communications touchpoint data at high frequency—creates a natural tailwind for AI-driven detection and automation.

• Network effects: Growth in customers and traffic volume indirectly improves detection accuracy and operational-quality learning (operational-learning type).
• Data advantage: Beyond “user × application touchpoint data,” Red Canary strengthens the push to aggregate operational-context data.
• Degree of AI integration: Value is more likely to come from labor reduction across detect → investigate → respond, and further from closing the loop by “feeding detection back into blocking/control,” rather than simply adding point features.
• Mission criticality: This is an area where outages can cascade into business disruption, and as coverage expands to branches and field environments, criticality (the degree to which it cannot be stopped) rises.
• AI substitution risk: Full substitution is relatively less likely, but if SSE/SASE commoditizes, differentiation shifts to the “integrated operating experience (exception handling, observability, and effectiveness of automation),” and weakness here can create disadvantages on price and integration strength.

Leadership and culture: Founder-CEO consistency is a strength; execution load during expansion is a monitoring point

Founder and CEO Jay Chaudhry has consistently emphasized the philosophy of “moving away from perimeter defense centered on VPNs/firewalls and using zero trust to connect only what is necessary.” More recently, two additional pillars have been clarified: (1) extending zero trust across branches, field environments, and multi-environments, and (2) moving into SecOps and using AI to create an operational closed loop.

In leadership style, he often speaks from first principles—rebuilding existing structures—while repeatedly emphasizing a partner/ecosystem-first approach rather than “doing everything in-house.” That fits the company’s reality, where integration quality becomes decisive in platform competition.

For long-term investors, philosophical consistency and cash generation can provide staying power, while the expansion phase is also when organizational load can rise. The CFO transition (announced in May 2025) and organizational reinforcement can be read as scaling up, while also potentially signaling increased operational burden during the transition. There have also been reports of the CTO stepping down; continuity and authority design within the technical organization remain items to monitor (with the caveat that confirmation via primary sources is preferable).

On employee experience, because there is insufficient primary information to generalize changes since August 2025, we avoid definitive statements and keep this as a hypothesis based on “general patterns that often show up during expansion phases” (more concurrent initiatives → higher load; higher coordination burden for “major construction” deployments).

Understanding via a KPI tree: The causal drivers of enterprise value (what investors should monitor)

Because Zscaler runs a subscription model, value compounds as “customers increase,” “those customers expand scope,” and “renewals continue.” Mapping that causality as a KPI tree clarifies what to monitor.

End outcomes

• Sustained revenue growth (new wins + expansion within existing customers)
• Expansion of cash generation capability (depth of FCF)
• Improving profitability (narrowing losses → moving to profitability)
• Improving capital efficiency (ROE, etc.)
• Business durability (the core becomes embedded as infrastructure, with renewals and continuation occurring)

Intermediate KPIs (value drivers)

• Expansion of the customer base (number of adopting companies and expansion of deployment scope)
• Contract expansion per customer (incremental adoption of data protection, branches/plants, SecOps, etc.)
• Strength of renewals and retention (low churn, retention/expansion at renewal)
• Execution capability for deployment projects (can it deliver through design, migration, and operational adoption)
• Operational quality (stability, performance, reproducibility of detection)
• Completeness of the integrated experience (smoothness of integration with adjacent domains)
• Optimization of investment allocation (balance between growth investment and profitability improvement)

Constraints (frictions) and bottleneck hypotheses

• Implementation and migration difficulty (VPN replacement, branch rollout, exception handling becoming “major construction projects”)
• Rising integration difficulty (the more it expands into branches/OT and SecOps, the harder it is to make it a single cohesive whole)
• Shifts in competitive axis (point functions → integrated experience)
• Expectation management (does perceived value catch up in operations domains)
• Rising investment and organizational burden (more concurrent initiatives reducing execution quality)

For practical investor monitoring, the key questions are: “Is win probability deteriorating in heavy implementation deals?” “Is it staying core through renewal cycles?” “Is incremental adoption for branches/plants accumulating naturally?” “Is SecOps being discussed in terms of operational outcomes rather than ‘announcements’?” “Is integration quality becoming a bottleneck?” and “As growth normalizes, is investment allocation compatible with profit improvement?”

Two-minute Drill (summary for long-term investors): What is the “skeleton” of this stock?

• Zscaler’s core is a zero-trust platform that controls the cloud-based “path” for enterprise communications and access, enabling “minimum necessary connectivity” through per-request decisions.
• The long-term pattern is a two-track structure: revenue grows at a Fast Grower-class pace, while EPS and ROE remain immature (loss-making), but FCF margin is high.
• Near-term growth has decelerated versus the long-term average (hyper-growth → high growth), but the revenue/FCF growth trend and narrowing operating losses continue, and the pattern is broadly intact.
• Competition is shifting from the “core of zero trust” to “integrated platform wars,” and differentiation is increasingly driven not by features but by the integrated operating experience (especially outcomes from SecOps integration).
• The biggest less visible risk is that expanding coverage (branches/OT and SecOps) can create a new “growth angle,” but also raises integration difficulty and organizational burden; if experience quality deteriorates, the platform could be displaced during renewal cycles.