Zscaler (ZS) In-Depth Analysis: How the Zero-Trust Company That Controls Corporate Communications via a Cloud “Checkpoint” Can Grow in the AI Era

* This report is based on data as of 2026-03-01.

1. In one line: what the company does and why it matters

Zscaler (ZS) is built around a simple idea: when employees and devices access “internal systems,” “cloud-based business applications,” and “the internet,” that traffic is first routed through a cloud-based “checkpoint” for security verification. The old model—protecting the business with a VPN or an on-prem “perimeter”—has struggled to keep up with remote work, distributed locations, SaaS, multi-cloud, and generative AI. ZS sits at the center of a redesign of how enterprises “connect,” anchored in a zero-trust approach: not “separating inside and outside,” but “allowing only what is necessary for each user/device/app”.

2. Who the customers are and where it’s used

Customers skew from large enterprises down to mid-sized companies across a broad set of industries. The best fit is typically organizations that “have many sites,” “have a high share of remote work,” “are advancing cloud migration,” and “need governance as AI tool usage increases.”

• Enable secure access to critical internal applications from home or while traveling (as a VPN replacement)
• Standardize security operations across many sites such as branches and factories
• As generative AI and AI development environments proliferate, prevent data exfiltration and misuse

3. What it sells: the four pillars of core products (+ future upside)

At the heart of ZS is a “cloud-based security checkpoint.” Employee and device traffic first traverses the ZS cloud, where risks and policy violations are identified and blocked before the traffic reaches its destination. The key point isn’t just feature breadth—it’s the “path design” itself.

Pillar 1: A “security filter” for outbound internet/SaaS traffic (the largest pillar)

It blocks malicious sites, malicious files, and suspicious communications, while enforcing internal policies (for example, preventing certain data from being sent externally). The important part is that the same rules apply even when employees are off-network, which makes it a strong fit for distributed work.

Pillar 2: A “secure entry point” to internal applications (a major VPN-replacement pillar)

This pillar targets an architecture that tightly limits access—“this person (this device) can access only this application”—so that even if something is compromised, the blast radius is less likely to spread. It’s also adopted in situations where, alongside cloud migration of critical systems such as SAP, ZS is chosen on the “secure access” side.

Pillar 3: Protecting communications within the cloud (machine-to-machine) (mid-sized to growing pillar)

ZS is expanding beyond human-driven application access to protect large volumes of system-to-system traffic running inside the cloud. This tends to become more important as cloud usage scales.

Pillar 4: Making connectivity experience quality visible (supportive, but key to enterprise-wide rollout)

Security can’t come at the expense of usability—frontline users push back when things are “slow” or “can’t connect.” ZS emphasizes observability (visibility) to make root-cause analysis easier. In practice, this can be a deciding factor in whether “post-deployment expansion” actually happens.

Future pillars (potentially important even if revenue scale is small)

• AI security to manage AI usage at the company level: Identify which AI tools are being used and what’s being sent, then codify rules for what information can/cannot be shared to reduce incidents (“not banning AI,” but “governing with AI usage as a given”).
• “Automatically securing” communications inside the cloud: Adoption often accelerates as this becomes stronger—faster deployment and lower operational burden in areas that frequently rely on manual configuration.
• “Full replacement” at large enterprises: The more ZS expands from departmental deployments into an enterprise-standard connectivity platform spanning branches, factories, cloud, and critical applications, the more the deployment footprint can widen.

4. How it makes money: subscription-driven compounding from “partial deployment → incremental deployment”

The model is primarily recurring subscription revenue, typically priced around employee count and the scope of usage. Growth generally shows up in three ways.

• Existing customers add incremental functionality (additional layers of protection)
• User counts and adopting departments expand (enterprise standardization, post-M&A integration, etc.)
• Legacy approaches such as VPNs are retired and a broader footprint is replaced with ZS

5. Why it’s chosen: the value proposition, explained simply

• Same protection rules everywhere: Whether users are at headquarters or off-network, the same security policies can be applied.
• Not “let it through and then inspect,” but “check before letting it through”: Because traffic is designed to pass through a checkpoint, threats can be stopped earlier in the path.
• Scale can create learning effects: The more traffic it processes, the more attack signals it can observe and translate into better protection (with the caveat that the ultimate value depends on whether those signals are productized and operationalized).

6. Tailwinds (structural growth drivers): why the model fits this moment

• Distributed work and distributed IT: Remote work, multi-site operations, and SaaS have expanded the “place to protect” beyond the corporate perimeter.
• A shift away from perimeter-based protection such as VPNs: In some cases, large enterprises are actively moving forward with replacement.
• Rapid growth in AI usage increases data exfiltration risk: It becomes harder to see which AI tools are used by whom and what is being sent, increasing demand to “make it visible and stop it with rules.”

7. A critical “internal infrastructure” separate from the business: a massive cloud checkpoint network

By processing global traffic through its own cloud, ZS is set up to continuously iterate on threat detection and blocking. At scale, this can influence reliability, the pace of improvement, and operational quality—an advantage that can matter beyond pure feature checklists.

8. Long-term fundamentals: what “type” of company is this

Over the long run, ZS has combined very high revenue growth with strong expansion in free cash flow (FCF), while accounting profits (EPS) and ROE remain immature and have stayed negative for an extended period. Put simply: “the growth is real, but the end-state profitability profile is still being built.”

Revenue: high growth over both 10 years and 5 years

• Revenue CAGR: past 5 years +44.0% (annual)
• Revenue CAGR: past 10 years +47.8% (annual)

Revenue expanded from approximately $0.54 billion in 2015 to approximately $2.67 billion in 2025 (annual).

FCF: rapid expansion after turning positive, with margins reaching a high level

• FCF CAGR: past 5 years +92.5% (annual)
• FCF: 2025 approximately $0.727 billion (annual)
• FCF margin: 2025 27.2% (annual)

As a check on the most recent level, there is data showing revenue $3.00 billion, FCF $0.874 billion, and FCF margin 29.1% (all TTM). When FY (annual) and TTM present differently, it reflects differences in how the period is measured.

Profitability and capital efficiency: gross margin is high, but operating margin and ROE are still immature

• Gross margin: generally in the high-70% range over the long term (e.g., 2025 76.9% (annual))
• Operating margin: losses continue but are narrowing (2021 -30.8% → 2025 -4.8% (annual))
• ROE: latest FY (2025) -2.3% (annual)

ROE has been negative for a long time, but the magnitude of the losses has narrowed in recent years (e.g., 2022 -68.1% → 2025 -2.3% (annual)).

EPS: still negative, which makes long-term growth rates hard to interpret

• EPS: 2025 -0.27 (annual)

Since 2015, EPS has consistently been negative on an annual basis, and the past 5-year EPS growth rate (CAGR) is not calculable (because losses have persisted and can’t be defined mechanically). As a result, it remains difficult to frame the story using earnings multiples (PER) or PEG.

9. Peter Lynch-style “type”: closer to a Fast Grower (but with unfinished profitability)

The mechanical category flags in the dataset don’t definitively lock ZS into a single bucket, but in practical terms it is tilted toward Fast Grower. That said, it’s not the “finished form” Lynch tends to prefer—highly profitable growth—but rather a hybrid where revenue and FCF are strong while accounting profits (EPS) and ROE remain immature.

• Rationale 1: High revenue CAGR (past 5 years +44.0% (annual))
• Rationale 2: High growth even over 10 years (past 10 years +47.8% (annual))
• Rationale 3: Large expansion in FCF (past 5 years +92.5% (annual))

What complicates classification is that EPS is mostly negative, making PER/PEG difficult to anchor, and ROE is still -2.3% (annual) even in the latest FY.

10. Near-term (short-term momentum): growth continues, but it “reads as deceleration”

Relative to the long-term “type,” ZS is still posting positive revenue and FCF growth in the most recent year (TTM), so the Fast Grower-leaning foundation remains. However, growth rates are below the long-term averages, so the momentum label is best summarized as Decelerating.

Revenue (TTM): still strong, but below the long-term average

• Revenue growth rate: +23.9% (TTM, YoY)
• Reference: past 5-year average growth (annual CAGR): +44.0%

Over the past two years, revenue has grown at +21.6% on an annual average basis, with a clear positive slope. So rather than “breaking down,” it’s better framed as a step-down from ultra-high growth over the past five years toward a “normalized high-growth” rate.

FCF (TTM): strong levels, but growth has slowed versus the long-term average

• FCF growth rate: +25.8% (TTM, YoY)
• FCF: $0.874 billion (TTM)
• FCF margin: 29.1% (TTM)

Growth is slower than the past 5-year FCF growth (annual CAGR +92.5%), but the FCF margin remains high, and FCF over the past two years has continued to rise at +26.1% on an annual average basis. Here as well, this looks less like “deceleration from weakening cash generation” and more like a normalization of the growth rate.

EPS (TTM): improvement is notable, but interpretation is tricky while it’s still negative

• EPS: -0.4235 (TTM)
• EPS growth rate: +319.1% (TTM, YoY)

This points to narrowing losses, but EPS remains negative and can be volatile as a “speed” metric. For short-term characterization, revenue and FCF are therefore treated as the primary indicators.

Profitability (FY): operating margin is improving

• Operating margin: 2023 -13.3% → 2024 -5.7% → 2025 -4.8% (annual)

Even if revenue growth cools versus the long-term average, improving margins can still lift the company’s “growth quality (efficiency).”

11. Financial soundness (including a bankruptcy-risk framing): strong liquidity and net-cash leaning, but profit-based metrics still look weak

On near-term funding capacity, ZS appears to have a meaningful cash cushion and a net-cash-leaning balance sheet. At the same time, because accounting profitability is still immature, it’s important to recognize that profit-based soundness metrics can screen poorly.

Debt and leverage: net interest-bearing debt is negative

• Net interest-bearing debt / EBITDA: -15.8x (FY, latest)
• Debt-to-equity ratio: 1.00x (FY, latest)

Debt-to-equity is around 1x, but net interest-bearing debt/EBITDA is deeply negative, reflecting a net-cash-leaning structure where cash exceeds interest-bearing debt.

Liquidity (cash cushion): short-term payment capacity is relatively strong

• Cash ratio: 1.47 (FY, latest)
• Current ratio: 2.01 (FY, latest)

Interest coverage: immature profits show up directly in the metric

• Interest coverage: -0.92 (FY, latest)

Negative interest coverage reflects a phase where accounting profits are not yet stable. With FCF currently supporting the structure, this weakness can persist if profit improvement is delayed. From a bankruptcy-risk lens, liquidity and a net-cash-leaning structure provide support, while as long as profit metrics remain immature, “metric-level weakness” remains—a fair way to frame it.

12. Cash flow tendencies: how to interpret the EPS vs. FCF gap

ZS is clearly in a phase where “EPS is negative, but FCF is strongly positive.” That pattern can show up when accounting profitability is still developing, while a subscription model supports cash inflows and timing differences in investment and expense recognition overlap.

• FCF: $0.874 billion (TTM), FCF margin: 29.1% (TTM)
• Capex / operating CF: 17.1% (TTM)

A high FCF margin despite a meaningful investment load reinforces that the company is “growing while generating cash.” However, in periods where cloud infrastructure buildout and rising personnel costs continue, gross margin and overall margins can come under pressure—making this balance an important “quality” checkpoint.

13. Dividends and capital allocation: not a dividend story; oriented toward reinvestment

Dividend yield and dividend per share data for the latest TTM are insufficient, and at least within this dataset it’s most natural to view ZS as a company where dividends are not a primary part of the investment case. Capital allocation appears geared toward growth investment (product expansion, infrastructure, and talent) rather than dividends.

14. Where valuation stands today (positioning within its own historical range only)

Without benchmarking to market averages or peers, this section simply places ZS within its own historical valuation ranges (and does not tie that to an investment conclusion).

PEG: not calculable, which limits valuation work in this period

PEG cannot be calculated consistently in the data, and a historical range cannot be constructed, so historical positioning cannot be assessed.

PER: not calculable because EPS is negative

With EPS (TTM) negative, PER (TTM) is not meaningful, and historical comparisons can’t be made either. This is a common constraint for growth companies with still-developing profitability.

Free cash flow yield: high versus the past 5-year and 10-year ranges

• FCF yield: 3.73% (TTM, market cap = as of the report date)
• Past 5-year median: 1.42%, normal range upper bound: 1.99%
• Past 10-year median: 0.85%, normal range upper bound: 1.97%

FCF yield (TTM) sits above the upper bound of the normal range over both the past 5 and 10 years.

ROE: negative, but “better” (less negative) within the historical distribution

• ROE: -2.31% (FY, latest)
• Past 5-year normal range: -53.25% ～ -4.09% (median -27.90%)

ROE is still negative, but within the 5-year and 10-year distributions it stands out on the side with a smaller negative magnitude.

FCF margin: high versus the historical range

• FCF margin: 29.11% (TTM)
• Past 5-year normal range upper bound: 27.02%
• Past 10-year normal range upper bound: 22.48%

FCF margin (TTM) is above the upper bound of the normal range over both the past 5 and 10 years.

Net Debt / EBITDA: best read as an inverse metric where a deeper negative is generally better

• Net Debt / EBITDA: -15.80x (FY, latest)
• Past 5-year normal range: -16.25x ～ 4.21x
• Past 10-year normal range: -12.14x ～ 7.61x

This is an inverse indicator: a smaller value (a deeper negative) generally implies cash more comfortably exceeds interest-bearing debt. The latest FY value of -15.80x is toward the low end of the past 5-year normal range and below the lower bound of the past 10-year normal range, placing it near a net-cash position.

Combined view across metrics (positioning only)

• ROE (FY) is negative, but on the better side (smaller negative) within the historical distribution.
• FCF margin (TTM) and FCF yield (TTM) are on the high side versus the historical range.
• PER/PEG do not hold, so a multiple-based “current position” cannot be placed.

15. Success story: a structural view of why ZS has been winning

ZS’s core value isn’t simply the conceptual shift from perimeter security to zero trust. It’s that the company has made an architecture that forces traffic to pass through a cloud-side checkpoint work in real-world operations—and then placed enterprise connectivity, policy enforcement, and visibility on that path. As deployments expand, switching stops looking like “adding another tool” and starts looking like “re-architecting connectivity,” which tends to raise switching costs.

The company also discloses that its customer base is diversified by industry and that no single customer accounts for more than 10% of revenue, which can be viewed as a form of resilience to demand shocks (though in an enterprise-heavy model, “deal size” concentration can still influence how growth prints).

16. Story durability: do recent strategies still match the “winning formula”

Over the past 1–2 years, the shift hasn’t been away from “zero-trust connectivity,” but toward layering “data protection + AI usage governance” on top of the zero-trust foundation. That fits the same winning formula: visualize and control directly on the traffic path.

At the same time, because the hybrid profile persists—strong revenue and cash growth alongside immature accounting profits—the story becomes harder to sustain as a pure “high growth” narrative. The company is moving into a phase where efficiency and profitability also need to be part of the narrative. There are also observations that rising infrastructure and personnel costs could pressure gross margin, creating tension between growth investment and margin stability.

17. Competitive landscape: who it competes with and what the fight is really about (increasingly, “integrated platform competition”)

ZS competes with a wide range of security vendors selling “enterprise network protection.” In recent years, comparisons have increasingly shifted from individual feature superiority to platform-vs.-platform evaluations. Customers are less focused on zero-trust ideology and more on whether they can “migrate without incidents,” “reduce operational workload,” and “fit with existing assets.”

Key competitors (those customers can readily compare within the same budget and decision process)

• Palo Alto Networks (Prisma SASE/Access)
• Netskope (Netskope One)
• Cisco (Secure Access/SASE, including delivery models in partnership with carriers)
• Fortinet (FortiSASE, integrated with foundations such as SD-WAN)
• Cloudflare (Cloudflare One, integrated with network infrastructure)
• Microsoft (around Entra/Global Secure Access, identity-led)
• Cato Networks (SASE, including capture of AI domains)

The “essence of substitution” by domain

• Internet/SaaS inspection: less about whether inspection exists, more about whether policy operations consistency, observability, and experience quality are all in place
• VPN-replacement access: less about features, more about ease of migration including alignment with existing environments (design difficulty)
• Data protection/AI input governance: application understanding (what was sent) and rule design that can run in frontline operations
• Full-stack SASE (including sites/WAN): the more purchasing leadership shifts toward the network organization, the harder it becomes for ZS’s standalone advantage to work

A Lynch-style view of the industry × company combination

Cloud migration, distributed work, and rising AI usage that expands the “assets to protect” are clear tailwinds. But this is also a market where SSE/SASE can commoditize as it becomes more standardized, and where vendor consolidation can drive integrated bundling competition. Against that backdrop, it’s consistent to view ZS as trying to avoid a war of attrition by embedding deeply as a connectivity platform.

18. The moat: what the advantages are, and how durable they may be

ZS’s moat isn’t “the idea of zero trust.” It’s a set of advantages that compound through day-to-day operations.

• Switching costs: As enterprise traffic is standardized to run through ZS—and exception rules and app-specific policies become embedded in operations—switching increasingly resembles “rebuilding the connectivity design.”
• Operational quality (experience quality × inspection in tandem): The more it can sustain strong latency, stability, and visibility, the more likely enterprise-wide rollout is to continue.
• Data advantage: Observations of AI-usage traffic and data leakage/policy violations on the traffic path can feed improvements in detection and control.
• Limited network effects: Not a social-network-style dynamic, but one where deeper standardization within a customer makes incremental rollout easier and churn harder.

Durability is most likely to be tested when integrated platform competition intensifies and evaluation criteria shift toward “procurement/operations simplicity” and “bundling.” In those environments, a company can lose despite feature advantages, which is why the moat ultimately concentrates around “operational quality and depth of deployment.”

19. Structural positioning in the AI era: tailwind or headwind

ZS is positioned to visualize and control on the traffic path the rise in “AI application usage” and “data exfiltration/misdirection risk” across enterprise IT. Structurally, that makes it more likely to benefit from rising demand than to be a “victim” of AI adoption.

That said, AI-driven tools for automated vulnerability discovery and remediation could compress value in parts of the security stack. The key question is whether ZS’s advantage remains rooted in “enforcement as a traffic checkpoint” and “operational integration.” AI substitution risk is framed as moderate: even if some functions are substituted, “forced control on the path” is less likely to be displaced.

20. Quiet structural risks: what can crack first even when things look strong

This is not a claim that anything is “bad right now,” but rather a checklist of areas that often show stress first when the story starts to wobble.

• Skew in customer dependence (potentially visible in deal size): While single-customer dependence is not extreme, enterprise sales cycles scrutinize large deals, and even a shift toward more phased deployments can soften reported growth.
• Rapid shifts in the competitive environment (integrated bundling offensives): When “we want to consolidate via integration” matters more than price, procurement simplicity can win. If competitors offer “similar functionality + a broader bundle,” the winning formula can change.
• Loss of differentiation (commoditization of the concept): As the concept becomes mainstream, differentiation shifts to operations (incident rates, visibility, fit with existing environments, global experience). If the edge narrows here, renewals and expansions can slow.
• Supply chain dependence: Cloud delivery has fewer physical constraints, but as “boxes that simplify on-site deployment” increase, procurement and inventory issues can surface (this does not assert that major issues have materialized at present).
• Deterioration in organizational culture (declining execution): Enterprise-wide rollout depends on execution across proposal, design, deployment, and customer success. Management turnover and frontline fatigue during a growth phase can matter.
• Deterioration in profitability (margins): Operating margin is improving and FCF margin is high, but continued cloud infrastructure expansion and rising personnel costs could shift the profile toward “revenue grows but profitability doesn’t.”
• Financial burden (interest coverage) and capital structure: Liquidity is strong and net-cash leaning, but interest coverage screens weak due to immature accounting profits. Convertible-bond funding can introduce future dilution and capital-structure complexity (this does not indicate funding stress at present).
• Industry structure change: As competitors prepare for IPOs or large players expand functionality, customers can swing between “best-of-breed” and “integration,” making the winning formula harder to keep stable.

21. Management and culture: consistent vision, with execution as the real test

Founder and CEO Jay Chaudhry has maintained a consistent vision: shifting from box (perimeter)-centric security to cloud-centric security, and making zero trust not a point solution but an enterprise-wide standard. More recently, the company has repeatedly emphasized AI security and data security as pillars on that foundation, aiming to win through platform expansion.

Notably, ZS treats “making it work without incidents (availability and observability)” as a product and execution challenge—not just an ideal—which aligns with the competitive reality of balancing “inspection strength” with “experience quality.”

Generalized patterns that tend to appear in employee reviews (no assertions)

• As a growth company, friction can readily emerge in balancing growth investment, new domains, and cost discipline
• Because the product is mission-critical, workload can concentrate in customer-facing and operations teams
• At the same time, there tends to remain a cohort attracted by mission alignment and technical challenge

Governance/organizational observation points

• Leadership refresh oriented toward scaling is observable, including a CFO transition (June 2025)
• Disclosures such as a CTO departure suggest that changes in key roles can affect continuity of execution and warrant monitoring

22. Understanding via a KPI tree: the causal structure that drives enterprise value

Using a Lynch-style “business mechanism before the numbers” lens, ZS’s cause-and-effect becomes clearer when organized like this.

Ultimate outcomes

• Long-term revenue growth (compounds as deployment scope expands as an enterprise standard)
• Expansion of FCF generation (fuel for continuous improvement and competitive durability)
• Improvement in profitability (including narrowing losses)
• Improvement in capital efficiency (whether ROE and similar metrics improve)
• Strengthening of durability (harder-to-churn) via within-customer standardization

Intermediate KPIs (value drivers)

• Contract expansion within existing customers (partial deployment → enterprise standard)
• New customer acquisition (zero-trust migration, VPN replacement, cloud migration)
• Expansion of product mix (connectivity protection → data protection → AI usage governance)
• Increase in user counts and covered scope (employees, departments, sites, cloud)
• Operational quality (latency, stability, reachability)
• Degree of centralized policy operations (whether exception management is proliferating)
• Operational scale of cloud infrastructure (delivery cost structure)
• Balance between growth investment and efficiency

Constraints (frictions)

• Experience-quality risk associated with inspection and detour structures
• Difficulty of migration and operations (rebuilding connectivity design)
• Increasing complexity of license/module structures
• Shifts in the basis of comparison due to integrated platform competition (bundling, outsourced operations)
• Pressure on profitability from cloud infrastructure investment and rising personnel costs
• Metric-level weakness stemming from immature accounting profits
• Variability in execution as the organization scales

Bottleneck hypotheses (investor monitoring points)

• Whether experience quality is becoming a brake on enterprise-wide rollout (latency, reachability, app compatibility)
• Whether migration from partial deployment to an enterprise standard is progressing
• Whether data protection and AI usage governance are becoming embedded as operations rather than “add-on features”
• Whether the basis of comparison is shifting unfavorably amid integrated platform competition
• Whether exceptions are proliferating even as policy integration progresses
• Whether the balance between growth investment and efficiency is breaking down
• Whether continuity of organizational culture and execution structure is being maintained (changes in key roles, frontline fatigue)

23. Two-minute Drill (the investment thesis skeleton in 2 minutes)

The key to understanding ZS as a long-term investment is a model that, “by controlling the pathways of enterprise communications, turns security from an afterthought into ‘traffic rules.’” In a subscription model, the more ZS expands from partial deployments to an enterprise standard, the more incremental rollouts and switching costs can compound. But the outcome hinges less on ideology and more on whether the company can keep eliminating experience issues and deployment friction while competing against integrated platforms.

• Long-term type: Fast Grower-leaning with strong revenue (past 5-year CAGR +44.0%) and FCF (past 5-year CAGR +92.5%), but EPS and ROE are immature and PER/PEG are difficult to establish.
• Short-term type continuity: Growth continues even in TTM with revenue +23.9% and FCF +25.8%, but below the long-term average, creating a “deceleration” appearance.
• Financials: Liquidity is strong and net-cash leaning (Net Debt/EBITDA -15.8x (FY)), but interest-coverage metrics screen weak due to immature accounting profits (interest coverage -0.92 (FY)).
• AI era: A tailwind is likely as increased AI usage expands “communications and data that must be governed,” but there is also pressure from AI commoditizing parts of security; the focal point is whether the source of advantage remains in “on-path enforcement” and “operational integration.”