Investment Gems

Inside Zscaler’s Zero Trust Revolution: How It’s Quietly Replacing Firewalls Worldwide

Published by

Pepe Maltese

on

Inside Zscaler’s Zero Trust Revolution: How It’s Quietly Replacing Firewalls Worldwide

Zscaler is Leading a Multi-Year Infrastructure Replacement Cycle

For a long time, corporate security was built around firewalls, VPNs, MPLS networks, SD-WAN appliances, and branch routers. These systems are expensive to keep up—between hardware maintenance, software licenses, and constant upgrades—and they create headaches for remote and cloud-based users by slowing things down. Worse yet, they leave companies vulnerable to lateral attacks, where once an intruder gets in, they can easily move around the network. Now that so much work and data live in the cloud, businesses are starting to ask: why keep investing in a clunky, exposed, and costly security setup?

This is where Zscaler (ZS) steps in. Its Zero Trust Branch and Zero Trust Cloud solutions let companies toss out firewalls, routers, and SD-WAN devices at their branch offices. Instead, everything flows through the cloud-based Zscaler Zero Trust Exchange, which means no network is directly exposed and attackers can’t move sideways through systems. The result? Branch offices effectively “go dark” online, making them nearly invisible and dramatically reducing the chances of a breach. Unlike others who simply shift old firewall functions into the cloud, Zscaler has reimagined the entire architecture—cutting out network exposure entirely.

Early Indicators For Zscaler Thesis Playing Out

There are early signs this approach is catching on. More than 130 customers have already rolled out Zero Trust Branch, and interestingly, 57% of them are brand-new to Zscaler, not just upsells. The company is pushing hard to triple adoption of its Zero Trust solutions across all areas within the next year and a half.

From an investment perspective, the opportunity here is massive. As companies rip and replace old hardware like firewalls, SD-WANs, and branch routers, it could free up around $20–30 billion in security spending over the next three to five years. Zscaler, having gotten out ahead of this shift, looks better positioned than anyone else to grab a large piece of that pie. Every Zero Trust deal Zscaler lands doesn’t just add a customer—it locks in long-term revenue streams that could stretch five to ten years into the future.

Financials: Solid Revenue Growth with Increasing Scale

We can already see the impact of the investment thesis on the top and bottom lines. In Q2 (fiscal 2025), the company recorded revenues of $648 million, a 23% jump from the same time last year. Its Annual Recurring Revenue (ARR) crossed $2.7 billion, also up 23% year-over-year, on par with guidance.

Billings, a good signal for future revenue, rose 18% to $743 million, while unscheduled billings—new deals, upsells, and renewals—grew even faster at over 25%, a strong indicator that underlying demand remains healthy.

Management stuck to their full-year guidance, targeting revenue between $2.64 billion and $2.654 billion (about 22% growth).

Operating margin in Q2 FY25 hit roughly 22%, expanding by 200 basis points compared to a year ago. Gross margin stayed strong at 80.4%, just a hair below last year’s 80.8%. Free cash flow (FCF) margin reached a record 22%, even after factoring in data center capital spending equal to about 2% of revenue.

Source: Author’s Summary

Looking ahead, management expects the FCF margin to climb to between 24.5% and 25% for the full year, helped by better collections and billing efficiencies. With $2.9 billion in cash and investments on the balance sheet, Zscaler has plenty of financial firepower to fund growth and maybe even make some small strategic acquisitions. The big picture: Zscaler is starting to look like a mature SaaS company, comfortably operating above the “Rule of 45″—a key benchmark that combines revenue growth and free cash flow margin to gauge SaaS health.

Looking at the broader financial picture, management’s full-year 2025 outlook shows confidence in several areas: improving sales productivity, rising demand for new products like Zero Trust Branch and AI Analytics, and strong enterprise interest in modernizing security and AI protection strategies. Long-term, Zscaler sees itself operating at high-20s to low-30s operating margins once newer product lines mature and margins normalize, with revenue growth expected to hold steady in the 20%-plus range. The addressable market opportunity is massive too, expected to grow from around $72 billion today to about $100 billion.

Zscaler’s Valuation: Key Competitors and Adjacent Players

When thinking about the right peer group for Zscaler (NASDAQ: ZS), it makes sense to look at companies operating in nearby corners of cloud security, Zero Trust, SaaS infrastructure, and broader cybersecurity platforms. The most relevant peers share a few key traits: they run cloud-native architectures, generate recurring revenue through SaaS or subscription models, cater to enterprise-scale customers, and aim for platform breadth rather than offering just point solutions.

Here’s how Zscaler’s competitive landscape breaks down into three buckets: core strategic peers, adjacent SaaS security players. For the direct competitors, we will use Palo Alto Networks, Cloudflare and Fortinet. For the adjacent SaaS we will use Crowdstrike, Snowflake and ServiceNow.

Right now, Zscaler trades at about 14.14x forward sales — a lot cheaper than Cloudflare (around 25x), CrowdStrike (27x), or even ServiceNow (17x). It’s sitting pretty close to Fortinet’s multiple (13.5x) and well below the highs it used to command, back when it traded between 20x and 25x forward sales.

What this really means: investors have pulled back a bit in terms of expectations, but ZS is still priced in line with some of the biggest players, even though it’s growing faster than names like Fortinet. If Zscaler can keep putting up 20%+ revenue growth while expanding margins — boosted by Zero Trust Branch and AI analytics — there’s a clear path for its valuation to move higher.

Price-to-Free Cash Flow (P/FCF) looks high — but not crazy. At 49.3x P/FCF, Zscaler is definitely at a premium — but it’s not unreasonable compared to peers. It’s a bit higher than Fortinet (42.8x) and Palo Alto Networks (45.2x), but well below CrowdStrike’s (100.4x) and way below Cloudflare’s (250.4x).

Stack it up against broader software names like ServiceNow (54x) or Snowflake (60x), and ZS actually looks right in line — especially when you consider its free cash flow margins, which are holding strong between 22–25%.

Bottom line: the market is willing to pay up for Zscaler’s durable, high-margin recurring revenue model, but there’s still more room to run if new products catch fire. If Zscaler can close some of the product breadth and scale gaps between itself and bigger players like Palo Alto Networks and CrowdStrike — particularly around AI operations and full-platform capabilities — there’s a realistic case for a higher multiple.

Zscaler Main Investment Risks: Key Factors to Monitor in 2025

1. Go-to-Market (GTM) Execution Risk

Zscaler’s future growth isn’t just about selling what it already has — it’s about expanding its Zero Trust platform, driving large-scale branch refresh projects, and building momentum in AI-driven security. To get there, it needs to keep ramping up sales productivity, both through its direct teams and its global systems integrator (GSI) partners.

If reps struggle to position new offerings like Zero Trust Branch or Cloud Protection — or if productivity gains start to flatten — sales velocity could slow down.

What to keep an eye on:

  • Slower growth in the $1M+ ARR customer cohort
  • Net new customer additions flattening or declining net retention rates (NRR)
  • Rising sales and marketing spend without a matching boost in annual contract value (ACV)

2. Tougher Competition from Big Security Platforms

Zscaler’s competitive landscape is getting a lot fiercer. Full-suite players like Palo Alto Networks (with Prisma SASE and AI Copilot), CrowdStrike (Falcon Cloud Security and Identity Protection), Fortinet, and Cisco are increasingly crossing into Zscaler’s turf.

These incumbents can lean on long-standing relationships, offer aggressive bundling and discounts, and complicate Zscaler’s ability to land “rip-and-replace” deals, especially for firewall and SD-WAN refreshes.

What to watch for:

  • Pricing pressure or a dip in gross margins
  • Higher churn in core ZIA/ZPA products
  • Falling win rates or shrinking deal pipelines against big competitors like PANW and FTNT

3. Macro and Budgetary Pressures

Even though cybersecurity spending tends to be more resilient than other IT categories, today’s CFOs are scrutinizing every dollar. They want to see clear ROI, they’re consolidating budgets, and many are delaying big initiatives — including cloud refreshes and AI-driven upgrades.

Zscaler’s push into bigger, transformational projects like Zero Trust Branch and AI analytics could be delayed or scaled back if the economy worsens, interest rates stay high, or geopolitical risks flare up.

Key indicators:

  • Billings growth slowing relative to revenue
  • Longer sales cycles
  • Management sounding cautious about deal pipelines or conversion rates

4. Valuation Compression Risk

Even after the broader tech pullback, Zscaler is still priced for high expectations — trading around 14x P/S and 49x P/FCF. That valuation assumes ZS can keep delivering 20%+ revenue growth and 25%+ free cash flow margins.

If growth stumbles — whether from execution, tougher competition, or macro headwinds — the stock could suffer a multiple compression, especially if interest rates rise or markets turn more risk-averse.

Warning signs to monitor:

  • Any misses or pullbacks in forward guidance
  • Broader sector rerating (think about the volatility we’ve seen with NET)
  • Significant declines in “Rule of 40” performance (growth rate plus FCF margin)

Disclaimer: This text expresses the views of the author as of the date indicated and such views are subject to change without notice. The author has no duty or obligation to update the information contained herein. Further, wherever there is the potential for profit there is also the possibility of loss. Additionally, the present article is being made available for educational purposes only and should not be used for any other purpose. The information contained herein does not constitute and should not be construed as an offering of advisory services or an offer to sell or solicitation to buy any securities or related financial instruments in any jurisdiction. Some information and data contained herein concerning economic trends and performance is based on or derived from information provided by independent third-party sources. The author trusts that the sources from which such information has been obtained are reliable; however, it cannot guarantee the accuracy of such information and has not independently verified the accuracy or completeness of such information or the assumptions on which such information is based.

Leave a comment

Hi Fren,

Pepe Maltese

I used to trade inside the machine. Now I just raid it.

I publish two high-conviction setups daily — one momentum, one turnaround — filtered through tape structure, volume shifts, and misaligned narratives.

Some of these turn into full trades. A few evolve into deeper stories. The rest get cut.

This isn’t education. This is intelligence.

I don’t run ads. I don’t sell dreams. I track price, watch structure, and call bullshit when the story breaks.

Follow the setups. Fade the noise. Stick it to the man.

Let’s connect

Join!

Stay updated with our latest ideas by joining our newsletter.

Recent posts