So I'm happy to host today for keynote, Jay Chaudhry we -- here we go. [indiscernible] you should learn from her also. So as I start with all our companies, I kind of discuss what investors are asking us about, just to set the framework for the discussion, I'll do it very quick. SASE remains an extremely hot space with very fast growth for most companies. There are new entrants, though. And the question is 2 things. Number one, how do you respond to new entrants to the market? Is it -- is there a risk of commoditization? Second thing, which is more important, is how do you grow beyond your kind of historical market of ZIA, ZPA?
What are the new areas you're going after? We started to see, first of all, orders, bookings are accelerating. Growth is accelerating. We started to see growth outside of the ZIA, ZPA. And these are all the things I'm going to discuss. It's basically the risks and opportunities in the core business of Zscaler. So with that, I'll pass it on to Jay first because I know you want to go over a few things, and then we'll start our Q&A.
Great. Charles, thank you for the opportunity. Sometimes it's a little easier to visually see a few things. I'm not going to spend a lot of time on slides, but visually, you can kind of understand what kind of stuff can be done. Safe harbor, I'm sure you know it all. So I don't need to talk much about safe harbor. So as we started in this market, in general, the market is moving at a much faster pace, whether it's adoption of cloud, AI, security, there's no such thing as what you built 5, 7 years ago, you'll compete on the same thing. Things are moving faster, companies who can keep on innovating, handling the next level of issues, they do better. Zero Trust used to be the case, now it's Zero Trust everywhere. We'll talk more about that. Data security has become bigger and bigger and more and more complex issue, especially with AI. And what we call agentic operations, it's using AI to take advantage of disrupting security operations, even IT operations. Those are new 3 big areas of opportunities that we are driving. And I think we shared at the earnings call that these new areas are about $1 billion in ARR for us now.
This is how we look at the world moving. Zero Trust, sometimes they get coined as SASE. I personally think SASE is a misleading stuff. SASE is a collection that can allow any vendor to claim anything because they can be part of it. The more they can claim, the more research reports Gartner can sell, right? So from vendors, you hear SASE, from customers, you hear Zero Trust. That's really what happens out there. But it is about Zero Trust Exchange communication from any entity to any entity. I'm showing 3, 4 entities at the bottom. It used to be users. Now cloud workloads are important entities. IoT/OT is becoming bigger and bigger. Now AI agents need to communicate securely.
That becomes a big thing as well. And it used to be -- they needed to access SaaS, Internet cloud, now AI applications, LLM models, securing access becoming important. We have been moving pretty nicely at a great speed using our core competency, Zero Trust Exchange to deliver these solutions. So when competition says, I'm trying to do what Zscaler does, they're basically saying, I can try to solve the user problem, okay? There are 3 more entities we need to deal with, and that's what we're done. In order to do that, our Zero Trust Exchange has expanded. It used to be for Internet and private. We recently announced a B2B collaboration exchange where customer suppliers can all engage in a Zero Trust fashion.
And nobody else will talk about that because they aren't even thinking of it. And being able to have secure access to AI application, LLM models, we expanded our exchange to be able to handle that as well. So you're seeing Zero Trust everywhere for users, workloads, device in the branches and AI agents. AI agents are somewhat like users. We are the best party to be able to provide secure access to AI agents. Data security is becoming bigger and bigger. Customers do not want 5 vendors to do AI data security for them. Policy, it's hard. Data protection policies can be very complex. Doing it with one vendor is hard enough. Trying to do 3 vendors becomes almost impossible. So we are in a position where we are central because we sit in the data path to do DLP. Then the customer starts expanding other areas with Zscaler as well.
So this new area. For the last 15 years, we have had one North Star exchange, the switchboard, who talks to who, they must talk through us. That's the left side. On the right side is -- for the first time, we are expanding in a new area. We're calling Agentic operations. This is taking all the logs and everything and disrupting security operations area and the IT operations area. This is a combination of our internal data, which is our core competency, our security research team that does amazing research, combined with Avalor acquisition from last year to give us a data fabric -- plus Red Canary acquisition we announced to be done. This puts us in a very good position with very disruptive technologies. That's what we like to do. So without going to detail, we'll have 2 main areas under that, exposure management and threat management. I'll hold the detail later.
Red Canary, sometimes people are confused the thing it's an MDR company, must be doing some managed service. Zscaler is fundamentally a technology company. We acquired them because they had some great agentic AI technology with lots of expertise in threat -- research response. They understand the SOC function very well. So they will accelerate our essentially ability to get to the most comprehensive solution by a significant amount of time. So it is getting to market faster is what drove this decision for us. And I can skip through some of that stuff.
So with that, let's jump into Q&A.
Excellent. I have a question on each and every slide here. I want to start from the bigger picture. When your customers call you 5 years ago, it was I have a branch. I don't want to have solutions in the branch. I don't want to have appliances. Give me a service to eliminate it. How is the discussion today? How do we migrate? How customers migrated from a connectivity and security problem to a more holistic Zero Trust problem. Are you still getting phone calls to say, I need a SASE solution or that the discussion is at a different level today?
Yes. Very different level. Five years ago, the discussion with Zscaler used to be, oh, I want ZIA or ZPA or ZDX was brand new at that time. And that discussion shifted was those are certain areas. I want to have Zero Trust access for users no matter where they go and understand their performance. So that's where it evolved from ZIA, ZPA, ZDX to Zero Trust users. And at that time, 5 years ago, the branch discussion was my NPL cost is low. I need local Internet breakout, but I also need SD-WAN at that time. So SD-WANs have evolved and grown.
They have complemented us. But the customers basically were still worried about SD-WAN enabling lateral threat movement because the networks are mesh networks. The job of the network is -- the design feature is once you get on the network, you go anywhere. It's like once some of the highway, highway is supposed to let me go without hitting any lights. That's what networks do. And now malware exploits it. Malware does the same thing. So that's where the next big notion became, even in the branch, you shouldn't be on the network. So we started coming up with the notion of Zero Trust branch, where branch is like an island. It's like just like your home.
You got a broadband connection, things work, you don't need SD-WAN, no route tables, this stuff. We have been advocating that message for the last 2, 3 years. And early on, we gave them a piece of software to do that. They said, I don't want a piece of software to put on something. I want you to be accountable. I want one party to call if I issue in the branch. So we moved, we listen to the customers. We offer today a plug-and-play appliance that reduces the need for any box in the branch other than essentially a switch. So this is the very exciting part.
Now Zero Trust branch is one of the very, very sought-after solution. What made it even more compelling was the acquisition of a company, Airgap networking we did. Airgap creates Zero Trust inside the branch. What does that mean? In a branch office, take any of your offices. You say you've got 100 people sitting out there. You're connect to the network. Everyone can talk to everything. Your infected PC can infect me.
Then they're trying to deploy one more piece of software called network access control. They start doing virtual LANs and all creates overhead. Airgap could do all of that without having to go through complexities. So North-South access to the Internet plus inside Zero Trust device segmentation has created tons of demand for us. Our customers understand that the future is not about firewalls and SD-WANs, future of Zero Trust. So now our journey starts, you have done Zero Trust for users. Now let's do Zero Trust for branches and Zero Trust for workloads.
Don't you need to complete your vision, don't you need a position in endpoint, meaning to have a true cloud-based endpoint solution.
You mean to do EDR?
EDR. And EDR today is not just EDR, XDR, EDR today is a lot more -- look at CrowdStrike, how many modules they have, 30 modules. It goes well beyond EDR, but a position -- the question is whether you need a position in endpoints.
So we have our agent deployed on every endpoint. There's about 55 million of them on PCs, another 20 million on mobile devices out there. Now if someone thinks that you should put 10 things on the endpoint, they are moving in the wrong direction. When you got millions of things out there, you want them to be lightest, not put too many things. More things on the endpoint means more configuration, more changes, more updates. Endpoint should be lightest, cloud should have most of the stuff out there. So our agent does some of the core stuff. We are able to replace 4 or 5 agents that are needed out there. Now CrowdStrike, fundamentally, it's an EDR, okay? Now sure they can try to do DLP on it. But we do what needs to be done on the endpoint, performance management, I need to check on the endpoint, DLP on the endpoint, replacing VPN on the endpoint. We do everything on the endpoint other than the core EDR functionality.
The question, you're extremely disruptive, meaning companies need to change the way they work. They have firewalls, they have EDRs, they have endpoint protection. The tries, there is some overlap between what the endpoint, if they have SentinelOne or CrowdStrike, there is some overlap between what you're trying to do. The question is whether your disruption is not an inhibitor instead of being a promoter, meaning you go to traditional banks or -- and they tell you, we cannot change the way we operate. So what is your view, for example, on the -- I'll take it to another level. What's your view, for example, on the need to have a firewall inside the company and to provide also the traditional methods of companies working in addition to your disruptive way.
Right. So first of all, yes, our technology, you can call it disruptive, but it's not technology for the sake of technology. We are driven by 3 biggest benefits customers want. One, cyber on top of mind. Two, if I talk to the CEO, he wants for business agility. I want to open a new office in 2 days in Kuala Lumpur than 2 months the way it's done traditionally. They want things to happen at a faster pace. And three is cost and complexity. There's a lot of pressure on it. We are able to go in all the 3 things. Now our sales involve dealing with senior level management. If I go to a person who is managing firewalls or Blue Coat boxes, then I'm going to say, come on, replace me, okay? So it's -- that needs to be done for us. The second part is we are driven to achieve those goals.
Every CIO has pressure on cost. If they didn't have cost pressure, they could say, I'm going to keep on living with old technology. When I go in and say, if you are spending $100 million on your networking and your security ecosystem, what if I can cut it down to 50? We are actually able to do that and brought it down to $30 million. There are many, many large customers we have brought down the cost by 50%, 60%, 70%. If we can -- and we don't have to eliminate everything on day 1. It takes a little bit time and IT. So quarter-by-quarter, we're able to show them what we can take out, what we can save. Simplification is important. Complexity is the enemy of security. Complexity is the enemy of resilience and every enterprise needs both.
That's why I'm bracing us. Now are there some number of customers who are late adopters? Yes. Those are the ones we are out there. It used to be that early adopters will embrace Zscaler. Now with over 45% of Fortune 500 company embracing us, we are mainstream. In fact, I mean, there's so many leaders, CXOs who are buying Zscaler at the second time in the second company, third time, it's very exciting. So we can coexist. It's not like either Zscaler or something else. It's just a matter of time. In Phase 1, we'll take out this Phase 2, Phase 3 and so on and so forth. So if you look at our phases, now Zero Trust users is generally Phase 1. Branch becomes Phase 2, workloads become Phase 3 and so on and so forth.
How much of a risk you see from newcomers to classic SASE, meaning they don't have your entire vision and portfolio, but they provide ZIA, ZPA kind of competition.
It's kind of competition, but not really. If you look at the expanded people, they talk about more SASE vendors. I mean, one of them started 6 years ago to say, I can replace Zscaler. The other remaining firewall companies came along and say, I need to do that, too. I can do that, too. But good thing for us is they're taking the firewall technology, spinning up a virtual machine in the cloud and calling it SASE. It really doesn't -- that's not zero trust. They make -- that's why the message is generally not zero trust, Zero Trust. The message SASE, SASE, SASE out there. And SASE is not zero trust. They're trying to confuse the customer because they want to stay relevant. They don't want to get displaced.
Our job is to show the customer the benefits. And the technology is so compelling, works so well that customers are so proud of it. I just came from our annual user conference in Vegas, and [indiscernible]. I mean, so many customers getting on stage, talking about the transformation they've done for business. Our customers don't stand up there and say, "Hey, I got this rules versus that rules" -- they're all driven by big business benefits. I had a customer on stage, maybe I don't need to name it publicly, who was brought in to run this company of 150,000 employees, okay? As a CISO, that happened because this company had 2 breaches within 1 year, okay? He came in, he partnered with us, rolled us out literally in the first 3 months, ZIA, a couple of more on ZPA and ZDX and all. After 18 months, he got promoted to become the CIO, okay? A lot of these people are seeing the opportunity to help the company and help themselves, too. It doesn't happen very often in this space.
I understand the vision. I shared the vision also, but the price difference is big, meaning if a customer only wants to have SASE, let's go to the extreme. The published price of Microsoft Entra is a fraction of your price, right? You need to have E5, you need to have other things, Active Directory, but what they publish is a fraction of your price. How do you -- and I don't know what is the price of Cisco or Check Point, but I know that Fortinet, if you use their cloud, the price is 1/3 of your price. So how do you avoid the issue of price erosion because still the majority of your revenues are ZIA, ZPA.
Right. So first of all, you can look at price or you can look at ROI and the value delivered, okay? We have a pretty good brand where almost every CIO CISO I talk to, they say, yes, your solution is the best. I want to make sure I can get a reasonable price. The question gets asked. And my answer to them is, great, I want to show you how much money you can save. So from an ROI point of view, I can do a better job. A firewall company could go to a CIO and says, and it happens from time to time. Oh, you're spending $4 million on Zscaler. You're spending $20 million on firewalls.
Why don't I do this? I give you more firewalls and for $25 million or $30 million, I give you all, all you can eat, ELA, okay? And what do we say? Customer, you're spending $20 million on firewalls, that is becoming my mainframes. That's a liability. I can bring it down to $7 million and you give me $5 million, $7 million plus $5 million or $12 million. What will you do? Would you move to a modern platform and Zero Trust and $12 million? Or would you pay $30 million or $25 million? The math becomes very clear. We -- it's rare for us to lose a deal on price. The only time I will lose a deal on price is when my salesperson is engaged at some entry-level stuff hasn't really done proper engagement.
Got it. Yes. If I look at your revenues today, the composition is the majority is still ZIA, ZPA, ZDX. How long does it take for the other new products you highlighted here to dominate numbers, meaning to grow and be meaningful in the numbers?
Right. So first of all, even ZIA, ZPA, whatever they bought, we have an opportunity to take it actually 4x, 5x on the customer base, the number of modules we added is growing exponentially in that space. We announced a number of new products at Zenith Live. So we are not kind of -- don't underestimate what the core user base stuff does. And then data protection itself is growing very rapidly. We have said over 40% growth we have talked about for that. Our branch, the amount of interest in our Zero Trust branch is through the roof. It's very, very exciting. I have been talking about SD-WAN being transitional technology. It takes some time to evangelize.
We have done that. The market is ready to embrace that kind of stuff. Cloud is for workloads, very exciting. We started that journey. It took some time to evangelize because I never thought about doing Zero Trust with workloads. In the first couple of years, the deals we got from customers, they were intrigued. They said, I want to start small and get comfortable with it. Now we're beginning to do bigger deals. I think it's -- if you look at 5 years ago, 4 years ago, investors will ask, you're a ZIA company. Can you go cross-platform? Will ZPA become real? Will ZDX become real? My answer used to be, I believe that it's a matter of time that every customer will have ZIA, ZPA, ZDX for all users. We are there every new deal, I shouldn't say every because deals change.
The largest number of deals we do today, new deals are all 3 things together. Our upsell essentially takes you from -- if you're doing ZIA takes you do Zscaler users. I can tell you sitting here today, it's a matter of time, every customer with using Zscaler for users will become branch and cloud workload user as well because the story is so compelling. It's so simple, it's so logical. So we are very bullish. And then the totally new upside is security operations.
You and I spoke after you reported the results, and I asked you a question, and I'll ask it again. The story of Zscaler is expansion. You're expanding into many new areas. And -- but your NRR was flat, slightly down, let's say, flat quarter-over-quarter. What is the right way to measure your success when it comes to upsell and cross-sell?
Yes, it's a good question. We look at new business coming in as new logo and upsell. That's the #1 thing we track. We do share with you guys, too. We don't like NRR because it doesn't represent what we want to do. If I were a company sales there, new customer upsell, I start with selling 50 users for application developers, then I go to 100, I go to 150, that type of stuff, then my NRR will be very good. I want to start -- I want to sell every user. ZI always start with everyone. All users want to be sold upfront. And the customers are buying bigger and bigger platform upfront because we show cost savings of that. So the bigger the platform I sell upfront, lower my NRR. And if I can upsell within 4 quarters, it doesn't get picked up in NRR. So those 2 things kind of misrepresent NRR.
I talked to my CFO a few times, why don't we stop talking about NRR, okay? The answer was, well, many times people look for it. It's kind of one of those things. I wish we don't even spend time on it, upsell versus new logo is the way to answer. We also tell you new logos. Our new logo ACV went up 40% last quarter year-over-year, pretty remarkable. As the base grows bigger and bigger, we are getting more and more upsell. Think of this way, this last quarter, combination of business that we got new ACV, slightly over 70% was upsell, okay? We are getting a lot of upsell. In fact, right now, I'm thinking upsell is easier. I want to do some really programs to push for new logos as well because generally, we are kind of left. It's okay, you bring ACV from new versus upsell. Both are big opportunities for us. And I see opportunity in both areas.
Yes. I want to ask about products to ask about data and AI, but I want to cover first a few things on the business and then go back to the product as time permits. You made changes, enhancements of your sales organization last year. Give us an update on sales efficiency and productivity and where things are today.
Yes, went through a fairly significant change. In life, in everything in business or technology, you tweak things, you incrementally improve things all the time. When every year, you need to do some step function bigger changes. Otherwise, things don't evolve. You see that in technology, in business too. The way you run business, $200 million business with go-to-market is very different than you run a $2 billion business. When we went public, we're sitting at whatever, $200 million, $300 million ARR. At that time, I knew I had to make a change in the go-to-market organization because it was not quite kind of structured and methodical soon after IPO, I brought in a new CRO.
That journey started, took us to $2 billion. I could see the changes were needed. Our team was pretty opportunistic, transactional because they would -- the world was wide open. Let's try this customer, this customer, this customer, which is great. Then large customers start to say, I need account-focused people who work with me, stay with me, understand it. So we made the move. That's when we brought the best CRO we could find out there, the gentleman who ran ServiceNow's all Americas business, about 70% of revenue. He moved on a journey to go through transition. We needed to bring leaders who were account focused, next sales reps on the process methodology and all. The transition is complete. We've done a great job. Sales productivity is up. We went through a bunch of attrition in the early stage. That's expected. It's gotten better. So we are excited and looking forward to a great fiscal '26.
And another thing that happened last quarter was your unscheduled billing was scheduled is schedule, according to schedule. But the unscheduled grew very nicely. It grew 28%. The quarter before it was 20%. So we see acceleration. What is driving this acceleration in unscheduled billings?
I mean -- so if you look at unscheduled billings.
Maybe to explain what it is first just.
So in fact, going forward, we don't even want to talk about scheduled and unscheduled. We start talking about it because of historical reasons, there are some areas where our scheduled billings was low in the first half and second was very high. Rightfully, investors are saying, something is wrong. How are you going to go up to these big numbers. But -- so scheduled is already due to be paid by the customer by contract is nothing wrong. It gets billed and collected. Unscheduled comes from 2 areas. One is the renewal. It's unscheduled because renewal needs to be renewed. There's a condition involved.
Our renewal rates have been very, very high. For us, the renewal is kind of scheduled, okay? Because if I lose a customer, I screwed up somewhere, it shouldn't be happening, okay? And then the new business is the more unknown part of it. And that's where either we upsell or we get new customers. Our number -- if you look at it, our #1 job is to make sure customers are happy. Happy customer renew, that's good. But happy customers also buy more. Our upsell was pretty strong. And new logo was very strong as well, and that's what we measure. I think the #1 job of the sales team is make sure they're able to do both new ACV is good, and you're seeing the ARR we are talking about will start giving you indication of how well we are doing in growing the core ARR business. And we feel bullish about it.
Got it. I want to go back to products and talk about data. Relative -- I mean, it's not new, but it's relatively new activity for the company. Can you explain -- first, explain the problem before you explain the solution. What is the problem? Why is it such an important area for you? And what is the opportunity there?
Yes. People talk about network security is such a big market out there. It's actually a silly concept. Network security means I want to secure the network. What is about securing the network? The packets are flowing and the packets are encrypted, okay? It's an old school concept that said, if I control my network and my things hang on it, let me try to secure the network. It's like securing a building or a campus from outside, okay? Once you're in, you're in. It's not about network security. We don't do network security. Firewalls do network security. We secure the data. The only thing that matters is data security. So data is sitting at some places. So starting 15, 20 years ago, there was a notion called DLP, data loss prevention. Where does data loss happened to Internet.
If Zscaler is sitting as a gateway to the Internet with ZIA, we are the best party to make sure nothing good leaks to the Internet. Fundamentally, ZIA does 2 things. Nothing bad should come in, nothing good should leak out. Our customers started out with cyber protection, nothing bad should come in. That's what ZIA did first. It's easier to implement it. DLP takes a little bit more work. You need to classify what's confidential, what's not confidential. Once they do it, then we are setting the place to take care of that. A couple of companies have done a good job in this area historically. Symantec had a company called Vontu, McAfee had some offerings and WebSense Forcepoint had some offerings there.
We have been replacing those solutions and giving them in-line data protection. But Data is no longer sitting in your data center. A lot of data is sitting in SaaS application. So you build solution for that. A lot of data is sitting on the endpoint. We have to build endpoint solution for that. Now more and more data is sitting in the cloud. Maybe it's sitting in S3 bucket, maybe it's sitting in Snowflake, that needs to be secured as well. And now more and more data is sitting your AI models, large language models that can be stolen or query. So about 6, 7 years ago, when we met a number of CISOs, they said, we are finding it so hard to DLP on just the data center. Imagine trying to work with 5 vendors to do all the 5 solutions, you guys should invest.
So we invested. We're doing classification of data and one set of policy that can secure data at any of the channel at any of the source. That's what's driving our growth. That sets us apart. No firewall company will come close to it because to really do inspection in line, you need to be a proxy. Firewalls are not proxy. Proxy says, here's our attachment. I'm going to open it. I'm going to do XYZ with it, and then I'll connect. Firewalls don't work that way. So we are in a pretty good position. We had announced at the end of last quarter or Q2 that we had exceeded about $350 million ARR in data security. We'll give you numbers at the end of this quarter as well, but we see it as a big opportunity.
So we built a solution not to go to market. We have created a special takeoff team for data protection. It needs a bit specialization. So they leverage our broad general sales team combined with these specialists to drive sales and customers are very happy with the results. And then AI/ML is further fueling the growth, further fueling the need for it.
Is data protection a single product, meaning many, many features, et cetera, but it's a single product or customers also have a menu they can choose from? How does it work?
Yes, there are hundreds of features. They are packaged in 8 modules. And customers can pick 3 or 5 or 8 to start with. They can pick and choose. In fact, some of these things took us to create something we call Z-Flex, flexible pricing. In the past, they would say, these 8 modules, I like them, but I can only afford 4. And they had to pick 4. Then they say, I really would rather my priority has changed. I want this. So Z-Flex allows you to do 3 things. One, you can pick 8 or 6 and say, but I won't use these for 1 year because I won't be able to get to it. I'm going to use these 4 for year 1 and these 3 in year 2.
That's kind of giving them flexibility to adopt with meaning with logical pricing. Number two, I want to be able to switch something. I bought A, I want to swap it with B. It allows you to give you the flexibility to swap. Number three, I may want 2 more. This pre-agreed upon pricing for adding more without going to negotiation and procurement. So it's a pretty nice model. Some of the questions we got from analysts and investors who kind of said, other vendors have different kind of flexible pricing. What I learned was they would say, we're going to do a $20 million deal during 4-year term, you know obligations. By the end of the fourth year, you must consume $20 million.
And as a CFO, how would I tell the Street what is going on? It's very hard. We don't want to go all the way there. We want to give you flexibility, but we also want customers' commitment, too. Anything that gets sold as a big blog never happens. If you really have plans and things to make it happen, things happen, and that's what we like.
And is data sold on its own, meaning you go to ZIA, ZPA, ZDX customers and you tell them, "Hey, I have -- this is an upsell. I have something." Or can you have a situation where the customer is only a customer for data protection. They're not even a customer for ZIA, ZPA. What's -- I understand maybe the theory, but what's the practice? What's happening in reality?
Overall data protection modules, you can have 3 or 4 greenfield no ZIA or ZPA needed. But in general, from what I said, all bad things come from the Internet, all good things leak to the Internet. ZIA is central to make sure nothing leaks to the Internet. So with a few exceptions, most of the customers who do data protection.
It's an upsell.
It's an upsell. Or many, many times, it is part of the initial bundle.
Great. So we only have 8 seconds left, and I'm not going to open the lines for Q&A, unfortunately, because we don't have time, but I want to tell you something. I've been doing it for 25, 27 years. I have questions in my pocket. I didn't use them because I knew that with you, I can just go with a conversation because it's going to flow. So thank you very much for your candor and openness.
Thank you. We appreciate it. Thank you for your trust and confidence in us. We'll keep on delighting our customers and winning more business.
Great. Thank you.