DruckFin

Zscaler Posts Record Margins and 25% ARR Growth, but Sales Leadership Exits and Decelerating Net New ARR Cloud the Outlook

Q3 Fiscal 2026 Earnings Call, May 26, 2026

Zscaler delivered what management characterized as a strong third quarter, with ARR growing 25% year-over-year to $3.5 billion and non-GAAP operating margin hitting an all-time high of 23%. Revenue of $850 million exceeded the top end of guidance, and year-to-date Rule of 55 performance — combining 26% revenue growth with a 29% free cash flow margin — underscores the operating leverage the company has been building. However, the quarter ended with an unwelcome disclosure: two sales leaders have departed, and management was deliberate enough about the disruption risk to embed a meaningful degree of conservatism into both Q4 guidance and an early fiscal 2027 outlook that implies a sharp deceleration in organic net new ARR growth.

The Sales Leadership Departure Is the Critical Variable

The most consequential piece of new information on this call was not the strong Q3 print but the announcement that two sales leaders from CRO Mike Rich's organization have left the company. Management was careful not to characterize these departures as voluntary or involuntary, and neither Jay Chaudhry nor CFO Kevin Rubin offered much in the way of operational detail. What they did offer was a meaningful downward revision to the tone of guidance. Chaudhry acknowledged that "there will be changes in leadership from time to time" and confirmed that an internal replacement has already been appointed for one of the roles, with the second hire described as being in late stages. The implicit acknowledgment is that for a business of Zscaler's complexity and deal size, sales team disruption at the leadership level can ripple through close rates and pipeline conversion in ways that are difficult to precisely quantify in real time.

When pressed by Deutsche Bank's Brad Zelnick on whether the pipeline was intact and the issue was simply a lower assumed close rate, Rubin confirmed the prudent approach without providing a counterfactual for what guidance would have been absent the transitions. That lack of specificity will likely frustrate investors trying to determine whether this is a one-quarter earnings management cushion or something more structurally concerning.

Fiscal 2027 Preliminary Outlook: Organic Deceleration Is Real

Rubin provided an unusually early preliminary view of fiscal 2027, guiding for total ARR and revenue growth of 16% to 17%. While he framed this as a deliberate effort to set expectations following the Red Canary acquisition and the shift to ARR as the primary growth metric, the math is sobering. The fiscal 2026 full-year guidance implies organic net new ARR growth — excluding Red Canary — of approximately 9.5%, and the 2027 framework implies roughly flat organic net new ARR on a year-over-year basis. Oppenheimer's Ittai Kidron pressed Rubin on whether the sales leadership departures were the only factor, and Rubin identified a second: the pace of uptake for the integrated SecOps solution being built around the Red Canary acquisition. "I don't know the pace of uptake amongst the existing customers for that," Rubin said plainly, adding that Red Canary's net new ARR is expected to grow at a slower rate than the overall business in fiscal 2027.

Rubin also acknowledged that new logo acquisition has been an underperforming area relative to internal expectations, though he was careful to reframe his earlier comments when Goldman Sachs's Gabriela Borges pushed back. "My expectations relative to the early look for next year took a tempered approach to how we thought about the contributions of new logos," he clarified, rather than suggesting the category itself was deteriorating. Zscaler currently serves approximately 4,500 enterprises out of a stated addressable base of 20,000, suggesting the whitespace is real but the go-to-market machinery to capture it requires investment. Chaudhry outlined four specific levers being activated: expanding sales coverage in the 2,000-to-10,000-seat segment, building VAR channel incentives specifically for new logo wins, leveraging GSI partnerships, and adding focus on major accounts. These are logical responses but will take time to show up in the numbers.

AI Protect Crosses $100 Million in Bookings; Zero Trust Branch ARR Triples

Beneath the guidance noise, several product metrics represent genuinely new information for investors. AI Protect, the company's solution for discovering AI assets, enforcing guardrails and conducting continuous red teaming — introduced in January — has now crossed $100 million in bookings over the trailing twelve months. Chaudhry described a seven-figure upsell at a Fortune 500 financial technology company where the product's ability to "inspect every prompt and response in real time to stop data leaks and attacks like prompt injection" and move customers "from a manual reactive effort to an automated proactive approach" was the central value proposition. The pipeline is described as robust and growing, and inbound interest has clearly accelerated in the wake of new frontier AI model capabilities.

Zero Trust Branch ARR has approximately tripled year-over-year, anchored in part by what Chaudhry described as the largest branch deal in Zscaler history — an eight-figure upsell with a leading healthcare system deploying across 2,000 sites at roughly half the cost of the displaced legacy solution. The company's count of Zero Trust Everywhere enterprises — customers purchasing all three pillars of Users, Branch and Cloud — grew from over 550 in Q2 to more than 700 in Q3, and this cohort represents the highest-value, most strategically entrenched customer segment in the portfolio. Data security also crossed $500 million ARR, up over 30% year-over-year, with consolidation dynamics driving meaningful upsell as sensitive data proliferates across multi-cloud environments.

Symmetry Systems Acquisition Targets Agentic Security — Technology Play, Not Revenue

Announced on May 21, the intended acquisition of Symmetry Systems introduces what Chaudhry described as a genuinely hard technical problem: mapping how identities, applications and data sources connect across an enterprise in real time. "Think of this way. In a large enterprise, all these identities — maybe users, workloads, maybe other machines — they access data sources that may be sitting out there somewhere. How do you know who is accessing what, when, where? Information sits in each application logs. Symmetry pulls that information and creates a very cool visual access graph." The technology is intended to be integrated into Zscaler's Zero Trust Exchange to enforce policy on AI agent interactions. Rubin confirmed this is a technology and talent acquisition — ARR is in the low single digits and financially immaterial. Investors should not expect near-term revenue contribution, but the strategic positioning around agentic security is directionally important given where the threat landscape is heading.

Frontier AI Models Are Compressing the Enterprise Security Window

Chaudhry spent considerable time on the macro threat backdrop, and his framing is worth understanding in detail. He cited Mythos, a new frontier AI model that can find software vulnerabilities at machine speed, as representing a structural shift in the attack surface problem. "Frontier models are multiplying unremediated vulnerabilities by as much as 10x and even more powerful models that are currently being developed will undoubtedly make it worse." The enterprise response, in his telling, cannot be a patching-only strategy because the backlog is accumulating faster than IT organizations can address it. Zscaler's architectural answer — hiding applications from the internet so they cannot be targeted, and eliminating lateral movement once an attacker does gain entry — is being positioned as the only durable response to this dynamic.

On the pipeline impact, Chaudhry was candid that meaningful revenue benefit from Mythos-related urgency is not baked into Q4 estimates but is expected to materialize in fiscal 2027. He specifically called out ZPA upsell for customers who have ZIA deployed broadly but have not extended private access to all users and locations, as well as growing interest in the company's deception technology, as the most immediate conversion opportunities. "Sometimes I feel like it's a 4.0-like moment," he said, comparing the current environment to prior inflection points for Zero Trust adoption.

CapEx Headwind Is Real and Deserves Attention

One underappreciated item in the print is the CapEx revision. Rubin guided fiscal 2026 CapEx to the high single digits as a percentage of revenue, up from prior guidance of mid-single digits, due to opportunistic pulling forward of data center equipment purchases to lock in prices ahead of expected increases. The cause is AI-driven demand for memory, storage and processors creating broad cost inflation and availability constraints. Looking ahead to fiscal 2027, Rubin guided CapEx as a percentage of revenue to increase by up to 200 basis points versus fiscal 2026 levels. As a direct consequence, free cash flow margin guidance for fiscal 2026 was revised down to approximately 22.8% to 23.3%, from the prior 26.5% to 27%. For a company that has historically used free cash flow generation as a key shareholder value narrative, this is a meaningful revision driven by external cost dynamics the company has limited ability to fully offset in the near term. A price increase was pushed through on branch appliances earlier this calendar year and is expected to flow through over the next several months, providing partial relief.

Z-Flex Program Gaining Momentum as a Strategic Retention and Upsell Lever

Z-Flex, the company's flexible multiyear commitment program, generated just over $480 million in TCV in Q3, up more than 60% quarter-over-quarter, bringing cumulative Z-Flex TCV to over $1 billion over the trailing twelve months at an average four-year term. The program is designed to allow customers to activate or swap modules without initiating a new procurement cycle, and Rubin cited it as a driver of shorter sales cycles and greater forward revenue visibility. Two illustrative examples from the quarter — an eight-figure Z-Flex deal with a Fortune 500 finance and insurance company that increased ARR by nearly 50% and a three-year eight-figure deal with a Global 2000 semiconductor manufacturer that increased annual spend by 60% — demonstrate the upsell mechanics working as intended. The program is becoming a meaningful structural advantage in customer retention and platform expansion, particularly as customers deepen module adoption.

Non-Seat Metered Usage Is Now More Than 30% of New ACV

A noteworthy commercial shift highlighted by Rubin: non-seat-based metered usage solutions delivered just over 30% of new ACV in Q3, with the ARR tied to those offerings growing more than 100% year-over-year. As AI agents proliferate and machine-to-machine interactions scale, the company's ability to monetize based on usage rather than headcount becomes structurally important. This is the business model evolution that underpins the long-term bull case — the addressable opportunity is no longer capped by enterprise employee counts. Cloud marketplace TCV reached approximately $900 million year-to-date through fiscal 2026, more than doubling year-over-year, reflecting the growing importance of marketplace procurement as an enterprise buying motion that aligns with cloud commit structures.

Zscaler, Inc. Deep Dive

Business Model and Core Offerings

Zscaler operates the world’s largest inline cloud security platform, functioning as a global digital switchboard that securely connects users, devices, and applications. The company’s fundamental premise is the obsolescence of the traditional corporate network perimeter. Instead of building moats around legacy data centers using physical firewalls and Virtual Private Networks (VPNs), Zscaler’s Zero Trust Exchange places a cloud-native software broker between the user and the application. The architecture relies on the principle of zero trust—an authorized user is granted access only to a specific application, not the underlying network, effectively neutralizing the risk of lateral threat movement.

The company monetizes this architecture through a highly predictable software-as-a-service model, with subscriptions accounting for roughly 98% of total revenue. Zscaler lands enterprise customers via tiered, per-user annual licensing, typically scaling from $70 to over $300 per user depending on the feature suite. The primary growth engine is a classic land-and-expand strategy. Customers generally start with Zscaler Internet Access (ZIA) for secure outbound web and software-as-a-service (SaaS) traffic. Over time, they layer on Zscaler Private Access (ZPA) for secure internal application access, and Zscaler Digital Experience (ZDX) for end-to-end performance monitoring. This modular expansion strategy is highly effective, reflected in dollar-based net retention rates that consistently hover around 115%.

Market Share, Customers, and the Competitive Landscape

Zscaler sits at the apex of the Security Service Edge (SSE) market. By 2026, the company protects approximately 45% of the Fortune 500 and processes over 500 billion daily transactions across its 150-plus global data centers. Gartner has consistently named Zscaler a Leader in SSE, recently elevating it to the highest position for execution. However, the competitive environment is increasingly brutal as the broader Secure Access Service Edge (SASE) market consolidates.

The company faces multi-front warfare. Palo Alto Networks is the most formidable incumbent threat, utilizing aggressive bundling to push its Prisma SASE platform. Palo Alto leverages its vast legacy firewall footprint to cross-sell cloud security, frequently competing on price to displace pure-play vendors. In the pure-play SSE arena, Netskope remains a fierce rival, particularly in deep data inspection, Cloud Access Security Broker (CASB), and Data Loss Prevention (DLP) capabilities, frequently contesting Zscaler in complex Fortune 100 deployments.

From the bottom up, Cloudflare is aggressively expanding into the enterprise zero-trust space. Leveraging its massive global Content Delivery Network (CDN), Cloudflare offers structurally lower latency and highly disruptive pricing, capturing developers and mid-market accounts while steadily moving upmarket. Finally, technology titans like Microsoft, with its Entra Private Access, and Cisco are bundling "good enough" zero-trust features into existing enterprise agreements, creating margin pressure at the lower end of the market.

Competitive Advantages

Zscaler’s primary moat is structural: its cloud-native architecture. Unlike legacy firewall vendors who retrofitted on-premises virtual machines into the cloud, Zscaler was built specifically as a multi-tenant proxy. At the core of this advantage is its Single-Scan Multi-Action (SSMA) technology. Instead of chaining security services serially—where traffic is decrypted, scanned by a firewall, passed to a DLP engine, then a CASB, and finally re-encrypted, causing severe latency—Zscaler inspects the decrypted data stream simultaneously across all security engines. This structural performance advantage is exceedingly difficult for hardware-heritage competitors to replicate.

The second pillar of Zscaler’s moat is data gravity. Processing over 500 billion daily requests provides unmatched telemetry. In the cybersecurity domain, machine learning and threat detection algorithms are only as effective as their training data. Zscaler’s massive visibility into global threat vectors allows it to block novel attacks for one customer and instantly propagate that defense across the entire user base.

Lastly, high switching costs insulate the business model. Once a global enterprise reroutes its core digital traffic through the Zero Trust Exchange, unpicks its legacy VPNs, and integrates Zscaler into its identity and access management workflows, the friction of ripping and replacing the platform is immense. This entrenchment yields exceptional revenue durability, evidenced by robust non-GAAP gross margins routinely exceeding 80%.

Industry Dynamics: Opportunities and Threats

The cybersecurity industry is undergoing a structural paradigm shift driven by the proliferation of artificial intelligence. Cyber threat actors are weaponizing generative AI to automate vulnerability discovery and autonomously deploy agents to execute large-scale lateral attacks. This dynamic renders legacy VPN architectures—where compromised credentials grant access to an entire corporate network—a catastrophic liability. The urgent need to neutralize AI-driven ransomware is the central tailwind accelerating zero-trust adoption globally.

However, the industry faces an overarching threat of vendor fatigue and budget scrutiny. Chief Information Security Officers (CISOs) are actively seeking to consolidate their sprawling security stacks from dozens of point solutions down to a handful of strategic platforms. While Zscaler is well-positioned as a platform consolidator, this exact dynamic plays into the hands of Palo Alto Networks and Microsoft, both of which can offer broader, albeit sometimes technologically shallower, enterprise-wide security suites. Zscaler must continually prove that its best-of-breed SSE approach delivers enough distinctive value to warrant remaining outside an enterprise's broader vendor consolidation contract.

New Growth Vectors and Disruptive Entrants

To sustain aggressive top-line growth, Zscaler is extending its zero-trust philosophy beyond the remote worker and into the physical branch, factory, and cloud workload. The introduction of Zero Trust SD-WAN and the Branch Connector appliance is a direct assault on the traditional routing markets dominated by Cisco and Fortinet. Instead of extending networks via site-to-site VPNs, Zscaler’s SD-WAN segments operational technology (OT) and Internet of Things (IoT) devices at the edge, removing physical firewalls entirely. Though currently viewed by analysts as nascent compared to established SD-WAN pure-plays, it represents a massive expansion of Zscaler’s Total Addressable Market.

Simultaneously, Zscaler has rapidly commercialized AI defense. In early 2026, the company launched AI Protect, a suite designed to secure employee use of public AI applications and safeguard proprietary enterprise AI workflows. This module scaled to a $100 million bookings run rate within months of launch, pushing Zscaler’s total AI Security annual recurring revenue (ARR) past $400 million, quarters ahead of internal targets.

On the disruptive front, the market is not static. New entrants are challenging the cloud-proxy model entirely. Agent-based startups, such as dope.security, argue that routing all traffic through a centralized cloud point-of-presence introduces unnecessary latency and privacy risks. These disruptors execute secure web gateway inspection directly on the endpoint device itself. While not yet a systemic threat to Zscaler's enterprise dominance, these edge-compute architectures represent a credible technological evolution that warrants close monitoring.

Management Track Record and Execution

Under the stewardship of founder and CEO Jay Chaudhry, management’s long-term track record of visionary product development and scale execution is exceptional, driving the company to $3.5 billion in ARR. However, recent execution has introduced turbulence, reflecting the friction of transitioning from high-growth software economics into an AI-infrastructure heavy reality.

In the fiscal third quarter of 2026, despite beating revenue expectations and reaching a record 23% non-GAAP operating margin, management shocked the market by aggressively slashing free cash flow margin guidance from roughly 27% down to 23%. This margin compression is driven by a heavy single-digit capital expenditure intensity required to build out the high-performance computing infrastructure necessary to handle advanced AI security workloads. Concurrently, a late Q3 2026 sales leadership shake-up, including the departure of two key sales executives, has introduced uncertainty regarding near-term field execution. Management is making a deliberate, highly convicted bet that sacrificing short-term free cash flow is essential to secure architectural dominance in the AI era. It is a necessary strategic pivot, but one that demands flawless execution over the coming fiscal year to validate the capital outlay.

The Scorecard

Zscaler remains the undisputed architectural leader in the zero-trust security paradigm. Its cloud-native proxy design, immense data gravity derived from 500 billion daily transactions, and high switching costs form a formidable competitive moat. The rapid market traction of its AI Protect module and the structural shift away from legacy VPNs indicate that the underlying demand for the Zero Trust Exchange is highly durable. The core business is effectively entrenching itself as the digital nervous system for the Fortune 500, insulated by stellar retention metrics and high gross margins.

Conversely, the near-term investment thesis requires a tolerance for friction. The company is actively digesting a transition in its go-to-market leadership at the exact moment Palo Alto Networks is ruthlessly pressing its bundling advantage. More critically, management’s abrupt downward revision in free cash flow margins signals that maintaining technological supremacy in the generative AI era requires substantial, sustained capital expenditure. The long-term structural tailwinds are intact, but Zscaler must navigate a challenging cycle of heightened capital intensity and fierce platform-level competition.

Read Next

Sivers Semiconductors: Pipeline Rockets to $800M But Near-Term Revenue Remains Elusive as FX and Defense Delays Bite

2026-05-31

Tempus AI: A Valuation Paradox as Foundation Model Performance and Tumor-Only FDA Approval Reframe the Growth Story

2026-05-31

Phreesia Deep Dive

2026-05-31

WhiteHawk Minerals Deep Dive

2026-05-30

Sunshine Silver Mining & Refining Deep Dive

2026-05-30

Safepoint Holdings Deep Dive

2026-05-30
Disclaimer: This article is for informational purposes only and does not constitute investment advice or a recommendation to buy, sell, or hold any security. Our analysts provide detailed coverage of corporate events but can make mistakes, always conduct your own due diligence. The views and opinions expressed do not necessarily reflect those of DruckFin. We have not independently verified all information used herein, and it may contain errors or omissions. Before making any investment decision, consult a qualified financial advisor. DruckFin and its affiliates disclaim any liability for any losses arising from reliance on this content. For full terms, see our Terms of Use.