TL;DR:

• Zscaler’s Q3 did not break the business, but it broke the re-rating case: revenue and ARR still grew 25%, margins hit a record, and platform metrics like Z-Flex, Zero Trust Everywhere, AI Protect, and non-seat usage continued scaling, but the FY27 growth outlook reset the stock from “hidden compounder” to “prove-it story.”

• The key thesis shift is from interception to anticipation: Zscaler remains highly valuable where it is strongest, inline traffic inspection, access enforcement, app invisibility, and lateral-movement reduction, but AI may move the highest-value security decisions upstream into code, identity, endpoint, browser, cloud configuration, and agent governance.

• The stock now depends on whether Zscaler can move upstream, not just monetize the wire: the bear case is maturity, the base case is a durable high-teens compounder, and the bull case requires proof that Symmetry, AI Protect, non-seat usage, and Zero Trust Everywhere can turn Zscaler into an AI-era security control plane rather than a utility-like SASE platform.

“Zscaler shares tumble as much as 28%... after the security software company gave a fourth-quarter revenue forecast that was weaker than expected.”

That was the market’s version of the story. A clean enough quarter, an imperfect guide, a violent stock reaction.
I do not think that is quite right. Zscaler did not fall because Q3 was bad. Revenue grew 25%. ARR grew 25%. Operating margin reached an all-time high. Z-Flex kept scaling. Zero Trust Everywhere added customers. AI Protect crossed $100 million of bookings. This was not a broken print.
The harder issue is that Q3 made my prior framework incomplete.

For the last few quarters, I have argued that Zscaler was being priced as decelerating SaaS while becoming security infrastructure. The logic was reasonable. Z-Flex was turning point-product purchases into platform commitments. Non-seat metered usage suggested a shift from headcount-based SaaS to traffic-based infrastructure. Zero Trust Everywhere expanded the platform from users to branches and workloads. AI agents seemed to make Zscaler’s inline architecture more valuable because agents do not buy seats; they create traffic, identities, access requests, and policy decisions.

That thesis was not built on bad facts. The facts are still there.

What was wrong was the leap from those facts to inevitability. I asked whether Zscaler’s architecture was valuable. It is. I should have asked whether the most valuable security decisions were still happening at the point where Zscaler is strongest.

That is the question Q3 forced.

From Interception to Anticipation

Cybersecurity has historically been an interception business.

Firewalls intercepted packets. Antivirus intercepted files. EDR intercepted processes. Zscaler intercepted connections. The stack was organized around catching threats at the moment of action.

Zscaler’s architecture was an elegant answer to that world. Instead of exposing applications to the internet and defending the perimeter around them, Zscaler hid applications behind the Zero Trust Exchange, connected users to specific applications rather than networks, inspected traffic inline, and reduced lateral movement. In a world where the decisive moment was the connection, being in the path of the connection was a powerful place to sit.

AI changes the geography.

The obvious effect of frontier models like Mythos is speed: vulnerabilities can be discovered faster, exploits can be reasoned through faster, and attackers can move faster. That is the point management emphasized, and it is real. Jay Chaudhry’s answer is that enterprises cannot patch fast enough, so the better defense is to make applications invisible and limit lateral movement.

That is still right.

But there is another implication. If frontier models help defenders find vulnerabilities in their own codebases, configurations, endpoints, identities, and deployment environments before attackers do, then the marginal value in security begins to move upstream. The decision is no longer only made at the moment of connection. It is made earlier: in the codebase, the identity graph, the endpoint, the browser, the cloud configuration, and the deployment pipeline.

This does not make Zscaler irrelevant. It does make the bull case harder.

In the interception era, the inline exchange looked like the natural control plane. In the anticipation era, the control plane may be wherever the enterprise can understand and reduce risk before traffic exists.

That is a different game.

Glasswing Validates the Problem, Not the Winner

Project Glasswing matters, but not in the simplistic way I first wanted it to matter.

Zscaler has access to Claude Mythos Preview through Glasswing and is using it to harden its own systems and improve security for customers. That is good. It validates the urgency of the problem Zscaler has been describing.

But access to Mythos is not, by itself, the edge.

Microsoft can attach frontier-model security to Entra, Defender, Windows, Edge, Azure, GitHub, and Microsoft 365. CrowdStrike can attach it to endpoint telemetry, identity protection, managed detection and response, and incident response workflows. Palo Alto can attach it to firewalls, SASE, Prisma Cloud, Cortex, XSIAM, and now CyberArk’s identity layer. Zscaler can attach it to the Zero Trust Exchange.

That is a strong control point. It is not obviously the default one.

The right lesson from Glasswing is not that Zscaler lost. The right lesson is that AI-security urgency is broad, and the companies best positioned to monetize it will be the ones that convert frontier-model intelligence into closed-loop workflow: find the issue, understand the blast radius, enforce the policy, remediate the weakness, and prove the risk was reduced.

Zscaler has part of that loop. It sees traffic. It enforces policy. It hides applications. It reduces lateral movement. With Symmetry Systems, it is adding an access graph: which identities are touching which applications, models, and data sources. That is the right move.

But it is also a tell. Zscaler is trying to move upstream from the wire because the value is moving upstream too.

What Q3 Still Proved

It would be too easy, and too wrong, to turn this into a clean dismissal.

Zscaler’s platform evidence improved in Q3.

Zero Trust Everywhere customers rose to more than 700, up from over 550 in Q2. Non-seat-based metered usage was just over 30% of new ACV, with ARR tied to those offerings growing more than 100% year over year. Z-Flex generated just over $480 million of TCV in the quarter, up more than 60% sequentially, with more than $1 billion over the last twelve months and an average four-year term. Data Security crossed $500 million of ARR, growing more than 30%. Zero Trust Branch ARR roughly tripled year over year. AI Protect bookings crossed $100 million over the past twelve months.

These are not filler numbers. They are the best evidence that Zscaler is not merely a mature seat-based SASE company.

The old bull case said Zscaler could escape the headcount model. A user-seat business grows with employees. A traffic-and-policy business grows with applications, workloads, branches, data, agents, prompts, responses, and machine-to-machine interactions. Q3 provided more evidence that this shift is happening.

The problem is that it is not yet large enough to control the total growth algorithm.

That is where the thesis needs to be updated, not abandoned.

The Model Caught Up With the Structure

If the marginal security dollar is moving upstream, then a network-layer company with a maturing core should look exactly like Zscaler just looked: strategically relevant, commercially active, operationally strong, but financially normalizing.

That is what Q3 showed.

Revenue and ARR still grew 25%, but Q4 revenue guidance implies roughly 22% growth. Full-year FY26 ARR guidance implies net-new ARR growth excluding Red Canary of roughly 9.5%. Free cash flow margin guidance was cut to 22.8–23.3%, largely because CapEx is moving higher. Two sales leaders departed at the end of Q3. Most importantly, management’s early view for FY27 is only 16–17% ARR and revenue growth.

The guide was not the diagnosis. It was the diagnosis showing up in the model.

A 25% ARR grower with visible platform expansion can still ask investors to underwrite a premium compounder. A 16–17% forward grower with higher CapEx and sales-transition uncertainty is something else. It may still be high quality. It may still be strategically important. But it no longer gets paid for hidden torque unless that torque reaches reported growth.

That is the difference between Q1/Q2 and Q3.

In Q1 and Q2, I could argue that the market was staring at the speedometer while the engine-built torque. Q3 says the road changed. The engine may still be there, but the hill is steeper than I thought.

Retiring the ServiceNow Analogy

The ServiceNow analogy should be retired.

I used it because the pattern looked similar: decelerating growth, multiple compression, switching costs compounding underneath, and a market too impatient to recognize an infrastructure asset in formation. ServiceNow eventually re-rated because it became the workflow operating system for enterprise IT. Being the operating system is the most valuable position in a technology stack.

Zscaler is not obviously becoming the operating system of cybersecurity.

It may be becoming something more like the cardiovascular system: essential, durable, difficult to remove, economically attractive, but not necessarily where the highest-value decisions originate. The brain may be moving upstream, toward identity, endpoint, code, browser, cloud configuration, and agent governance.

That distinction matters for the multiple.

The updated interpretation is therefore not that Zscaler is broken. It is that Zscaler is more durable than bears think and less re-ratable than bulls hoped.

Variant Perception, Revised

The old variant perception was: The market sees decelerating SaaS. We see security infrastructure.

The updated variant is narrower: The market is right to remove the premium multiple but may be wrong to assume the platform transition has failed.

That is less exciting. It is also more honest.

At roughly $125, most of the obvious de-rating has already happened. The stock is not priced like a category-defining 25% compounder anymore. It is priced more like a high-teens software company with good margins, a strong installed base, and a credible but unproven path into AI-era security.

For underwriting discipline, the three-year setup now looks different.

In the bear case, Zscaler is a mature SASE-plus platform growing revenue at 12–14% through FY29, with free cash flow margins around 22–23% and a 3.5–4.0x sales multiple. That supports a stock around $105–125. This is not a disaster case; it is a maturity case.

In the base case, Zscaler is a reset compounder. Revenue compounds at 16–17%, free cash flow margin settles around 25–26%, and the market pays 5.0–5.5x sales for a durable but no longer exceptional security platform. That gets you roughly $165–190.

In the bull case, Zscaler proves it can move upstream. Non-seat usage scales, Symmetry’s access graph matters, AI-agent traffic monetizes, and Zero Trust Everywhere becomes a default architecture rather than a bundle. Revenue compounds at 20–22%, free cash flow margin reaches 28–30%, and the multiple expands to 7–8x sales. That supports $245–285.

The important change is not the arithmetic. It is the migration of assumptions.

What used to be my base case is now the bull case. The base case is a good company at a fair price. The bear case is maturity. The bull case requires Zscaler to prove it can participate in anticipation, not just interception.

What Would Change This View

The thesis is still alive, but the tests need to be tighter.

The first test is growth. FY27 ARR and revenue growth need to move back above 18–19%, and organic net-new ARR needs to recover toward the mid-teens. If Zscaler stays at 16–17% total growth and around 10% organic net-new ARR growth, the market is right to treat it as mature software.

The second test is the consumption transition. Non-seat ACV needs to stay above 30% and move toward 35%; Z-Flex needs to sustain quarterly TCV above $450–500 million; Zero Trust Everywhere needs to keep adding customers at a strong pace. That is the proof that Zscaler is escaping the human-seat model.

The third test is upstream relevance. Symmetry and AI Protect need to become more than product slides. The signpost is whether Zscaler can move from “we inspect traffic” to “we map identity-to-data risk and enforce policy before the connection matters.”

Finally, free cash flow margin needs to stabilize above 24–25% despite higher infrastructure spending. If growth slows and cash quality falls, the stock does not deserve a re-rating.

Upstream of the Wire

Zscaler’s strategic thesis did not break in Q3. Its grace period did.

The company still matters. Interception is not going away. Most cybersecurity work for the next decade will still involve stopping attacks in motion, limiting lateral movement, inspecting traffic, and enforcing access. Zscaler remains one of the best-positioned companies for that world.

But the marginal dollar may be moving upstream, to code, identity, endpoint, browser, cloud configuration, and agent governance. That is where anticipation happens. And multiples are set by the marginal dollar.

This is the correction.

I was right that Zscaler’s inline architecture is valuable. I was too quick to assume it would become the highest-value control plane in the AI era. Q3 did not prove that assumption false, but it made the burden of proof much heavier.

Zscaler is not in the penalty box waiting for the market to remember what it is. It is in a structural trial over where security value accrues next.

Being early was indistinguishable from being wrong because the re-rating I was underwriting was built on the wrong altitude. The architecture that looked like infrastructure in the interception era may look more like utility in the anticipation era.

I should have listened sooner. The business is durable enough to keep owning, but the re-rating case now must be earned.

ZS 0.00%↑