Zscaler's 1QFY26: Hotel California Quarter
Why a stock down 13% after a Rule-of-78 quarter may be a gift, not a warning.
TL;DR:
Guidance conservatism is not new: Zscaler has beaten the high end of revenue guidance for 28 consecutive quarters—reacting to a “just matched the beat” raise ignores this history.
Backlog tells the real story: RPO acceleration reflects Z-Flex momentum, platform expansion, and long-term commitments that haven’t hit the P&L yet.
Structural tailwinds emerging: SAP RISE migration and platform consolidation position Zscaler to erode firewall economics just as its platform pillars outgrow the legacy core.
From Reuters:
“Zscaler beats Wall Street estimates for quarterly revenue and profit.” Then came the second paragraph: “However, shares fell more than 7% in extended trading.” By Tuesday’s close, the damage had widened to 13%. The culprit, according to RBC analysts quoted in the piece, was that “the increase in revenue outlook was smaller than the first-quarter revenue beat.”
In plain English: Zscaler had a great quarter, but its CFO refused to sound more optimistic about the rest of the year. Traders hate that.
The question worth asking, though, is whether traders are looking at the right thing. I’ve argued in previous pieces that Zscaler is becoming security infrastructure, not software — that it’s following the same architectural path Salesforce traveled in the late 2000s, when “the cloud” went from punchline to inevitability. Q1 FY26 is the clearest evidence yet that the transformation is working. The market, focused on guidance semantics, appears to have missed it entirely.
The Speedometer and the Engine
Start with what actually happened. Revenue grew 26% YoY to $788 million, beating guidance by about $14 million. Annual recurring revenue hit $3.2 billion, also up 26% YoY. Free cash flow margin came in at 52%, which combined with the growth rate produces what management calls “Rule of 78” — shorthand for elite SaaS economics that only a handful of companies at scale have achieved.
Jay Chaudhry, Zscaler’s founder and CEO, couldn’t resist: “We operated at Rule-of-78… one of only five enterprise SaaS companies with over $3 billion in ARR, growing at over 25%.”
These are good numbers. But here’s where it gets interesting.
Remaining performance obligations (RPO), the contracted backlog that hasn’t yet flowed through the income statement, grew 35% YoY to $5.9 billion. That’s nine percentage points faster than revenue. Nine percentage points faster than ARR. The backlog is building faster than the P&L can absorb it.
Now look at what spooked the market. Zscaler raised its full-year revenue outlook by roughly $19 million — almost exactly the Q1 beat. The implied message: we crushed this quarter, and we’re assuming nothing improves from here.
Think of it as a speedometer versus an engine. The speedometer, management’s guidance, reads 23 mph. The engine, the backlog, is revving at 35%. Traders, understandably, trade the speedometer. It’s the number they can model, the number that flows through their DCFs, the number that determines whether estimates go up or down.
But here’s what those traders seem to have forgotten: Zscaler’s speedometer has been wrong for seven years straight.
The Longest Beat Streak in Enterprise Software
I went back through every Zscaler earnings call since the company went public in 2018. What I found was remarkable: in 28 quarters, Zscaler has beaten the high end of its revenue guidance. Not met. Not hit the midpoint. Beaten the high end. Every single time.
The profitability beats are even more dramatic. In the early years, management would guide for operating losses and deliver profits. In FY19, they guided for a $6-7 million operating loss in Q2 and delivered a $9.4 million profit — a swing of $15 million on a $74 million revenue quarter. As the company scaled, the pattern continued: guide conservatively, beat significantly, raise full-year numbers, repeat.
CFO Remo Canessa has been explicit about the philosophy. “Our philosophy related to guidance is to be prudent,” he said on the Q4 2021 call. Two years later, same message: “We like to be prudent with our guidance. And that’s historically what we’ve done and we continue to do that.”
This isn’t sandbagging in the pejorative sense. It’s a deliberate strategy to build credibility, manage uncertainty, and maintain flexibility to invest in growth without “missing” numbers. The result is a company that has historically not lowered full-year guidance. The trajectory is always up, walked incrementally higher each quarter.
So when the market sells off because the guidance raise “only” matched the beat, what they’re really reacting to is... the same thing Zscaler has done for 28 quarters. The pattern isn’t new. The market’s memory is just short.
The question isn’t whether the guidance is conservative. It obviously is. The question is what the actual leading indicators say about the business. And those indicators, particularly RPO, are telling a different story than the stock price suggests.
Hotel California Economics
For most of its history, Zscaler sold security the way everyone sells security: product by product. You’d buy Zscaler Internet Access for web filtering, maybe add Zscaler Private Access for internal applications, layer on some data loss prevention if you were sophisticated. Each capability required its own procurement cycle, its own budget approval, its own renewal negotiation. Sales reps fought for wallet share against competitors like Palo Alto and Netskope at every turn.
Z-Flex changes this completely. Under Z-Flex, customers commit to a multi-year spend envelope: not a product, not a bundle, but access to the platform itself. Once they’re inside, they can activate modules, swap capabilities, expand coverage, all without going back to procurement. It’s the difference between ordering à la carte and buying the all-inclusive resort package.
The numbers tell the story. Z-Flex bookings exceeded $175 million in total contract value during Q1, up 70% from the prior quarter. It now represents about 20% of total bookings, up from essentially nothing a year ago. And the deals are getting larger. Chaudhry described an aerospace customer that increased annual spend by 40% and added nine modules in a single transaction, all under Z-Flex.
The thing to understand about Z-Flex is what happens after a customer signs. They stop shopping. They stop taking competitor calls. They’ve already committed the budget; the only question is which rooms to use. You can check out individual modules any time you like, but you never really leave the platform.
This is the Hotel California insight, and it’s more important than it might initially appear. Zscaler’s historical vulnerability has always been bundling: the risk that Microsoft would include “good enough” security with Office 365, or that Palo Alto would offer SASE as part of a larger platform deal. In a product-by-product world, Zscaler had to win every evaluation. In a Z-Flex world, they only have to win once.
CFO Kevin Rubin was careful on the call not to oversell it: “It allows customers to commit to spend… generally over longer periods of time… It does not have a different impact to ARR… [but] gives us greater visibility over the long term.” That last phrase is the key. Z-Flex doesn’t accelerate revenue recognition, but it dramatically increases the certainty of future revenue.
This is why RPO is growing faster than ARR. This is why the backlog is building faster than the P&L can absorb. The dollars are committed; they just haven’t been recognized yet. And that gap, between RPO growth and revenue growth, is the room the CFO has chosen not to guide to.
Given Zscaler’s 28-quarter track record of “prudent” guidance, betting against that gap closing seems unwise.
The Platform That Makes Z-Flex Work
Z-Flex only works if there’s something worth subscribing to. A multi-year platform commitment makes sense if the platform keeps expanding, keeps getting better, keeps solving problems you didn’t know you had when you signed. It makes no sense if you’re locking into a static product.
This is where Q1 gets genuinely impressive. All three of Zscaler’s growth pillars (AI Security, Zero Trust Everywhere, and Data Security) beat their fiscal 2026 targets. In Q1. Three quarters early.
AI Security ARR exceeded $400 million, growing more than 80% YoY. The original FY26 target was $400 million; management raised it to $500 million. Zscaler is now processing over 90 billion AI and machine learning transactions monthly. As enterprises deploy AI agents that access corporate resources, interact with external APIs, and process sensitive data, that traffic needs inspection. Zscaler is building the checkpoint where every AI agent shows its passport.
Zero Trust Everywhere, the full bundle of users, branches, and cloud workloads, now has over 450 enterprise customers. The FY26 target was 390. Data Security ARR is approximately $450 million and growing faster than total company ARR, as enterprises consolidate the junk drawer of DLP, CASB, and email security point products.
The point isn’t that any individual pillar is exceptional. The point is that they’re all working simultaneously, which means Z-Flex customers have somewhere to grow. Sign the platform deal today for Zero Trust users; expand to branches next quarter; add AI Security when your board starts asking about agent governance. The flywheel spins because the platform keeps expanding.
This is the Salesforce playbook, executed in security. Start with a wedge: Salesforce had CRM, Zscaler had web filtering. Expand the platform until customers can’t imagine leaving. Make the subscription the default, not the exception. Zscaler is further along this path than the market seems to appreciate.
SAP RISE and the Firewall Funeral
If Z-Flex is the commercial insight of Q1, SAP RISE is the strategic one. And it might be the most underappreciated part of the entire call.
Chaudhry drew an explicit parallel: “Just like the migration of Microsoft Exchange to Office 365 was a big tailwind… I believe the migration of SAP on-prem to SAP RISE will have a similar impact on our business.”
Here’s why that matters. When enterprises ran SAP in their own data centers, they needed firewalls, lots of them. North-south firewalls at the perimeter. East-west firewalls between segments. The data center was the architectural center of gravity, and companies like Palo Alto Networks built billion-dollar franchises protecting it.
SAP RISE changes everything. Workloads move to the cloud. Users access them over the internet. The data center is no longer the center: identity is. And suddenly, CIOs face a choice that didn’t exist before.
Option A: Rebuild yesterday’s architecture in the cloud. Deploy firewalls in AWS. Set up ExpressRoute connections. Configure VPNs. Recreate the complexity you spent the last decade managing, just in a different location.
Option B: Skip the firewall entirely. Let users access SAP RISE through Zscaler over the public internet. Authenticate every connection. Inspect every packet. Treat the network as hostile and identity as the perimeter.
Chaudhry told the story of an eight-figure healthcare deal that chose Option B: “Without Zero Trust Cloud, the customer would have had to deploy a significant number of North-South and East-West firewalls… This customer told me that in the last 15 years, they have not been so excited about a solution.”
The competitive implication is stark. SAP RISE isn’t just a growth vector for Zscaler: it’s an attack on Palo Alto’s core moat. Every enterprise that migrates SAP to the cloud without deploying new firewalls is revenue Palo Alto won’t see. Every CIO who realizes that the firewall was protecting a perimeter that no longer exists is a customer who won’t be buying next-generation firewall upgrades.
Palo Alto, of course, isn’t standing still. Their Prisma SASE offering competes directly, and CloudGenix gives them an SD-WAN story for branch connectivity. But there’s a structural problem: Palo Alto’s incentive is to protect the firewall franchise, which means their architecture still assumes the data center matters. Zscaler’s architecture assumes it doesn’t. When the customer’s actual workload is moving to SAP RISE — to someone else’s cloud — the “protect the data center” pitch becomes increasingly difficult to make. You can’t firewall a perimeter that no longer exists.
This is Zscaler playing offense. The defensive story (surviving Microsoft bundling, competing with Palo Alto on features) is well understood. The offensive story (using cloud migrations to obsolete the firewall category entirely) is what makes the long-term thesis compelling.
What I Got Wrong, What I Got Right
For readers who’ve followed my previous pieces on Zscaler, Q1 clarifies the thesis in useful ways.
What I got right: the “security infrastructure versus software” framing is playing out. A company processing 500 billion daily transactions across 20 petabytes of traffic isn’t a software vendor you evaluate against competitors. It’s a utility you subscribe to. The Rule-of-78 economics, mid-20s growth with 50%+ free cash flow margins, are infrastructure economics, not software economics. And the platform flywheel is real: all three pillars beating annual targets in Q1 isn’t luck, it’s execution.
What I underweighted: Z-Flex. I understood the product strategy but missed how much the commercial model mattered. Hotel California economics — customers committing to the platform rather than buying products — changes the competitive dynamic more than I appreciated. It’s Zscaler’s answer to bundling, and it’s working faster than I expected.
What’s new: SAP RISE emerged as a clearer catalyst this quarter. The comparison to the Office 365 migration wave is apt; this is another enterprise workload shift that happens to obsolete legacy infrastructure along the way. And agentic SecOps, through the Red Canary and SPLX acquisitions, has moved from interesting to strategically important. When millions of AI agents need governance, someone will provide the checkpoint.
What I’m watching: Three things.
First, the core ZIA/ZPA business is growing slower than the emerging pillars. The roughly $2 billion legacy franchise needs to convert to Zero Trust Everywhere for overall growth to sustain; platform conversion has to work.
Second, there’s a margin question. Gross margins dipped to 79.9% from 80.6% as new AI products run on public cloud infrastructure rather than Zscaler’s owned network. This is a deliberate trade-off: management is optimizing for speed-to-market over efficiency, getting AI Security to $400 million ARR before competitors can establish position. The question is whether margins revert as these products scale onto Zscaler’s infrastructure, or whether AI workloads are structurally more expensive to run. Management says optimization will come; I want to see the trajectory over the next two quarters.
Third, the acquisitions brought talent as much as technology. Retention matters.
The Gift the Market Gave You
At $252, Zscaler trades at roughly 11.8x fiscal 2026 EV/Sales and about 40x free cash flow. That’s not cheap by any normal standard. But for a mid-20s grower with 26%+ free cash flow margins, a platform flywheel that’s demonstrably spinning, and a commercial model shift that’s increasing customer lock-in, it’s not unreasonable either.
More importantly, it’s not the “priced for perfection” setup that existed before earnings. The stock was up 60% year-to-date. The expectations embedded in the price required acceleration, and management delivered “consistent” instead. The selloff makes sense if you’re trading the next two quarters.
It makes less sense if you’re underwriting the next two years. The backlog is building. The platform is expanding. The commercial model is shifting from products to subscriptions. The firewall’s center of gravity is eroding. None of that shows up in Q2 guidance, but then again, good news never shows up in Zscaler’s guidance. Twenty-eight quarters of “prudent” forecasts followed by beats suggests this is a feature, not a bug.
The Work Continues
I wrote in an earlier piece about the Salesforce parallel. In 2008, the question was whether critical business systems should live in “someone else’s computer.” The financial crisis made cost savings urgent; Salesforce was there with an answer. By the time incumbents realized the architectural shift underway, it was too late. The companies that moved early outperformed for a decade.
The parallel today is security. The question is whether enterprise security should live in the network, in firewalls and VPNs and data center appliances, or in the cloud, delivered as a service, with identity as the perimeter. The migration to SAP RISE, the proliferation of AI agents, the dissolution of the corporate network into a collection of remote workers and branch offices and cloud workloads, all of it points the same direction.
Chaudhry ended the earnings call with characteristic understatement: “With our strong go-to-market engine, we are well positioned to exceed $10 billion in ARR.”
Translation: the work continues. A 13% drawdown is noise. The architectural shift is signal.
The market, for now, is trading the speedometer. I’m watching the engine, and so far, betting against that engine has been a losing trade.
Disclaimer:
The content does not constitute any kind of investment or financial advice. Kindly reach out to your advisor for any investment-related advice. Please refer to the tab “Legal | Disclaimer” to read the complete disclaimer.











The SAP RISE framing is brilliant. I've watched enterprises struggle with exactly that firewall vs zero trust decision you outlined, and most still default to Option A because it's familiar. The comparison to Office 365 migrations makes sense, but I think this might be even more disruptive since SAP is so deeply woven into operations. When you mentioned that healthcare customer saving on all those North-South and East-West firewalls, that's real infrastructure CapEx they're avoiding. Do you think Palo Alto's real risk here is the installed base or the renewal cycle?