Zscaler generates nearly 100% of its $2.673 billion in fiscal year 2025 revenue from subscription services, with customers paying recurring fees for access to the Zscaler Zero Trust Exchange platform. The subscription model is the engine of the business: customers sign multi-year contracts for cloud-delivered security services, paying recurring fees that create predictable revenue streams and a $2.468 billion deferred revenue balance as of July 31, 2025. The business model rests on three interconnected revenue drivers: new customer acquisition, upsell within existing customers through additional platform modules, and retention of the installed base. New customers typically begin with Zscaler Internet Access (ZIA) for secure internet and SaaS access, then expand into Zscaler Private Access (ZPA) for zero trust connectivity to private applications, Zscaler Digital Experience (ZDX) for performance monitoring, and Zscaler AI Protect for securing AI workloads. This land-and-expand strategy is evidenced by the company's dollar-based net retention rate, which has historically been strong though moderating from 125% during the COVID-19 period to approximately 114% in recent quarters. The company's gross retention remains high, indicating that few subscription dollars are lost to churn annually — a figure that reflects both product stickiness and the high switching costs associated with migrating security policies and traffic flows from a unified cloud platform. The unit economics are compelling: GAAP gross margins are approximately 77%, while non-GAAP gross margins reach 80%. The company achieved non-GAAP operating income of $580.1 million in fiscal 2025, or 22% of revenue, up from $442.2 million or 20% of revenue in fiscal 2024. This margin expansion comes from operating leverage as the fixed costs of platform development and data center infrastructure are spread across a growing customer base. Zscaler spent $672.5 million on research and development in fiscal 2025, representing 25% of total revenue, a substantial investment that funds AI security innovation, platform scaling, and new product development. The sales and marketing engine consumed $1.26 billion in fiscal 2025, or 47% of revenue, reflecting the enterprise sales cycle complexity where deals often involve 12–18 month procurement processes, multiple stakeholder approvals, and proof-of-concept deployments. General and administrative expenses were $251.8 million, or 9% of revenue. The company's cash conversion is exceptional: operating cash flows reached $972.5 million in fiscal 2025, consistent with 36% of revenue, while free cash flows hit $726.7 million, or 27% of revenue. This cash generation funds strategic acquisitions — including the Red Canary acquisition in August 2025, Avalor for $350 million in 2024, and Airgap Networks in 2024 — as well as the $1.7 billion convertible senior notes issued in July 2025. The business model's vulnerability is its dependence on large enterprise customers: approximately 45% of revenue comes from Fortune 500 companies, and the enterprise concentration creates exposure to macroeconomic cycles and IT budget freezes. When enterprises delay security investments or extend procurement cycles, Zscaler's new logo acquisition slows. The company's customer growth has decelerated from 24% in 2021 to approximately 12% in 2024, reflecting market maturation and competitive pressure. The platform's architecture is the hidden enabler of this model. Because Zscaler operates as a cloud-native proxy — not as an appliance or software that customers install — the company controls the entire security stack, from traffic inspection to threat intelligence to policy enforcement. This creates a network effect where the platform improves for all customers as more traffic flows generate more threat signals, which improve AI models, which improve detection accuracy. The AI monetization strategy is emerging: Zscaler AI Protect and AI Guardrails are included in existing subscription tiers, but the Red Canary acquisition creates opportunities for managed security services revenue. The company is also building an ecosystem through technology integrations with identity providers (Okta, Microsoft Entra ID, Ping), endpoint detection and response vendors, and cloud platforms (AWS, Azure, GCP). The international opportunity is substantial: while the U.S. remains the primary market, EMEA and APAC are growing as the company invests in regional data centers, localization, and partner capacity. The SLED (state, local, and education) and healthcare verticals represent growing strengths, with the company achieving U.S. Department of Defense CMMC Level 2 certification and becoming the first ISV to earn AWS ISV Competencies in Healthcare, Education, and Government. The business model's durability is ultimately a function of the data gravity it creates. Once a customer routes its internet traffic, SaaS access, and private application connections through Zscaler's Zero Trust Exchange, extracting that traffic to migrate to a competitor becomes technically complex, operationally risky, and financially prohibitive. This data gravity, combined with the continuous improvement of the platform through AI and the expanding module ecosystem, creates a compounding advantage that is difficult for competitors to overcome.