Zscaler, Inc.
CorpDigest
Business Model Analysis
Annual Revenue: $2.67B
Last reviewed: 2025-07-15 · By Swet Parvadiya
Zscaler generates nearly 100% of its $2.673 billion in fiscal year 2025 revenue from subscription services, with customers paying recurring fees for access to the Zscaler Zero Trust Exchange platform. The subscription model is the engine of the business: customers sign multi-year contracts for cloud-delivered security services, paying recurring fees that create predictable revenue streams and a $2.468 billion deferred revenue balance as of July 31, 2025.
The business model rests on three interconnected revenue drivers: new customer acquisition, upsell within existing customers through additional platform modules, and retention of the installed base. New customers typically begin with Zscaler Internet Access (ZIA) for secure internet and SaaS access, then expand into Zscaler Private Access (ZPA) for zero trust connectivity to private applications, Zscaler Digital Experience (ZDX) for performance monitoring, and Zscaler AI Protect for securing AI workloads.
This land-and-expand strategy is evidenced by the company's dollar-based net retention rate, which has historically been strong though moderating from 125% during the COVID-19 period to approximately 114% in recent quarters. The company's gross retention remains high, indicating that few subscription dollars are lost to churn annually — a figure that reflects both product stickiness and the high switching costs associated with migrating security policies and traffic flows from a unified cloud platform.
The unit economics are compelling: GAAP gross margins are approximately 77%, while non-GAAP gross margins reach 80%. The company achieved non-GAAP operating income of $580.1 million in fiscal 2025, or 22% of revenue, up from $442.2 million or 20% of revenue in fiscal 2024. This margin expansion comes from operating leverage as the fixed costs of platform development and data center infrastructure are spread across a growing customer base.
Zscaler spent $672.5 million on research and development in fiscal 2025, representing 25% of total revenue, a substantial investment that funds AI security innovation, platform scaling, and new product development. The sales and marketing engine consumed $1.26 billion in fiscal 2025, or 47% of revenue, reflecting the enterprise sales cycle complexity where deals often involve 12–18 month procurement processes, multiple stakeholder approvals, and proof-of-concept deployments. General and administrative expenses were $251.8 million, or 9% of revenue.
The company's cash conversion is exceptional: operating cash flows reached $972.5 million in fiscal 2025, or 36% of revenue, while free cash flows hit $726.7 million, or 27% of revenue. This cash generation funds strategic acquisitions — including the Red Canary acquisition in August 2025, Avalor for $350 million in 2024, and Airgap Networks in 2024 — as well as the $1.7 billion convertible senior notes issued in July 2025.
The business model's vulnerability is its dependence on large enterprise customers: approximately 45% of revenue comes from Fortune 500 companies, and the enterprise concentration creates exposure to macroeconomic cycles and IT budget freezes. When enterprises delay security investments or extend procurement cycles, Zscaler's new logo acquisition slows. The company's customer growth has decelerated from 24% in 2021 to approximately 12% in 2024, reflecting market maturation and competitive pressure.
The platform's architecture is the hidden enabler of this model. Because Zscaler operates as a cloud-native proxy — not as an appliance or software that customers install — the company controls the entire security stack, from traffic inspection to threat intelligence to policy enforcement. This creates a network effect where the platform improves for all customers as more traffic flows generate more threat signals, which improve AI models, which improve detection accuracy.
The AI monetization strategy is emerging: Zscaler AI Protect and AI Guardrails are included in existing subscription tiers, but the Red Canary acquisition creates opportunities for managed security services revenue. The company is also building an ecosystem through technology integrations with identity providers (Okta, Microsoft Entra ID, Ping), endpoint detection and response vendors, and cloud platforms (AWS, Azure, GCP).
The international opportunity is substantial: while the U.S. remains the primary market, EMEA and APAC are growing as the company invests in regional data centers, localization, and partner capacity. The SLED (state, local, and education) and healthcare verticals represent growing strengths, with the company achieving U.S. Department of Defense CMMC Level 2 certification and becoming the first ISV to earn AWS ISV Competencies in Healthcare, Education, and Government.
The business model's durability is ultimately a function of the data gravity it creates. Once a customer routes its internet traffic, SaaS access, and private application connections through Zscaler's Zero Trust Exchange, extracting that traffic to migrate to a competitor becomes technically complex, operationally risky, and financially prohibitive. This data gravity, combined with the continuous improvement of the platform through AI and the expanding module ecosystem, creates a compounding advantage that is difficult for competitors to overcome.
Zscaler's growth strategy rests on four pillars: AI-powered security innovation, platform expansion through acquisitions, international market penetration, and managed security services monetization.
The AI pillar is the most capital-intensive and potentially transformative. In fiscal 2025, the company spent $672.5 million on R&D, 25% of total revenue, to embed AI across its platform. The strategy is to leverage Zscaler's massive data scale — 500 billion daily transactions and 300 trillion signals — to train AI models that competitors with smaller data sets cannot match. Zscaler AI Protect secures generative AI workloads by applying zero trust principles to AI models, agents, and data pipelines. AI Guardrails enforce policies on public and private AI applications. The Red Canary acquisition adds AI-powered threat detection and response capabilities that leverage behavioral analytics and global threat intelligence.
The platform expansion pillar involves strategic acquisitions that fill capability gaps. The August 2025 Red Canary acquisition adds managed detection and response, endpoint visibility, and identity-based threat detection. The 2024 Avalor acquisition ($350 million) added risk quantification and data fabric technology for security operations. The 2024 Airgap Networks acquisition added network segmentation capabilities. The 2023 Canonic acquisition added SaaS supply chain security. These acquisitions are integrated into the unified Zero Trust Exchange platform rather than operated as separate products.
International expansion is the third pillar. While North America generates the majority of revenue, EMEA and APAC are growing as the company invests in regional data centers for data sovereignty compliance, localization, and expanded partner capacity. The company has achieved significant certifications in international markets, including GDPR compliance in Europe and regional data center deployments.
Managed security services monetization is the fourth pillar. The Red Canary acquisition creates opportunities for Zscaler to offer managed SOC services directly and through partners. The company can leverage its massive data processing capabilities to offer threat hunting, incident response, and continuous monitoring services that generate recurring revenue beyond software subscriptions.
The land-and-expand strategy remains central: new customers typically start with ZIA for internet security, then add ZPA for private application access, ZDX for digital experience monitoring, and AI Protect for AI workload security. The dollar-based net retention rate, while moderating, remains above 100%, indicating that existing customers expand their spending over time. The company's customer count growth has decelerated, suggesting that the strategy must shift from new logo acquisition to deeper penetration within existing accounts and upsell of new modules.
The M&A strategy is selective and capability-focused, with acquisitions typically in the tens to hundreds of millions of dollars range — small relative to the company's cash position but adding critical capabilities that would take years to build internally. The integration strategy is to embed acquired technology into the Zero Trust Exchange platform, preserving the architectural purity that is Zscaler's competitive moat.