In our previous article we examined Zscaler’s founding insight, the secular drivers behind Zero Trust adoption, and the evolving competitive landscape as hyperscalers and best-of-breed challengers fight for enterprise mindshare.

As explored in Part 1, Zscaler’s architecture is proven. The open question is whether the company can defend its role as the neutral control point for secure access—especially as Microsoft, Palo Alto, and Cloudflare push similar narratives and bundle adjacent capabilities.

This article evaluates Zscaler’s strategic durability using Hamilton Helmer’s “7 Powers” framework. We assess which advantages remain intact, which are weakening, and which are strengthening as adoption scales. We then turn to valuation—testing how much of Zscaler’s future is already priced in, and what assumptions are required to support an investment case.

Zscaler is a strong business. The question is whether its strategic advantages are sufficient to preserve relevance and pricing power in a market that is rapidly consolidating.

If you haven’t read part 1, you can read it here

At Pumice Capital, we publish free, in-depth fundamental research on high-quality companies built to compound over decades. Our focus is a concentrated portfolio of resilient, growth-driven businesses with a 10+ year horizon — backed by deep, differentiated analysis rarely found in mainstream coverage.

Recent reports: Cloudflare (NET) | Confluent (CFLT) | Snowflake (SNOW)

If you want early access to our latest research on the companies shaping the future, you can subscribe for free today.

1 – Power analysis

Zscaler’s early advantage stemmed from counter positioning, but its current moat is built on process power, switching costs, and brand strength. The company’s integrated product suite supports significant expansion within existing accounts, and its founder-led culture has enabled consistent innovation—often ahead of larger incumbents.

While scale and network effects offer some protection against smaller challengers, they are largely neutralised when competing with legacy vendors and hyperscalers.

A) Scale economies

Definition: Marginal costs decline faster than rivals can match - producing an unreplicable cost structure.

Rating - Weak (stable): Zscaler’s scale provides an edge over smaller vendors such as Wiz, Illumio, Armis, and Netskope. However, it is on par—or behind—larger incumbents and platform players.

This makes scale a relative advantage, not an absolute one. Hyperscalers can subsidise SSE offerings as part of broader cloud bundles, eroding any cost-based differentiation.

• Palo Alto, Cisco, Fortinet: These legacy vendors operate at comparable or greater customer/device scale and can cross-subsidise SSE infrastructure from larger product portfolios. Fortinet’s hardware margins fund aggressive pricing; Cisco leverages its vast channel and global backbone; Palo Alto can bundle Prisma Access into multi-product deals.

• Cloudflare: Runs a larger global network (335+ cities) serving multiple workloads, giving it bandwidth-buying power Zscaler can’t match.

• Microsoft & Google: Hyperscalers have orders-of-magnitude more network and compute scale, owning undersea cables and data centres globally. They can absorb SSE workloads into existing cloud footprints at near-zero incremental network cost. Security modules inside Microsoft 365 E5 can be priced near zero for incremental customers, nullifying scale-based cost advantages.

B) Network effects

Definition: Each new user increases the value of the product for others, with the product continuing to become more valuable as the number of users grows.

Rating - Weak (Stable): Zscaler’s customers do not directly interact, so there is no classic network effect. The only network-like benefit is aggregated threat intelligence.

In theory, more Zscaler customers → more traffic analysed → faster detection of new threats → better protection for all. However, threat intel can be bought, shared via industry feeds, or collected by rivals with their own massive telemetry.

Beyond a certain threshold, incremental telemetry also yields diminishing returns. This limits the extent to which scale translates into differentiated security outcomes.

• Palo Alto & Cisco: See threat data from thousands of firewalls and endpoint agents.

• Microsoft: Collects telemetry from Windows, Office, Azure, and Defender (1.4b+ Windows devices).

• Cloudflare: Inspects global web traffic across >25 million domains.

C) Counter positioning

Definition: A superior business model that incumbents rationally avoid copying because it would damage their core business. It is only a lasting source of advantage if the incumbent’s inaction remains structurally rational - driven by cannibalisation risk, internal conflict, or strategic constraint.

Rating - Weak (Decreasing): Once a clear advantage versus appliance vendors, this power has now largely been erased as the market has gone all-in on cloud. It exists in remnants across legacy players, but we expect this will go to zero over time.

• In the 2010s, firewall and gateway vendors thrived on high-margin hardware. Zscaler’s cloud-native, multi-tenant SaaS model eliminated boxes, cut costs, and updated continuously — a direct threat to that profit model.

  • Palo Alto’s CEO (2017) stated they held back cloud rollout to avoid “collapsing” firewall revenue.

• Zscaler capitalised, cementing its lead, and incumbents only embraced cloud after Zscaler proved it out.

• Eventually (c.2020), Palo Alto, Cisco, and Fortinet accepted the inevitable shift, building or buying cloud/SASE platforms.

As counter-positioning fades, Zscaler loses one of its most asymmetric advantages, leaving it more exposed to direct product and pricing battles.

D) Switching costs

Definition: Customer lock-in created by the financial, operational, and risk burdens of replacing a vendor.

Rating - Strong (Increasing): Once deployed, Zscaler becomes deeply embedded in customer infrastructure, making replacement costly, risky, and slow. Lock-in is strongest with large, multi-module enterprises (85% of $1M+ customers use 2+ modules; 65% use 3+ as of FY24), increasing entanglement.

That said, high switching costs can cut both ways: they may slow churn, but also extend sales cycles and constrain Zscaler’s ability to win competitive displacements at scale.

Moving providers involves:

• Reconfiguring network routing and authentication (AD/SSO).

• Deploying new endpoint agents to thousands of devices.

• Rewriting security policies, retraining IT, and re-onboarding users.

• Running dual systems in parallel to avoid outages, doubling cost during transition.

While strong, lock-in could degrade if buyer preference shifts toward modular ‘best-of-suite’ rather than single-vendor entrenchment —mixing Zscaler with Microsoft Defender or Cloudflare. In such a scenario, Zscaler’s ability to dictate price or prevent churn would be meaningfully weaker.

E) Branding

Definition: The ability to win preference or pricing power because of brand trust or prestige, even when products are functionally similar.

Rating - Moderate (Stable): Zscaler has strong brand equity in cloud security and Zero Trust, and regularly appears as a front runner in Gartner’s Magic Quadrant for SSE.

A decade as the clear SSE/Zero Trust leader has given Zscaler a brand halo that can swing deals when technical and price differences are small. In risk-averse enterprise security buying, this is meaningful.

Gartner Magic Quadrant for Security Service Edge

• Consistent #1 positioning — 10+ years as a Gartner MQ Leader, top in Forrester Wave, and often the reference vendor for Zero Trust.

• Halo of trust — Zscaler is used by Fortune 500 banks, defence agencies, and governments, with public case studies in highly regulated industries.

• Thought leadership — Regularly shapes Zero Trust narratives in analyst research and media coverage.

• Partner validation — Deep integrations with Microsoft, CrowdStrike, and Okta reinforce credibility and reach.

Brand, however, does not close deals alone — technical fit, ROI, and integration remain important. Rivals like Palo Alto, Cisco, and Microsoft have broader brand reach across more of the IT stack.

F) Cornered resource

Definition: Exclusive control over a valuable asset (IP, data, talent, rights) that rivals cannot replicate or acquire.

Rating - None (Stable): Zscaler has no irreplaceable asset that competitors cannot access or build themselves.

Certifications and partnerships are replicable — FedRAMP High was achieved early, but Netskope and Palo Alto now match it; integrations with Okta, Microsoft, and SD-WAN vendors are non-exclusive.

Core capabilities are architectural rather than proprietary (see process power), and talent is mobile across the industry.

• No unassailable IP moat — core SSE capabilities are architectural choices, not patented choke points. Palo Alto, Netskope, and Cloudflare have built similar capabilities independently.

• Talent and leadership are exceptional but portable — several SSE competitors are led by ex-Zscaler or ex-Juniper staff.

G) Process power

Definition: Advantage gained from unique, opaque, and hard-to-replicate processes—rooted in tacit knowledge and sustained execution excellence—that competitors cannot match despite copying inputs, unlike superficial “good culture” or generic operational efficiency.

Rating - Strong (Stable): Zscaler’s 15+ years operating a massive security cloud have created unique technical and organisational muscle memory, underpinning its continuous delivery of new features without downtime.

Despite poaching talent, and with bigger budgets, competitors have faced scaling and performance issues.

• Founder-led culture — Chaudhry has embedded his deep technical expertise, long-term orientation, and willingness to prioritise architectural purity over short-term sales expedience into Zscaler’s DNA.

• Enterprise migration expertise — Repeatable Fortune 500 rollout playbooks integrating identity (AD/SSO), reconfiguring global routing, and retiring VPNs with minimal disruption.

• Cross-product synergy — Natively integrated ZIA, ZPA, ZDX enable unified policy application and monitoring across internet access, private apps, and user experience.

While processes and culture are hard to replicate, bureaucracy could erode agility if the founder-led culture diminishes over time.

2 – Valuation

While Zscaler’s technology leadership and enterprise penetration are undeniable, the stock trades at a premium that embeds strong assumptions about sustained growth and continued dominance in Zero Trust.

To assess whether today’s valuation is justified, we benchmark Zscaler against peers on trading multiples, test upside and downside scenarios through DCF modelling, and identify the operational and strategic milestones investors should monitor most closely.

Comparable company trading multiples

Zscaler currently trades 15% below its 52-week high at $269.6/sh (25 Aug 2025 close), implying a c.13x EV/NTM revenue multiple based on consensus forecasts. This premium valuation reflects much higher growth vs. legacy peers, but is still well below companies like CrowdStrike (20.0x) or Cloudflare (28.5x) who share a similar growth outlook.

This valuation implies an expected decline in revenue growth to the high-teens, and hence is justified as long as the company maintains its current market share (our forecast industry CAGR to 2035 is 19%—see our previous article here).

This appears achievable—but only if Zscaler maintains current execution discipline. A slip in innovation velocity or pricing pressure from hyperscaler bundling could quickly make these assumptions look optimistic.

Discounted cash flow modelling

To assess the reasonableness of Zscaler’s trading price, we run a DCF using three scenarios - one where continued execution enables further market share growth, one where current share is maintained, and one where growth declines materially.

Base Case

Implied value = $275.3sh - c.2% above current price.

Our base case assumes Zscaler defends its current competitive position and grows in-line with the market, growing revenue at 18% p.a through to FY35.

Investors are effectively underwriting continued persistence rather than material acceleration, assuming that switching costs and process power are sufficient to hold share, even if scale economies and network effects remain relatively weak.

Key assumptions:

• NRR moderates over time, falling by 0.5% p.a. to 110% by 2035.

• New customers grow at a declining rate - falling by 5% p.a. (in-line with FY24).

• Gross profit margin is maintained at c.80%.

• Opex compression from 62% of revenue in FY24 to 53% of revenue by FY35 (excluding SBC), and capex intensity steady at 14%.

• c.2% annual shareholder dilution.

• Terminal revenue multiple of 11.5x applied in FY35 (assumes valuation re-rates back in line with what top tier legacy players like PANW command today).

Bull Case

Implied value = $404.4/sh - c.50% above current price.

Under a bull case, Zscaler remains a dominant enterprise presence and continues to expand its share of wallet across the security stack. Overall, this implies 24% p.a. revenue growth through to FY35.

This scenario assumes switching costs and process power not only hold but strengthen, with customers consolidating spend around Zscaler as the default secure access control point. Such a path would allow Zscaler to trade closer to Cloudflare’s premium.

Relative to the base case, we have assumed:

• NRR is 5% higher in all years.

• New customer acquisition is 5% higher - maintaining growth at FY24’s level.

• All other assumptions are constant.

Bear Case

Implied value = $193.4/sh - c.(28%) below current price.

In our bear case, we assume much lower growth and margin compression amidst tough competition. Overall, this implies 14% p.a. revenue growth through to FY35.

The bear case effectively models an erosion of Power—where hyperscaler bundling blunts pricing, switching costs weaken as modular adoption rises, and brand halo proves insufficient to sustain premium positioning. In this world, Zscaler converges toward the economics of firewall vendors rather than sustaining platform-like multiples.

Relative to the base case, we have assumed:

• NRR is 2.5% lower in all years.

• New customer acquisition growth is reduced by 5% - falling by 10% p.a.

• Gross profit margin is reduced by 5%.

• Terminal revenue multiple is reduced by 2.0x to 9.5x, reflecting a lower growth outlook and less robust competitive positioning.

• Other assumptions unchanged.

Valuation takeaways

At c.13x NTM revenue, Zscaler’s valuation embeds meaningful growth moderation and provides some margin of safety relative to its faster-growing peers. The key investor question is whether switching costs and customer entrenchment offset the structural threat of hyperscaler bundling.

Relative to peers:

• CrowdStrike: Zscaler trades at a 34% discount on revenue multiples despite higher near-term growth and better margins, potentially reflecting weaker perceived optionality outside its core or a weaker competitive advantage.

• Cloudflare: The gap is wider still with a 54% discount, possibly due to a premium given to Cloudflare for its exposure to AI inference at the edge and the company’s platform capability.

• Palo Alto: Zscaler retains a 15% premium, justified by its higher growth and cleaner business model.

For long-term investors, this setup offers a reasonable risk/reward skew with asymmetric upside potential that could be unlocked if Zscaler extends its Exchange deeper into adjacent security functions and proves resilient against platform consolidation.

• The base case suggests the stock is broadly fairly priced if Zscaler simply maintains its position as a neutral Zero Trust control point.

• The bull case highlights that durable 20%+ growth and deeper product penetration could re-rate the stock by 40–50%, bringing multiples closer to CrowdStrike or Cloudflare.

• The bear case underscores the risk of commoditisation and margin compression, where Zscaler could trade closer to mature firewall vendors.

Conclusion

Zscaler’s addressable market is forecast to grow at 19% annually, increasing the company’s SAM to $277b by 2030, and as a market leader the company is well positioned to ride this wave.

The base investment case rests on conviction in Zscaler’s ability to maintain its execution discipline, leveraging the strong switching costs and brand trust that has been developed over the past 18 years to earn its fair share of growth. While these powers do not guarantee invulnerability, they do suggest resilience: customers face material friction in switching, and CIOs continue to view Zscaler as the archetype of cloud-native Zero Trust.

The bull case — switching costs are strengthening with multi-module adoption, a capable management team can further climb the adjacency ladder into an array of complementary products, and history points to a proven capability of out-innovating peers. Given FY24 revenue amounted to only 2% of the SAM, there is a credible growth runway and hitting mid-20s revenue growth is not impossible (or even unlikely).

The bear case — Zscaler innovates too slowly, and has its lunch eaten by agile product specialists (Wiz, Illumio, Armis, Dynatrace) or platform players seeking to commoditise Zscaler’s offerings within their broader ecosystems (Cloudflare, Microsoft).

Overall, the stock is not priced for perfection, it is priced for persistence. Investors must decide whether Zscaler’s process discipline and switching costs are enough to offset the gravitational pull of bundled platforms.

On balance, we believe they are. Our view is that there is sufficient power to maintain and grow the business at or above market levels, and as a result rate the business as a BUY in our portfolio at current levels.