Zscaler Surpassed $3 Billion ARR by Displacing Legacy VPN and Firewall Infrastructure with Zero Trust SASE
Surpassed $3B ARR by replacing VPN and firewalls with Zero Trust cloud, adopted by 45% of the Fortune 500.
Zscaler, a Large Enterprise Cybersecurity company, created value through New Customer Acquisition and Customer Expansion.
Zscaler is the world's largest security cloud, providing Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) to enterprises globally, recognized as a Leader in Gartner’s 2025 Magic Quadrant for Security Service Edge (SSE) for the fourth consecutive year. The company operates a purpose-built cloud platform — not a virtualized version of legacy hardware — through which it inspects over 500 billion transactions per day across more than 150 global data centers.
In the late 2010s, enterprise security architectures were dominated by on-premises firewall appliances, MPLS-based WANs, and VPN concentrators — a model structurally misaligned with the shift to cloud and remote work. Legacy perimeter-based security required traffic to backhaul through corporate data centers for inspection, creating latency, cost, and complexity as users connected from anywhere and applications migrated to SaaS. Security teams managing five to ten point-product vendors faced growing operational overhead and inconsistent policy enforcement.
By fiscal year 2024 (ending July 31, 2024), Zscaler had $2,167.8 million in revenue and a dollar-based net retention rate (DBNR) of 115%, with 567 customers generating more than $1 million in annual recurring revenue. Growth was concentrated in large enterprise displacement: organizations replacing Cisco VPN, Palo Alto Networks hardware firewalls, and MPLS networking with Zscaler’s cloud-delivered platform, a structural market shift that Zscaler was uniquely positioned to capture as the only pure-play SASE vendor at scale (Zscaler 10-K FY2025, Business Overview).
Zscaler's platform displacement strategy operated on three levels simultaneously. First, Zscaler Private Access (ZPA) targeted VPN replacement, providing application-level access without placing users on the corporate network — eliminating the lateral movement risk inherent in traditional VPN architectures. Second, Zscaler Internet Access (ZIA) replaced proxy appliances and web security gateways, bundling SSL inspection, cloud sandboxing, CASB, and DLP in a single cloud service. Third, beginning in fiscal 2023 and accelerating through 2025, Zscaler expanded into adjacent markets: data security via DSPM, AI-powered threat intelligence, and Zero Trust for Branch — replacing SD-WAN for branch office networking.
The implementation followed a deliberate land-and-expand pattern. Initial deployments typically started with ZIA for internet access or ZPA for application access, replacing specific point products. Once deployed, the all-cloud architecture made adding modules frictionless — expanding from ZIA to ZPA required no hardware procurement or separate management console training, dramatically reducing friction for successive expansions.
| Metric | FY2024 | FY2025 | Change |
|---|---|---|---|
| Revenue | $2,167.8M | $2,673.1M | +23.3% |
| Annual Recurring Revenue (Q4) | ~$2,471M | $3,015M | +22% YoY |
| Customers >$1M ARR | 567 | 664 | +17.1% |
| Total customers | ~8,700 | 9,400+ | +8% |
| Dollar-Based Net Retention Rate | 115% | 114% | −1 pt |
| Data Security platform ARR | — | ~$425M | new disclosure |
| Fortune 500 penetration | — | 45% | — |
| Global 2000 penetration | — | >40% | — |
ARR figures from Q4 earnings disclosures. FY2024 ARR estimated from FY2025 year-end and ~22% growth rate.
Zscaler's single most consequential strategic choice was refusing to sell hardware or support on-premises deployments. Most security incumbents preserve legacy architectures by offering hybrid modes — keeping existing appliances in place alongside new cloud services. Zscaler forced architectural displacement: customers had to commit to cloud-native security or not buy at all.
That choice created friction in the sales cycle but dramatically raised switching costs post-deployment. Once an organization routes all internet traffic through ZIA and all application access through ZPA, removing Zscaler requires rebuilding the security architecture from scratch. The 114% DBNR — sustained over multiple years — is the consequence: customers don't leave because leaving means replacing everything.
The land-and-expand pattern deserves scrutiny. Early Zscaler analysis treated large platform bookings as success even when only one module was in production. The shift to prioritizing "two or three modules fully deployed before adding more" over "maximum modules sold upfront" improved expansion ARR quality — customers who use what they've bought expand; customers with shelfware don't renew. This operational discipline, rather than the platform architecture itself, explains why DBNR held above 114% even as the customer base scaled past 9,000 organizations.
The $425M Data Security ARR by FY2025 signals a second act: Zscaler is now displacing standalone DSPM and DLP vendors the same way it displaced VPN and firewall vendors. Operators watching security consolidation should note that the displacement pattern — purpose-built cloud architecture, no hardware option, forced architectural commitment — is replicable into any adjacent category where legacy point products coexist with a cloud-native alternative.
Critically, Zscaler rejected hybrid approaches: the company built no hardware form factor and offered no on-premises deployment option. This forced complete architectural displacement rather than co-existence alongside legacy equipment, raising deal complexity but increasing switching costs once customers standardized on the platform.
By July 31, 2025, over 40% of Global 2000 companies and 45% of Fortune 500 companies were Zscaler customers. The company invested in a 'zero trust transformation' narrative backed by professional services, MSSPs, system integrators, and technology alliances with Microsoft, ServiceNow, and CrowdStrike — giving enterprise buyers a defensible business case for reallocating hardware CapEx to subscription OpEx. Data Security platform ARR reached approximately $425 million by fiscal year 2025, demonstrating that module expansion beyond core SASE was gaining traction (Zscaler Q4 FY2025 earnings report).
By fiscal year 2025 (ended July 31, 2025), Zscaler reported $2,673.1 million in revenue, up 23.3% from $2,167.8 million in FY2024 (Zscaler 10-K FY2025, filed September 11, 2025). Annual Recurring Revenue reached $3,015 million in Q4 FY2025 — representing approximately $544 million of ARR added in a single fiscal year, growing 22% year over year from approximately $2,471 million at the end of FY2024. The number of customers generating more than $1 million in ARR grew from 567 in FY2024 to 664 in FY2025, a 17.1% increase reflecting ongoing displacement of larger enterprise security budgets.
The dollar-based net retention rate held at 114% in FY2025 (versus 115% in FY2024), meaning existing customers expanded spend by 14% annually — driven primarily by module add-ons including data security, identity threat detection, and deception technology. The total customer base reached 9,400+ organizations (Zscaler Q4 FY2025 earnings press release).
Zscaler’s 23% revenue growth and 22% ARR growth demonstrate sustained enterprise demand for full architectural displacement over incremental hardware upgrades. As the only pure-play SASE vendor at scale and a recognized Gartner Magic Quadrant Leader in SSE for four consecutive years, Zscaler’s trajectory reflects accelerating market share concentration in cloud-native Zero Trust security.
Three factors made platform displacement viable at Zscaler's scale.
First, Zscaler built its platform on a multi-tenant cloud architecture from day one — not a virtualized hardware stack. This gave the platform inherent scalability and global inspection capacity without the operational overhead of physical appliances, making it structurally cheaper to operate than the legacy alternatives it displaced. The absence of a hardware business model meant Zscaler had no incentive to preserve legacy architectures, unlike incumbent vendors with appliance revenue to protect.
Second, a partner ecosystem of MSSPs, system integrators, and technology alliances co-sold and co-delivered Zscaler deployments. The alliance with Microsoft — with Zscaler serving as the default Zero Trust access layer for Microsoft 365 and Azure environments — was particularly consequential for enterprise sales cycles, embedding Zscaler into Microsoft's own sales motions and advisory recommendations.
Third, Zscaler's account teams adjusted mid-execution from broad platform selling to focused deep deployment: rather than selling all modules upfront, they prioritized complete production deployment of two or three modules before adding adjacent capabilities. This shift reduced implementation risk and improved expansion ARR quality. Without this change — had teams continued selling all modules simultaneously — large deals would have included inactive licensed capacity, inflating bookings while depressing usage and renewal probability.