NASDAQ: ZS

Many of the largest enterprises and government agencies in the world rely on our solutions to help them accelerate their move to the cloud. We have over 9,400 customers across all major geographies, with an emphasis on larger organizations, and we currently count approximately 40% of the Forbes Global 2000 and over 45% of Fortune 500 companies as customers. Our customers span every major industry, including financial services, healthcare, insurance, manufacturing, automotive, airlines and transportation, conglomerates, consumer goods and retail, media and communications, public sector and education, energy, technology and telecommunications services.

We have experienced significant growth, with revenue increasing from $1,617.0 million in fiscal 2023 to $2,167.8 million in fiscal 2024 to $2,673.1 million in fiscal 2025, representing year-over-year revenue growth of 34% and 23%, respectively. We experienced net losses of $41.5 million, $57.7 million and $202.3 million in fiscal 2025, fiscal 2024 and fiscal 2023, respectively. We expect we will continue to incur net losses for the foreseeable future.

We pioneered a cloud platform, the Zscaler Zero Trust ExchangeTM platform, which represented a fundamental shift in the architectural design and approach to networking and security that allows companies to securely accelerate their digital transformation initiatives.

The Zscaler Zero Trust Exchange is a cloud-native platform, which implements Zero Trust principles to securely connect users, devices, applications and workloads, including AI agents, without relying on traditional hub-and-spoke network architecture and firewall-centric security. These technologies have become a roadblock to transformation for organizations that want to compete in today’s digital world. Firewalls and virtual private networks, or VPNs, create a perimeter around the corporate network and everything inside the perimeter is implicitly trusted. This is one of the root causes of ransomware attacks. Zscaler’s Zero Trust model operates on the principle that users, workloads, devices and AI

3

Table of Contents

Agents are untrusted by default, irrespective of the network they are connected to. This approach reduces the attack surface and prevents lateral threat movement, while improving business resilience. We believe that Zero Trust combined with AI is rapidly becoming the new foundation for enterprise security architectures. Zscaler is pioneering this convergence of Zero Trust + AI, enabling enterprises to embrace technologies in a manner that is more secure, more scalable, more resilient and increasingly adaptable to the modern world.

Our ever-evolving platform provides our customers with a flexible and scalable approach to better secure their operations, optimize user experience, eliminate complexity, reduce costs and respond to the challenges and opportunities of AI and future new technologies. As the threat landscape evolves and companies look to further embrace AI and the cloud, our platform has evolved to focus on four core solutions: Zero Trust Everywhere, Data Security Everywhere, Security for AI and Agentic Operations.

•Zero Trust Everywhere – extends the principles of Zero Trust across all locations – branches, campuses, cloud, factories, entities, users, workloads, IoT/OT systems and autonomous AI agents.

•Data Security Everywhere – is Zscaler’s approach to safeguarding sensitive information across its entire lifecycle, from creation to storage, transmission and access, regardless of location, device or application.

•Security for AI – allows organizations to securely embrace public and private AI applications.

•Agentic Operations – refers to the integration of advanced AI technologies to empower both Security Operations, or SecOps, and IT Operations, or ITOps, teams with increased efficiency and actionable insights.

Zero Trust Everywhere

Our Zero Trust Exchange cloud security platform delivers our core Zero Trust Everywhere products through the deployment of our comprehensive and integrated solutions, each built natively in the cloud to power digital transformation.

Zero Trust Everywhere spans three core domains: Zero Trust Users, where users are never placed on the corporate network; Zero Trust Cloud, where workloads communicate only through the Exchange; and Zero Trust Branch, where branches, factories, warehouses, IoT/OT devices and autonomous AI agents are secured as independent entities and connected solely through policy-based access. Together, these capabilities deliver a unified Zero Trust architecture that replaces legacy firewalls, VPNs and SD-WANs with a model purpose-built for the modern enterprise.

Zero Trust Users

People remain the weakest link in enterprise security. Compromised credentials, unmanaged devices and phishing attacks continue to be the entry point for many breaches. Zero Trust Users is designed to protect the workforce, third parties, business-to-business, or B2B, partners and suppliers by assuming no user is trusted by default. Every user – internal or external, on any device, from any location – must prove their identity, demonstrate a secure posture and meet policy requirements before being granted access to an application.

This approach eliminates the risks of putting users on a corporate network. Instead, users connect only to the specific applications they are authorized to use – whether SaaS, internet, AI applications or private applications hosted in data centers, clouds or factories. By removing the network path, threats cannot move laterally if a user is compromised.

By treating every user as untrusted, continuously analyzing risk and enforcing adaptive, per-session policies, Zero Trust Users reduces the likelihood of breaches, protects sensitive data and ensures a secure, reliable experience for everyone

4

Table of Contents

accessing enterprise applications and services. Zscaler delivers this functionality via the following core services: Zscaler Internet AccessTM, or ZIATM, Zscaler Private AccessTM, or ZPATM, and Zscaler Digital ExperienceTM, or ZDXTM.

Zscaler Internet Access

ZIA provides secure access to externally managed applications, including SaaS applications and internet destinations regardless of device, location or network. ZIA provides inline content inspection and firewall access controls across all ports and protocols to protect organizations and users from external threats, secure data in motion and prevent data from leaking out to unauthorized sites. Policies follow the user to provide identical protection on any device, regardless of location; any policy changes are enforced for users worldwide. Our inline cloud security platform assesses and correlates the risk of the content to protect against sophisticated attacks, including ransomware and phishing. The cloud platform applies AI and machine learning, or ML, across over 500 billion daily transactions to quickly identify and block unknown threats and to identify and categorize unknown destinations.

ZIA enables the following capabilities:

Cyberthreat Capabilities – Our holistic, future-ready threat defense functionality enables protection against threats using a range of approaches and techniques. Our threat prevention capabilities provide multiple layers of protection to prevent sophisticated ransomware, phishing and zero-day cyber attacks. Built on the principle of least privilege, our proxy architecture enables full Transport Layer Security, or TLS,/Secure Sockets Layer inspection at scale, with connections brokered between users and applications based on identity, context and business policies. We provide functionality that traditionally has been offered by disparate, stand-alone products. Our core cloud platform threat prevention capabilities include:

•Advanced Threat Protection: Our advanced threat protection functionality uses techniques including AI/ML, advanced heuristics, signatures and reputation to deliver real-time protection from malicious internet content like browser exploits, scripts, zero-pixel iFrames, malware and botnet callbacks. Over 250,000 unique security updates are performed every day to the Zscaler cloud to keep organizations protected. Once we detect a new threat to a user, we block it for all users across all customers. We call this the “cloud security effect.”

•Sandbox: Our cloud sandbox enables enterprises to block zero-day exploits and advanced persistent threats by analyzing unknown files for malicious behavior, and it can scale to every user regardless of location. Our cloud sandbox was designed and built to be multi-tenant and allows customers, using AI, among other analytics, to determine which traffic should be sent for detonation. As an integrated cloud security platform, customers can set policies by users and destinations to prevent patient-zero scenarios and to analyze, hold and detonate suspicious files in the cloud sandbox before they are sent to a user.

•Browser Isolation: Our cloud browser isolation functionality creates an isolated browsing session that enables users to access any webpage on the internet without downloading any of the web content served by the webpage onto a local device or the corporate network. With cloud browser isolation, users are not directly accessing active web content; instead, only a safe rendering of pixels is delivered to the user. Malicious code that may be hidden in the web content is kept at bay. Customers can select and isolate traffic based on specific policies and/or automatically based on our AI enabled risk determination. The combination of cloud browser isolation and cloud sandbox enables administrators to perform content disarm and reconstruction to flatten, sanitize and securely deliver files free of active content.

5

Table of Contents

Zscaler Private Access

ZPA provides Zero Trust Network Access to secure access to internally managed applications, either hosted internally in data centers or hosted in private or public clouds. ZPA is designed around four key tenets that fundamentally change the way users access internal applications:

•connect users to applications without bringing users on the network, preventing lateral movement;

•never expose applications to the internet;

•segment access to applications without relying on the traditional approach of network segmentation; and

•provide remote access over the internet without VPNs.

ZPA leverages a global policy engine that governs access to internally managed applications regardless of location. If access is granted to a user, our ZPA solution connects the user’s device only to the authorized application without exposing the identity or location of the application. As a result, applications are not exposed to the internet, further limiting the external attack surface. This results in reduced cost and complexity, while offering better security and an improved user experience.

Our ZPA solution includes broad functionality, which we categorize by the following areas:

•Cyberthreat Protection and Data Protection: Our ZPA solution delivers the same cyberthreat protection and data protection functionality that is applied to internet traffic via our ZIA solution.

•Application Discovery: Similar to cloud access security broker, or CASB, application discovery reports for internet hosted SaaS applications, our ZPA solution provides granular discovery of internally managed applications to aid in the creation and oversight of segmentation policies. Because our ZPA solution sits on the application layer and is name-based or domain-based, organizations can quickly and seamlessly identify their internally-managed applications and then easily provision appropriate policies.

•Secure Application Access: Since our ZPA solution delivers seamless connectivity to internally managed applications and assets whether they are in the cloud, enterprise data center or both, administrators can set global policies from a single console, enabling policy-driven access that is agnostic to the network the users are on. By creating seamless access to applications regardless of a user’s network, our ZPA solution eliminates the need for traditional remote access VPNs, reverse proxies and other similar products.

•Application Segmentation: Our architecture provides capabilities that enable user and application level segmentation, a vast improvement over traditional network segmentation. As each user-to-application connection is segmented with microtunnels, each of which is a temporary session between a specific user and a specific application, lateral movement across the network is prevented, significantly reducing security risk. Since users are granted access only to applications for which they have permission and are not granted full access to the network, microtunnels eliminate the need for an internal firewall.

•Application Protection: Our ZPA solution initiates outbound-only connections between authenticated users and internally managed applications using microtunnels. Access is provided to users without bringing them onto the corporate network and without exposing applications to the internet. Internally managed applications are not discoverable or identifiable. With no inbound connections and no public IP addresses, there is no inbound attack surface and therefore no threat of distributed denial-of-service, or DDoS, attacks. For allowed connections, our ZPA solution also provides Web Application Firewall functionality, including OWASP Top 10 protections for threats, such as Structured Query Language injection and cross-site scripting, to block common attack vectors.

6

Table of Contents

•Reduce Attack Surface: Our architecture utilizes inside out connections that are outbound from users to the Zero Trust Exchange platform, which allows customers to deny all inbound connections. This reduces their attack surface by not exposing IP addresses of all devices, applications, appliances or workloads to the internet. Reduced attack surface results in lower exposure to zero-day application vulnerabilities and eliminates the need for DDoS mitigation.

•Browser Isolation: Our cloud browser isolation is used with our ZPA solution to provide isolated sessions to internal web applications without allowing data to transfer down to unmanaged devices or active content to be uploaded into sensitive internal applications. Combining cloud browser isolation with browser-based access provides a simplified, more cost-effective alternative to VDI for employees, contractors and B2B partners, by effectively keeping sensitive data off unmanaged devices.

The primary use cases for our ZPA solution include:

•remote workforce access to private applications without legacy VPN, providing Zero Trust from office to data center;

•deliver user-to-application segmentation, thus eliminating the risk of lateral threat propagation enabled by legacy Firewall and VPN based security architecture;

•providing non-employees with secure access to internal applications;

•securely connecting B2B customers, service providers and supplier access to applications typically deployed as B2B portals in an extranet;

•direct-to-cloud access to internally managed applications hosted in public cloud environments, such as Azure, AWS and GCP; and

•access to applications following a merger or acquisition by providing named users with access to named applications, without the need to merge networks.

Zscaler Digital Experience

ZDX is designed to measure end-to-end user experience across key business applications, providing an easy-to-understand digital experience score for each user, application and location within an enterprise. As users have become mobile and applications have moved to the cloud, traditional network performance monitoring tools have become increasingly irrelevant. Enterprises can no longer reliably collect performance metrics or indicators along the traditional network path as they could when they owned the network and applications ran in their own data centers. ZDX leverages advanced AI-enabled root cause analysis to proactively pinpoint issues in the network path, providing detailed insights into whether disruptions stem from a user’s device, WiFi connection, local internet, service provider or the destination application itself. With ZDX's expanded functionality, enterprises can now utilize predictive analytics to identify potential performance degradations before they impact end users, enabling faster remediation and minimizing downtime. Additionally, ZDX can easily differentiate localized issues – such as problems affecting a single user, application or location – from broader systemic issues impacting multiple users or locations, ensuring quicker and more focused responses. Administrators benefit from enhanced real-time monitoring and seamless integration into existing IT workflows, all via a simple visual interface that eliminates the need for additional hardware or software.

Zero Trust Cloud

Our Zero Trust Cloud offers a comprehensive solution for securing customer workloads across hybrid environments, encompassing both public clouds and private data centers. This platform is built on a Zero Trust architecture, utilizing our

7

Table of Contents

Zero Trust Exchange for centralized security policy enforcement and robust data protection. Zero Trust Cloud is designed to securely connect workloads and inspect all traffic, enabling the detection and mitigation of cyber threats like ransomware, preventing data loss and facilitating workload segmentation to halt the lateral movement of threats. This strategy aims to provide customers with consistent threat and data protection, eliminate the attack surface, reduce operational complexity and lower overall costs.

Our Zero Trust Cloud solution includes broad functionality, which we categorize by the following ideas:

•Secure Workload to Internet: Our Zero Trust Cloud provides a solution for securing outbound communications from customer workloads to the internet. This capability is designed to protect workloads hosted in public clouds, private data centers or hybrid environments when they connect to external resources such as application programming interfaces, or APIs, SaaS platforms, third-party services or AI agents. Rather than trusting the underlying network, our Zero Trust model is founded on verifying the identity of the workload itself and enforcing granular access policies for any internet-bound request. To protect against cyber threats and data loss, the solution performs cloud-scale TLS inspection, which is designed to identify and block malicious attacks and prevent the unauthorized exfiltration of sensitive data from our customers' cloud workloads.

•Zero Trust Gateway: Zero Trust Gateway is a new deployment model for Zero Trust Cloud that dramatically improves operational efficiency. Customers can now rapidly deploy Zero Trust Cloud. Zero Trust Gateway, a fully managed Zscaler service available in the cloud service provider, allows customers to route traffic to Zscaler via an endpoint service using the most optimized path. This enables real-time inspection and filtering of traffic, preventing unauthorized access and mitigating threats. Zero Trust Cloud, deployed via Zero Trust Gateway, secures workload-to-internet and workload-to-workload traffic across multi-cloud environments, eliminating the need for traditional cloud firewalls, VPNs, express routes or direct connects.

•Workload Microsegmentation: Our Workload Microsegmentation solution secures mission critical applications inside public clouds and data centers to stop lateral threat movement, preventing application compromise and reducing the risk of data breaches. Our agent-based offering solution utilizes an innovative, AI-enabled approach that is simpler to deploy and operate than traditional segmentation solutions, and improves the security of east-west communication by verifying the identity of the communicating application software, services and processes to achieve a Zero Trust environment. This reduces the attack surface, resulting in lower risk of application compromise and data breaches.

Zero Trust Branch

Our Zero Trust Branch solution brings Zero Trust principles to secure communications between and within branches, factories, data centers and campuses. It reimagines branches as independent “café-like” environments, connecting directly to our Zero Trust Exchange over broadband, 5G or satellite. The network becomes pure transport, while business policies determine who can access what, when and where. With this model, branches become like islands and are invisible to the internet, dramatically reducing the attack surface and eliminating lateral threat movement. This eliminates the need for north-south firewalls, VPNs, network access control, or NAC, systems and costly routing infrastructure, sharply lowering complexity, risk and cost.

Legacy branch architectures built on MPLS or legacy SD-WAN solutions inherently enable lateral movement, allowing compromised devices in one location to infect applications and systems across the corporate network. This model creates unnecessary cyber risk and adds costly complexity. Zero Trust Branch neutralizes that risk by eliminating implicit trust and lateral movement, stopping ransomware and malware spread.

8

Table of Contents

Our Zero Trust Branch solution includes broad functionality, which we categorize by the following ideas:

•Zero Trust SD-WAN: Our Zero Trust SD-WAN solution provides branches and data centers with fast, reliable access to the internet and private applications with our Direct-to-CloudTM architecture that provides strong security and operational simplicity, with the ability to deploy locally by virtual machine or by purchasing a plug-and-play appliance. Our Zero Trust SD-WAN solution eliminates lateral threat movement by connecting users and IoT/OT devices to applications through our Zero Trust Exchange platform. Branch traffic can be securely forwarded directly to the Zero Trust Exchange, where ZIA or ZPA policies can be applied for full security inspection and access identity-based control of branch and data center communications.

•Zero Trust Device Segmentation: Our Zero Trust Device Segmentation solution provides agentless segmentation for enterprise IT and OT environments, creating a "network of one" where even devices on the same network can only communicate with each other if authorized. The combination of Zero Trust SD-WAN with Zero Trust Device Segmentation extends the Zero Trust Exchange platform to protect east-west traffic in branch offices, campuses, factories and plants with critical OT infrastructure, eliminating the need for east-west firewalls, NACs and traditional microsegmentation solutions, while simultaneously delivering operational simplicity.

Data Security Everywhere

Our data security functionality enables enterprises to prevent unauthorized sharing or exfiltration of confidential information by users, devices, servers, workloads and AI agents, thereby reducing business and compliance risks for our customers. We provide inline monitoring of data flows between users and applications, workload to workload, API to API and applications to LLMs with AI-powered auto data discovery, reducing the risk of inadvertently transmitting sensitive data and intellectual property. We also provide out-of-band discovery and remediation of data risks across a wide range of data stores, including SaaS, IaaS/PaaS, cloud data lakes and warehouses and on-prem systems. Core cloud platform data security services include:

•Advanced AI-Powered Data Classification: Our data classification engines leverage a variety of technologies and techniques to identify customer sensitive data. Predefined, custom dictionaries and automated AI discovery tools identify sensitive customer data by leveraging efficient pattern-matching algorithms, regular expressions, AI-based training models and keywords. Additional advanced classification techniques, including exact data match, indexed document matching and ML-based optical character recognition, enable our customers to identify and secure sensitive data across billions of unique structured data fields.

•Enterprise Data Loss Prevention: Our data loss prevention, or DLP, technology enables enterprises to alert and/or block transmission or sharing of sensitive data across exfiltration channels. This includes inline data in motion to external internet destinations and unmanaged endpoints, data at rest in SaaS environments through out-of-band API integrations, securing public cloud infrastructure data in Azure, AWS and GCP and protecting endpoints by preventing printing or copying to local storage, including USB devices. Additionally, our Email DLP solutions secure corporate email traffic, including Microsoft Exchange and Gmail.

•Unified SaaS Security: Our CASB, SaaS security posture management, or SSPM, and our SaaS supply chain security combine to discover and control known and unknown applications, identify SaaS misconfigurations, find and mitigate potentially risky third-party connections into those SaaS applications and scan data residing in those applications for threats and data protection violations. By doing TLS inspection at scale, we provide malware protection, DLP and CASB functions that can be performed both inline and out-of-band, for specific sanctioned and unsanctioned applications. Business policies can be defined with granular access control for specified cloud applications, such as the ability to upload or download files or post comments on videos based on different user or group identity.

9

Table of Contents

•Email Security: Our email security solution leverages advanced cloud-delivered protections to secure inbound and outbound email traffic against sophisticated threats, such as phishing, malware and ransomware. Integrated with our Zero Trust Exchange platform, it ensures comprehensive inspection and policy enforcement without relying on traditional email gateways. The solution employs AI and ML to detect and block malicious payloads, suspicious links and compromised accounts in real time. Additionally, this solution enhances DLP by identifying and mitigating risks associated with sensitive information being shared via email.

•Data Security Posture Management: Our Data Security Posture Management, or DSPM, technology enables enterprises to discover and mitigate risk across their vast range of data stores – including public cloud, SaaS, data lakes and warehouses and on-premise data systems. Advanced classification and contextual analysis enables enterprises to understand where sensitive data resides, and to uncover risks related to posture configuration, access entitlements or compliance. Automated workflows enable organizations to remediate these risks, integrating with mainstream IT Service Management tools such as Service Now and Jira. The solution empowers organizations to proactively remediate data risks and avoid sensitive data exposures or compliance violations.

Security for AI

The emergence of generative AI models is fundamentally transforming businesses, as enterprises and their stakeholders have rapidly embraced this new technology. Enterprises are adopting public GenAI SaaS applications, such as ChatGPT, Microsoft Copilot, Gemini and others, and are also investing to develop their private AI applications, such as customer-facing, employee-facing or supplier-facing chatbots and agents. This growing adoption of AI is leading to an emergence of a new category of risks that go beyond traditional cyber and data risks, including prompt injection, toxicity, training data leakage, model poisoning, tool poisoning and other risks. To enable our customers to safely and securely adopt these public and private AI applications, we are expanding our Security for AI Applications portfolio.

Security for Public AI Applications – Public GenAI SaaS applications can improve employee productivity, however they also present new risks for organizations, such as data loss and unauthorized access to classified or sensitive information. Zscaler’s Public AI security solutions give visibility, provide access control, protect sensitive information leakage and defend against emerging adversarial attacks. Our solutions for public AI applications include:

•GenAI Security: Our GenAI security offerings provide enterprises with comprehensive visibility and control over generative AI tool usage to prevent data loss while enabling productivity benefits. Our solution allows organizations to create and enforce policies around which generative AI tools users can access and how they interact with them, including through secure browser isolation to protect sensitive data. The platform delivers granular controls including prompt-level visibility, AI/ML-based URL filtering, DLP enforcement and the ability to restrict data upload methods while allowing productive AI interactions. In addition to inline controls, our solution offers proactive discovery and analysis of AI systems in cloud environments. This solution helps organizations deal with model sprawl, identify new AI attack vectors and govern data connected to AI systems. Our solutions also help safeguard the use of AI embedded in SaaS applications, such as Microsoft Copilot, to help ensure that data being used by Copilot is properly protected. This comprehensive approach enables organizations to harness the innovation and efficiency benefits of generative AI while maintaining robust data security and regulatory compliance.

•Zscaler AI Guard for Users: Our Zscaler AI Guard for Users secures the prompts and responses between employees of our customers and public GenAI applications. AI Guard enforces policies on prompts and responses to protect against toxicity, prompt injection, code sharing, sensitive-data leakage and other adversarial attacks. In addition, AI Guard provides granular visibility into prompts, responses and log events, including the associated metadata, for consumption and analysis by security operations center, or SOC, teams.

10

Table of Contents

Security for Private AI Applications – Enterprises are developing private AI applications, such as chatbots and AI-agents, using large language models, or LLMs, such as ChatGPT, Anthropic, Gemini, Llama, DeepSeek and more. Our private AI security solutions provide visibility and policy enforcement. Our solutions for private AI applications include:

•AI-SPM: Zscaler AI-SPM provides deep visibility into all AI services, agents and models deployed in a customers’ environment. Leveraging advanced LLM classification, Zscaler AI-SPM discovers, classifies and assesses risks of sensitive data that maps to any AI services, providing a 360-degree view of all of data and its correlated risks.

•AI Guard for Private LLMs: Zscaler’s AI Guard provides guardrails with purpose-built detectors sitting inline between LLMs and private AI apps. With continuous monitoring, secure deployment and advanced protection, AI Guard enables organizations to harness the power of AI while keeping their models and data safe from exploitation.

•AI Decoys for LLMs: AI Decoys for LLMs is designed to prevent sensitive data leakages and unauthorized access in environments leveraging LLMs, extending our existing deception capabilities. It uses AI-generated decoy information to mislead and neutralize potential threats, safeguarding critical organizational assets.

Agentic Operations

Security Operations

Reducing cyber risk is a priority for all enterprises, especially at the executive and board of directors level, making holistic security operations a key area of focus for our customers. Our security operations solutions include both proactive security initiatives, focused on identifying security gaps before they can be exploited, and reactive security programs, centered on finding and containing incidents after they happen. These solutions include broad and differentiated capabilities in both domains and are categorized into the following areas:

Proactive Security Operations

Exposure Management – Zscaler’s exposure management platform ingests and analyzes a wide range of exposure intelligence sources to deliver a comprehensive view of organizational risk. It integrates data from Zscaler systems, such as our Zero Trust Exchange platform, and third-party data from more than 150 sources including: vulnerability scans; misconfigurations; shadow IT discovery and unmanaged devices (including IoT/OT); security information and event management, or SIEMs; security orchestration, automation and response systems; endpoint protection platforms; and global threat intelligence feeds. It also integrates contextual data such as asset criticality, business impact and user behavior. Our Data Fabric for Security ingests, synthesizes and enriches this data to yield compelling insights for exposure management by security teams. Our exposure management platform includes:

•Unified Vulnerability Management: Our unified vulnerability management solution provides dynamic and customizable prioritization, streamlined reporting, automated workflows for remediation and contextualized risk-based assessments of a customer’s risk landscape. This solution leverages our Data Fabric for Security to deliver actionable insights, prioritized risk analysis and operational efficiencies. Our customers gain significantly enhanced and automated analytics and decision-making in real-time without the need for manual data aggregation and collection.

•Asset Exposure Management: Our asset exposure management capabilities provide organizations with deep visibility into their digital attack surface, enabling them to identify, assess and remediate asset vulnerabilities before they can be exploited. By continuously monitoring all assets – whether hosted on-premises, in the cloud or within hybrid environments – our solution helps uncover shadow IT, misconfigurations, unpatched systems and other hidden risks. This solution leverages our Data Fabric for Security to provide advanced analytics and automation,

11

Table of Contents

prioritize critical exposures based on business impact and threat likelihood and empower organizations to proactively reduce their attack surface and strengthen their overall security posture. This approach aligns with our commitment to providing comprehensive, scalable solutions that help customers minimize risk in a rapidly evolving threat landscape.

Reactive Security Operations

Threat Management – Zscaler delivers advanced capabilities including deception technologies, identity threat detection and managed detection and response. Our acquisition of Red Canary, Inc, or Red Canary, strengthens this portfolio with its agentic AI-driven threat detection that autonomously reduces alert fatigue, hunts threats and delivers faster, more accurate incident containment. We will integrate these advanced SOC capabilities with our Data Fabric for Security, enabling more robust SOC capabilities over time and helping customers reduce or eliminate their dependence on costly legacy SIEM systems. Our threat management offerings include:

•Deception: Our deception solution augments our customers’ ability to detect the presence of an adversary in their network by deploying decoys. These decoys disrupt adversaries by detecting their presence in the network and initiating mitigation using automatic orchestration via the Zscaler platform and other third-party solutions. Customers can quickly deploy these capabilities by leveraging a diverse library of built-in decoys including various types of applications, network components and IoT services. The high-fidelity low-volume alerts allow customers to implement meaningful automation workflows to prevent lateral spread.

•Red Canary Managed Detection and Response: Our Managed Detection and Response (MDR) service offering, added through our acquisition of Red Canary, provides threat detection and on-demand incident response services to augment our customers’ security operations capabilities and reduce reliance on extensive internal resources or specialized expertise. This capability leverages advanced technologies including agentic workflows, AI-supported threat intelligence, expert analysis and automated runbooks to identify and address complex cybersecurity threats.

•Identity Protection: Attackers commonly target users and identities as the point of entry and use that access to escalate privileges and move laterally. Our Identity Protection capability provides continuous visibility into identity misconfigurations and at-risk permissions by scanning common identity providers. Identity Protection augments this visibility with guidance in the form of scripts, commands and tutorials to remediate identity risk and reduce customers’ internal attack surface. In addition to preventive capabilities, Identity Protection also provides high-fidelity detection for identity-based attacks like stolen credentials, multi-factor authentication bypasses and privilege escalation techniques that typically pass through existing defenses in cases of identity compromise.

Agentic IT Operations

Zscaler is also extending Agentic Operations to IT through our ZDX product. Traditional IT operations depend on siloed monitoring tools that provide limited visibility and require manual troubleshooting across networks, devices and applications. These limitations result in long ticket resolution times, frustrated users and higher operating costs. With ZDX's expanded functionality, enterprises can now utilize predictive analytics to identify potential performance degradations before they impact end users, enabling faster remediation and minimizing downtime. ZDX leverages advanced AI-enabled root cause analysis to proactively pinpoint issues in the network path, providing detailed insights into whether disruptions stem from a user’s device, WiFi connection, local internet, service provider or the destination application itself. It also leverages AI-driven automation to deliver end-to-end visibility into user experience, network performance and application health. With agentic remediation capabilities, ZDX can detect endpoint issues, resolve tickets and proactively improve performance without human intervention. For example, ZDX can identify device misconfigurations, degraded application paths or network bottlenecks, and automatically correct them, reducing resolution time, avoiding downtime and creating a better user experience.

12

Table of Contents

By transforming IT operations from reactive to proactive, ZDX enables enterprises to improve user productivity and satisfaction, reduce IT operations cost and deliver consistent digital experiences at global scale.

Our Technology and Architecture

We are driven by technology and innovation. We developed a highly scalable, multi-tenant, globally distributed cloud capable of providing inline inspection of internet and SasS traffic, securing access to private applications, protecting cloud applications, managing digital experience and scanning for exposures and misconfigurations. We designed a purpose-built three-tier architecture starting with our core operating system and adding layers of security and networking innovations over time. Our cloud platform is protected by more than 725 issued and pending patents in the United States and other countries. Our cloud is distributed across more than 160 public exchanges globally and thousands of private exchanges at the edge, and processes over 500 billion requests per day from users across over 185 countries.

Our platform is designed to be resilient, redundant and high-performing. It is built as software modules that run on standard x86 platforms without dependency on custom hardware. The platform modules are split into the control plane (Zscaler Central Authority), the enforcement plane (Zscaler Enforcement Nodes) and the logging and statistics plane (Zscaler Log Servers) as described below:

•Zscaler Central Authority: The Zscaler Central Authority monitors our entire security cloud and provides a central location for software and database updates, policy and configuration settings and threat intelligence. The collection of Zscaler Central Authority instances together act like the brain of the cloud, and they are geographically distributed for redundancy and performance.

•Zscaler Enforcement Nodes: Customer traffic is directed to the nearest Zscaler Enforcement Node, where security, management and compliance policies served by the Zscaler Central Authority are enforced. The Zscaler Enforcement Node also incorporates our differentiated authentication and policy distribution mechanism that enables any user to connect to any Zscaler Enforcement Node at any time to ensure full policy enforcement. The Zscaler Enforcement Node utilizes a full proxy architecture and is built to ensure data is not written to disk to maintain the highest level of data security. Data is scanned in random-access memory only and then erased. Logs are continuously created in memory and forwarded to our logging module.

•Zscaler Log Servers: Our technology is built into the Zscaler Enforcement Node to perform lossless compression of logs, enabling our platform to collect over 130 terabytes of unique raw log data every day. We do not collect customer data other than logs, and those logs are encrypted and transmitted to our log server at a destination of choice selected by the customer without ever writing to disk at the enforcement nodes. Logs are transmitted to our logging servers over secure connections and multicast to multiple servers for redundancy. Our dashboards provide our customers visibility into their traffic to enable troubleshooting, policy changes and other administrative actions. Our analytics capabilities allow customers to interactively mine billions of transaction logs to generate reports that provide insight on network utilization and traffic. We do not rely on batch reporting; we continuously update our dashboards and reporting and can stream logs to a third-party SIEM service as they arrive. Regardless of where users are located, customers can choose to have logs stored in the United States or the European Union/Switzerland. Customer data is isolated as part of our multi-tenant architecture.

•Data Fabric for Security: Our Data Fabric for Security capabilities empower organizations to seamlessly integrate, analyze and act on security data across distributed environments. By unifying data from user activity, applications, devices and workloads across on-premises, cloud and hybrid networks, our platform provides real-time visibility into potential threats and vulnerabilities. This interconnected “fabric” enables security teams to break down silos, correlate insights from multiple sources and make proactive, data-driven decisions to mitigate risks. With advanced automation and AI-driven analytics, our Data Fabric for Security transforms raw security data into actionable

13

Table of Contents

intelligence, helping organizations respond faster to incidents, comply with regulatory requirements and maintain a robust security posture across their increasingly complex IT ecosystems.

Our platform is a critical integration point positioned in the data path providing secure access to the internet, cloud and internal applications. We complement and interoperate with key technology and cloud vendors across major market segments, including identity and access management device and endpoint management, as well as SIEM for reporting and analytics. Many of these vendors, like us, were developed in the cloud and together provide a foundation for a modern access and security architecture.

Growth Strategies

The growing use of the internet and the increasing adoption of the cloud and mobility are driving network and application transformation. As a provider of a fully integrated, multi-tenant cloud security solution, we enable our customers to accelerate this secure transformation to the cloud and believe we are uniquely positioned to maximize value as they undertake these transitions. Key elements of our growth strategy include:

•Continue to win new customers. We believe that we have a significant opportunity to expand our customer base, both in the United States and internationally. We have invested significantly in our sales and marketing organization to execute against this opportunity.

•Expansion in existing customers. We leverage a land-and-expand approach with our existing customers to sell subscriptions for additional users, additional solutions and premium solution bundles that contain more functionality.

•Leverage channel partners to participate in cloud transformation initiatives. We have invested in establishing long-standing relationships with global telecommunications service providers and are expanding our network of global system integrators and regional telecommunications service providers and cloud-centric value-added resellers and public cloud marketplaces.

•Expansion and innovation of services. We continue to invest in research and development and acquire new technologies and products to add new and differentiated solutions to our existing product portfolio and to improve the overall functionality, reliability, availability and scalability of our cloud security platform.

•Expansion into additional market segments. We are targeting the expansion of our immediate addressable market into additional markets, segments and verticals. For example, we are targeting our expansion into new geographies in the Asia Pacific, Latin America and Middle East regions.

We sell to enterprises of all sizes. As of July 31, 2025, we had over 9,400 customers, including approximately 40% of the Forbes Global 2000 and over 45% of Fortune 500 companies. Many of our customers include major global enterprises that send virtually all of their internet traffic through our cloud security platform. Our customers operate in a variety of industries, including automotive, airlines and transportation, conglomerates, consumer goods and retail, energy, financial services, healthcare, insurance, manufacturing, media and communications, public sector and education, technology and telecommunications services. Approximately 49% of our revenue was from customers outside the United States for all periods presented. No end customer contributed more than 10% of our revenue in fiscal 2025, fiscal 2024 and fiscal 2023.

14

Table of Contents

Sales and Marketing

Although we have a channel sales model, we use a joint sales approach in which our sales force develops relationships directly with our customers, and together with our channel account teams, works with our channel partners on account penetration, account coordination, sales and overall market development. Our customer care and success teams maintain high-touch relationships with our customers to deploy and manage our cloud platform, identify, analyze and resolve performance issues and respond to security threats. We believe customer service touchpoints are opportunities to further develop our relationship with our customers and potentially generate incremental revenue through the addition of new users and services.

Our channel partners consist of global telecommunications service providers, system integrators, value-added reseller partners and public cloud marketplaces, and we leverage their relationships to expand our reach, improve procurement and accelerate customer fulfillment.

We enter into agreements with our channel partners in the ordinary course of business. The contracts typically have a one-year term and renew automatically, subject to cancellation by either party upon 90 days’ notice. These agreements contain standard commercial terms and conditions, including payment terms, billing frequency, warranties and indemnification. Our channel partners generally place purchase orders with us after receiving orders from customers. We generally maintain privity of contract with customers through end user subscription agreements.

We expect to continue investing in our channel partners as we provide them with education, training and programs, including supporting their independent sales of our solutions. We believe that such investment, and investments in our sales force, will lead to significant expansion in our customer base, which will materially impact our business and results of operations.

Our marketing strategy is focused on platform and brand awareness, which drives our opportunity pipeline and customer demand. This strategy is account-based, enabling us to pursue targeted marketing activities across both digital and non-digital channels. We anticipate increasing our marketing team headcount and are investing in programs designed to elevate our brand in the market and engage new enterprise accounts. We also participate in a number of cloud and security industry events. In addition, we have a deeply integrated ecosystem of channel partners, with whom we engage in joint marketing activities.

Data Center Operations

We have expanded the Zero Trust Exchange over 160 public exchanges and thousands of private exchanges at the edge, which are built to be highly resilient, have multiple levels of redundancy and provide failover to other data centers in our network. Our data centers are co-located within top-tier internet interconnection hubs that have direct connectivity, known as peering, to major telecommunication service providers, SaaS providers, public cloud providers, internet content providers and popular internet destinations. A number of our data centers are also located with our service provider partners.

Compliance

Our platform has received numerous industry standard and internationally recognized certifications upon successful completion of further independent third-party assessments, including ISO 27001, ISO 27701, ISO 27018, ISO 27017, SOC2, SOC 3 CSA-STAR and HIPAA.

We also built a leading U.S. and international government compliance portfolio. We are authorized at the FedRAMP Moderate and High levels and Impact Level 5 with the DOD for ZPA. In addition, in the U.S. we are authorized at both the FedRAMP Moderate and High levels for ZIA, among others. We also hold CMMC Level 2 certification, ITAR, FIPS, CJIS

15

Table of Contents

and VPAT 508 in our U.S. Government portfolio. We also became the first cloud-based SaaS security company to achieve StateRamp for state and local governments. Internationally, we are IRAP Protected and APRA in Australia, Cyber Essentials and G-Cloud in the UK, C5 in Germany, ITSG-33 Prob B in Canada, ISMAP in Japan, MTCS in Singapore and, most recently, Spain Gov CPSTIC catalog listing and ENS-High.

Research and Development

Our research and development organization is responsible for the design, architecture, operation and quality of our cloud platform. In addition to improving on our features and functionality, this organization works closely with our cloud operations team to ensure that our platform is reliable, available and scalable. ThreatLabZ, our internal team of security experts, researchers and network engineers, analyzes the global threat landscape, works to eliminate threats across our cloud platform and reports on emerging security issues.

Research and development expense was $672.5 million, $499.8 million and $350.8 million for fiscal 2025, fiscal 2024 and fiscal 2023, respectively. Our research and development leadership team is predominantly located in San Jose, California, and we also maintain research and development centers internationally, including in India, Canada, Israel and Spain.

Competition

The market for security solutions is defined by changing technologies, an evolving threat landscape and complex enterprise needs. Our competitors and potential competitors include legacy on-premises appliance vendors and other vendors across a number of categories:

•independent IT security vendors, which offer a broad mix of network and endpoint security products;

•large networking and other vendors, which offer security appliances and/or incorporate security capabilities in their networking products and other services;

•companies with point solutions that compete with some of the features of our cloud platform, such as proxy, firewall, CASB, sandboxing and advanced threat protection, AI security, data loss prevention, encryption, load balancing and VPN; and

•other providers of IT security services that offer, or may leverage related technologies to introduce, products that compete with or are alternatives to our cloud platform.

The principal competitive factors in the markets in which we operate include:

•delivering security from the cloud regardless of location of the user;

•platform features, effectiveness and extensibility;

•platform reliability, availability and scalability;

•rapid development and delivery of new capabilities and services;

•ability to integrate with other participants in the security and networking ecosystem;

•price, total cost of ownership and network cost savings;

•brand awareness, reputation and trust in the provider’s services;

•strength of sales, marketing and channel partner relationships; and

16

Table of Contents

•quality of customer support.

We believe we are positioned favorably against our competitors based on these factors. Our cloud platform integrates many of the point products offered by our competitors and potential competitors, which is a key differentiator. However, many of our competitors have substantially greater financial, technical and other resources, greater brand recognition, larger sales forces and marketing budgets, broader distribution networks, more diverse product and services offerings and larger and more mature intellectual property portfolios. They may be able to leverage these resources to gain business in a manner that discourages users from purchasing our services, including through selling at zero or negative margins, offering concessions, product bundling or maintaining closed technology platforms. Further, many organizations have invested substantial personnel and financial resources to design and operate their appliance-based network security architecture and may not be willing or ready to abandon those historical investments. As our market grows and rapidly changes, we expect it will continue to attract new companies, including smaller emerging companies, which could introduce new products and services. In addition, we may expand into new markets and encounter additional competitors in such markets.

Intellectual Property

Our success depends in part upon our ability to protect and use our core technology and intellectual property rights. We rely on a combination of patents, copyrights, trademarks, trade secret laws, contractual provisions and confidentiality procedures to protect our intellectual property rights. As of July 31, 2025, we had more than 725 issued patents and pending patent applications, including more than 325 issued patents in the United States and other countries. Our issued patents expire between 2028 and 2044 and cover various aspects of our cloud platform. In addition, we have registered “Zscaler” as a trademark in the United States and other jurisdictions, and we have registered other trademarks and filed other trademark applications in the United States. We are also the registered holder of a variety of domestic and international domain names that include “Zscaler” and similar variations. In addition to the protection provided by our intellectual property rights, we enter into confidentiality and invention assignment or similar agreements with our employees, consultants and contractors. We further control the use of our proprietary technology and intellectual property rights through provisions in our subscription and license agreements. Despite our efforts to protect our trade secrets and proprietary rights through intellectual property rights, licenses and confidentiality agreements, unauthorized parties may still copy or otherwise obtain and use our software and technology. In addition to our internally developed technology, we also license software, including open source software, from third parties that we integrate into or bundle with our cloud platform.

Our industry is characterized by the existence of a large number of patents and frequent claims and related litigation based on allegations of patent infringement or other violations of intellectual property rights. We believe that competitors will try to develop products and services that are similar to ours and that may infringe our intellectual property rights. Our competitors or other third-parties may also claim that our platform infringes their intellectual property rights. In particular, companies in our industry have extensive patent portfolios. From time to time, third parties, including certain of these companies and non-practicing entities, have in the past and may in the future, assert claims of infringement, misappropriation and other violations of intellectual property rights against us or our customers or channel partners, with whom our license or other agreements may obligate us to indemnify against these claims. Successful claims of infringement by a third-party could prevent us from offering certain services or features, require us to develop alternate, non-infringing technology, which could require significant time and during which we could be unable to continue to offer our affected subscriptions or services, require us to obtain a license, which may not be available on reasonable terms or at all, or force us to pay substantial damages, royalties or other fees. As we face increasing competition and gain an increasingly higher profile, the possibility of intellectual property rights claims against us grows. We cannot assure you that we do not currently infringe, or that we will not in the future infringe, upon any third-party patents or other proprietary rights. See “Risk Factors—Risks Related to Our Business—Claims by others that we infringe their proprietary technology or other rights, or other lawsuits asserted against us, could result in significant costs and substantially harm our business, financial condition, results of operations and prospects” for additional information.

17

Table of Contents

Government Regulation

Our business activities are subject to various federal, state, local and foreign laws, rules and regulations. Compliance with these laws, rules and regulations has not had, and is not expected to have, a material effect on our capital expenditures, results of operations and competitive position as compared to prior periods. Nevertheless, compliance with existing or future governmental regulations, including, but not limited to, those pertaining to global trade, business acquisitions, consumer and data protection, privacy, employment, labor and taxes, could have a material impact on our business in subsequent periods. For more information on the potential impacts of government regulations affecting our business, see “Item 1A - Risk Factors.”

Human Capital

As of July 31, 2025, we had a total of 7,923 employees in locations around the world. We have not experienced any work stoppages and we consider our relations with our employees to be positive and collaborative.

Zscaler's vision is to create a world in which the exchange of information is always secure and seamless. Specifically, ensuring that our people and culture are aligned with this vision is critical to our success. In order to continue to innovate and to execute our business strategy, we must attract, develop and retain skilled employees, particularly in the areas of product development, engineering, sales and customer success.

Our Culture

Our culture is about creating an environment where our global workforce can contribute their best work to help our customers and our business succeed. Zscaler's cultural values are:

•Teamwork

•Ownership

•Passion

•Innovation

•Customer Obsession

We build this culture through the feedback we receive from our employees through company-wide surveys as well as informal feedback channels throughout the year. We ultimately view and measure the success of our culture by our ability to sustain great business results.

Employee Development

We invest in our employees through a suite of programs from their first day of employment to develop their talent and skills as our business grows. Our leadership approach establishes clear expectations, enables measurement and actionable feedback and ensures that our people managers have access to learning and resources that help them to embody our leadership principles.

In addition, new employees in our customer care and success teams are enrolled in structured sales and product training to build their knowledge. Our technical teams have access to live and online training resources and participate in frequent company tech talks where training on best practices and latest developments are shared. We build the skills and capabilities of our senior leaders through intentional investment in their development and opportunities for them to network, collaborate and problem solve together.

To supplement our internal resources, we work with external experts to offer focused development for our leaders, as well as targeted offerings on topics that are critical to enhancing the capabilities of our talent. We offer tuition reimbursement for eligible employees to further enhance their career growth through higher education.

18

Table of Contents

Compensation and Benefits

We provide competitive compensation and benefits packages to attract and retain our talent. In addition to base pay, employees may be eligible for performance based bonuses that are tied to our financial performance and long-term equity incentives that vest subject to continued service. Certain employees may also need to achieve defined performance metrics for parts of their long-term incentives to vest. Our employee performance management program aligns individual achievement and corporate goal attainment with compensation. Employees are assessed on both what was achieved and how they achieved it to help build a high-performance culture that delivers for our customers and is aligned to our cultural values.

We offer an employee stock purchase plan, which allows employees to contribute a percentage of their wages to purchase our stock at a discount. In addition to cash and equity compensation, we offer our employees a robust portfolio of benefits, such as health, well-being, parental leave and retirement programs, to meet their individual and family needs.

Health, Safety and Well-being

The health and safety of our employees is our top priority. We recognize the need to create a flexible working environment that balances collaboration, innovation and connectivity with personal preferences for employees to do their best work. Our employee wellness programs support employees across four pillars: physical, emotional, social and financial. These programs are designed to meet the needs of our employees through connection and support, with flexibility for local and targeted approaches. We will continue to review and invest in programs to provide for the health, safety and well-being of our employees.

Corporate Information

We were incorporated in the state of Delaware in September 2007 as SafeChannel, Inc., and in August 2008, we changed our name to Zscaler, Inc. Our principal executive offices are located at 120 Holger Way, San Jose, CA 95134, and our telephone number is (408) 533-0288. Our website address is www.zscaler.com. Information contained on, or that can be accessed through, our website does not constitute part of this Annual Report on Form 10-K.

Available Information

Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, proxy statement, and all amendments to these filings, are available free of charge from our investor relations website (https://ir.zscaler.com/financial-information/sec-filings) as soon as reasonably practicable following our filing with or furnishing to the SEC of any of these reports. The SEC’s website (https://www.sec.gov) contains reports, proxy and information statements and other information regarding issuers that file electronically with the SEC.

Zscaler investors and others should note that we announce material information to the public about our company, products and services and other issues through a variety of means, including our website (https://www.zscaler.com), our investor relations website (https://ir.zscaler.com), our blogs (https://www.zscaler.com/blogs), press releases, SEC filings, public conference calls and social media, in order to achieve broad, non-exclusionary distribution of information to the public. We encourage our investors and others to review the information we make public in these locations as such information could be deemed to be material information. Please note that this list may be updated from time to time.

The contents of any website referred to in this Form 10-K are not intended to be incorporated into this Annual Report on Form 10-K or in any other report or document we file.

19

Table of Contents