CompanyGraph
Zscaler Inc.
ZS · United States
Decrypts, inspects, and re-encrypts enterprise internet traffic inline at distributed edge data centers, replacing the network perimeter with cloud-based Zero Trust enforcement.
Zscaler's system is built around inline SSL/TLS decryption at distributed edge locations, which requires deep packet inspection to complete within milliseconds because a broken session is indistinguishable from an outage to the application layer — and that fixed latency budget sets a hard ceiling on how much inspection logic can execute per packet, limiting how many security features can be added without degrading performance. That same geographic distribution, which eliminates the need for backhaul, forces continuous cross-location synchronization of threat signatures and policy state, because any divergence either passes uninspected traffic or drops legitimate sessions across the entire customer base at once. Expanding the edge network to reduce that risk is itself constrained by the per-location sequencing of co-location negotiations, peering agreements, and jurisdiction-specific certifications — a bottleneck that data sovereignty laws deepen by mandating localized infrastructure rather than consolidated capacity. Customers cannot easily escape this architecture because switching requires rebuilding SAML configurations, application-specific traffic policies, FedRAMP and SOC 2 certifications, and API integrations with tools such as Splunk and ServiceNow from scratch — a process measured in months.
How does this company make money?
The platform is sold through annual subscription licenses priced according to the number of users and the volume of data processed through the Zero Trust Exchange. Data loss prevention, browser isolation, and digital experience monitoring are sold as separate add-on subscriptions layered on top of the base license.
What makes this company hard to replace?
Switching away requires reconstructing custom SAML configurations tied to Active Directory and identity providers — a process that takes months. Application-specific traffic policies are embedded directly in customer networks, and FedRAMP and SOC 2 certifications must be obtained separately by any replacement vendor. API integrations with existing security tools such as Splunk and ServiceNow add further steps that must be rebuilt from scratch.
What limits this company?
SSL/TLS decryption, deep packet inspection, and re-encryption must complete within milliseconds at each edge location. The cryptographic processing budget per session is fixed by human-perceptible latency tolerance, which caps how much inspection logic can execute per packet and sets the hard ceiling on how many security features can be added without degrading application performance.
What does this company depend on?
The mechanism depends on SSL/TLS certificate authorities for traffic decryption rights, Microsoft Azure and AWS infrastructure hosting the edge data centers, threat intelligence feeds from security vendors including Proofpoint and CrowdStrike, internet exchange points for low-latency connectivity, and FedRAMP authorization to serve U.S. government customers.
Who depends on this company?
Enterprise IT departments whose remote workers lose internet access entirely if edge centers fail. Microsoft 365 and Salesforce applications become unreachable when traffic routing breaks. Financial services firms whose trading applications experience latency spikes during security processing delays. Healthcare systems whose HIPAA-compliant data flows require continuous policy enforcement to remain in compliance.
How does this company scale?
Security policy templates and threat signatures replicate instantly across all edge locations once developed. Edge data center deployment, however, requires physical co-location negotiations, local internet peering agreements, and jurisdiction-specific data handling certifications at each site — none of which can be automated or centralized — and that per-location sequencing remains the bottleneck as the network grows.
What external forces can significantly affect this company?
GDPR and emerging data sovereignty laws require traffic to remain within specific jurisdictions, forcing the build-out of localized edge infrastructure rather than consolidating capacity. Chinese internet restrictions and U.S. export controls on encryption technology limit where global deployment is possible. Remote work adoption is accelerating the replacement of enterprise VPN infrastructure, changing the rate at which organizations seek alternatives.
Where is this company structurally vulnerable?
The Zero Trust guarantee holds only when policy and threat intelligence are synchronized across all edge locations at the same time. A synchronization failure therefore propagates a security gap or a session blackout across the entire customer base at once — the geographic breadth that makes backhauling unnecessary is the same breadth that converts any coordination failure into a company-wide outage.