The Invisible Layer Protecting the World's Biggest Companies

In this episode of Motley Fool Hidden Gems Investing, Motley Fool analyst Jason Moser talks with Zscaler CFO Kevin Rubin about zero-trust security, the agentic AI threat landscape, and why the cybersecurity build-out may be one of the most durable investment themes of the next decade.

To catch full episodes of all The Motley Fool's free podcasts, check out our podcast center. When you're ready to invest, check out this top 10 list of stocks to buy.

A full transcript is below.

This podcast was recorded on June 7, 2026.

Kevin Rubin: There's no going back, if you will. I mean, as an industry, agentic is going to be as disruptive as, any of the tech waves have been in the past, whether it was mobile, Internet, etc. This is just the next frontier of how businesses will need to compete.

Jason Moser: That was Zscaler CFO Kevin Rubin on the future of AI security. I'm Motley Fool analyst Jason Moser. I sat down with Kevin to talk about how Zscaler’s protecting the world's largest organizations from an exploding wave of cyber threats and why the rise of agentic AI could be the biggest opportunity the company has ever seen. Enjoy.

Welcome to Motley Fool Conversations. I’m Jason Moser. Today, I'm excited to welcome the CFO of Zscaler, Mr. Kevin Rubin. Now, prior to Zscaler, Kevin was the CFO at BetterUp. Prior to that, he served as the CFO of Alteryx, a company that Motley Fool members are likely familiar with. Today, we're diving into the business of cybersecurity and Zscaler's role in this crucial market. Kevin, welcome to the show.

Kevin Rubin: Thanks, Jason. Appreciate you guys having us on.

Jason Moser: Well, really happy to have you here. And I guess the first thing I want to get into here because when we talk about cybersecurity, most of us, whether we're investors or not, we know that cybersecurity is necessary, but we don't exactly understand what it ultimately. There's so many different ways to view it. First things first, we said at the top, Zscaler is a cybersecurity company, but what is it that ZScaler actually does?

Kevin Rubin: Thanks for the question. It really comes down to two fundamental things in my mind. No. 1 is preventing bad actors from getting into your corporate network and being able to access sensitive information or breaching your environment. No. 2 is ensuring that sensitive data and corporate assets don't escape out of your corporate network. Those are the fundamental things that we seek to solve.

Jason Moser: I can tell you just from my day-to-day, we use Zscaler all the time here at The Motley Fool, and I appreciate that you're looking out for us. We hear a lot about zero trust. That's a word that we hear a lot in the cybersecurity market. Zscaler really pioneered a zero-trust model years ago, before it became mainstream. But now it seems like everybody claims to offer zero trust. I guess I'm wondering, like, can you talk a little bit about what separates genuine zero trust from what other people call zero trust? I've heard it called zero-trust washing before. Like, is there a unique property or quality to Zscaler or zero-trust dynamic?

Kevin Rubin: Zero trust is a set of principles that simply mean provide the least amount of access only for the necessary particular use for either an individual, a workload, or a device that sits within the corporate environment. The concept is you should not give access to anything and everything because somebody wants to access a single application. The principles are clear: give the least necessary access for what it is that somebody or something is trying to accomplish with that particular request. We architected Zscaler specifically with those principles in mind. The way that we approach zero trust and cybersecurity is through our zero-trust exchange. We don't believe, in today's environment, that companies need to build out large, complicated corporate networks. That was something that happened, you know, 30 or 40 years ago, when the Internet didn't exist, and stable ability to drive traffic didn't exist. But today, those are as common as driving on the interstate. If you go back probably 100 years, you had oil drillers who had to build private roads to be able to access their oil fields because general public roads didn't exist. Today, you don't see organizations building basic infrastructure to be able to access certain assets. The same analogy would hold true as you think about corporate access to applications and other corporate sets of data.

Our approach is simple. You allow your users and other resources to access what they need. Only at the time that they need it, and you go through the zero-trust exchange. Think about it as a one-to-one set of connection. You want to access your email. By way of example, you request access to the email server. We authenticate you. We ensure that you're authorized to access that. We allow you to get your email, and then that session terminates when you're done using email. The next time you come in, in the background, we'll go through that same process. In doing so, you don't have the ability to move laterally within the network. You have no reason or business to go to other applications if all you're doing is looking to serve email. The same would hold true if you're trying to go to your HRIS system or you're trying to go to your CRM system. Access what you need, be able to do the work that you need to do, but then get off the network and become invisible again.

That's how we've philosophically approached zero trust. If you are largely building corporate networks and providing network-based security architecture, your application of zero trust is likely through very complicated policy-driven zero trust principles, and our argument would be to your point about zero-trust washing, it's probably not effectively zero-trust, but you can brand it as zero-trust and go to market with that. We are actually living, breathing, and applying the principles in how we’ve architected our zero-trust exchange and our cybersecurity service.

Jason Moser: Well, I'm going to get into some numbers here as the CFO. I think you like that, but you've set a target of $5 billion and beyond in annual recurring revenue here over the next several years. You're guiding for $3.75 billion in revenue this year. As an investor, that's an exciting growth prospect, but I wonder what are the drivers that will get you there?

Kevin Rubin: Thanks for the question. We have a series of growth levers that are available to us as we think about our path to $5 billion and more. First off, you know, we started with zero trust for users, so the ability to protect user communication traffic between users and applications. We then extended that to zero-trust cloud. Being able to provide the same zero trust principles to workload-to-workload communication. Think about that as an application, talking to an application. Then, more recently, we extended that to zero-trust branch, the idea that organizations have branch offices. You can think about a bank and having branches around the country. All of those branches need to ultimately connect into other systems and resources, and we don't think that they all need to connect to each other and form a mesh network, as is traditionally thought. But connect each individual device in a branch to only the application that it needs. If it's a door sensor to monitor access, have it connect to the application that monitors access. It doesn't need to connect to other applications, and it certainly doesn't need to connect to other branches, as is the case today. If one of those devices were to get breached in the traditional sense, it has the ability to infect your entire web network in the zero-trust branch situation. If one particular device gets breached, it's limited the attack surface to that particular device.

The other area of growth opportunity for us is data security. We have seen significant momentum in our ability to protect data. As a service, we sit in the path of traffic, and so we have an ability to inspect that traffic as it's going back and forth. We have an ability to apply policy. That's how we determine what is and isn't acceptable use. On top of that, now we can also provide data security. Looking at the data that is being transacted back and forth and what is and isn't acceptable to go in and out of the organization, as we talked about at the upfront of the conversation.

Then, lastly, AI. AI is a very significant tailwind for us from a couple of different dimensions. First is we're going to be extending zero trust for users, branch, and cloud into zero trust for agents. The ability to orchestrate from a cybersecurity perspective, the communication between an agent and another agent or an agent and an individual, as well as machine-to-machine communication, and ensure that the same principles of one-to-one communication lease permissioning is adhered to. We think that's a huge opportunity. You have today, we protect more than 50 million users, and tomorrow, that could be millions or billions of agents that are doing work on behalf of organizations. If one rogue agent got breached or hacked, imagine the damage that they could produce in an organization if it had the ability to move throughout that corporate network and have access to things that it never needed to. Again, applying those zero-trust principles to agents is something that is near and dear to us.

Lastly, we’ve all heard a lot about Mythos and these frontier models that have been introduced more recently, and just the proliferation of vulnerability identification. Palo Alto was identified just this week as having a vulnerability that had been unknown for years, that got exposed by one of these models. It just reinforces the fact that companies today have got a backlog of vulnerabilities that they need to patch, and that's just what's known on their plate today. These models are identifying vulnerabilities at a rate and a pace that is at machine pace. We're talking about volumes of vulnerabilities that we can't even solve the vulnerabilities that were already identified previously, and now we're just piling on significantly more vulnerabilities that were unknown for decades, and it's overwhelming IT organizations. They can't possibly keep pace in terms of their ability to patch and address these things.

Our solution is very simple. Hide your applications behind Zscaler Exchange. What you can't see, you can't breach. In our architectured approach to cybersecurity, you hide your applications, and you only provide access to what is needed at that time, and so your blast radius gets minimized to a single device.

Jason Moser: This is a great segue. I'm glad you got us into the AI conversation because that's really where I wanted to go next. One thing I noticed, in this recent earnings call, you talked about joining the partnership with Anthropic via Project Glasswing. I think that's a really interesting concept. We're seeing tech companies of all walks joining into that consortium, so to speak. I wonder what opportunities does that partnership offer Zscaler?

Kevin Rubin: I think we're still uncovering all of the opportunities, to be candid. These are models that weren’t specifically developed initially to identify vulnerabilities, and yet they were doing so at machine speed and at a scale that nobody anticipated. We were an early partner with Anthropic in Glasswing. We’re an early partner with OpenAI on Daybreak, and it really does give us an opportunity to understand these models. We get to apply those models internally and understand how it would affect us. Then we get to learn and be able to apply those learnings to our customers and prospects so that we can provide the best cybersecurity for them and their environments. Being a participant has, obviously, been very important for us, and we have a great relationship with the frontier model companies.

Jason Moser: This is obviously a very competitive space. You've got incumbents out there that are building integrated security platforms and just really going all in. Zscaler is not the most acquisitive company in the world, but you recently made a fairly big acquisition in Red Cary. I wonder if you could just talk a little bit about why y'all did that what you think the challenges and the opportunities there are.

Kevin Rubin: One of the areas of opportunity that we've seen for a bit of time is the fact that we sit on an incredible amount of high-fidelity, rich security-oriented data. We process a half a trillion transactions a day through the zero trust exchange, orders of magnitude greater than even Google searches on a given day, to put a context to how much volume of traffic goes through our security cloud each and every day. We believe we have a unique position to provide our customers with an understanding and a perspective and a context around that data that is unique to us as a vendor. The rationale behind Red Canary was they had a decade-plus experience doing detection and response. They had taken that experience and established dozens of agents that were being able to scale that experience across a wide population of data. If we could pair that with our rich data set, that does provide a very unique set of information and insights to our customers. That was the ultimate approach and philosophy. Red Canary, after evaluating a variety of vendors in the space, surfaced as the right partner for us in being able to integrate their technology into what we will ultimately launch in the near term, which is our integrated secOps solution. The goal is to migrate legacy Red Canary customers into this new integrated solution, as well as offer it to existing customers, and we think it's a very differentiated opportunity to provide that insight.

Jason Moser: I want to go back to AI for just a second because I think one of the headlines that we're seeing a lot these days is companies starting to question the return on investment in regard to AI. Token usage is eating up budgets left and right. You're starting to question whether what's cheaper, the employee or the AI. It used to be that that was the argument was AI is going to make it cheaper, but now the employees are starting to look like maybe that's not a bad option after all. I wonder, do you feel like Zscaler, are you recognizing clear ROI on these AI investments today, or is this more of an investment in the future that you are having faith that it will pay off?

Kevin Rubin: It's a little bit of both, if we're being, you know, completely candid. I mean, we're at early innings as an industry around AI. We have seen significant productivity using AI in areas like engineering and product development. We've seen significant benefits in customer support and some of the other areas that early successes have been realized by others, as well. Those are real tangible benefits that we have been seeing and taking advantage of our approach internally to AI is not human or AI. It's really human and AI. How do we best pair agents, excuse me, AI, and agentic technology with our existing workforce to provide the best productivity and outcomes for customers? That's the lens at which we look at AI use. It certainly is exploding internally in terms of the various different teams that are using it. We are very focused on how we balance between token usage and what those outcomes are. Certain models are much more expensive in terms of tokens than others. We're trying to be very mindful in what models we use for what use cases and what outcomes. But there's no going back, if you will. I mean, as an industry, agentic is going to be as disruptive as any of the tech waves have been in the past, whether it was mobile, Internet, et cetera. I mean, this is just the next frontier of how businesses will need to compete.

Jason Moser: I like that. AI plus the person. It does seem to work really well. Just speaking as an analyst here at The Fool, I mean, I use those tools every day. I mean, they are absolutely helpful. I mean, I still like to do my own writing, but it's like search 2.0. I've always viewed it as this evolution of search, and we're just have access to more information than ever before, and it can put things together so much more quickly. I like that. The AI plus the person. That's a good perspective there.

As CFO, cybersecurity budgets are one of the last things that are ever cutting a downturn. This is just mission-critical stuff. You can't go without it. But by the same token, I mean, we're seeing a macro environment where I think CFOs across the board are having to scrutinize every dollar that's going out the door. I just wonder, how's this macro environment affecting your company's decision-making over the past years? Is it something that's keeping you up at night?

Kevin Rubin: Well, there's two dimensions or two ways in which I think about it. From a commercialization, Zscaler is an incredible value proposition to a large organization that has built its a cybersecurity based on traditional network based security, hardware and the like. If you look at the ROI of deploying Zscaler in a large network infrastructure, it is significant. You are deprecating a bunch of firewalls, VPNs, SDWANs, MPLS devices. You are replacing those with a service that provides you with your traffic and your inspection and your security. Those customers who have deployed ZScaler benefit from a significantly lower total cost of ownership under ZScaler. As I think about the opportunity in this environment, it's only becoming more evident that customers and prospects need to be looking outside the box, both figuratively, literally, in terms of how they approach cybersecurity. Those conversations are incredibly compelling when we sit down with customers and prospects and spell out what they can get rid of in their corporate network by deploying Zscalers. It's a highly cost-efficient way to provide frankly better service.

If we think about, again, this idea that vulnerabilities are being identified faster and deeper than ever before, your best defense of that is being able to hide behind a service like ours, and we're uniquely positioned the largest security cloud in the world. We operate a security cloud across 160-plus points of presence. So there's a deep amount of expertise and scale that sits behind Zscalers internally, we also benefit from the fact that our entire business runs on Zscaler. My cost of cybersecurity is going to naturally be less than a competitor or another vendor that is using traditional cybersecurity. You know, the other tension point today is, as we talked about, it's AI and the cost of AI relative to your overall financial model. Those companies that are best able to manage that balance will be the most competitive companies in the market today.

Jason Moser: Clearly, your customers like what you're giving them. I mean, I saw in this recent earnings call, I mean, customers that are generating over $1 million in annual recurring revenue that grew 18% from a year ago to 748. I think that's really encouraging. We'll leave it there. He's the CFO of Zscaler. Mr. Kevin Rubin, thank you so much for joining us today.

Kevin Rubin: Thank you for having me. I appreciate it.

Jason Moser: As always, people on a program may have interest in the stocks they talk about, and The Motley Fool may have formal recommendations for or against, so don't buy or sell stocks based solely on what you hear. All personal finance content follows Motley Fool editorial standards and is not approved by advertisers. Advertisements are sponsored content and provided for informational purposes only. To see our full advertising disclosure, please check out our show notes. For the Motley Fool Hidden Gems Investing team podcast, I'm Jason Moser. Thanks for listening. We'll see you next time.

Jason Moser has positions in Palo Alto Networks and Zscaler. The Motley Fool has positions in and recommends Zscaler. The Motley Fool recommends Palo Alto Networks. The Motley Fool has a disclosure policy.