Jay Chaudhry has spent years arguing that security should connect users directly to authorised applications rather than place them on a trusted corporate network. In 2026, the founder, chairman and chief executive of Zscaler is applying the same principle to a more difficult population: AI agents, models, data services and machine identities that can act at extraordinary speed. The strategic logic is strong. The operational challenge is to extend the zero-trust platform without turning a clear architectural idea into a crowded collection of products and acquisitions.
Zscaler enters that challenge with momentum. Third-quarter fiscal 2026 revenue rose 25 per cent to $850.5 million, while annual recurring revenue increased 25 per cent to $3.525 billion. Excluding Red Canary, ARR grew 21 per cent to $3.398 billion. Non-GAAP operating margin reached a record 23 per cent, and free cash flow rose 14 per cent to $136 million. Management lifted full-year revenue guidance to roughly $3.33 billion and expected ARR between $3.740 billion and $3.749 billion.
These results show that Chaudhry can expand the business while improving adjusted profitability. They also reveal the contribution of acquisition. Red Canary added $127 million of ARR in the quarter, narrowing the difference between reported and organic growth. Acquired capability can accelerate entry into managed detection, browser security, AI red teaming and data access governance. It can also create overlapping technologies, sales motions and cost structures. Chaudhry’s 2026 leadership test is integration under pressure from a threat landscape that will not wait.
Agents break the old security model again
Traditional network security assumed that employees and devices connected to applications through identifiable locations and relatively stable identities. Cloud adoption weakened that model, creating the opening for Zscaler’s Zero Trust Exchange. AI agents make the old assumptions even less useful. An agent can call multiple tools, access a database, generate code and initiate a workflow in seconds. Its identity may be short-lived, its permissions inherited and its behaviour difficult for a human team to observe in real time.
Chaudhry’s answer is to treat each interaction as an event that requires identity, policy, inspection and least-privilege access. Zscaler says its platform processes 750 billion transactions a day, providing a large telemetry base for detecting patterns and enforcing controls. The concept is appealing: an agent should reach only the application or data required for a task, without receiving broad network access or a path for lateral movement. If compromised, its blast radius should remain narrow.
The execution standard is higher than in human access. Machine actions occur too quickly for manual approval at every step, yet fully autonomous permission can create severe risk. Zscaler needs policy that reflects context, data sensitivity, agent provenance and intended action. Customers also need traceability showing who authorised an agent, what it accessed and where information went. Security cannot become so restrictive that legitimate automation loses its value. Chaudhry must balance containment with usable speed.
A wider platform through acquisition
Zscaler has assembled several pieces around the core exchange. Red Canary adds managed detection and response with human expertise. SPLX contributes AI red-teaming capabilities. SquareX strengthens browser security for unmanaged devices and bring-your-own-device environments. The planned acquisition of Symmetry Systems adds an access graph intended to map relationships among identities, agents, applications and data. Together they could create a broad system for discovering AI use, testing models, controlling access and responding to threats.
The potential advantage is shared context. A browser event, agent request, data relationship and detection alert become more valuable when analysed together. The potential weakness is operational fragmentation. Separate consoles, policy languages, data stores and commercial packages would force security teams to perform the integration Zscaler promises to remove. Chaudhry should judge each integration by whether it reduces customer steps and increases the intelligence of the core platform. Revenue contribution alone is not enough.
Project AI-Guardian illustrates the ecosystem dimension. Zscaler is working with global system integrators and technology partners to connect security signals across AI, cloud and infrastructure services. No vendor controls the full enterprise AI estate, so interoperability is essential. Yet partnerships can become marketing alliances with limited technical depth. Customers need policies and alerts to move across systems, not a diagram of logos. Chaudhry must insist on measurable integrations and common response workflows.
Innovation must survive economic scrutiny
Security budgets are resilient but not unlimited. Chief information security officers already manage numerous tools, and AI products have created another wave of specialised offers. Zscaler’s consolidation pitch can win if it replaces legacy virtual private networks, secure web gateways and point tools while lowering administrative burden. The company must show total cost reductions and risk outcomes, not only wider feature coverage. Platform deals that grow through discounting may lift ARR while weakening future price realisation.
The fiscal third-quarter margin provides an encouraging base. Non-GAAP operating income rose to $195.8 million, while the corresponding margin improved to 23 per cent. GAAP operations still produced a $29.6 million loss, partly because stock-based compensation and acquisition-related charges create a large difference between accounting views. Chaudhry needs continued progress in both operating discipline and transparency. Investors will increasingly expect a company with more than $3.5 billion in ARR to convert platform scale into durable GAAP profitability.
Free-cash-flow guidance was reduced because capital expenditure was expected to consume a high-single-digit percentage of revenue. Investing in global infrastructure can strengthen performance, sovereignty and resilience, but it must produce returns. Zscaler operates through more than 160 data centres and is expanding localised controls. Chaudhry has to match capacity with customer demand while preserving the latency advantage central to inline security. Infrastructure is part of the product, yet overbuilding can weaken the economics of growth.
Trust is the product
Zscaler’s position inside customer traffic creates a high level of responsibility. The platform must inspect activity without becoming an unacceptable privacy or availability risk. As it adds AI analysis, customers will ask how telemetry is used, where it is processed and whether models can expose sensitive content. Clear data boundaries, regional controls and auditability are essential. Sovereignty enhancements in 2026 reflect demand from governments and regulated enterprises that want central policy with local control.
The company is also using advanced models within its own software development and security operations. Partnerships give defenders access to cyber-focused AI for vulnerability discovery, triage and remediation. This can increase speed, but it introduces model risk into the process protecting the platform itself. Human review, evaluation and rollback remain important. Chaudhry’s team should demonstrate that AI-assisted security improves detection and response without creating opaque automated decisions.
A failure of the platform could have cascading consequences because customers route critical access through it. Zscaler must therefore maintain redundancy, transparent incident response and disciplined change management while shipping products quickly. Founder-led urgency is an advantage in a fast market, but cybersecurity rewards reliability over theatrical speed. Chaudhry’s credibility rests on making innovation operationally boring once it reaches production.
Asia expands both opportunity and obligation
Chaudhry was born in Himachal Pradesh, India, and built his technology career in the United States before founding several security companies. His inclusion among Asia-linked global leaders reflects that journey. The regional market is also central to Zscaler’s growth. Asian enterprises are modernising networks, connecting factories and devices, adopting cloud services and experimenting with agents while navigating strict national rules. Zero trust offers an architecture suited to distributed operations if it can be localised.
Partnerships with Singtel for cellular internet of things and operational technology in Southeast Asia, and with Bharti Airtel on an India AI and cyber-threat research centre, indicate a more regional approach. Such initiatives can provide threat intelligence, distribution and skills. They must lead to deployed controls and customer outcomes. Operational technology in particular requires careful design because latency or false blocking can affect physical processes. Zscaler cannot simply apply office access policy to industrial environments.
The region will also test sovereignty. Data and security logs may need to remain within national boundaries, while multinational customers want consistent global policy. Zscaler’s platform has to separate control from local processing without creating gaps. This technical and regulatory flexibility can become a competitive advantage, but it requires sustained investment in infrastructure, legal expertise and local support. Chaudhry’s global architecture must accommodate national realities.
Coherence is the next moat
Chaudhry has already established zero trust as a commercial platform and kept Zscaler growing above 20 per cent at meaningful scale. AI agents give him another architectural opening because identity, data and application boundaries are being redrawn. The company’s products, acquisitions and alliances provide many of the required parts. The decisive question is whether customers experience them as one policy system with shared intelligence, predictable economics and dependable operations.
If Zscaler can govern human and machine access through the same exchange while improving response and reducing tool sprawl, Chaudhry will have extended his original thesis into the agentic era. If integration lags, the company risks becoming the kind of complex security estate it was created to simplify. Growth, margins and product announcements suggest strong execution so far. In 2026, however, leadership will be measured less by the number of capabilities added than by how clearly they reinforce a single trust architecture.