Zscaler Inc.: 10-K Risk Factor Changes

It is virtually impossible for us to entirely mitigate the risk of breaches of our cloud platform or other security incidents affecting our cloud platform or our internal systems, networks or data. In addition, the functionality of our platform may be disrupted, either intentionally or due to negligence, by third parties, including disgruntled employees or contractors and other current or former employees or contractors. The security measures we use internally and have integrated into our cloud platform, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to identify or protect against certain attacks. Enterprises are subject to a wide variety of attacks on their networks and systems, and techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently and generally are not recognized until launched against a target. The growth in state sponsored cyber activity, including those actions taken in connection with the current conflict between Russia and Ukraine, showcase the increasing sophistication of cyber threats. As a result, we may be unable to anticipate these techniques or implement adequate measures to prevent an electronic intrusion into our customers through our cloud platform or to prevent breaches and other security incidents affecting our cloud platform, internal networks, systems or data. Further, once identified, we may be unable to remediate or otherwise respond to a breach or other incident in a timely manner. Actual, perceived or purported security breaches of our cloud platform could result in actual, perceived or purported breaches of our customers’ networks and systems. Our internal systems are exposed to the same cybersecurity risks and consequences of a breach as our customers and other enterprises. However, since our business is focused on providing reliable security services to our customers, we believe that an actual, perceived or purported breach of, or security incident affecting, our internal networks, systems or data, could be especially detrimental to our reputation, customer confidence in our solution and our business. Additionally, many of our personnel work remotely on a hybrid or permanent basis, which may pose additional data security risks. Further, our vendors and service providers may also be the targets of cyberattacks, and their systems and networks may be, or may have been, breached or contain exploitable defects or bugs that could result in a breach of or disruption to their or our systems and networks. Our ability to monitor our vendors’ and service providers’ data security is limited, and, in any event, third parties may be able to circumvent their security measures, resulting in the unauthorized access to, misuse, disclosure, loss, alteration, or destruction of our data, including confidential, sensitive, and other information about individuals. Geo-political factors including international conflicts, such as between Russia and Ukraine and in the Middle East, may increase the risk of such cyberattacks. Any actual, perceived or purported security breaches or other security incidents that we suffer with regard to our platform, systems, networks or data, including any such actual, perceived or purported security breaches or security incidents 28 28 28 Table of Contents Table of Contents that result, or are believed to result, in actual, perceived or purported breaches of our customers’ networks or systems, could result in: •the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate or work around errors or defects, to address and eliminate vulnerabilities and to address any applicable legal or contractual obligations relating to any actual, perceived or purported security breach or other security incident; •negative publicity and damage to our reputation, brand, and market position; •harm to our relationships with, and a loss of, existing or potential customers or channel partners; •delayed or lost sales and harm to our financial condition and results of operations; •a delay in attaining, or the failure to attain, market acceptance; and •legal claims and demands (including for stolen assets or information, repair of system damages and compensation to customers, customers of customers and business partners), litigation (including stockholder claims), regulatory inquiries or investigations and other liability. Any of the above could materially and adversely affect our business, financial condition and results of operations. While we maintain insurance, our insurance may be insufficient to cover all liabilities incurred in relation to actual, perceived or purported security breaches or other security incidents. We also cannot be certain that our insurance coverage will be adequate for liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results and reputation.

It is virtually impossible for us to entirely mitigate the risk of breaches of our cloud platform or other security incidents affecting our cloud platform or our internal systems, networks or data. In addition, the functionality of our platform may be disrupted, either intentionally or due to negligence, by third parties, including disgruntled employees or contractors and other current or former employees or contractors. The security measures we use internally and have integrated into our cloud platform, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to identify or protect against certain attacks. Enterprises are subject to a wide variety of attacks on their networks and systems, and techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently and generally are not recognized until launched against a target. The growth in state sponsored cyber activity, including those actions taken in connections with the Russia-Ukraine crisis, showcase the increasing sophistication of cyber threats. As a result, we may be unable to anticipate these techniques or implement adequate measures to prevent an electronic intrusion into our customers through our cloud platform or to prevent breaches and other security incidents affecting our cloud platform, internal networks, systems or data. Further, once identified, we may be unable to remediate or otherwise respond to a breach or other incident in a timely manner. Actual or perceived security breaches of our cloud platform could result in actual or perceived breaches of our customers’ networks and systems. Our internal systems are exposed to the same cybersecurity risks and consequences of a breach as our customers and other enterprises. However, since our business is focused on providing reliable security services to our customers, we believe that an actual or perceived breach of, or security incident affecting, our internal networks, systems or data, could be especially detrimental to our reputation, customer confidence in our solution and our business. Additionally, many of our personnel continue to work remotely, which may pose additional data security risks. Further, our vendors and service providers may also be the targets of cyberattacks, and their systems and networks may be, or may have been, breached or contain exploitable defects or bugs that could result in a breach of or disruption to their or our systems and networks. Our ability to monitor our vendors’ and service providers’ data security is limited, and, in any event, third parties may be able to circumvent their security measures, resulting in the unauthorized access to, misuse, acquisition, disclosure, loss, alteration, or destruction of our data, including confidential, sensitive, and other information about individuals. Geo-political factors including international conflicts, like the Russia-Ukraine crisis, may increase the risk of such cyberattacks. 30 30 30 Table of Contents Table of Contents Any real or perceived security breaches or other security incidents that we suffer with regard to our platform, systems, networks or data, including any such actual or perceived security breaches or security incidents that result, or are believed to result, in actual or perceived breaches of our customers’ networks or systems, could result in: •the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate or work around errors or defects, to address and eliminate vulnerabilities and to address any applicable legal or contractual obligations relating to any actual or perceived security breach or other security incident; •negative publicity and damage to our reputation, brand, and market position; •harm to our relationships with, and a loss of, existing or potential customers or channel partners; •delayed or lost sales and harm to our financial condition and results of operations; •a delay in attaining, or the failure to attain, market acceptance; and •legal claims and demands (including for stolen assets or information, repair of system damages and compensation to customers and business partners), litigation, regulatory inquiries or investigations and other liability. Any of the above could materially and adversely affect our business, financial condition and results of operations. While we maintain insurance, our insurance may be insufficient to cover all liabilities incurred in relation to actual or perceived security breaches or other security incidents. We also cannot be certain that our insurance coverage will be adequate for liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

Our future success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. In particular, we are highly dependent on the services of Jay Chaudhry, our chief executive officer and chairman of our board of directors, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of operations, security, marketing, sales, support and general and administrative functions, and on individual contributors on our research and development team. Although we have entered into employment agreements with our key personnel, these agreements have no specific duration and constitute at-will employment. We do not maintain key person life insurance policies on any of our employees. The loss of one or more of our executive officers or key employees could seriously harm our business. In the last year, we have added several new senior management employees. Any significant leadership change or senior management transition involves risk, especially nearly simultaneous changes involving so many leaders and employees, and any failure to transition effectively or to retain these new leaders could hinder our strategic planning, business execution and future performance. To execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel in the San Francisco Bay Area, where our headquarters are located, and in other locations where we operate, is intense, especially for experienced sales professionals and for engineers experienced in designing and developing cloud applications, security software and AI and ML solutions. In addition, the United States and other regions in which we operate have in the past and may again in the future experience acute workforce shortages for highly skilled workers, which in turn, can create hyper-competitive wage environments that may impact our ability to attract and retain employees. We have from time to time experienced, and we may continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. For example, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the ongoing cybersecurity attacks on global corporations and governments. Many of the companies with which we compete for experienced personnel have greater resources than we have. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. Volatility or lack of performance in our stock price may also affect our ability to attract and retain our key employees. If we fail to successfully attract, integrate or retain qualified personnel to fulfill our current or future needs, or if we need to materially increase the value of the compensation packages necessary to attract and retain these employees, our business, operating results and financial condition could be materially and adversely affected.

Our future success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. In particular, we are highly dependent on the services of Jay Chaudhry, our chief executive officer and chairman of our board of directors, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of operations, security, marketing, sales, support and general and administrative functions, and on individual contributors on our research and development team. Although we have entered into employment agreements with our key personnel, these agreements have no specific duration and constitute at-will employment. We do not maintain key person life insurance policies on any of our employees. The loss of one or more of our executive officers or key employees could seriously harm our business. To execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel in the San Francisco Bay Area, where our headquarters are located, and in other locations where we operate, is intense, especially for experienced sales professionals and for engineers experienced in designing and developing cloud applications and security software. In addition, the United States and other regions in which we operate are experiencing an acute workforce shortage for highly skilled workers, which in turn, has created a hyper-competitive wage environment that may impact our ability to attract and retain employees. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. For example, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the recent cybersecurity attacks on global corporations and governments. Many of the companies with which we compete for experienced personnel have greater resources than we have. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. Volatility or lack of performance in our stock price may also affect our ability to attract and retain our key employees. Also, certain of our key employees have become, or will soon become, vested in a substantial amount of equity awards, which may give them a substantial amount of personal wealth. This may make it more difficult for us to retain and motivate these employees, and this wealth could affect their decision about whether or not they continue to work for us. If we fail to successfully attract, integrate or retain qualified personnel to fulfill our current or future needs, or if we need to materially increase the value of the compensation packages necessary to attract and retain these employees, our business, operating results and financial condition could be materially and adversely affected.

Our business activities are subject to various restrictions under U.S. export and similar laws and regulations, including the U.S. Department of Commerce's Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Department of the Treasury's Office of Foreign Assets Control. The U.S. export controls and trade and economic sanctions include restrictions or prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries and governments of these countries, as well as other persons and entities. For example, the U.S. and other countries have implemented economic and other sanctions, as well as increased export controls in response to the current conflict between Russia and Ukraine. These measures have continued to increase. These export controls and sanctions and any additional restrictions may impact our ability to continue to operate in Russia and other affected regions. In addition, various countries regulate the import of certain technology and have enacted or could enact laws that could limit our ability to provide our services and software and operate our cloud platform or could limit our customers’ ability to access or use our services or software in those countries. Although we take precautions to prevent our services and software from being provided in violation of such laws, our services and software may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be materially and adversely affected through penalties, reputational harm, loss of access to certain markets, or otherwise. Obtaining the necessary authorizations, including any required licenses, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. In addition, changes in our platform, or changes in export, sanctions and import laws and regulations, could delay the introduction and sale of subscriptions to our platform in international markets, prevent users in certain countries from accessing our services or, in some cases, prevent the provision of our services to certain countries, governments, persons or entities altogether. Any change in export or import regulations, economic sanctions or related laws, shift in the enforcement or scope of existing regulations or change in the countries, governments, persons or technologies targeted by such regulations could decrease our ability to sell subscriptions to our platform or provide software to existing customers or potential new customers with international operations. Any decrease in our ability to sell subscriptions to our platform or provide software could materially and adversely affect our business, results of operations and financial condition.

Our business activities are subject to various restrictions under U.S. export and similar laws and regulations, including the U.S. Department of Commerce’s Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. The U.S. export control laws and U.S. economic sanctions laws include restrictions or prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities. For example, the U.S. and other countries have implemented economic and other sanctions in response to the Russia-Ukraine crisis. These sanctions and any additional sanctions may impact our ability to continue to operate in Russia and other affected regions. In addition, various countries regulate the import of certain technology and have enacted or could enact laws that could limit our ability to provide our services and operate our cloud platform or could limit our customers’ ability to access or use our services in those countries. Although we take precautions to prevent our services from being provided in violation of such laws, our services may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. If we fail to comply with these laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be materially and adversely affected through penalties, reputational harm, loss of access to certain markets, or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. In addition, changes in our platform, or changes in export, sanctions and import laws, could delay the introduction and sale of subscriptions to our platform in international markets, prevent users in certain countries from accessing our services or, in some cases, prevent the provision of our services to certain countries, governments, persons or entities altogether. Any change in export or import regulations, economic sanctions or related laws, shift in the enforcement or scope of existing regulations or change in the countries, governments, persons or technologies targeted by such regulations could decrease our ability to sell subscriptions to our platform to existing customers or potential new customers with international operations. Any decrease in our ability to sell subscriptions to our platform could materially and adversely affect our business, results of operations and financial condition.

During any period, the conditional conversion feature of the Notes is triggered, holders will be entitled to convert the Notes at any time during specified periods at their option. During the three months ended July 31, 2024, the conditions allowing holders of the Notes to convert were not met. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. As a result of the upcoming maturity date of the Notes (July 1, 2025), we have classified the Notes as current liabilities on the consolidated balance sheet as of July 31, 2024, which may be seen as a material adverse reduction of our net working capital.

During any period, the conditional conversion feature of the Notes is triggered, holders will be entitled to convert the Notes at any time during specified periods at their option. During the three months ended July 31, 2023, the conditions allowing holders of the Notes to convert was not met. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. In addition, even if holders do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.

Our operations and performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on IT networking and security solutions. Our business depends on the overall demand for these solutions and on the economic health and general willingness of our current and prospective customers to purchase our security services. A broad reduction in IT security spending would have a material impact to our business. The United States and the global economy have recently experienced historically high levels of inflation. While inflation rates moderated in 2023 and continue to moderate into 2024, the existence of inflation in the U.S. and global economy and the pricing pressure created by rising inflation in prior periods has and may continue to result in high interest rates and capital costs, shipping costs, supply shortages, increased costs of labor, weakening exchange rates and other similar effects. Elevated inflation rates can affect our expenses, especially employee compensation. In addition, rising interest rates could adversely affect the value of our investments and cash on hand and increase our borrowing costs. Inflation and related increases in interest rates could also increase our customers' operating costs, which could result in reduced IT budgets, less demand for our solutions, or delays in new orders, renewals or payments due to us. Governments have and are implementing fiscal policy interventions in response to high levels of inflation, including raising interest rates or keeping them at elevated levels. Even if these interventions lower inflation to desirable levels, they may also reduce economic growth rates, create recessions and increase unemployment rates. This could have an adverse 42 42 42 Table of Contents Table of Contents effect on our consolidated financial condition and results of operations. For example, if our customers were to reduce their IT budgets or workforces in response to deteriorating economic conditions, they may not purchase or renew subscriptions for our services or may renew for fewer users or less expensive services. These policy changes have provided a benefit to us as a result of the increased interest income we earn on our cash and investments, but a reduction of interest rates in the future would reduce this income. The impact of economic conditions, including the ongoing effects of inflation, high interest rates and regional or global recessions could materially and adversely affect our business, operating results and financial condition in a number of ways, including by reducing sales, lengthening sales cycles and requiring us to lower prices for our services. Risks Relating to Legal, Regulatory, Accounting and Tax Matters

Our operations and performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on IT networking and security solutions. Our business depends on the overall demand for these solutions and on the economic health and general willingness of our current and prospective customers to purchase our security services. A broad reduction in IT security spending would have a material impact to our business. The United States has recently experienced historically high levels of inflation. According to the U.S. Department of Labor, the annual inflation rate for the United States was approximately 6.0% year to date for 2023, 6.5% for 2022 and 7.0% for 2021. The existence of inflation in the U.S. and global economy has and may continue to result in higher interest rates and capital costs, shipping costs, supply shortages, increased costs of labor, weakening exchange rates and other similar effects. If the inflation rate continues to remain elevated, it will likely affect our expenses, especially employee compensation. Additionally, the United States technology industry is experiencing a workforce shortage for highly skilled workers, which, in turn, has created a hyper-competitive wage environment that may further increase our operating costs. In addition, rising interest rates could adversely affect the value of our investments and cash on hand and increase our borrowing costs. Inflation 42 42 42 Table of Contents Table of Contents and related increases in interest rates could also increase our customers' operating costs, which could result in reduced IT budgets, less demand for our solutions, or delays in new orders, renewals or payments due to us. Governments are raising interest rates and implementing fiscal policy interventions in response to high levels of inflation. Even if these interventions lower inflation, they may also reduce economic growth rates, create recessions and increase unemployment rates. This could have an adverse effect on our consolidated financial condition and results of operations. For example, if our customers were to reduce their IT budgets or workforces in response to deteriorating economic conditions, they may not purchase or renew subscriptions for our services or may renew for fewer users or less expensive services. These policy changes have provided a benefit to us as a result of increased interest income we earn on our cash and investments, but a reduction of interest rates in the future would reduce this income. The impact of economic conditions, including the ongoing effects of COVID-19, inflation and regional or global recessions could materially and adversely affect our business, operating results and financial condition in a number of ways, including by reducing sales, lengthening sales cycles and requiring us to lower prices for our services.

On June 25, 2020, we issued $1,150 million in aggregate principal amount of our 0.125% Convertible Senior Notes due 2025, or the Notes, which mature on July 1, 2025. We may be required to use a substantial portion of our cash flows from operations to pay interest, principal or other required payments on our indebtedness. For instance, holders of the Notes have the right to require us to repurchase their Notes upon the occurrence of a fundamental change (which is defined in the indenture governing the Notes) at a repurchase price equal to 100% of the principal amount of such Notes to be repurchased, plus accrued and unpaid interest, if any, to, but excluding, the fundamental change repurchase date for such Notes. Additionally, upon conversion of the Notes, unless we elect to deliver solely shares of our common stock to settle such conversion (other than paying cash in lieu of delivering any fractional share), we will be required to make cash payments in respect of the 2025 Notes being converted. Our ability to make such payments or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Such payments will reduce the funds available to us for working capital, capital expenditures and other corporate purposes and may limit our ability to obtain additional financing for working capital, capital expenditures, expansion plans and other investments. Our business may not continue to generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. If we are unable to engage in any of these activities or engage in these activities on desirable terms, it could result in a default on our debt obligations, which would adversely affect our financial condition. 51 51 51 Table of Contents Table of Contents

On June 25, 2020, we issued $1,150 million in aggregate principal amount of our 0.125% Convertible Senior Notes due 2025, referred to herein as the Notes. We may be required to use a substantial portion of our cash flows from operations to pay interest and principal on our indebtedness. Our ability to make scheduled payments of the principal, to pay interest on or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Such payments will reduce the funds available to us for working capital, capital expenditures, and other corporate purposes and may limit our ability to obtain additional financing for working capital, capital expenditures, expansion plans, and other investments. Our business may not continue to generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. If we are unable to engage in any of these activities or engage in these activities on desirable terms, it could result in a default on our debt obligations, which would adversely affect our financial condition.

To increase our revenue and achieve and maintain profitability, we must add new customers. To add new customers, we must successfully convince IT decision makers that security delivered through our cloud platform provides significant advantages over legacy on-premises appliance-based security products and competing cloud-based products. Additionally, many of our customers broadly deploy our products, which requires a significant commitment of resources from our customers. These factors significantly impact our ability to add new customers and increase the time, resources and sophistication required to do so. 20 20 20 Table of Contents Table of Contents In addition, numerous other factors, many of which are out of our control, have impacted and may in the future impact our ability to add new customers, including potential customers’ commitments to legacy IT security vendors and products, real or perceived switching costs, competition from hybrid or cloud security products, our failure to expand, retain and motivate our sales and marketing personnel, our failure to develop or expand relationships with our channel partners or to attract new channel partners, failure by us or our partners to help our customers to successfully deploy our cloud platform, negative media or industry or financial analyst commentary regarding us or our solutions, or similar solutions offered by other vendors, litigation and general economic conditions. As a result of challenging macroeconomic conditions, we have experienced and may experience in the future increased scrutiny and a longer approval process for initial purchases by new customers, particularly for larger transactions. We cannot predict how long these challenging macroeconomic conditions will persist, and customer cautiousness could continue or worsen or result in potential customers deciding to forego our services entirely. If our efforts to attract new customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability and our future results of operations could be materially harmed.

To increase our revenue and achieve and maintain profitability, we must add new customers. To do so, we must successfully convince IT decision makers that, as they adopt SaaS applications and the public cloud, security delivered through the cloud provides significant advantages over legacy on-premises appliance-based security products. Additionally, many of our customers broadly deploy our products, which requires a significant commitment of resources. These factors significantly impact our ability to add new customers and increase the time, resources and sophistication required to do so. In addition, numerous other factors, many of which are out of our control, may now or in the future impact our ability to add new customers, including potential customers’ commitments to legacy IT security vendors and products, real or perceived switching costs, competition from hybrid or cloud security products, our failure to expand, retain and motivate our sales and marketing personnel, our failure to develop or expand relationships with our channel partners or to attract new channel partners, failure by us to help our customers to successfully deploy our cloud platform, negative media or industry or financial analyst commentary regarding us or our solutions, or similar solutions offered by our competitors, litigation and deteriorating general economic conditions. For example, the COVID-19 pandemic disproportionately affected certain of the industries and markets which we serve, such as transportation, hospitality, and leisure, and increased inflation and higher interest rates have disproportionately affected other industries and markets which we serve, such as banking, financial services, and retail. As a result of challenging macroeconomic conditions, we have experienced and may experience in the future increased scrutiny and a longer approval process for initial purchases by new customers, particularly for larger transactions. We cannot predict how long these challenging economic conditions will persist, and customer cautiousness could continue or worsen or result in potential customers deciding to forego our services entirely. If our efforts to attract new customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability and our future results of operations could be materially harmed.

We are expanding our international operations and staff to support our business in international markets. Our corporate structure and associated transfer pricing policies contemplate the business flows and future growth into the international markets, and consider the functions, risks and assets of the various entities involved in the intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. For example, certain jurisdictions have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in those jurisdictions, and other jurisdictions are considering enacting similar laws. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to the intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, or if there are changes in tax laws or the way existing tax laws are interpreted or applied, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. In 2021, the Organization for Economic Cooperation and Development announced an Inclusive Framework on Base Erosion and Profit Shifting including Pillar Two Model Rules defining the global minimum tax, which calls for the taxation of large multinational corporations at a minimum rate of 15%. Subsequently multiple sets of administrative guidance have been issued. Many countries have implemented or are in the process of implementing the Pillar Two legislation, which will apply to us beginning in fiscal 2025. Management is currently assessing the jurisdictions that could give rise to additional taxation as well as any potential impacts as a result of the implementation of the rules.

We are expanding our international operations and staff to support our business in international markets. Our corporate structure and associated transfer pricing policies contemplate the business flows and future growth into the international markets, and consider the functions, risks and assets of the various entities involved in the intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. For example, certain jurisdictions have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in those jurisdictions, and other jurisdictions are considering enacting similar laws. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to the intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, or if there are changes in tax laws or the way existing tax laws are interpreted or applied, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. The Organization for Economic Cooperation and Development has been working on a Base Erosion and Profit Shifting Project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business. Currently, nearly 140 countries have approved a framework that imposes a minimum tax rate of 15%, among other provisions. As this framework is subject to further negotiation and implementation by each member country, the timing and ultimate impact of any such changes on our tax obligations are uncertain. Similarly, the European Commission and several countries have issued proposals that would apply to various aspects of the current tax framework under which we are taxed. These proposals include changes to the existing framework to 44 44 44 Table of Contents Table of Contents calculate income tax, as well as proposals to change or impose new types of non-income taxes, including taxes based on a percentage of revenue. For example, several jurisdictions have proposed or enacted taxes applicable to digital services which apply to our business.

We have incurred net losses in all annual periods since our inception, and we expect we will continue to incur annual net losses for the foreseeable future. We experienced net losses of $57.7 million, $202.3 million and $390.3 million for fiscal 2024, fiscal 2023 and fiscal 2022, respectively. As of July 31, 2024, we had an accumulated deficit of $1,148.1 million. Because the market for our cloud platform is rapidly evolving and cloud-based security solutions have not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase significantly over the next several years as we continue to hire additional personnel, particularly in research and development and sales and marketing, expand our operations and infrastructure, both domestically and internationally, and continue to develop our platform. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future. Additionally, our business strategy continues to focus primarily on long-term growth. As we execute on this strategy, we may ultimately be unable to achieve or sustain profitability at the level contemplated by industry or financial analysts and our stockholders, and as a result, our stock price may decline.

We have incurred net losses in all periods since our inception, and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $202.3 million, $390.3 million and $262.0 million for fiscal 2023, fiscal 2022 and fiscal 2021, respectively. As of July 31, 2023, we had an accumulated deficit of $1,090.4 million. Because the market for our cloud platform is rapidly evolving and cloud security solutions have not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase significantly over the next several years as we continue to hire additional personnel, particularly in sales and marketing, expand our operations and infrastructure, both domestically and internationally, and continue to develop our platform. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.

We derive a significant portion of our revenue from contracts with government organizations, and we believe the success and growth of our business will in part depend on our successful procurement of additional public sector customers. However, demand from government organizations is often unpredictable, and we cannot assure you that we will be able to maintain or grow our revenue from the public sector. Sales to government entities are subject to substantial risks, including the following: •selling to government agencies can be highly competitive, expensive and time-consuming, often involving significantly longer procurement cycles than commercial sales, and significant upfront time and expense without any assurance that such efforts will generate a sale; •U.S. or other government requirements relating to the formation, administration and performance of contracts with the public sector affect how we and our channel partners do business with governmental agencies; 33 33 33 Table of Contents Table of Contents •U.S. or other government certification requirements applicable to our cloud platform, including the Federal Risk and Authorization Management Program (FedRAMP), are often difficult and costly to obtain and maintain and failure to do so will restrict our ability to sell to government customers; •government demand and payment for our services may be impacted by public sector budgetary cycles and annual funding authorizations, including the impacts of possible government shutdowns, and government sales are inherently at risk of securing funding; •sales to the U.S. and other governments are subject to procurement regulations, which impose heightened compliance obligations on us and our channel partners; •governments routinely investigate and audit government contractors’ administrative processes and compliance with procurement regulations and any unfavorable investigation or audit could result in fines, civil or criminal liability, further investigations, damage to our reputation and debarment from further government business; and •government customers procuring commercial items get the benefit of more favorable terms and conditions by operation of law, regardless of agreed upon contractual terms. The occurrence of any of the foregoing could cause governments and governmental agencies to delay or refrain from purchasing our solutions in the future and could result in temporary suspension or permanent debarment from sales to government organizations. Any such penalties, disruptions or limitations in our or our channel partners' ability to do business with the public sector could have a material adverse effect on our business, operating results, financial condition and prospects.

We derive a portion of our revenue from contracts with government organizations, and we believe the success and growth of our business will in part depend on our successful procurement of additional public sector customers. However, demand from government organizations is often unpredictable, and we cannot assure you that we will be able to maintain or grow our revenue from the public sector. Sales to government entities are subject to substantial risks, including the following: •selling to government agencies can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense without any assurance that such efforts will generate a sale; •U.S. or other government certification requirements applicable to our cloud platform, including the Federal Risk and Authorization Management Program, are often difficult and costly to obtain and maintain and failure to do so will restrict our ability to sell to government customers; •government demand and payment for our services may be impacted by public sector budgetary cycles and funding authorizations, including the impacts of possible government shutdowns; and •governments routinely investigate and audit government contractors’ administrative processes and any unfavorable audit could result in fines, civil or criminal liability, further investigations, damage to our reputation and debarment from further government business. The occurrence of any of the foregoing could cause governments and governmental agencies to delay or refrain from purchasing our solutions in the future or otherwise have an adverse effect on our business and operating results. 37 37 37 Table of Contents Table of Contents

We are increasingly utilizing and have recently begun building and executing AI and ML capabilities, including, for example, those relating to generative AI and large language models, into our product offerings. The rapid evolution of AI and ML requires the application of resources to develop, test and maintain our products and services to help ensure that AI and ML are implemented responsibly in order to benefit our business, while also minimizing any unintended or harmful impact. As with many developing technologies, AI and ML present risks and challenges, many of which may be unknown, that could affect their further development, adoption, and use. These risks and challenges could undermine public confidence in AI and ML, which could slow or even halt its adoption and negatively affect our business. Further, a quickly evolving legal and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address social and ethical issues related to AI and ML. The use of AI technologies also presents emerging ethical issues that could become controversial. As a result of these and other challenges associated with our use and implementation of AI and ML, we may in the future be subject to legal liability, competitive harm, regulatory action, including new proposed rules and legislation regulating AI in jurisdictions such as the European Union, new applications of existing data protection, privacy, cybersecurity, information security, intellectual property, and other laws, and brand or reputational harm.

We are increasingly utilizing and building AI and ML capabilities into our product offerings as well as incorporating the AI and ML into our internal operations to increase productivity and accelerate innovation. The rapid evolution of AI and ML, including the latest development and accessibility of generative AI technology, requires the application of resources to develop, test and maintain our products and services to help ensure that AI and ML are implemented responsibly in order to benefit our business, accelerate innovation, and increase productivity, while also minimizing any unintended or harmful impact. As with many developing technologies, AI and ML present risks and challenges, many of which may be unknown, that could affect their further development, adoption, and use. These risks and challenges could undermine public confidence in AI and ML, in particular generative AI, which could slow or even halt its adoption and negatively affect our business. Further, a quickly evolving legal and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address social and ethical issues related to AI and ML. As a result of these and other challenges associated with our use and implementation of AI and ML, we may in the future be subject to legal liability, competitive harm, regulatory action, including under new proposed legislation regulating AI and/or generative AI in jurisdictions such as the European Union, new applications of existing data protection, privacy, cybersecurity, information security, intellectual property, and other laws, and brand or reputational harm. 29 29 29 Table of Contents Table of Contents

Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including agencies responsible for monitoring and enforcing laws and regulations relating to privacy, data protection, information security and cybersecurity, employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, anti-bribery laws, import and export controls, federal securities laws and tax laws and regulations. In addition, emerging tools and technologies we utilize in providing our products, like AI and ML, are subject to regulation under new laws as well as new applications of existing laws. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. These laws and regulations impose added costs on our business. Noncompliance with applicable regulations or requirements could subject us to: •investigations, enforcement actions and sanctions; •mandatory changes to our cloud platform; •disgorgement of profits, fines and damages; •civil and criminal penalties or injunctions; •claims for damages by our customers or channel partners; •termination of contracts; and •loss of intellectual property rights. If any government sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, operating results and financial condition could be adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could materially harm our business, operating results and financial condition. As a global employer, we are subject to various labor laws, including worker classification laws, that impact compliance obligations regarding working time, proper payment for time worked, time off regulations, as well as anti-retaliation, discrimination and harassment policies and compliance with employee representative rights. We take reasonable efforts to comply with applicable labor laws and regulations impacting our workforce, but failure to comply with such laws could result in government enforcement actions and penalties, may negatively impact business operations and may be harmful to our reputation and our ability to attract and retain employees. 43 43 43 Table of Contents Table of Contents These laws and regulations impose added costs on our business, and failure to comply with these or other applicable regulations and requirements could lead to claims for damages from our channel partners or customers, penalties, termination of contracts and loss of exclusive rights in our intellectual property.

Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including agencies responsible for monitoring and enforcing laws and regulations relating to privacy, data protection, information security and cybersecurity, employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, anti-bribery laws, import and export controls, federal securities laws and tax laws and regulations. In addition, emerging tools and technologies we utilize in providing our products, like artificial intelligence and machine learning, may also become subject to regulation under new laws or new applications of existing laws. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. These laws and regulations impose added costs on our business. Noncompliance with applicable regulations or requirements could subject us to: •investigations, enforcement actions and sanctions; •mandatory changes to our cloud platform; •disgorgement of profits, fines and damages; •civil and criminal penalties or injunctions; •claims for damages by our customers or channel partners; •termination of contracts; •loss of intellectual property rights; and •temporary or permanent debarment from sales to government organizations. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, operating results and financial condition could be adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could materially harm our business, operating results and financial condition. We endeavor to properly classify employees as exempt versus non-exempt under applicable law. Although there are no pending or threatened material claims or investigations against us asserting that some employees are improperly classified as exempt, the possibility exists that some of our current or former employees could have been incorrectly classified as exempt employees. In addition, we must comply with laws and regulations relating to the formation, administration and performance of contracts with the public sector, including U.S. federal, state and local governmental organizations, which affect how we and our channel partners do business with governmental agencies. Selling our solutions to the U.S. government, whether directly or through channel partners, also subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements by either us or our channel partners could subject us to investigations, fines and other penalties, which could have an adverse effect on our business, operating results, financial condition and prospects. As an example, the U.S. Department of Justice, or DOJ, and the General Services Administration, or GSA, have in the past pursued claims against and financial settlements with IT vendors under the False Claims Act and other statutes related to pricing and discount practices and compliance with certain provisions of GSA contracts for sales to the federal government. The DOJ and GSA continue to actively pursue such claims. Violations of certain regulatory and contractual requirements could also result in us being suspended or debarred from future government contracting. Any of these outcomes could have a material adverse effect on our revenue, operating results, financial condition and prospects. 38 38 38 Table of Contents Table of Contents These laws and regulations impose added costs on our business, and failure to comply with these or other applicable regulations and requirements could lead to claims for damages from our channel partners or customers, penalties, termination of contracts, loss of exclusive rights in our intellectual property and temporary suspension or permanent debarment from government contracting. Any such damages, penalties, disruptions or limitations in our ability to do business with the public sector could have a material adverse effect on our business and operating results.