Councilio

PaaS and Platforms

The Future of Zero Trust

Why Zscaler’s Exchange Model Positions It as a Neutral Security Broker

Peter Carr
Sep 23, 2025
Think of Zscaler as the data security equivalent of a human checkpoint at every airport gate where everyone is verified before they can pass. There are no exceptions and no shortcuts.

The security industry has always chased grand unifications. Every few years another vendor promises the single pane of glass. That one platform to tame the chaos of logs, alerts, and events. Today that ambition has shifted to SIEM and observability. Splunk, Elastic, and Sumo tout the union of performance and security telemetry. Datadog has added SIEM features. The logic is simple. If you already monitor every metric and trace, why not correlate them with threats and compliance rules?

It is a seductive vision. I wrote a short note on it back in January. It is also exactly what makes American cloud security company Zscaler interesting. Because they have chosen a different path. They don’t want to be your appliance partner or SIEM or observability console. Instead, they have doubled down on being something completely different: the broker in the middle that sits between every user, device, and application.

Think of PayPal, Stripe, or Square. Those companies didn’t become banks or storefronts. They became the trusted intermediaries, verifying and settling every transaction. Zscaler plays the same role in security. They are not the bank. They are not the store. They are the exchange.

This positioning isn’t theoretical, but nor is it entirely new. Large institutions have always needed brokers to connect users, applications, and networks. What makes Zscaler different is not that it invented the broker role, but that it has re-engineered it by delivering what used to be physical infrastructure as software. Zscaler already plays that role at serious scale, brokering connections for large banks and governments in Asia Pacific via thirty-two regional data centres, including five across Australia and New Zealand. You don’t get embedded at that level unless the fabric is trusted.

The technical decision was simple but radical. Zscaler rejected the heavy bill-of-materials and hardware-centric model of security appliances, re-imagining security enforcement as a cloud-native service delivered through a single global fabric capable of inspecting and enforcing traffic in real time.

That shift matters because enterprises now run in a distributed, SaaS-first world. Workers log in from homes and branches no longer bound by the corporate perimeter, apps live far beyond the company data centre, and disruption across all lines of business is a constant.

Under these modern conditions, backhauling traffic through appliances suddenly feels as dated as routing digital payments through cheques. Practically speaking, in Zscaler’s model, a user (or asset) in Brisbane or Bengaluru simply connects to the nearest node, traffic is inspected, then brokered to its destination, be that Salesforce, Microsoft 365, or even a legacy app in a dusty data centre. Enforcement follows the user, not the network.

The philosophy is blunt. Zero Trust at scale. No safe zones, no trusted locations. No user or device is trusted simply for being “inside” the LAN. Everyone and everything is effectively off the network. This isn’t just an elegant architecture. It tackles the hard truth that many cyberattacks don’t come from shadowy outsiders but from trusted staff, stolen identities, or compromised devices already inside the perimeter. By removing the assumption of internal trust, Zscaler minimises the blast radius so that when compromise happens, its impact stays contained.

The adoption challenge Zscaler faces is not whether the architecture works. It does. But whether companies can change their mindset. Because while it sounds (theoretically) simple, it also collides with thirty years of entrenched network thinking. Network engineers have built LANs the same way for decades. Firewalls, proxies, and intrusion appliances have defined security. Vendors like Palo Alto, Cisco, and Fortinet thrived on it. Zscaler grew up serving those same customers, many of whom remain comfortable with boxes.

But the perimeter is dissolving. In an as-a-Service world, traffic rarely touches the old edge. Users connect from everywhere, applications live anywhere, and inside and outside are blurred. What makes Zscaler different is that enforcement has to travel with the traffic.

Zscaler’s model works because it is a service, not a product. Like PayPal, it sells trust, not hardware. But its go-to-market still carries the weight of the old appliance world. The sales channels, the network diagrams, even the SKUs all echo a product company. That mismatch matters, because Zscaler is not just another vendor in the replacement cycle. It is a displacement company. It isn’t swapping out one firewall for a shinier firewall, or one VPN concentrator for another. It is displacing the entire premise that appliances belong at the centre of enterprise security. Closing the gap between what it truly is (a trust service built to displace the old model), and how it still presents itself to the market will be one of Zscaler’s biggest hurdles to its next wave of growth.

On trust, I think the roadmap is good. Suspicious files can be detonated in safe zones. Analytics can act as early-warning radar. Decoys can trap anyone targeting AI systems. Large language model requests can be filtered to stop leakage and runaway costs. I think that taken together these moves also hint at a bigger ambition. Not just to broker traffic, but to broker data itself. Zscaler is already branding this layer Zscaler Data Fabric (for Security).

That stance sets it apart from others. If I look at other recent announcements in the security provider market, Dynatrace is embedding security into developer pipelines, Check Point is buying its way into AI-native stacks, and BeyondTrust is treating AI agents as identities to govern. Each aims to own vertical slices of the stack whereas Zscaler defines itself by horizontal neutrality. It connects to everyone, competes with no one.

This is where the PayPal analogy sharpens. PayPal began as a settlement layer, then expanded into wallets and credit. Stripe grew from API payments into billing and treasury. Square evolved from card readers into a full financial ecosystem. Each began as a broker, and once they had earned ubiquity, they built outward along the trust curve.

Zscaler now faces the same pivot. It has already proven itself as the trusted exchange for traffic. The question is what comes next? In that sense, the future of Zscaler will be defined less by whether it can broker trust (it can), and more by what it builds on top of the trust it has already earned. In commercial terms, I think the former means protecting the base, whereas the latter is where whole new client personas begin to emerge.

For now, its strength lies in what it refuses to do. It does not build a SIEM. It does not chase observability. It streams logs outward, keeping neutrality intact. That neutrality is its moat. But at times it can also make the company’s positioning feel a little defensive, or at least not fully committed to being different. To truly own the role of global broker, it is important that Zscaler defines itself in positive terms, not just by what it declines.

I think it is too easy or basic to say that neutrality also makes Zscaler an irresistible acquisition target.

On paper you could imagine Datadog acquiring it to close the loop from detection to enforcement. Or Cisco, now owning Splunk, finally delivering the platform story it has promised. But an acquisition would kill neutrality. Splunk would no longer prioritise a Cisco-owned Zscaler. Elastic and Sumo would pull back. The very thing that makes Zscaler valuable would evaporate.

Perhaps that is why Zscaler stays out of analytics. Its value is being the settlement layer of the cloud era. They are the broker that every connection flows through, and where every flow is verified before it proceeds. If the industry keeps buying physical appliances, its position weakens. But if SaaS adoption continues to accelerate (explode), Zscaler becomes a more dominant logical control point. It is very easy to see a future where economic gravity favours the broker.

I found myself wondering just how big Zscaler can get. Can they achieve ubiquity? Do they even aspire to that? PayPal only became indispensable once it reached small merchants. Stripe lowered the barrier for developers. Square armed cafés and market stalls. Ubiquity turns brokers into ecosystems.

Zscaler has already convinced banks, governments, and multinationals. But can Zero Trust become as default and invisible as tapping a card at checkout? Or will Zscaler settle into the IBM path of seeking to dominate at the top, but never chase ubiquity? Microsoft built for ubiquity. IBM never did.

That choice between broad reach and elite dominance now looms. If Zscaler can cross the line, it becomes the PayPal of security. If not, it remains a trusted brand at the top end, while others shape the mainstream.

Either way, the broker model has history on its side. When executed in its purest form, it tends to win. And when it does, it rewrites the rules for everyone else.

© 2025 Peter Carr Advisory Pty Ltd