Zscaler SSE · Cloud Security Procurement · White Paper

The Zscaler renewal playbook: building the entitlement baseline before you commit the term

Zscaler prices ZIA and ZPA per user per year by edition, then co sells them as one blended number, and the 2026 opening proposal defaults to a three year term carrying a 7 to 10 percent annual uplift. Buyers who reconcile the active user baseline and cap the ramp recover 20 to 32 percent.

Prepared by Redress Compliance · June 2026 · Representative Zscaler estate (benchmark scenario, not a quote).

Executive summary

The 2026 Zscaler negotiation turns on one count and three commercial controls. The count is your active licensed users, the people who actually route traffic through ZIA or reach private apps through ZPA. The controls are the edition tier, the term length, and the annual uplift, and the recoverable money sits in the user reconciliation, not the bundle name.

Zscaler does not publish list prices and quotes a custom number per estate. Reported enterprise rates run from $72 to $325 per ZIA user per year and $140 to $375 per ZPA user per year by edition, so a 10,000 user combined estate commonly opens between $900,000 and $1.5 million per year at list before add ons.

The fiscal lever is real. Zscaler closes its fiscal year on July 31, and deals signed in its fiscal fourth quarter, May through July, typically carry deeper discount authority than equivalent first quarter deals. Timing the signature into that window is one of the cleanest moves a buyer controls.

In the worked estate below the opening proposal totals $2,000,000. Reconciling the active user baseline, scoping the module stack, anchoring the per user editions, and capping the ramp cuts that to $1,500,000, a recovery of $500,000 or 25 percent. The framework draws on 500 plus enterprise engagements. Start 6 to 9 months before the renewal date.

$900k to $1.5M: Typical list range for a 10,000 user combined ZIA and ZPA estate before add on modules, set by edition and user count.

20 to 32%: Buyer side recovery band against the Zscaler opening commercial once the active user baseline and the ramp are reconciled.

7 to 10%: Compounding annual uplift commonly baked into the three year Zscaler term when the buyer does not cap it.

25%: Blended recovery in the worked estate below, from opening proposal to optimized renewal (benchmark scenario, not a quote).

1. How does Zscaler price the Zero Trust Exchange in 2026?

Zscaler prices its platform per user per year, packaged into editions, with the user count rather than the traffic volume driving the bill. You pay for licensed users on each product family, so the committed user count you sign is the cost driver, and the lever is the gap between that commitment and your real, reconciled population.

The platform splits into two priced cores and a set of metered add ons. Zscaler Internet Access is the web and inspection core. Zscaler Private Access replaces remote access for named applications. See the current packaging on the Zscaler products page.

The first non obvious mechanic is the blended single number. Zscaler co sells ZIA and ZPA as one combined per user figure, which hides whether the oversize sits in the inspection seats or the private access seats. Split the quote into its two product lines before you accept any count.

| Product family | What it covers | Reported per user per year | Cost driver |
|---|---|---|---|
| ZIA (Internet Access) | Secure web gateway, inspection, threat protection | $72 to $325 | Active routed users by edition |
| ZPA (Private Access) | Zero trust access to private applications | $140 to $375 | Users reaching named private apps |
| ZDX (Digital Experience) | End user performance monitoring | Add on per user | Supported endpoints |
| Data Protection, Risk360 | DLP, posture, board reporting overlays | Add on per user or platform | Scoped project, not headcount |

Reported ranges reflect public benchmark sources; Zscaler does not publish list pricing. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.

2. Lever one: how do you build a verified entitlement baseline?

Build the baseline on active users, then price the deal on that reconciled number. An entitlement baseline that survives vendor scrutiny ties every licensed seat to a person who actually routes traffic or reaches a private app, not to total headcount pulled from the directory.

The second non obvious mechanic is the directory inflation default. Zscaler sizes its quotes to the full identity directory count, which sweeps in contractors, service accounts, and departed users who never touch the platform.

In the worked estate the ZIA proposal carries 8,000 users while the reconciled active population is 7,500. The ZPA proposal carries 8,000 while only 6,500 reach a named private application.

[Figure: Licensed seats by module: proposal count vs reconciled active count. Modules: ZIA, ZPA, ZDX. Series: Proposal, Reconciled.]

Representative Zscaler estate. Proposal seat count versus the reconciled active count per module once contractors, service accounts, and non routed users are removed. Benchmark scenario, not a quote.

Where the user count leaks

3. Lever two: which Zscaler editions should you anchor?

Anchor each product to the lowest edition that covers your required controls, then add modules selectively. Zscaler tiers ZIA and ZPA from Business through Transformation, and each step up raises the per user rate across the whole licensed population rather than only the incremental users.

The third non obvious mechanic is the edition uplift on the full base. Moving from Business to Transformation re prices every user, so a control needed by one department drags the rate for all 8,000 seats. Decide the edition on the controls the majority actually need, and license exceptions separately.

| Edition | Adds over the tier below | Reported ZIA per user per year | Buyer side position |
|---|---|---|---|
| Business | Core secure web gateway and inspection | $72 to $120 | Baseline most users here |
| Transformation | Advanced threat, sandboxing, DLP, deception | $200 to $325 | Scope to users who need the controls |
| ZPA Business | Core zero trust app access | $140 to $220 | Baseline private access users here |
| ZPA Transformation | App segmentation, privileged access, isolation | $280 to $375 | Reserve for the named high control set |

Where the common advice on Zscaler editions is wrong. The standard account team pitch is to license everyone on the Transformation edition now to future proof the estate and unlock the deepest multi year discount. We disagree. Across the Zscaler negotiations Fredrik Filipsson ran in 2024 and 2025, the buyers who held the majority on Business and scoped Transformation to the users who genuinely needed advanced controls beat the headline bundle discount. A deep discount on a top edition most users never exercise is still pure waste, and it compounds into every annual uplift.

4. Lever three: which add on modules should you defer?

Defer ZDX, Data Protection, Cloud Browser Isolation, and Risk360 until a project owns each one. They inflate the base when bought ahead of use, and at renewal they reset toward list because nobody can show the usage that justified the discount.

The fourth non obvious mechanic is the assumed add on line. Zscaler presents these overlays as default lines on the proposal rather than as scoped projects, so they ride into the committed base without a named owner. Strip them back to a separate decision with its own justification.

| Module | Buy now if | Defer if |
|---|---|---|
| ZDX | An operations team owns the experience data | No team consumes the telemetry yet |
| Data Protection | A data loss program is live | No data owner assigned |
| Cloud Browser Isolation | Third party or unmanaged access need | No defined use case |
| Risk360 | Board reporting cadence requires it | No reporting owner |

How should you treat the experience and posture overlays?

Buy ZDX only when a named team consumes the path telemetry monthly. Buy Risk360 only when a board reporting cadence depends on it. Without an owner each overlay is shelfware carrying a renewal cost.

5. Lever four: what per user rates should you target?

Reconcile the user count first, then anchor each per user rate to a defensible number before you discuss term. Zscaler quotes the opening per user figure high so the discount looks generous, which is why the count has to be settled before the rate conversation starts.

19%

Median recovery on the ZIA line

Across enterprise Zscaler reconciliations the inspection seat count and edition together carried the largest single share of the recovery once the active user baseline was proven.

12 to 20%

Fiscal fourth quarter discount edge

Deals signed in Zscaler fiscal Q4, May through July, commonly carry deeper discount authority than equivalent first quarter deals of the same size.

| Metered unit | Opening proposal rate | Negotiated band, upper volume | Buyer side move |
|---|---|---|---|
| ZIA user per month | $9.00 | $6.00 to $8.00 | Reconcile active routed users, then anchor the rate |
| ZPA user per month | $6.50 | $4.50 to $6.00 | Scope to named private app users, drop the rest |
| ZDX user per month | $2.50 | $1.50 to $2.20 | Size to supported endpoints with an owner |

Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.

6. Lever five: how do you cap the ramp and the annual uplift?

Match the committed user volume to your rollout curve and cap the annual increase in writing before you agree the term. The default 2026 Zscaler term is three years, and the opening proposal usually commits the entire estate from year one, so you pay for coverage that arrives over time as if it were live at signature.

The fifth non obvious mechanic is the absence of a true down. The committed user floor does not fall when the headcount drops, so an over sized year one commitment is locked for the full term while unused seats are forfeited each year. Negotiate a ramped commit and a right to true down before you accept any multi year length.

| Clause | Opening posture | Buyer side target |
|---|---|---|
| Annual uplift | 7 to 10 percent compounding | Cap at or below CPI, 0 to 3 percent |
| Expansion rate | Added users at list | Fixed per user rate for true ups |
| User true down | No reduction right | True down on headcount or estate change |
| Ramp | Full estate committed year one | Step commit against a documented rollout |

7. The five contract clauses that protect the budget

Convert the negotiated numbers into clauses, because a rate you win in conversation evaporates without a written hold. These five clauses decide whether your Zscaler commitment protects the budget across the full term, and each one closes a gap the opening order form leaves open.

The sixth non obvious mechanic is split anniversary dates. When modules renew on separate dates, the buyer never reaches a single moment of full leverage, so co terming every line to one anniversary is itself a negotiated win, not an administrative detail.

8. BATNA: how do you build a competitive anchor and what side letter language holds it?

Enter the renewal with a documented alternative and a deliberate signing date, because a credible second option is the single strongest source of price pressure you control. Zscaler competes with Palo Alto Prisma Access, Netskope, Cisco, and Cato Networks, and a priced alternative is the only thing that reliably moves the Zscaler number.

Per the Zscaler investor relations disclosures, the company reported fiscal 2025 revenue of about $2.67 billion, up 23 percent year over year, and it continues to push net retention. A vendor defending high retention is sensitive to a reference account testing the market, which is the lever the buyer should hold quietly rather than threaten loudly.

Which alternatives create real pressure?

What side letter language do we use?

We fix the wins outside the order form in a short side letter. It records the per user rate hold, the uplift cap, the expansion rate, the true down trigger, and the single co term date, each as a binding commitment surviving the order form. The side letter is where a verbal concession becomes enforceable.

9. What counter moves neutralize the standard Zscaler tactics?

Most Zscaler tactics are predictable, and each has a clean buyer side counter. The discipline is to recognize the move and respond with a position you prepared before the call, not in it.

| Vendor tactic | What it does | Buyer side counter |
|---|---|---|
| Blended ZIA and ZPA number | Hides which product is oversized | Demand the two product lines split before any count |
| Assumed add on lines | Rides overlays into the committed base | Strip overlays to scoped projects with owners |
| Quarter end pressure | Pushes a fast signature for a deeper discount | Use the fiscal Q4 window on your timeline, not theirs |
| Top edition default | Licenses everyone on Transformation | Baseline Business, scope Transformation to need |

10. What does the worked estate recovery look like?

The worked estate shows where the 20 to 32 percent recovery comes from. The opening proposal totals $2,000,000 a year across the four lines. Reconciling the user baseline, scoping the modules, anchoring the editions, and capping the ramp brings it to $1,500,000, a recovery of $500,000 or 25 percent.

| Line | Opening proposal | Optimized renewal | Recovery |
|---|---|---|---|
| ZIA (Transformation, then right sized) | $864,000 | $684,000 | $180,000 |
| ZPA (scoped to named app users) | $624,000 | $452,400 | $171,600 |
| ZDX (sized to owned endpoints) | $240,000 | $138,600 | $101,400 |
| Data Protection and Risk360 | $272,000 | $225,000 | $47,000 |
| Total annual | $2,000,000 | $1,500,000 | $500,000 |

ZIA: 8,000 users at $9.00 falls to 7,500 at $7.60 per month. ZPA: 8,000 at $6.50 falls to 6,500 at $5.80. ZDX: 8,000 at $2.50 falls to 5,500 at $2.10. Benchmark scenario, not a quote.

[Figure: Annual spend by line: opening proposal vs optimized renewal. Lines: ZIA, ZPA, ZDX, DP + Risk360. Series: Opening, Optimized.]

Annual spend by line. Navy is the opening proposal, green the optimized renewal. Numbers match the recovery table above. Benchmark scenario, not a quote.

[Figure: Total annual spend: opening proposal vs optimized renewal. $2.00M opening proposal, $1.50M optimized renewal, $500k recovery, 25 percent.]

Total annual spend before and after the levers. The 25 percent recovery sits inside the 20 to 32 percent band. Benchmark scenario, not a quote.

11. What should procurement do this quarter?

Turn the framework into a renewal plan before the forecast hardens into a committed band. The steps are ordered on purpose, because the active user reconciliation earns the right to use every later lever.

Months 9 to 6: Measure and reconcile. Pull the identity directory, separate active routed users from contractors and leavers, and split the ZIA and ZPA populations.

Months 6 to 3: Scope and test. Set editions to real control needs, defer the overlays to scoped projects, and price one named alternative as a written walk option.

Months 3 to 0: Negotiate and lock. Anchor the rates, fix the five clauses in a side letter, time the signature into fiscal Q4, then decide term length last.

  1. Pull the identity directory and reconcile the active ZIA and ZPA user counts.
  2. Split the blended quote into separate ZIA and ZPA product lines.
  3. Set the edition for the majority on Business, scope Transformation to need.
  4. Defer ZDX, Data Protection, Isolation, and Risk360 to scoped, owned projects.
  5. Anchor the per user rates to the negotiated band before discussing term.
  6. Build a ramped commitment against a documented rollout plan with a true down.
  7. Price a credible alternative and hold it as a written walk position.
  8. Fix the five clauses in a side letter and time the signature into fiscal Q4.

Recommendation: reconcile the active user baseline and cap the ramp before you commit term.

  • Start 6 to 9 months out. The recovery comes from proving the real active user count and a credible alternative, and both take time the late starter does not have.
  • Size the editions on real control needs first. Reconcile users, scope modules, anchor the rates, and cap the uplift, then test any three year commit against the reconciled number and the fiscal Q4 window.

We are glad to tie a meaningful part of the fee to delivered value.

Prepared by Redress Compliance · redresscompliance.com · Buyer side. Independent.