The Zscaler renewal playbook: building the entitlement baseline before you commit the term
Zscaler prices ZIA and ZPA per user per year by edition, then co-sells them as one blended number, and the 2026 opening proposal defaults to a three-year term carrying a 7 to 10 percent annual uplift. Buyers who reconcile the active user baseline and cap the ramp recover 20 to 32 percent.
Prepared by Redress Compliance · June 2026 · Representative Zscaler estate (benchmark scenario, not a quote).
Executive summary
The 2026 Zscaler negotiation turns on one count and three commercial controls. The count is your active licensed users, the people who actually route traffic through ZIA or reach private apps through ZPA. The controls are the edition tier, the term length, and the annual uplift, and the recoverable money sits in the user reconciliation, not the bundle name.
Zscaler does not publish list prices and quotes a custom number per estate. Reported enterprise rates run from $72 to $325 per ZIA user per year and $140 to $375 per ZPA user per year by edition, so a 10,000-user combined estate commonly opens between $900,000 and $1.5 million per year at list before add-ons.
The fiscal lever is real. Zscaler closes its fiscal year on July 31, and deals signed in its fiscal fourth quarter, May through July, typically carry deeper discount authority than equivalent first-quarter deals. Timing the signature into that window is one of the cleanest moves a buyer controls.
In the worked estate below the opening proposal totals $2,000,000. Reconciling the active user baseline, scoping the module stack, anchoring the per-user editions, and capping the ramp cuts that to $1,500,000, a recovery of $500,000 or 25 percent. The framework draws on 500-plus enterprise engagements. Start 6 to 9 months before the renewal date.
How does Zscaler price the Zero Trust Exchange in 2026?
Zscaler prices its platform per user per year, packaged into editions, with the user count rather than the traffic volume driving the bill. You pay for licensed users on each product family, so the committed user count you sign is the cost driver, and the lever is the gap between that commitment and your real, reconciled population.
The platform splits into two priced cores and a set of metered add-ons. Zscaler Internet Access is the web and inspection core. Zscaler Private Access replaces remote access for named applications. See the current packaging on the Zscaler products page.
The first non-obvious mechanic is the blended single number. Zscaler co-sells ZIA and ZPA as one combined per-user figure, which hides whether the oversize sits in the inspection seats or the private access seats. Split the quote into its two product lines before you accept any count.
| Product family | What it covers | Reported per user per year | Cost driver |
|---|---|---|---|
| ZIA (Internet Access) | Secure web gateway, inspection, threat protection | $72 to $325 | Active routed users by edition |
| ZPA (Private Access) | Zero trust access to private applications | $140 to $375 | Users reaching named private apps |
| ZDX (Digital Experience) | End-user performance monitoring | Add-on per user | Supported endpoints |
| Data Protection, Risk360 | DLP, posture, board reporting overlays | Add-on per user or platform | Scoped project, not headcount |
Reported ranges reflect public benchmark sources; Zscaler does not publish list pricing. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
Lever one: how do you build a verified entitlement baseline?
Build the baseline on active users, then price the deal on that reconciled number. An entitlement baseline that survives vendor scrutiny ties every licensed seat to a person who actually routes traffic or reaches a private app, not to total headcount pulled from the directory.
The second non-obvious mechanic is the directory inflation default. Zscaler sizes its quotes to the full identity directory count, which sweeps in contractors, service accounts, and departed users who never touch the platform.
In the worked estate the ZIA proposal carries 8,000 users while the reconciled active population is 7,500. The ZPA proposal carries 8,000 while only 6,500 reach a named private application.
Representative Zscaler estate. Proposal seat count versus the reconciled active count per module once contractors, service accounts, and non routed users are removed. Benchmark scenario, not a quote.
Where the user count leaks
- Directory blend: the full identity directory counted as licensed users, including contractors and service accounts.
- Departed users: leavers still carried on the seat count between joiner-mover-leaver cycles.
- Private app overscope: every employee licensed for ZPA when only a subset reaches a named private application.
Lever two: which Zscaler editions should you anchor?
Anchor each product to the lowest edition that covers your required controls, then add modules selectively. Zscaler tiers ZIA and ZPA from Business through Transformation, and each step up raises the per-user rate across the whole licensed population rather than only the incremental users.
The third non-obvious mechanic is the edition uplift on the full base. Moving from Business to Transformation re-prices every user, so a control needed by one department drags the rate for all 8,000 seats. Decide the edition on the controls the majority actually need, and license exceptions separately.
| Edition | Adds over the tier below | Reported ZIA per user per year | Buyer-side position |
|---|---|---|---|
| Business | Core secure web gateway and inspection | $72 to $120 | Baseline most users here |
| Transformation | Advanced threat, sandboxing, DLP, deception | $200 to $325 | Scope to users who need the controls |
| ZPA Business | Core zero trust app access | $140 to $220 | Baseline private access users here |
| ZPA Transformation | App segmentation, privileged access, isolation | $280 to $375 | Reserve for the named high control set |
Lever three: which add-on modules should you defer?
Defer ZDX, Data Protection, Cloud Browser Isolation, and Risk360 until a project owns each one. They inflate the base when bought ahead of use, and at renewal they reset toward list because nobody can show the usage that justified the discount.
The fourth non-obvious mechanic is the assumed add-on line. Zscaler presents these overlays as default lines on the proposal rather than as scoped projects, so they ride into the committed base without a named owner. Strip them back to a separate decision with its own justification.
| Module | Buy now if | Defer if |
|---|---|---|
| ZDX | An operations team owns the experience data | No team consumes the telemetry yet |
| Data Protection | A data loss program is live | No data owner assigned |
| Cloud Browser Isolation | Third-party or unmanaged access need | No defined use case |
| Risk360 | Board reporting cadence requires it | No reporting owner |
How should you treat the experience and posture overlays?
Buy ZDX only when a named team consumes the path telemetry monthly. Buy Risk360 only when a board reporting cadence depends on it. Without an owner each overlay is shelfware carrying a renewal cost.
Lever four: what per-user rates should you target?
Reconcile the user count first, then anchor each per-user rate to a defensible number before you discuss term. Zscaler quotes the opening per-user figure high so the discount looks generous, which is why the count has to be settled before the rate conversation starts.
Median recovery on the ZIA line
Across enterprise Zscaler reconciliations the inspection seat count and edition together carried the largest single share of the recovery once the active user baseline was proven.
Fiscal fourth-quarter discount edge
Deals signed in Zscaler's fiscal Q4, May through July, commonly carry deeper discount authority than equivalent first-quarter deals of the same size.
| Metered unit | Opening proposal rate | Negotiated band, upper volume | Buyer-side move |
|---|---|---|---|
| ZIA user per month | $9.00 | $6.00 to $8.00 | Reconcile active routed users, then anchor the rate |
| ZPA user per month | $6.50 | $4.50 to $6.00 | Scope to named private app users, drop the rest |
| ZDX user per month | $2.50 | $1.50 to $2.20 | Size to supported endpoints with an owner |
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
Lever five: how do you cap the ramp and the annual uplift?
Match the committed user volume to your rollout curve and cap the annual increase in writing before you agree the term. The default 2026 Zscaler term is three years, and the opening proposal usually commits the entire estate from year one, so you pay for coverage that arrives over time as if it were live at signature.
The fifth non-obvious mechanic is the absence of a true-down. The committed user floor does not fall when the headcount drops, so an oversized year-one commitment is locked for the full term while unused seats are forfeited each year. Negotiate a ramped commit and a true-down right before you accept any multi-year length.
| Clause | Opening posture | Buyer-side target |
|---|---|---|
| Annual uplift | 7 to 10 percent compounding | Cap at or below CPI, 0 to 3 percent |
| Expansion rate | Added users at list | Fixed per-user rate for true-ups |
| User true-down | No reduction right | True-down on headcount or estate change |
| Ramp | Full estate committed year one | Step commit against a documented rollout |
The five contract clauses that protect the budget
Convert the negotiated numbers into clauses, because a rate you win in conversation evaporates without a written hold. These five clauses decide whether your Zscaler commitment protects the budget across the full term, and each one closes a gap the opening order form leaves open.
- Per-user rate hold: fix the ZIA, ZPA, and ZDX per-user rates for the term and the first renewal.
- Uplift cap: limit the annual increase to CPI or below, applied to the committed base.
- Expansion rate lock: set the price for added users so true-ups never default to list.
- User true-down: the right to reduce the committed floor on headcount or divestiture change.
- Module co-terming: align ZIA, ZPA, ZDX, and every overlay to one anniversary date.
The sixth non-obvious mechanic is split anniversary dates. When modules renew on separate dates, the buyer never reaches a single moment of full leverage, so co-terming every line to one anniversary is itself a negotiated win, not an administrative detail.
BATNA: how do you build a competitive anchor and what side letter language holds it?
Enter the renewal with a documented alternative and a deliberate signing date, because a credible second option is the single strongest source of price pressure you control. Zscaler competes with Palo Alto Prisma Access, Netskope, Cisco, and Cato Networks, and a priced alternative is the only thing that reliably moves the Zscaler number.
Per the Zscaler investor relations disclosures, the company reported fiscal 2025 revenue of about $2.67 billion, up 23 percent year over year, and it continues to push net retention. A vendor defending high retention is sensitive to a reference account testing the market, which is the lever the buyer should hold quietly rather than threaten loudly.
Which alternatives create real pressure?
- Palo Alto Prisma Access: the broad SASE comparator, useful for module-by-module pricing pressure.
- Netskope: strong on data-centric controls, a credible test of the inspection and DLP rate.
- Cisco and Cato: network-led comparators that test the private access and connectivity rate.
What side letter language do we use?
We fix the wins outside the order form in a short side letter. It records the per-user rate hold, the uplift cap, the expansion rate, the true-down trigger, and the single co-term date, each as a binding commitment surviving the order form. The side letter is where a verbal concession becomes enforceable.
What counter moves neutralize the standard Zscaler tactics?
Most Zscaler tactics are predictable, and each has a clean buyer-side counter. The discipline is to recognize the move and respond with a position you prepared before the call, not in it.
| Vendor tactic | What it does | Buyer-side counter |
|---|---|---|
| Blended ZIA and ZPA number | Hides which product is oversized | Demand the two product lines split before any count |
| Assumed add-on lines | Rides overlays into the committed base | Strip overlays to scoped projects with owners |
| Quarter-end pressure | Pushes a fast signature for a deeper discount | Use the fiscal Q4 window on your timeline, not theirs |
| Top edition default | Licenses everyone on Transformation | Baseline Business, scope Transformation to need |
What does the worked estate recovery look like?
The worked estate shows where the 20 to 32 percent recovery comes from. The opening proposal totals $2,000,000 a year across the four lines. Reconciling the user baseline, scoping the modules, anchoring the editions, and capping the ramp brings it to $1,500,000, a recovery of $500,000 or 25 percent.
| Line | Opening proposal | Optimized renewal | Recovery |
|---|---|---|---|
| ZIA (Transformation, then right-sized) | $864,000 | $684,000 | $180,000 |
| ZPA (scoped to named app users) | $624,000 | $452,400 | $171,600 |
| ZDX (sized to owned endpoints) | $240,000 | $138,600 | $101,400 |
| Data Protection and Risk360 | $272,000 | $225,000 | $47,000 |
| Total annual | $2,000,000 | $1,500,000 | $500,000 |
ZIA: 8,000 users at $9.00 falls to 7,500 at $7.60 per month. ZPA: 8,000 at $6.50 falls to 6,500 at $5.80. ZDX: 8,000 at $2.50 falls to 5,500 at $2.10. Benchmark scenario, not a quote.
Annual spend by line. Navy is the opening proposal, green the optimized renewal. Numbers match the recovery table above. Benchmark scenario, not a quote.
Total annual spend before and after the levers. The 25 percent recovery sits inside the 20 to 32 percent band. Benchmark scenario, not a quote.
What should procurement do this quarter?
Turn the framework into a renewal plan before the forecast hardens into a committed band. The steps are ordered on purpose, because the active user reconciliation earns the right to use every later lever.
Measure and reconcile
Pull the identity directory, separate active routed users from contractors and leavers, and split the ZIA and ZPA populations.
Scope and test
Set editions to real control needs, defer the overlays to scoped projects, and price one named alternative as a written walk option.
Negotiate and lock
Anchor the rates, fix the five clauses in a side letter, time the signature into fiscal Q4, then decide term length last.
- Pull the identity directory and reconcile the active ZIA and ZPA user counts.
- Split the blended quote into separate ZIA and ZPA product lines.
- Set the edition for the majority on Business, scope Transformation to need.
- Defer ZDX, Data Protection, Isolation, and Risk360 to scoped, owned projects.
- Anchor the per-user rates to the negotiated band before discussing term.
- Build a ramped commitment against a documented rollout plan with a true-down.
- Price a credible alternative and hold it as a written walk position.
- Fix the five clauses in a side letter and time the signature into fiscal Q4.
Recommendation: reconcile the active user baseline and cap the ramp before you commit term.
- Start 6 to 9 months out. The recovery comes from proving the real active user count and a credible alternative, and both take time the late starter does not have.
- Size the editions on real control needs first. Reconcile users, scope modules, anchor the rates, and cap the uplift, then test any three-year commit against the reconciled number and the fiscal Q4 window.