Zscaler / Zero Trust Exchange | Procurement Strategy White Paper

How to Cut the Zscaler Zero Trust Exchange Bundle Before You Sign

Right sizing the edition and the user community before signature recovers 17 to 24 percent against the opening proposal, and the deepest discounts close in Zscaler Q4, which ends July 31.

Prepared by Redress Compliance · June 2026 · Representative Zscaler estate scenario (benchmark scenario, not a quote).

Executive summary

The Zscaler bill is set by two numbers, not by the discount. Those numbers are the edition you commit to and the user community count you commit it across. Get both right before signature and you recover 17 to 24 percent against the opening proposal. Chase the headline discount alone and you lock an inflated base for the full term.

In a representative 18,000 user estate, the opening Transformation proposal lands at 5.4 million dollars per year. Removing 2,000 inactive accounts and moving 5,000 web only users to the Business edition brings the committed spend to 4.14 million dollars, a recovery of 1.26 million dollars, or 23 percent, before a single point is argued on the headline rate.

The term then compounds the result. An uncapped contract climbs at the standard 7 percent annual uplift. Across three years the opening path costs 17.36 million dollars; the optimized path with a written flat cap costs 12.42 million dollars. That is 4.94 million dollars of avoided spend that lives entirely in the clauses, not the discount.

Your deadline is the calendar. Zscaler closes its fiscal year on July 31, and Q4 carries the deepest authorized discounting. Start 9 to 12 months out, build the baseline, and bring the renewal to signature inside that window with the caps already drafted.

17–24%
Typical recovery against the opening Zscaler proposal when edition and user count are right sized first.
$300 / $168
Benchmark effective per user per year for the Transformation versus Business edition at enterprise scale.
7%
Standard annual renewal uplift, uncapped by default, that resets a strong year one discount toward list.
9–12 mo
Lead time to build a credible baseline and BATNA before the renewal date arrives.
01

Background and market context

Zscaler sells the Zero Trust Exchange as a platform, and it prices the platform as a per user per year subscription wrapped inside an edition. The list you receive is never a menu of modules. It is an edition tier, and the edition sets your floor for the full term.

The vendor has the leverage of momentum. Zscaler reported fiscal 2025 revenue of 719 million dollars in its fourth quarter alone and 3.0 billion dollars of annual recurring revenue, with calculated billings up 32 percent. A vendor growing that fast does not discount out of weakness. It discounts to hit a number inside its own calendar.

That calendar is your single most useful lever. The fiscal year ends July 31, so the May to July quarter is when account teams carry the most authorized discount and the most pressure to close. Time your signature into that window and the same proposal arrives with a deeper floor.

The three tactics you will meet

02

Move one. The Zero Trust Exchange subscription structure

Start by reading the structure for what it is. Zscaler does not bill per module consumed. It bills per committed user, at the edition rate, for the committed term. Your entitlement baseline is therefore a count of committed users times an edition rate, not a tally of features.

That single fact reframes the whole negotiation. The questions that move money are how many users you commit, which edition each user sits in, and what the rate does at renewal. Everything else is detail. Read the current packaging on the Zscaler Zero Trust Exchange page and the pricing and plans page before you accept any line.

What a verified entitlement baseline looks like

A baseline that survives Zscaler scrutiny has three columns: the active user, the edition that user needs, and the modules that user actually has enabled in the admin console. Build it from console data, not from the order form.

03

Move two. The Business and Transformation editions

The edition choice is the largest single decision in the contract. The Transformation edition bundles modules that most buyers do not deploy in year one, including advanced data protection, deception, and privileged remote access. You pay for the full stack from day one while adoption trails by quarters.

At enterprise scale, public marketplace listings put the Transformation edition far above Business. The published AWS Marketplace packages show Business near 315 dollars per user per year and Transformation above 600 at list. Negotiated rates sit lower, but the ratio holds: Transformation roughly doubles the per user cost.

Where the common advice is wrong. The standard reseller pitch is to chase the biggest year one discount headline. We disagree. A 45 percent discount on the Transformation edition across an inflated user count, with an uncapped renewal, costs more over three years than a 30 percent discount on a right sized Business and Transformation mix with a written flat cap. The discount is theater. The edition mix, the user floor, and the renewal cap are the deal.

The table below shows the representative estate. The opening proposal commits all 18,000 users to Transformation. The optimized commitment removes 2,000 inactive accounts and moves 5,000 web only users to Business.

Line itemOpening proposalOptimized commitment
Users committed18,00016,000
Transformation edition users @ $30018,000 = $5,400,00011,000 = $3,300,000
Business edition users @ $1680 = $05,000 = $840,000
Inactive accounts removed02,000 = $0
Annual committed spend$5,400,000$4,140,000

Representative Meridian Industrial Group estate, 18,000 directory users. Benchmark scenario, not a quote. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.

$0 $2M $4M $6M $5.40M Opening (all Transformation) $4.14M Optimized (mixed edition) Transformation $3.30M Business $0.84M Opening over commit

Year one committed spend. Opening proposal 5.40 million dollars versus optimized commitment 4.14 million dollars, a 23 percent recovery. Benchmark scenario, not a quote.

04

Move three. The ZIA, ZPA, and ZDX module catalog

Inside every edition sit the three pillars. Zscaler Internet Access is the secure web gateway and inspection core. Zscaler Private Access is private application access. Zscaler Digital Experience is performance monitoring. Most overpay hides in how widely the last two are scoped.

How each pillar leaks money

Public ranges place ZIA near 72 to 325 dollars per user per year and ZPA near 140 to 375, with ZDX adding roughly 18 to 60, depending on tier and retention, per aggregated marketplace data. The spread is the point: the same pillar carries very different rates, which is why a benchmarked per user price is your strongest counter.

05

Move four. The user community sizing

User count is the single largest cost lever, and it is almost always set on the high side. The committed community is a floor you pay for, not a metered ceiling you draw down. Commit 18,000 and shed staff, and you still pay for 18,000 unless you wrote a true down right.

Set the count against the active workforce, not the directory. In our representative estate, 2,000 of 18,000 accounts had not authenticated in 90 days. Removing them recovers 600,000 dollars in year one at the Transformation rate, with no concession asked of the account team.

20–35%
Bundled modules never enabled

Share of Transformation edition modules the customer never turns on, across the renewals we benchmarked.

8–15%
User count overstated

How far the committed community sits above the active workforce at most first renewals.

7 in 10
Uncapped renewals

First time contracts that leave the renewal uplift uncapped, resetting the discount toward list.

Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025. Across roughly 25 to 35 Zscaler renewals Morten Andersen benchmarked.

06

Move five. Posture control, cellular, and IoT scope

Posture control, cellular protection, and IoT or OT coverage ride in as assumed lines and inflate the base. They are real products with real value, but they belong to specific projects, not to the platform floor.

Pull them out of the base commitment. Price each one separately and add it only when a named project owns the budget and the deployment. A line with no owner is a line you will pay for and never deploy.

The discipline in one rule

07

Move six. The five price protection clauses

The deal is won in the clauses, not the discount. These five decide whether your commitment protects the budget for the full term or quietly erodes it. Draft them before you respond to the proposal.

ClauseWhat it controlsBuyer side target
1. Renewal uplift capThe annual increase at renewalCapped at a published index, 3 to 5 percent ceiling, or flat for the term
2. True down rightReducing committed users at anniversaryReduce up to 10 to 15 percent without penalty
3. Co term controlHow mid term adds affect the end dateAdds priced pro rata, base term end date unchanged
4. Data export and exitOffboarding and log export at end of termWritten export path and a transition window
5. Add on price holdThe rate for future modulesSame discount band held for the full term

The most expensive omission is the co term trap. A mid term module add can reset the whole contract to a new common end date, quietly extending your commitment by a year. Price every add on pro rata to the existing end date, in writing.

08

Move seven. The exit and renewal rights

A capped renewal uplift is worth more than two points on the headline discount. Tie the cap to a published index and lock it for the full term. The chart below shows why the cap, not the discount, decides the three year cost.

$0 $2M $4M $6M Year 1 Year 2 Year 3 5.40 5.78 6.18 4.14 4.14 4.14 Three year gap: $17.36M uncapped versus $12.42M capped = $4.94M Uncapped, 7% annual uplift Written flat cap

Three year committed spend per year. Uncapped path 5.40, 5.78, 6.18 totalling 17.36 million dollars; flat capped path 4.14 each year totalling 12.42 million dollars. Benchmark scenario, not a quote.

What to secure

09

BATNA construction and side letter language

The account team moves off the opening quote when it sees a credible alternative, not when it hears a complaint. Your best alternative to a negotiated agreement is a qualified competitor with a real, costed proposal in hand.

The credible alternatives

Build the BATNA before you counter. Benchmark the per user rate, qualify one alternative with a written proposal, and start the process 9 to 12 months before the renewal date. A documented alternative is the only thing that reliably moves the price.

Side letter language we use. Where the master agreement resists change, we move the protections into a signed side letter: renewal uplift capped at the lesser of a named index or four percent; true down right of up to fifteen percent of committed users at each anniversary; and a written data export and transition right effective at termination for any reason. A side letter binds the same as the order form and is easier to get signed inside Q4.
10

Common mistakes and traps

The deals leak in predictable places. Each trap below resets a strong year one position into a weak three year one.

The sequence matters

Fix these in order. Baseline first, then edition, then terms. A clean user baseline earns the right to argue edition mix, and a right sized edition earns the right to hold the line on the renewal cap.

Year one recovery of $1.26M, by lever User right sizing $0.60M · 48% Edition downgrade $0.66M · 52% $0 $0.35M $0.70M Removing 2,000 inactive users plus moving 5,000 to Business. Shares sum to 100 percent. Benchmark scenario.

The 1.26 million dollar year one recovery splits 0.60 million from user right sizing and 0.66 million from the edition downgrade.

The renewal timeline

9 to 12 months out

Build the baseline

Inventory active users against the directory. Map deployed modules from the console. Cut the inactive and the unused.

6 to 3 months out

Construct the BATNA

Benchmark the per user rate. Qualify one competitive alternative with a written proposal. Model the edition mix.

3 months to signature

Lock the clauses

Negotiate the five clauses. Time the signature into Zscaler Q4. Cap the renewal and secure the true down before you sign.

11

Frequently asked questions

What is the single biggest Zscaler procurement lever?

Right sizing the bundle edition and user count before committing to a multi year term. Edition and user count drive the price, so getting both correct up front beats negotiating the headline discount alone.

How much can a coordinated Zscaler engagement recover?

Roughly 20 to 35 percent against the opening proposal across the engagements our practice benchmarked in 2024 to 2025. The recovery comes from edition selection, user alignment, and uplift control.

Does a multi year commitment help or hurt?

It can earn a discount band, but only when your user count and edition are stable and right sized. Avoid locking an inflated user count for several years, because the term then compounds the overspend.

How do you build leverage with the account team?

Benchmark the per user rate, qualify a credible competitive alternative, and start 9 to 12 months before the renewal date. A documented alternative is what moves the account team off the opening quote.

Recommendation from Redress Compliance

Build the baseline, then the edition, then the terms, and bring it to signature in Q4. The recovery is sequenced, and the sequence is what protects the budget across the full term.

  • Right size first: commit users against the active workforce and the edition each role needs, not the roadmap.
  • Cap before you sign: lock the renewal uplift to a published index and secure a true down right and a data export path in writing.

We are glad to tie a meaningful part of the fee to delivered value.

Prepared by Redress Compliance · redresscompliance.com Buyer side. Independent. Industry recognized.