Owens. I'm with Piper, and I cover security and infrastructure for the firm. Very pleased to be having a Q&A session with our next company, which is Tenable. With me from the company to my immediate left is Steve Vintz. I actually got the left and right mixed up this morning, so I'm really happy. And then Glen Pendley, who is the CTO, is sitting to Steve's left.
So it's late in the day. I'd love to make this as interactive as possible to keep everybody going here. So if there's any questions, just give me a nod or a hand if you wanna continue on a thread, as well. So, gentlemen, thank you very much. Good to see you.
Thanks, Rob.
Yep.
Happy to be here.
So, Steve, let's just talk about macro, and we were together at RSA, and right after your first quarter, we saw some pushouts and some challenges, and then a lot more normalization around second quarter. And I hate to call you an old-timer, but I know that Tenable is not your first CFO gig. So just maybe talk about what you're seeing from a demand perspective and just how the macro is playing out right now.
Sure. Well, first, Tenable, we're the cyber exposure company. We help companies understand and reduce their cyber risk. Companies are increasingly embracing digital transformation. There's a proliferation of assets, and we have technology that discovers and assess systems for vulnerabilities and exploits, and we do that across a very broad surface of attack, from traditional compute environments to public cloud, both pre- and post-production, to industrial control systems, internet-facing assets, Active Directory environments.
You know, in terms of the macro, I think it's fair to say it's, you know, it's very fluid. If you look at last year, we came out of the second half of the year growing 22%-23%. Went into this year, eyes wide open, set the expectations for high teens. You know, Q1 played out a little differently than what we expected.
In this market, I would characterize. You know, the selling environment is still challenging. We'll talk about demand just momentarily. The quarters, typically, over the past year, year and a half, have been a little more back-end loaded. It's not unusual for us or any software company to close over 50%, 60% plus of their new business in the last month of the quarter, and specifically the last two weeks. In Q1, there was what was Silicon Valley Bank was making headlines.
There was a run on deposits for some of the regional banks. And some of our, you know, very committed, very highly qualified deals in financial services and tech and telecom consequently wind up pushing. So, obviously, Q1 played out a little differently than what we expected.
If you look at Q2, we would say things stabilized quite a bit. Closed a high percentage of of opportunities that we expected to close in the quarter. Demand is the strongest it's ever been. We're seeing significant growth at the top of the funnel. We're doing more large deals now than we ever have before. Tenable One, our unified exposure management platform, has been a catalyst of growth in that regard. The selling prices are 70% higher.
O verall, just feeling really good about our ability to close deals, continue to win and take share, continue to demonstrate growth in a market that I would say is, you know, still, still a challenge. But if you're adding value, demonstrating value, you certainly will, will have success, and we have.
And where are customer conversations around prioritization right now?
From a buying perspective or from a security perspective?
Yes.
You wanna.
Yeah, sure.
Go please.
Well, look, if historically, if you look at spend in security, it's been on detect and response type technology. So, security budgets historically have been a small percentage of IT budgets. IT budgets are, you know, a couple of points of revenue.
I think increasingly, if you look over the years where interest rates are low and corporate spending has been high, companies have been quick to deploy new technologies. And so the average CISO has, what, 80, 90, 100+ security vendors in their supply chain.
Historically, security's been best of breed. I think what you're seeing now is the start of a secular shift, more towards consolidation around kind of key vendors and market leaders, and there's a little bit of vendor fatigue. So I think increasingly, customers are turning to their existing suppliers and asking if there's additional capability and utility that they can provide within the enterprise.
Tenable One, one of the reasons why it's resonating so well is because it's helping consolidate some security categories and obviates the need for additional spend, and addresses a much broader problem for a lot of our buyers in terms of helping them understand their risk.
Also, security departments are, you know, although there's been a fair amount of investment, under-resourced at times, and really need greater tools and insight to drive prioritizations and help reduce risk, which is what we're all about.
I think, like, security, probably like every part of the business, anytime somebody's gonna make an investment, they wanna maximize the value that they get out of any investment. So when they're looking at different security tools to, to invest in, they wanna make sure that they are getting, you know, every single drop of value, and if they're able to reduce other vendors, is one aspect of it, or just taking advantage of other investments that they've made is a, is another.
From one thing, I've-- having conversations with different CISOs, it's definitely maximizing the return on any speak, too. I'm sure half the room knows Tenable One forwards and backwards, the other half may not.
Okay.
So can you talk about what Tenable One just encompasses and what it consolidates, and the value proposition, then we can talk about the financial side of Tenable One.
So, yeah, Tenable One is our, our platform that we introduced last year. It was, you know, a few years in the making. We've put a lot of work into this, and I think the, the simplest way to try to explain it is i f you really simplify security, there's only two types of security tools in the world.
The types of security tools that are looking at activity and attacks and trying to stop bad guys, and security tools are trying to assess the environment, quantify risk, and give, like, actions to kind of prioritize, remediate that risk before you get attacked. It's super generalization, but basically, those are the only two types of tools. Tenable is historically sat in the preventative side of, like, assessing the environment and giving, a form of risk quantification.
What Tenable One enables us to do is not just enumerate a bunch of CVEs or just jump into a bunch of adjacent markets and try to quantify things in the silo, but treat preventative security like a big data problem by programmatically identifying every single different aspect of every different system across the environment, and programmatically build relationships to quantify what I call applied risk.
So just looking at a single variable in the equation to say, "Well, here's where you need to prioritize," is not enough, 'cause a vulnerability on one laptop, even if it's the same vulnerability on another laptop, isn't exactly the same risk. And security practitioners know this, but every single security vendor since the beginning of time has treated all things equal.
What we're trying to do, like I said, is treat it like a big data problem, and do a better job of quantifying real risk. That's Tenable One in a very quick nutshell.
The economics behind Tenable One, which I think you alluded to before.
Yes. Well, they're, you know, very compelling. Tenable One is a product that we launched last year. You have to have a little historical context. When we went public, we had a singular focus on VM, and then over the years, we've become much more strategically relevant to our customers as we've brought new products to market to help customers understand, you know, vulnerabilities, threats, and web applications, public cloud environments, OT, some of the other areas that I mentioned before.
Tenable One is the integration of the data sets of all those different asset types into a single platform. Selling prices, as I mentioned earlier, are significantly higher, 70% higher when we sell Tenable One, relative to selling a standalone VM. Tenable One is now over 20% of our new enterprise sales.
We have hundreds of customers, almost, you know, close to a thousand customers using Tenable One. We're about 10% penetrated back into our enterprise base, so it's a massive upsell for us. We believe it'll provide a continued tailwind of growth for, you know, for a long time to come, and obviously excited about some of the new capabilities, both organically and inorganically, that we brought to market recently with Tenable One.
Tenable One gives you cloud coverage. Why, why does Tenable have a right to win in the cloud? When we look at cloud peer plays, when we look at the networking vendors who are going after cloud, when we look at the endpoint vendors who are going after cloud, when we look at the caching vendors that are going after cloud, why do you have the right to win? Or is it just such a big rising tide on the markets?
I think there is some of that. I think there's just a lot of opportunity in the cloud, so there's... I don't think any one vendor will win at all. But I think what gives us a unique opportunity in the cloud space, so we've been doing cloud security for a few years. Some of it's organically grown. We made an acquisition a few years ago. We've announced an acquisition last week.
And, you know, it's our hypothesis that, like I mentioned a little bit earlier, that the goal of Tenable One is not to do things kind of in a silo. So when you look at some of these pure play cloud security vendors, even in a perfect world, like, let's say you've magically secured your entire cloud environment, you've made the impossible happen.
How long is your cloud environment gonna be secure when the developers that are pushing code to the cloud or changing infrastructure in the cloud has crap hygiene on his laptop, and he clicks on every link in his inbox? Like, there's more, there's more to securing different parts of the attack surface than just looking at each part in the silo. Attackers don't think in silos, so why are we trying to secure these things in silos? It just makes no sense.
So when you look at the breadth of coverage and the amount of information we have across our entire customer base, knowing how multiple aspects of the attack surface are configured, tying that back into the cloud, I think gives us a unique opportunity to, you know, not only secure the cloud based on the, the things that we've done, but also start tying together different aspects, whether it's the code itself being deployed or the people managing the cloud, which others can't do, so.
Do you find that you win with Tenable One in verticals that are either more regulated or things of that nature, that they, they look at risk management maybe as kind of a separate security area? Because when we talk about the big ones, so it's identity, endpoint, network, you know, people don't really talk about cyber risk management, yet I think the way we've always articulated it, it's, it's how you talk about the business of security, how you can articulate risk to the board, risk to the C-level. And so I'm just curious where you tend to win in those cloud situations, if there's any rhyme or reason.
So from what I've seen is, especially historically, just the way the security market has evolved, when people looked at proactive security, you know, where we've sat doing the assessment, where it's usually been treated like a compliance exercise. Like, so it's, I have to do VM, and, like, enumerate CVEs, and my SLA says I need to patch critical vulnerabilities.
Can you just define CVE for them?
A CVE is a software vulnerability.
Thank you.
It's like the nomenclature of, like, "Hey, this is bad software. There's a vulnerability," and it's given a number so people know how to track it. Given critical, high, like, there's different severities. But people have historically treated it as like a compliance exercise, not as the security one, whereas it's very easy to treat, like, endpoint, you know, like response sort of activity-driven security tools very clearly, because if it stops an attack, you can point to that and be like: "Hey, look, we stopped something."
And I think what you're seeing now, and I have different reasons why I think that's historically been the case, but you're seeing more and more people, I think, today understand that no matter how many security tools they buy on the proactive side, they're still getting exploited.
So, like, this investment that they're making, like, it's obviously not working, treating it like a compliance exercise. We're seeing more and more people understand that you need to start treating proactive security as a security exercise and not a compliance one. And the story of Tenable One and what we're trying to achieve there, I think, really resonates with them.
You wanna dive into the Ermetic acquisition?
Sure.
What it is, what it does, why it fits.
I'll just give a couple of highlights, and then, Glen, feel free to interject. This was an acquisition that we announced last week, where we acquired an Israeli-based company called Ermetic. They're a kind of a full unified CNAPP offering, which we'll talk a little more about, but it adds expansionary capability to Tenable.
We're strong, we're really strong in certain areas of the cloud. Increasingly, you know, we are winning deals in the cloud, having great success selling it back into our customer base, and we're also selling cloud security as part of our Tenable One offering. And so this is purely market driven. It's something our customers and partners certainly want, is more capability in this market.
If you look at our TAM collectively, it's $25 billion, $10 billion of which is in cloud security. It's our largest and fastest growing area. This acquisition gives us a larger footprint in cloud. It's TAM expansionary, increases it to over $30 billion, and represents a significant upsell opportunity for us.
Yeah. And why Ermetic? Why now? I think, you know, like Steve said, this has been, you know, customer driven by us. We've been pretty successful with the stuff we've built and acquired over the last few years, but they want more. And the reason why Ermetic kind of made sense is that philosophically, you know, I've already talked about the Tenable One, the bigger, big data context thing. Philosophically, they think of the same thing.
Their lens was through the, you know, just looking at the cloud, and they started off as a cloud identity and entitlement management product, and they've kind of evolved into the broader CNAPP. And, you know, our philosophy is like identity being such a big part of risk quantification, because that's the only way you can measure actual impact, is knowing, you know, the downstream effect.
Everything just kind of made sense. If you look at where some of the players in the cloud security space are strong, there's one or two. Like, CNAPP is alphabet soup. There's, like, a million and one things that make up CNAPP, right? If you, if you look at where our strengths are and you look at where Ermetic is strong, I think things just kind of line up.
Like, they have an amazing end-user experience, like, the time to value is there. Strong in identity. We're strong on a lot of the assessment stuff, and obviously, the platform gives us an opportunity for bigger differentiation. People are asking for it. We felt like the alignment was there and, philosophically and from a product perspective, and we went for it.
So I'd like to explore a little bit, unless there's any questions at the moment. Love to explore a little bit just the, the route to market, because as we think about CNAPP and cloud security, you've got the traditional security vendors that are shifting a little bit more left, and then you have those security vendors that are just focused on dev. I'm going to sell.
I think we'll have Wiz on stage tomorrow, but we're just gonna sell a solution to dev that is holistic cloud security. So I'd love to understand, kind of your view on this opportunity and, and the route that Tenable is gonna take.
So, it depends on the definition of dev, if... Because there's, like, different organizations handle what they call DevOps a little bit differently than the actual application writers. In some cases, you know, they take the more traditional SRE as defined by Google. Like, the DevOps team are just building frameworks and enabling developers to manage the code, so they're writing their code, they're managing it in production.
It's a very different persona than how other organizations that they manage the cloud infrastructure, developers are just writing the code for an application that just happens to run in the cloud. So I think there's varying levels of kind of how this plays, but I think generally speaking, it just makes sense philosophically. The sooner you can just, like, do security... If you could do security before anything is running in production, why wouldn't you do that?
Why introduce any form of risk if you don't have to? I think the challenge is, in some cases, depending on how your organization treats the cloud. I think there are opportunities where going to the developer makes complete sense for the cloud. Like, one of when we acquired Accurics, a big part of the value prop we saw with them is the infrastructure as code scanning, like doing assessment of the cloud in the pipeline before things change. They, you know, they're responsible for Terrascan, which is the most widely used IaC scanning tool. And so there is a use case, like, there's, like, real value there.
I think when you start looking at source code develop, like, people that are writing Java code or like C code, then that level of developer and security tools around it, I think it's going to be a challenge for security vendors that are, like, cloud specific to jump into that, 'cause it's a very different persona buyer. Where I think cloud security vendors and what we're doing with Tenable One is there are some really good tools out there that developers use from a security perspective.
We should be ingesting that data, building relationships, and tying it back to the whole code to cloud concept, is a very real use case that we should account for. But whether one vendor should be trying to scan everything or handle it, I don't think it's smart from a technology and a go-to-market perspective.
Right. Any questions at this point? Yeah, Nathan.
Yeah, one for Steve. I think Ermetic is one of the biggest acquisitions you guys have done historically, and curious your thought process of why it made sense to spend a lot here on what kind of opportunity, what the bigger layer for it, private valuations in general, kind of coming back down to what would make more sense to do a bigger acquisition?
Sure. Well, we're obviously very excited about the promise of the Ermetic acquisition. As I mentioned before, this adds expansionary capability in our largest TAM, the fastest growing, in an area where we're seeing real momentum and real customer pull. Probably an opportunity we would not have had maybe a year or so ago, when rates were lower and corporate spending was much higher.
This is a company that's been successful raising money to date, raised collectively, you know, close to $100 million, including such backers as Accel, lots, you know, tier one VC, very product driven. The company spent a lot of money bringing, you know, evolving the product and hardening the product.
Amit's not here, but what he would say is that it's some of the most exciting tech he's seen in security in the last 10 years. So super excited about the offering and, you know, the complement it offers to what we do. You know, one of the toughest things for a company, though, certainly in this market, is you have to be able to grow, and this company's been doubling over the last couple of years.
But you also have to have a business model that's, you know, kind of almost fully baked. And so this is a company that, you know, still had somewhat of a burn, had the opportunity to raise money, perhaps in terms that were a little different than what they've historically raised money at.
You know, getting the go-to-market right is every bit as tough as bringing a product to market successfully sell. We're strong in areas where they needed help. So, this acquisition made a lot of sense because we were strategically aligned. You know, they obviously want to completely dominate the market, and we think they can help us do so.
There's significant incentives from a retention standpoint for them and their team to be here for many years to come. We're gonna continue to make investments, you know, in their offering, and kind of combines areas where we're strong with areas where they are just, you know, very elegant.
So for us, we looked at it and said, "Okay, we have confidence we can sell it." We said for next year, it was gonna add two points of top line growth, CCB growth. That implied $18 million-$20 million of sales. Multiple was reasonable in that regard. So, what we've seen in the past from the M&A side is that some of these opportunities are either extremely small, like $1 million of ARR or less.
Usually, they represent the customer base, the personal Rolodex of the cofounders, or some that maybe have some size, whether it's $50 million, $100 million+ , with still crazy valuations. So we've remained patient. We think, you know, we think this is the right deal at the right price and the right time for us.
Yeah, please.
Can you go back to Tenable One for a second? Where along that penetration curve do you think story gets tougher, and that your relationship with Tenable is much more down, so not going to be looking for?
Yeah. So, the catalyst for Tenable One is a desire from a customer to assess more than to do more than just traditional VM. Because Tenable One, just as refresher, includes, you know, web app security, cloud security, Active Directory security, internet-facing assets, ASM.
And the pricing, if you were to try to buy this à la carte, it would be, you know, more expensive than what you could buy, you know, with Tenable One. So, you know, the incentive for the customer from a price perspective is the ability to assess risk across different asset types. If customers wanna do, you know, more traditional VM, we have products for that, and the market's very established in that regard.
If there's a desire to understand your risk more broadly across, you know, the, the attack surface, usually what compels that, that's usually what compels the purchase for Tenable One. Because we price them based on the number of assets. ASPs are higher because we cover more assets, consequently. Obviously, desire to understand risk more broadly.
I think one other point, too, is even if your job is to do traditional vulnerability management, the value prop for Tenable One is you may not care at all about identity security. That's not your thing. You just do traditional VM. But what the platform is, it's not, I really hate, "the platform" is such an overused term, but, like, when we're bringing this data together, it's driving back a very differentiated experience to the rest of the product.
So if your company went in on Tenable One and started using the identity products, as a VM user, your experience fundamentally changes immediately. So now you can start doing identity-based vulnerability management. You can start making more informed decisions that show me every administrator, like something basic, show me every administrator in my environment with critical vulnerabilities.
You can start doing that, or here are some vulnerabilities that are on attack path, you know, that can move laterally. These are things I need to prioritize. So even from a traditional VM perspective, the consumption of Tenable One and the other products and the third-party data that we bring in, fundamentally changes how traditional VM is done. So, and that's the inverse is true for the other products as well.
So kind of put the bow on it, I guess. You, you've talked about top of funnel being strong, your win rates improving.
And I think you've, in a lot of ways, kind of articulated the vision of cyber risk management and how comprehensive you're getting. Is it that the market is starting to get this message and move with you? Are you seeing competition not be as strong as it was historically, if they've pivoted different directions? You know, just trying to, I guess, understand some of the comments you've had, just around the success you've seen in the win rates.
Yeah, you know, I think it really starts with, starts really with the customer. We have over 3 million users of our Nessus product. We have-- well, it's, and Nessus is one of the most ubiquitous products in all of cybersecurity. Creates competitive mode and actually creates a compelling flywheel effect to our enterprise platform.
We have 40,000+ customers, and it, it starts with this ability to do one thing really well, which is discover and assess systems, devices, and assets for vulnerabilities and exploits. And customers are now asking us to do that across other areas of cyber. So for us, you know, when we look at product, whether it's organic or inorganic, it has to be good go-to-market alignment. We want to sell it to the same buyer.
We want, you know, basically, you know, similar ASPs. We don't want it to dramatically change the sales cycle or the selling price, because that can inject complexity into the sales process. We want it to expand the core value prop of where we're strong. Our roots are in vulnerability management. Exposure management is an outgrowth of that. It's a massive market opportunity. We're answering the question, how secure are we for our customers?
And we're doing that in a much broader way than we have in years past. So we think we're doing a lot of the right things to be successful. Years ago, security was all about malware. Now more recently, it's been ransomware, and we talked about this last night. Cloud security didn't exist years ago. We're starting to just talk about AI.
This, the chapter in security is yet to be written. It'll continue to evolve, and I think those with, you know, of some size, and we're approaching $1 billion in sales, CCB, customers with a massive, companies with a massive customer base, who are leaders in their own, in their own right, I think are gonna continue to be successful here, and we have confidence that we will be.
Great. Thank you, guys.