Thank you for joining us today for our inaugural Investor Day. My name is Erin Karney, and I'm Head of Investor Relations at Tenable. Since our IPO three and a half years ago, the world has changed in so many ways. We certainly did not imagine that our first Investor Day would be virtual. We have achieved several milestones, and our platform continues to evolve in many ways to serve our customers. We are excited to share updates with you today. In addition to hearing the familiar voices from Amit and Steve, you will hear from some other Tenable leaders that have made tremendous contributions to our success. Before we get started, I wanna do a quick overview of today's agenda.
We will have four approximately 25-minute presentations, a business and strategy update provided by Amit Yoran, Chief Executive Officer, a product review by Nico Popp, Chief Product Officer, go-to-market update by Mark Thurmond [COO] , Chief Operating Officer, and Dave Feringa, Senior Vice President, Worldwide Sales, a financial overview and outlook by Steve Vintz, Chief Financial Officer. After the presentations, we will conduct a question and answer session. There will be 10-minute breaks between each presentation and between the last presentation and Q&A. Finally, we have opened up the Q&A to everyone. Please submit a question any time throughout the presentations. There is a question bar located under your presentation window. As some of you know, our vendor for our event experienced outages this morning related to a broader AWS outage.
We have no reason to believe this will occur again, but on the off chance it does, we will continue to record the session for replay. We will subsequently follow up with a question and answer session at a later date. Before I turn the call over to Amit, I wanna remind everyone that we will make forward-looking statements during the course of these presentations, including statements relating to Tenable's expectations regarding long-term growth and profitability, growth and drivers in Tenable's business, our competitive position in the market, growth in our customer demand for and adoption of our solutions, the potential benefits of our acquisitions, and plans of innovation and new products and services. You should not rely upon forward-looking statements as a prediction of future events.
Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. With that, Amit will kick us off.
All right. Excellent. Thank you. Welcome. Tenable, obviously, we're very excited to host you for our first Investor Day and share more insights into our business and strategy. Next slide. Oh, all right. Well, we're jumping through. My name is Amit Yoran. I'm the CEO of Tenable. I've been the CEO since January 2017. Prior to Tenable, I served as the President of RSA, the founding Director of the U.S.-CERT program and have been in the cybersecurity space for 30 years. Wanna talk a little bit about our performance. In scale, our customer base is up almost 50%. We now have more than 35,000 customers at Tenable.
We've expanded our partner ecosystem, including an extensive distribution network, and we've expanded sales, surpassing $600 million in CCB by year's end. Extremely excited about our expansion and how we're extending our technology leadership. Over the past few years, we've really secured our leadership position in the vulnerability management market. We've developed more holistic, unified exposure platform, ability to solve more pain points for our customers and their use of technology. We're gonna talk more about that, shortly. We continue to deliver impressive results, including strong growth with CCB and revenue at more than 25% bigger and achieve impressive profitability, including free cash flow almost a year earlier than previously anticipated and discussed at the time of the IPO. Next slide.
Tenable is the industry and market leader in vulnerability management, and I don't think anybody that uses VM products, tracks the VM market, participates in the VM market would contest that by just about every single measure possible. Nessus has been the gold standard for assessing system security and vulnerabilities, and it remains so. This year alone, we've had over 1 million downloads of Nessus. It was ubiquitous and probably one of the most beloved products in the security space. It continues to move the needle. It continues to be very aggressively adopted and embraced across the community. We continue to lead the market by a long country mile in terms of coverage of different types of vulnerabilities, the accuracy of our assessments, the time to market for developing new checks as critical new vulnerabilities emerge.
I'd say the user community recognizes and appreciates our leadership. Over the last couple of years, we've averaged over 360 new customers onto our enterprise platform per quarter. The more than 35,000 customers we have. If you think about VM as identifying, classifying, prioritizing, mitigating misconfigurations that can be exploited across an environment, Tenable is the absolute market leader by just about every stretch and dimension. If you go to the next slide, I can say definitively that it's not only users in the VM community that believe that, but pretty much every single market analyst and market analysis has us as the market leader, whether you're looking at Frost & Sullivan, Gartner, Forrester, IDC. Regardless of who you talk to, customers, partners, analysts, anyone in and around the VM space will tell you pretty much the same response.
It is Tenable that has really differentiated ourselves as the market leader. We're the best in class at finding assets, identifying how those assets are configured and how and where they're vulnerable, and prioritizing those vulnerabilities and exposures and guiding our customers on how to best manage risk. If that is your mission within the enterprise, then Tenable has differentiated itself as the market leader in the product to use. If you go to the next slide, we'll talk a little bit about Log4Shell. Right? This is a severe risk to the entire Internet. Like, we've been talking about this basically over the last four or five days, since it was released as the Internet Fukushima.
Let me tell you a little bit about Log4Shell, 'cause I think it's a great case study and analysis on the strategic importance and value of what we deliver as a company. Log4Shell. Simply put, it's a remotely executable vulnerability which gives an attacker full access and gives them full control of the system that they attack. It's extremely easy to exploit. It can happen over a ton of different attack vectors. Four different characteristics that I have been highlighting for folks is that, look, Log4j is absolutely pervasive. It's all over almost every single infrastructure and environment. It's how systems, modern systems log today. It's not only ubiquitously used in infrastructure, it's embedded in all sorts of different applications.
On your infrastructure, you can find it and fix it if you're diligent, if you're proactive, and if you're using applications which have been developed using Log4j, then you've got to wait for those vendors to update their software before you can self-select saying, "Hey, we have this issue." You can look for that issue. They have to update their software, and you have to go about updating, patching, fixing all these different applications which have Log4j vulnerable versions embedded into it. This is a very serious issue. It's remotely exploitable. It can take control of systems, and it is absolutely pervasive in infrastructure and in applications. Log4j runs in Java, right? Think about that for a minute. It means that it is the perfect payload.
It is portable across heavy equipment, across network servers, down to printers, to your kid's Raspberry Pi. It works on Java, which means it works everywhere. Oh, by the way, Java has been, like, the number one, number two most popular development language for the last 20 years. It runs everywhere. This exploit, the vulnerability is pervasive. The exploit runs on basically every system you can imagine. The third point is that systems don't have to be Internet-facing or accessible to be compromised, right? Think about a web server or a mail server. They're gonna log activity. Even if they aren't running Log4j, right, they're gonna pump the logs to a system that is, that's analyzing those logs, that's creating business intelligence from the logs that are generated or being used to troubleshoot or performance monitor, all sorts of different.
If data's important, the infrastructure you're using Log4j. Even if they're not Internet-connected, maybe the system collects the logs and then it'll offload them in some periodic basis or stream them to a logging server, which could be, and probably is, internal. Boom, even though the internal system isn't accessible, that exploit will still work. If you think about that, it's easy to imagine in a web server or mail server. Think about it as a modern application, right? Modern applications are hyper-distributed with lots and lots of microservices running all over the place and logging to different places. This issue is a real mess. What I can tell you is that absolutely nothing can block it, right? There were some early, you know, claims or level of excitement.
Oh, we'll just throw a web application firewall or a next-generation firewall, and we'll block it." Unless you're gonna block all Java, which is not practical because it will break just about everything that you're doing as an enterprise, you can't block it. It's not gonna be blocked by your WAF, by your next-gen firewall, by your XDR, and it's not gonna be found by those systems either. Maybe they'll find a local version, but in a complex mesh environment of microservices, the only way to do that is using your vulnerability management solution with the remote checks. This issue has really highlighted the importance, the capability that Tenable has been delivering for 20 years and is the absolute market leader. In the first 24 hours, we released checks.
What I can tell you today is that only primary VM vendors are able to find Log4j on systems remotely in these complex architectures other than just the kind of very simple use case of, hey, it's running on my particular computer or not. The distributed nature of this vulnerability is, I think, I won't say typical, but it highlights why this type of function is complex and critical. At this point, we're finding between 1 and 3 vulnerable systems per second. This is a big issue. Even if you can block one aspect of it or one part of it, we know based on decades of experience that this is gonna morph aggressively, right? We already have more than 9 checks. We're constantly looking for new methods for exploitation across various network protocols.
This is gonna be an issue which is gonna be with us for a long time. Oh, by the way, as I said, it's not just finding the logging infrastructure, it's embedded in applications. As we've led this market for decades, we have the relationships so that each and every piece of software, every software vendor, when they self-report, "Hey, we have Log4j, or we don't have Log4j, or this version of our software is vulnerable because of this version of Log4j," we auto-populate those checks, and we build those profiles so that our customers don't have to go have a complete bill of material of every library and every piece of software in their environment.
We're automatically building that and pumping it to their sensors, to their scanners, so that they can identify every single piece of software as it, as those vendors release new versions or update their software and say, "The old previous version was vulnerable." I think this has highlighted why Tenable is a absolute primary response tool and a critical response tool in time of absolute crisis for the internet and every single enterprise customer out there. With that, I'd like to thank our investor relations team for drumming up this great example of why best of breed and absolutely VM matters on the weekend, before our investor day. Thank you, Erin. I greatly appreciate it. Next slide. I won't spend a lot of time on this.
Customer use of technology has exploded, diversified in all sorts of different ways and all sorts of different capabilities, and all of these different compute types introduce vulnerabilities, risks, and they're all interconnected. Go to the next slide. Can't be a security company without a lot of headlines, but I think the thing to note here is these are not just IT breaches. There's all sorts of other stuff out there. Businesses now recognize that all of their use of technology, OT, cloud, all of these things, are susceptible, are vulnerable, and they need to understand, and they need to apply their VM discipline to these other areas of compute. That just becomes a very natural motion for Tenable and for our customer base. With that, we can go to the next slide.
Starting with OT. We're the only vendor that provides complete understanding of IT and OT converged environments with that deep understanding of exposure and risk. If you're running an OT environment, an operational technology environment, a factory floor, an assembly line, an automated inventory management system, a pipeline, right? These systems are not standalone 100% OT. A factory floor has lots of OT, and by the way, it also has lots of IT completely embedded and meshed into that environment. This is a critical issue. We've seen lots of outages in the OT world. We're gonna see lots more of them, perhaps even as a result of Log4Shell. Gartner and the analysts are seeing it, right?
50% of enterprises are expecting to substantially increase their spending on OT security in the next calendar year. This is no longer a nascent market, which is how we characterized it a few years ago, right? There's more and more focus on OT, on prioritization, and understanding cyber risk in those environments, which by its nature has to have that complete understanding of OT and IT. We're seeing lots of momentum in our OT business, and, you know, as the picture there highlights, right? We're recognized as an absolute market leader in the OT world. What I'd say is if you look at all these examples, you can't secure OT in a silo, right? Think about the high-profile examples like Colonial, JBS. Those were IT attacks which shut down OT operations.
If we go to the next slide. We've extended our capabilities into Active Directory, right? This is the VM use case, as we've done for OT, into Active Directory and securing digital identity infrastructure. Active Directory is ubiquitous. 90%+ of enterprises rely on Active Directory as their source of ground truth for identity and directory services. It's critical. It's even more critical when you think about work-from-home environments, when you think about cloud environments where you don't have all those anchor points for trust. It is the number one target. Active Directory is the number one target for ransomware and hackers, right? Think about any piece of ransomware that you've read about over the last couple years. Think about the manual breach. Attackers absolutely go after AD as the first target. Why?
Because they want access to the data, which means you have to have more access, which means you have to have an account that has access, and they want persistence. They wanna be able to get back into your environment when you discover them. In order to do that, they wanna create additional accounts and backdoor accounts. The AD is woefully underserved. 86% of enterprises are expecting to increase their spending on AD security in the coming years. Terrific market. We have the absolute leading technology. Again, it is something that can't be secured in a silo. You have to understand AD security in the context of your broader IT deployment and vice versa, the IT around the Active Directory, which will dictate and contribute to your understanding of AD security.
If we'll go to the next slide to talk about our cloud capabilities with Tenable cloud security. Right? We've been a leader in VM, and we've been a leader in cloud-based VM for years. Cloud-based capabilities require web application scan, deep understanding of containers. We've had cloud-native connectors, and recently we had introduced Frictionless Assessment. A lot of momentum building in our work with customers to help them assess their cloud environments. Recently, we extended our investment into code, into understanding Kubernetes posture management, into understanding security posture management. When I say into code, let me give you a little bit of context for that. People like to say cloud, but there are multiple generations of cloud at this point, right?
The first generation of cloud was basically taking your hardware environment, virtualizing it, and moving those virtual machines, those virtual networks and load balancers into the cloud. It was very much traditional IT virtualized and executing in the cloud. That's where our cloud-native connector, where our Frictionless Assessment and ability to assess in the cloud, you know, I think was and remains market-leading. In the second generation of cloud, right, people are defining their systems, their networks, their load balancers, their entire environment, and they're defining those in code and in script, right? They're defining Infrastructure as Code. That opportunity allows Tenable to get into the build process to help identify issues before they're deployed.
It allows us to define, as we do now with the Accurics acquisition, remediation as code and check it into the build process so that we can prevent these problems from ever occurring. Enforce policy and security as code. Our purview and our ability to help customers in this infrastructure as code and cloud-native world is even greater than it has been in the traditional cloud environment. As we build out our full portfolio of cloud capabilities, it takes us all the way from the far left, from building and assessing vulnerabilities and fixing them at time of production, all the way through the far right, where we're discovering assets, we're identifying their misconfigurations, we're fixing those assets. Across that entire life cycle, we're identifying drift from how those assets were originally set up and where they're exposed.
We're taking that core expertise, the decades of experience that we have, the market leadership that we have, and applying it to the entire life cycle of cloud capabilities. As security teams are looking to assess risk across this full suite of cloud capabilities, Tenable becomes the natural place to go to because it's not just in the code development piece, we can really help them understand risk across that entire portfolio. Oh, by the way, that portfolio is impacted by the systems connecting to that cloud. Again, Tenable is a leader in assessing those systems as well. If we'll go to the next slide, talk a little bit about Tenable and the evolution from VM to a full cyber exposure platform, right? Our conviction stems from being the market leader.
Many folks from pre-IPO have been asking us, "Well, are you gonna go into that market? Are you gonna go into, you know, this other market?" I've said, "No." We believe we have very strong conviction in our vision and where and how the world is evolving to. Our conviction stems from being the market leader in assessing system risks, measuring, discovering assets, assessing their configuration, their integrity, identifying the vulnerabilities they have, taking those massive numbers of vulnerabilities and problems, and prioritizing what are the things that matter most to our customers, and how do we focus them on addressing and mitigating and assisting in the mitigation of those risks. We are absolutely the leader.
That customers need to do this in the broader context, in their new operating environments, continue to drive our vision and our transformation from a bunch of siloed capabilities from VM and Active Directory and OT environments into an integrated, unified workspace. Right? If you wanna assess cyber risk, if it's your job to assess cyber risk for the audit and risk committee, for the CISO, for the CEO, for the board of directors, Tenable.ep platform not only leads the market, it's the only platform in the market today that can help you understand cyber risk in the broader context of your business. It's easy to see how our vision and our capability and our market leadership in vulnerability management for assessing and addressing cyber risk historically are evolving naturally with our customers into these new environments.
If you go to the next slide, talk a little bit about our addressable market. It's something that we've also probably had many conversations about over the past few years. What does it mean from a Tenable perspective? Yes. Since the IPO, as we said, as we committed, we're focused on the VM market. We are winning in the VM market and believe that will remain the case, and that many people underestimate the size and the growth rate of that market, but most importantly, the strategic-
Wonderful. Hey, welcome back everyone, and good afternoon or good morning. Let's talk about products. Who am I? Nico Popp. I'm the Chief Product Officer. I've been on the job a little bit less than a year, so somewhat new, but not really new to cyber, right? 20 years in cybersecurity. Notably, I was running the data protection and cloud security franchise at Symantec prior to Tenable. Super excited to be here today to build on some of the ideas, right, some of the strategy that Amit presented before. In fact, I'm gonna talk about, like, the three mega opportunities ahead of us and provide maybe more details. Opportunity number one, this idea of extending VM to the always extending attack surface, right? I call it VM everywhere. Big opportunity.
Number two, cloud security at a time where cloud security is shifting to the left, a big industry trend. We think we have a special role to play in cloud security, so I'll develop on that. The third opportunity, last, certainly not least, right? This idea of transforming Tenable into a data analytics platform. Here we go. Let's start with the first one, VM everywhere. I want to start with the problem. If you're a CISO today, right, one of your main concern is deciding that the attack surface keeps expanding. The question, the Tenable question, how secure are we? Is still a very powerful question. It's just getting more and more difficult because, you know, it's a very multifaceted question. If you think about it used to be simpler.
All you had to answer is my traditional on-prem data center, my traditional IT infrastructure, is it secure? Then COVID, you know, some of these laptops went home. A lot of them did. You know, now is my remote workforce secure? Then, you know, we have public cloud now. In fact, we may have two or three public cloud because you wanna have a multi-cloud strategy. Is that public cloud secure? I think you also realize quickly that digital identity is one of the biggest vulnerabilities, so you're gonna worry about that. Finally, if you have critical infrastructure, right, you're gonna wonder whether your OT infrastructure is secure as well. It's very complex because the attackers, they leverage the entire attack surface, right?
You can find solutions, you can find a lot of vendors, but what it means is more vendors to manage, more solutions to deploy, to integrate, more complexity. Okay, that's the problem statement. To every complex problem, there is a Tenable solution, pun intended. That's what we call VM everywhere. I decided to take our core competency and extend it across that growing attack surface. By the way, we've been on that journey for some time, right? You know, we're our roots, our DNA, right, our know-how is anchored in traditional IT infrastructure, right, private infrastructure. Then we expanded, right? We did expand with Indegy, where we got into OT infrastructure and we built a muscle. We didn't stop there. I think with Alsid, we did something very interesting.
We realized that, you know, identity access is probably one of the most largest vulnerability, and I think the industry acknowledges that. You all heard about the zero trust movement. Then finally, public cloud, right? With the Accurics and I'm gonna develop all that. Now, the question that should come to your mind is: Tenable, why do you have position to move across the attack surface and still be relevant and still win, right? There's actually a very simple answer. If you think about that world, right, that entire attack surface, the reality is that there's only three types of vulnerabilities out there, and they're all relevant. Software vulnerability, number one. Access, right? Entitlement vulnerability. Usually, you over-provision access. And third, configuration vulnerability that are really important in the cloud. So here's the secret, right? A vuln is a vuln is a vuln.
This really leverages the same core competency around vulnerability management. It leverages our DNA. It leverages all our know-how, right? By the way, what's also interesting, it's directly feeds our business model, right? Think about it. As we expand the attack surface, we discover more assets. More assets under management, right? Drives our bookings. Very simple, right, flywheel, like, powerful flywheel. Surface expansion means asset expansion, means more growth. It's a very natural strategy, right, for us at Tenable. I wanna drill into the why we win, give you a little bit more color. There are really three magic ingredients. The first one is the technology, right? The technology matters. You know, scanning technology actually is a big deal.
You know, we have all the scans, all sons or daughters of Nessus, you know, agent-based scanning, network-based scanning, API-based scanning, frictionless scanning, you name it, right? IaC scanning, we have all of them. I know sometimes it sounds like words in a slide, but Log4j is a very strong reminder that tech matters, right? You know most of the VM players, the new VM players out there will only do static scanning, right? While we also have dynamic. With dynamic, you're gonna unveil and cover way more faulty systems than with static alone. The tech matters, keep investing into that tech, right? When the going gets tough, you go to the professionals. We are the pros. Tech alone, not enough, right? You need content. You need security content.
You know, one of the reason I was really excited to join Tenable is the reputation of the research team. You can look at the richness of the content, right? That content can never get stale. You gotta keep on working on it. There's a third magic ingredient. That's the go-to-market, right? You know, so many unicorn would be happy with 300 customers, right? We're talking about 35,000 customers. The reach. More importantly than the reach, it's the trust, right? The trust that these customers are placing into Tenable to deliver one of the most important aspect of cybersecurity today. Now, that reach, that trust is super valuable because when comes the time to decide who's gonna secure their OT infrastructure, who's gonna secure their cloud or AD infrastructure, right?
The first intuition will be to basically employ the one that you already have, the one you already trust, the one that already performed for you. That gives us permission, right, to upsell and move across the attack surface very swiftly. That's super important. Having said that, yep, very strong wind, very strong positive winds because it's a solution, right? Because of this vendor consolidation trend in the industry around cybersecurity. As Amit put it, these products, right, these individual product, they stand on their own, right? Take OT. The market is strong. Everybody has noticed the Colonial Pipeline breach, right? Everybody has heard about President Biden's bill on critical infrastructure cybersecurity. The market is very vibrant. Then you heard about the accolades that we are receiving from Forrester, basically declaring Tenable as a leader.
You could build a company around that business alone. It is the same, right? Everybody has Active Directory. All the bad guys leverage AD, right? That's the lateral movement because of Active Directory that led to the paralysis of this Israeli hospital for a month, where they had to use paper and pen because their network was basically infected with ransomware. Opportunity is there, but with the asset people, you cannot hire these people if you wanted. You cannot find these people. The innovation they keep delivering, we're gonna talk about cyber attack pathway in a second. The point here, the mega point is, yes, there is a suite, there is a halo effect from Tenable, but these products are really, really, really good on their own, and that's important. That's what makes that whole thing exciting, right?
That VM everywhere is really a powerful opportunity for us. By the way, even more exciting, I think we only scratched the surface. It's not like we are opportunity bound or opportunity constrained at this point. If I look on the left, more opportunities if we decide to do so, right? Third-party libraries, open source, API security, cloud security, you name it, and that's on the left alone. On the right, same thing. External surface management, SaaS security posture management, third-party risk management. All these things are part of the attack surface. All these things could leverage our core competency. We're not at the end. We're only at the beginning. At most, at the end of the beginning. All right. From one exciting opportunity to another. Cloud security. I think everybody agrees it's a large opportunity.
Just read that, you know, AWS alone is probably around $50 billion. So take your favorite percentage, 8%, 12%, 15% of the spend on cyber, the IT spend on cyber, and you get to a very large number, whichever way you use. So why, you know, what problem are we solving and then why Tenable? I think that's an important question because it's a crowded market. Well, we are seeing a very important disruption that gives permission to come in. Let me explain. The first wave of cloud adoption was all about legacy application moving to the cloud, right? That's what you all heard about lift and shift. We're lifting and shifting applications to AWS or Azure. For that, traditional security work well. The first generation of cloud security work well.
Now, when we talk about the digital transformation, these are very different applications that are being built and deployed. We call them cloud-native applications. There are three things you should know about this application. They are very different than their predecessors. You'll hear things about like microservices, container, mesh network, right? We used to talk about three-tier application. Here, we're talking about like 500 microservices from three to 500. Totally different architecture. The deployment model is completely different. You heard about continuous integration, continuous deployment, Infrastructure as Code. Because of that, they change all the time. Their rate of change is actually defeating kind of the first approach to cloud security. Let me explain again, because I think this is very important to understand that it's a new game in cloud security. It's a new opportunity.
The first problem that you have with the traditional approach to security is that the applications are changing so quickly that the whole idea you can detect security flaws in production is ludicrous. It's too late. In fact, I think Palo Alto last week published a study where they deployed some misconfigured workload with vulnerabilities. Within minutes, they were compromised. The guy on the right, you know, in his CSP console doesn't have the time, doesn't, you know, can't react in minutes, right? That's the essence of that shift left movement. There's gonna be a premium on doing security on the left, closer to the developers before production. By the way, it's not just that it's better to detect on the left. You see that guy on the right? You know, remember, 700 microservices.
He has no idea what that developer on the left is actually doing. Imagine I'm in my CSP console, and I find containers that have an open port that, you know, sounds dangerous. Should I close that port? Yes, no, maybe? I really, I don't know, right? Because I don't have the context, right? The security guys can't make decision, right? The blind leading the blind. Lastly, the security emperor is naked. Even if I felt powerful enough to make such decision, right? Close the port. Three minutes later, the DevOps guys are gonna redeploy and override all my changes. Think about that. It's too late for me to detect on the right. I cannot make the right decision, and by the way, I cannot fix everything. That's the essence of the shift left movement.
By the way, you'll hear it from everybody in the industry. It's simple. The next generation of cloud application basically are defeating the first generation of cloud security. It's a disruption. Carpe Diem, we seize the day, and we acquire Accurics and integrated Accurics, and we're gonna launch a new solution, Tenable.cs or Tenable dot cloud security. We're gonna launch it in February at SKO very early. Sales conference is really where we like to launch this new product. What will you have in there? You will have Accurics, so infrastructure as code security, CSPM or container security or frictionless assessment in one solution, in one SKU.
I want to pause for a second here because you're probably asking, "Yeah, another vendor in cloud security." Everybody, every security vendor in the industry will tell you security has to shift left, cloud security has to shift left. Think for a second what it means. What kind of security can you do on the left? Can you do EDR? No. Can you do file? No. Can you do XDR? No. What can you do? Well, you can find software vulnerabilities. You can find configuration vulnerabilities. You can find access vulnerabilities. Yeah, that's VM everywhere. That's what we do. What I'm saying is we have birthright to be a leader in that market. Now, what else can we do beyond birthright? How can we win in that market? One word, integration, integration.
Well, if it's VM, let's use the most powerful VM management tool or Tenable.io console, right? 1 console is better than two console, seven console for multiple acquisition, right? The simple idea to basically give you a single pane of glass, right? To see all your assets, private cloud, all the public cloud, AWS, GCP, Azure in one place, same search, same workflow, 10 years of reporting, right? All the maturity of that tool versus the new startup, right? You get all the maturity. That's the product guy talking. Think about the go-to market. Hundreds, thousands of customers who already trust Tenable. They have the tool. They use the tool. They know the tool. They love the tool. You're one click away to doing cloud security. Upsell, cross-sell is much easier than new sell. Very simple sales play, right?
Finally, I think there's a long-term advantage. I think if you talk to the top Fortune 5,000 in the world, they all tell you, "My future is hybrid. I'm gonna continue to be hybrid for a long time." This is the perfect solution for a hybrid enterprise, for a hybrid cloud. One VM program, all the cloud, private and public. Okay, we got product leverage, we got go-to-market leverage. There's one more thing. How about some technology leverage? You may remember last year we introduced frictionless, right? Or Frictionless Assessment. What we had heard from customers is, we don't want a Nessus agent in our workload. What we did, we leveraged an existing agent, the existing management agent, and that's what we call frictionless.
Now, what we learned from customers is that the DevOps guy, they actually, they don't want any agent because, you know, they're always afraid that their precious container, their precious microservice is gonna slow down if you're running a scan on that, you know, on in production on that server. We invented a new way that doesn't even require that agent. The idea is to basically use this API, find your workload, snapshot them, and then we do the scan. We're not doing the scan in the running workload, which is the beauty, so no performance impact. We're gonna launch that after cloud Tenable.cs in the first half of next year. You know, by the way, I was trying to google, you know, how I'm gonna call, you know, something that's zero friction, right?
I found that Teflon and Hyperloop, so I think we're gonna stick to frictionless. That's much better. Here we go. That's the cloud security opportunity. Obviously significant. We get the opportunity to be a leader in one of the most exciting market of our generation. But you haven't seen nothing yet. Let's talk about the platform. We already have a platform, right? We call it Tenable.ep exposure platform. By the way, it's a great offering. It's working. No surprise, right? Compelling value proposition at the product level. We're covering the attack surface in one solution, compelling pricing. You know, ROI, you get a significant ROI with a discount. Then finally, you know, the mega trend of, you know, security is too fragmented. I want to consolidate around a few trusted vendor. We're checking all the boxes.
This is good. You know, we are not happy with good. We want great. We thought that's a platform, but can you make it something more powerful? Can we make it a unified platform? That's where we are today. Let me ask you the question. You know. The idea here, by the way, is if you buy one or two products, you know, the platform is actually gonna make these two products better, right? It's one plus one equal three. How to create a network effect, a platform effect. You know, we improve the security posture. The more products from Tenable you use and you deploy, that's the network effect. That's what we're trying to create. How do we do that? How do we bring this product in a more meaningful way? How do we do that?
It's the data, of course, right. What if we bring the data together? What could we do if we brought the data together? We could do very powerful analytics. In fact, you know, we build on our Lumin experience, and we realized that with Lumin we applied analytics on VM data, and we made VM better, right? Risk-based VM. The first inclination, and we did that, is let's apply Lumin, right, to AD data, to OT data, to cloud data. We're doing that. A light bulb popped up. We realized, what if, what if we could correlate that data and it would yield new insight that were never there before? Come on, right? Correlating that data, and that's what we call attack pathway. I'm going to give you a full example in a second.
We think it is a game changer. Hold that thought. I'm gonna give you a full explanation. There's another kind of analytics that we like. It's the analytics that basically appeals to the buyer, the chief buyer, right? The CISO. You know that powerful question, Am I secure or am I more secure than the last quarter? The board keeps asking that question, and it's really hard for CISOs to answer. We're gonna give them a higher level analytics. Think of it as the BI of cybersecurity. They can basically answer a question like, what's my ransomware risk? Am I doing better than last year? You know, what's my grade overall? Maybe I'm a B plus, but where should I focus? Oh, you're a C minus in cloud, or you're a D in OT. You have to spend more time there.
You got to raise your SLA. Then, you know, who's doing well in the company? Is North America better than Europe? Right. Who's trending better? How do I compare to my peer? All these very powerful, you know, cyber management questions. We'll give you the analytics for that as well. Let's go back to the data. If we are really a platform, you know, what we think is important to do is ingest more data. Look, the attack surface is huge and keep expanding. You know, we're not gonna be able to do everything and be everything to everyone. We need to be able to ingest external data. We'll ingest external data from our customer that basically drive more insight, that refines these two types of analytics that I mentioned before.
All right, I want to talk about this attack pathway because, you know, every platform needs a killer app. We think it's the killer app. I'm gonna give you an example. I'm gonna bring, you know, let's look at something very familiar to us. We have Joe. Joe is working from home. What do we know about Joe? Well, Joe is under attack. Organized crime is going after Joe because he's basically at home alone, and they want to spread ransomware. They want to compromise Joe to spread ransomware. Let's bring our first data set. Let's bring VM data. What do we know about Joe? Well, we know that Joe has really bad hygiene. Unfortunately, Joe never, you know, patched his laptop, and he's vulnerable to a ransomware malware attack. Right?
Vulnerability that the bad guys are using to basically break in. We know that Joe is toast. Joe is gonna be compromised. That's the first data set. Let's now add the Active Directory data set. What else do we know about Joe? Well, we know that Joe works from home, so he's part of a group called the remote user group. Unfortunately, what AD also tell us is that, you know, well, there's a slight misconfiguration because we put all the users that can do remote access in one group. Which means that Joe, therefore the bad guy, can access my very critical Windows server. Now, this is really bad because other admins, domain admins access that server. In memory, I'm gonna go different techniques.
I'm gonna be able to steal this admin credential, elevate myself as a bad guy, and now I can take over the domain controller. I'm king of the castle at that point. Bad guy has taken over the network. By the way, that is a traditional ransomware attack, right? Two data sets, you can see the insight of correlating that data together. Now, one data set cannot do it. You needed to do this. You needed these two data set together to drive such insight. Can we do better? Oh, you bet we can. What else do we know? Let's go back to that critical server. I'm gonna check my Nessus scan and then what do I know about it now? Well, I know that that server is a special server. It's a VPN server, meaning it enables remote access to something else, another domain.
From the AD data, the same two data set, I know there is a trust relationship between, you know, the current domain and that new domain. Oh, boy. That means that the bad guy who's master of the first domain is now a privileged user on that second domain. What's in there? Oh boy, oh boy. This is my critical infrastructure. Great. Let me bring the OT data. What's in there? Now with the OT data, I know the assets. I know they can communicate to each other. Unfortunately what I'm discovering is that Mr. Bad Guy can now put ransomware not only in the IT network but all over the control network, right? That remote workstation, the historian, he can put malware everywhere. Wow. Three data set, two major attack pathway. Of course, you know, it's the product guy telling story.
These kind of things would never happen, right? Oh, but it did happen. Yeah, it's pretty much what happened with the Colonial Pipeline. I want you to reflect for a second here. This is really powerful stuff. The first power here is I don't know anybody else who can do that. It's simple. You have the data or you don't. We have the data, so we can drive this insight, right? This attack pathway, it's huge information. Now, the more subtle aha, if you want, is like this insight of bringing the data together actually make every single product better. I promise you, there is no other OT product in the world that would be able to say, you know, my biggest vulnerability in my OT network is actually that external server, VPN server, right? Because you don't see it. Right?
My AD, right, fix that trust relationship, please. You know, don't go home. Then my VM data, right? If there's one thing you do tonight, right, before leaving the office for the weekend, fix that MFA vulnerability, right? You would not know that without putting the data together. Very powerful. Where are we? Well, we've done a lot of work already. We're almost there. In fact, we're gonna launch the new EP again at our sales conference early February. Since the data is better together, well, there is no reason not to put all the product, all the data into EP. We're gonna add Tenable.ad, Tenable.cs, the new cloud security solution, and Tenable.ot to the EP platform. We'll introduce the first attack pathway-based analytics based actually on Active Directory pathway.
Middle of the year, we will enhance the analytics, extending them to the entire data set. We'll also introduce attack pathway for the cloud. Remember the context? We see the attack pathway, the context for cloud security. Finally, by the end of the year, we'll select very strategically, you know, external data feed, right? External data that can really enrich and improve our analytics. That's the plan. Which brings me to the conclusion, right? Three amazing opportunities. I told Amit I would join the company that only had one of those. They're all synergetic. They're all complementary. Like Amit, I would like to leave you with one thought, right? That thought is data as a platform. See, technology ages. Content, people can copy it, imitate it. Data, data is hard to come by. Data never age, right? Never ages.
Data is a powerful competitive advantage. Think about that flywheel. The more we're successful, the more we grow, the more data we have. By the way, we are successful. We are growing. The more data we have, the more differentiated, the more competitive advantage we have. The full flywheel. Maybe I'll use the kaleidoscope in another way. Take that kaleidoscope and look inside, right? That Tenable kaleidoscope. I hope that you now see something new, something really powerful, something really unique. Tenable as a cyber data platform. Thank you.
Thank you, Nico. We will take a 10-minute break, and then you'll hear from Mark Thurmond, our Chief Operating Officer, and Dave Feringa, Senior Vice President, Worldwide Sales, on our go-to-market and customer success update.
Hello. Welcome back. Mark Thurmond here, Chief Operating Officer of Tenable. It's great to be with you today. Very, very excited to give you some insight and to give you some visibility on the evolving go-to-market from IPO to where we are today. Just a quick little bit of my background. I've been with Tenable coming up on two years, in February 2022. Before that I was with a company called Turbonomic, which was in the application resource management space, recently acquired by IBM. Before that was with a company called Qlik in the visual analytics space. I actually spent 15 years at EMC, close to seven of those years running field marketing and sales for RSA Security and started my career off at Parametric Technology, PTC, in Boston.
Super excited to kinda give everyone some visibility here. I think hearing what Amit and Nico said, I just wanna emphasize this whole platform discussion is amazing on many different levels, right? First and foremost, when you heard from Amit and from Nico on the technology side and all the benefits that our customers and end users are gonna see from actually unifying the platforms and our technology. From a go-to-market perspective, it also simplifies and unifies the buying decisions for our customers. We are expecting significant leverage from this. What I wanna do is kind of walk you through in some detail on how we are actually going to market here at Tenable. The first thing that I want to start off with is really walk through the three very distinct specific sales plays that we drive consistently around the globe.
The first one is the Nessus upgrades. You heard Amit and Nico talk about Nessus. It is such a cool platform to jump off from in regard to the ubiquitous nature of Nessus. If you think about it, pre-IPO, there was over 10 million downloads of Nessus. Since the IPO, there's been over 3.5 million downloads of Nessus. Year to date, we're tracking over 1 million downloads of Nessus. That does a couple things for us. A, it gives us a tremendous flywheel to go upsell and be able to upgrade from Nessus Essentials to Nessus Professional, then onto the platform. What I have found since being here is what's really exciting is the credibility and the brand recognition that we get with Nessus.
I can't tell you how many customer calls I've been on where we're talking to a CISO or talking to an executive on the security side of the house, and they will say the first product they configured, that they programmed, that they used at university or maybe their first job in cyber was Nessus. That gives us an unbelievable amount of credibility with our customer and with our install base. That is a very specific motion that we drive. The second one is being very, very aggressive on new logo acquisition. We range anywhere from 350-400 new logos a quarter. We very much focus in on driving those new logos in very, very specific areas.
When you look at how we go and attack those new logos, it then allows us after we get those new logos and they start off with us, it then allows us to then go into the expansion. When we look at new logos, it's really greenfield, so customers that haven't owned any VM before. When you look at greenfield, it then goes into competitive displacement, someone that might already own a VM solution before. We've got two very distinct selling motions going after those specific new logo motions. Once you get a customer, this is where the exciting part here at Tenable happens. If you think about it, right, over 35,000 customers, this is one of the largest installed bases of all cyber, right? What it allows us to do is expand into those installed base and into those customers.
Two different avenues here. It allows us to expand the asset, so discover more assets. Right? When we close our first new logo with a customer, typically they don't cover all of the assets within their environment, both on-prem and in the cloud. We have an opportunity to now go back with a bigger attack surface and be able to look for and identify incremental assets within that install base. The second part is really exciting in regard to the net new use cases. If you think about the acquisition strategy with Active Directory, operational technology, and now cloud security, this gives us unbelievable opportunity to go back in and have new unique discussions with our customers that are absolutely resonating. We'll talk about the buyer evolution, and we'll talk about how the decisions are actually getting made around these technologies.
You will see it comes back to the platform, simplifies it on so many different levels. When you take a look at those selling motions, Nessus, new logos, and expansion into the install base, that is all underpinned by world-class customer retention. 95% of our revenue is recurring revenue. When you take a look at our net dollar expansion rate, which Steve will cover in the finance portion, is outstanding. This is really one of the key pillars on the success and how we drive the go-to-market here at Tenable. Next slide, please. You think about it. Why do we win? Why does Tenable win? Right? First and foremost, having been in technology for a very long time, what I can tell you is successful sales organizations need technology.
They need unique, differentiated IP from the competition, and that is what we have here at Tenable. Incredible amount of innovation and incredible M&A strategy building out our portfolio. The reason, the number one reason we win is technology, technology. Right? The second one that is extremely powerful is that install base, right? That cannot be understated, the leverage and the opportunity we have going back to our existing install base and driving opportunities as the portfolio continues to get built out. Number three is something that myself, and you'll hear from Dave Feringa, Senior Vice President of Sales, have spent a massive amount of time on here at Tenable. Right? I think we have one of the most highly trained, execution-oriented sales forces on the planet in cyber. Right?
We have spent a huge amount of time training and enabling our core sellers along with our specialist sales organization, which I'll give you more color on. We are extremely metric-driven. Right? There's very specific productivity metrics that we are now driving with sellers. We're looking at how do we qualify deals, right? We're looking at how we identify what the use cases are, who's the economic buyer, how do we move deals through pipeline and through the funnel faster. Very rigorous on qualification. We look at how can we improve productivity. As we hire new sellers, how can we get them to be productive faster with training and enablement? How do we improve our competitive win rates? Something that we are laser-focused on beating the competition, and we are seeing our competitive win rates increase. Improving the average sales cycle.
How can we shrink and get our deals done faster and quicker? All of that is centered around simplifying our marketing message and positioning. Right? We are very much focused on selling what we call value drivers and simplifying the language that we use when we talk to our customers. That has been able to pay off in spades for us as a company. Obviously, you heard recognized leaders, right? The analyst recommendations that we get at this company are phenomenal. What I wanna highlight for the investors and for the analysts, when you see Gartner or you see Forrester or you see Frost & Sullivan or you see IDC ranking us number one or as the leader in those categories, A, it's phenomenal validation.
When you go to the international markets and you're selling in EMEA or you're selling in APAC or Latin America, a lot of the decision-makers will look at those analyst reports before they bring any vendors in. As we continue to drive that type of awareness, and we uniquely differentiate on the technology, that gives us a driver's seat approach in some of those international markets. One of the things when you look at the international markets is we are 100% committed to the channel. We have arguably one of the most incredible partner organizations on the planet, where we have over 1,900 partners globally, allowing us to get footprint, allowing us to grow and expand into new countries, into new geographies very quickly.
Also, the significance in public sector and some of the things, obviously, that, you know, you look at the $1.2 trillion infrastructure package that was recently done, a lot of that money was gonna be earmarked, right, for cyber. Cyber within the public sector or for federal government, but also for state and local government. We have a deep history in the federal government with significant market share. Obviously now with FedRAMP cert for IO, we wanna be able to go to that SC installed base and introduce IO to them now that we have FedRAMP. Now we also have all of those incremental use cases, those opportunities to talk about operational technology, Active Directory and cloud security. Now, when you look at us, we are an enterprise software company.
One thing that we do here very well is look at these four categories as professional services. Again, think of Tenable professional services in two distinct areas. A, we have professional services globally that allow us to deploy once we sell our software, to deploy our software very quickly so customers can see a very quick time to value. The second is we very much want them to get what we call positive business outcomes. Making sure that we use our professional services to drive those positive business outcomes when we're talking about our solution with our customers is critical. The second part is that ecosystem. We do not, and we will not compete with our partners in regard to professional services. Our PS team actually trains and enables a lot of our partners around the globe. We create quick start programs for them.
We create queued up services for them to go to market with, right? That is where we're able to get a lot of loyalty within the channel because we do not compete and we do not fight with our channel. We've got tremendous global support all around the globe. You take a look at that ecosystem, which I hit, and our customer success group, reaching out and having constant dialogue with our installed base are big differentiators from an enterprise perspective. Next slide. Focus areas, right? Dave and myself, we love this. We love to be able to be very direct with our selling organizations and with our partner community. We try to simplify things at every stage of the process. In our view, our go-to-market focus areas and growth drivers break down to five distinct areas.
The first one is we will be adding, and we have been adding sales capacity quota carriers around the globe. We not only are adding core sellers, so core sales reps that represent all the products, but also driving specialized sales force. When you look at the acquired companies around OT, AD, and cloud security, we are building out sales reps and SEs that are true subject matter experts around those distinct areas. While we have phenomenal relationships with the CISO, who is still the primary economic buyer, and when I say economic buyer, he is the executive, or she is the executive that has discretionary control over the security budget. We still have a very tight link into the CISO.
Now with our specialist sales force, we are able to go drive a bunch of influencers, a bunch of folks that can influence a technology decision around OT, AD, and cloud security. This drives overall productivity because our core sellers can continue to sell the core offerings. They can continue to build relationships, navigate purchasing, navigate procurement, work with legal, and then get technical wins done by the specialist organization. You know, you heard me talk about it, right? 86% of those customers that were polled are gonna spend more money on Active Directory. So we want our Active Directory, our AD sales force, targeted to get those technical wins to identify where those opportunities are and then be able to drive those deals with the core sellers. Big productivity enhancer for us. The second one, obviously, we've hit on this, and we will continue, right?
Everyone needs to know how incredible that install base is. Now that we have new technologies to go talk about, and as Nico continues to innovate the platform, this is just gonna allow us to expand within those customers at a faster pace. That is very exciting based on where we are headed from a technology side. Right? Obviously, common sense, maintaining this unbelievably high renewal rate, right? Making sure that those customers stay with us for the journey, which they do. That is a big focus. We will be, along with adding quota capacity, we are hiring across the globe, customer success managers to make sure that we're keeping very high touchpoints with our install base, leveraging the partner ecosystem, absolutely critical. Making sure that we're getting geo-expansion, which I'll touch on when I talk about the ecosystem.
The last part is maybe a little bit tactical, but it is really important, right? I am a big believer, Tenable is a big believer, that compensation drives behavior. So we've taken a lot of effort and time to make sure that we align our compensation plan, so there's no friction internally at Tenable. Then we also look at incenting and giving accelerated commission rates on areas that we wanna drive into our install base and into our net new logos. A lot of time and effort has gone into that. All of this is centered around world-class execution from a go-to-market perspective. Next slide, please. We talked about the global presence, right? We talked about the 35,000 customers. We have boots on the ground, right? In 35 countries. We're adding resources at the country level.
When you look at 2021, we've added employees into Austria. We've added employees into South Africa. In 2022, we're looking at adding headcount and bodies into Korea. We're gonna be expanding our presence in Taiwan. We've added significant headcount in Japan and in India and in Germany. We will continue to build out our quota capacity and headcount globally. Based on that ecosystem, we do business in over 160 countries with that amazing 1,900 partner organization. One thing that I wanna highlight too, when we talk about the partner organization, based on our acquisition strategy and now having the most differentiated technology in regards to OT, AD, and cloud security, we've been able to recruit 200 new partners into our partner organization that was specialized in those areas.
Now they are part of our larger ecosystem, but focused in on those specific categories. That is allowing us to get significant leverage. One area of the business that is really growing, it's arguably from a go-to-market perspective, one of the fastest-growing areas that we are seeing, and that is the MSSP business. By the way, this is global. We've added over 300 MSSPs, and I'll touch on this in a little more detail on another slide, but this is a super fast route to market for us. There are certain regions of the world, say, for instance, LATAM that want to buy, and the majority of their bookings and revenue come through MSSPs.
They could be smaller in size, or they might not have the number of cyber professionals within their companies and enterprise, so they go to an MSSP to cover multiple parts, right, of the security stack. We are doing extremely well within those MSSPs, and we expect that to continue going into 2022. Next slide. Okay, how do we segment the market, right? This is one of those things that might have shifted a little bit since the IPO. It's one of the things that we do. I will give a lot of credit, right, to our sales operations team. We are spending a huge amount of time doing analytics and analyzing our territories, our opportunities within the install base, and obviously our new logos. When we look at it, right, we are predominantly an enterprise software company, right?
We segment our enterprise, which is 3,500 employees and above, and we have direct touch, so SEs and sales reps and channel employees and specialized sellers going into that enterprise customer and working very closely with them. We then have the commercial segment, which is 500-3,500 employees, which is all about inside sales, gaining velocity, making sure that we're communicating with them frequently via our inside sales model. The last part is the velocity in e-commerce. Again, this is a special part of Tenable, right? When you talk about that Nessus install base and that brand awareness, right, we absolutely crush it in that e-commerce and velocity business, right? These are a lot of times we're not touching these transactions, right? They're either coming through e-com or going through our partner community.
All of that is underpinned with a global marketing organization, which is incredible in regards to building pipeline, doing field marketing events, and driving activity. We also have sales development reps that are consistent throughout the globe. Then you can see on the side of the pyramid there, we have CSM coverage, professional services coverage, and channel coverage consistently, again, throughout the globe. This is one of the reasons that we are able to deliver our message around this platform and our technology consistently around the globe. Next slide, please. We talk a lot about the ecosystem, right? Again, when you look at all the different competitors out there, they're in my opinion, in my humble opinion, right, we have the best channel in the ecosystem in cyber, right?
We do a phenomenal job at working with our partner ecosystem, and we think about it in three very distinct categories. The first one is tech alliances. We've got tremendous relationships with Splunk and ServiceNow and IBM and Google that we have deep integrations with to help support our installed base. We're now doing a lot of work with AWS on their advanced technology partner. This is one area that's seen triple-digit growth, and we're gonna continue to drive and execute there. We've got hundreds of integrations into hardware and software platforms to make sure that we can be deployed seamlessly within our customers. What I love to do is measure and track. When you look at tech alliances, how is it contributing, you know, to the bottom line?
When we look at those tech alliances, we have over 20% of our sales and pipeline being built by influence coming from the tech alliances, working with some of those big partners we talked about, like Splunk or ServiceNow, and allowing us to get into accounts and being able to help us influence some of that business. The middle area there, the channel, we hit on this one, right? We are 100% committed to the partners, 1,900 partners growing. Again, you've got to measure it, and you wanna see how you're doing. One of the biggest measurements, right, you wanna look at is channel in. What does channel in mean? Channel in means deals and opportunities that the channel is bringing to you. They're bringing into Tenable, right?
Right now, when we look at year to date, 40% of our business is channel, meaning 40% of our business is coming to us from our ecosystem. That is awesome. Like, that is world-class. We have aspirations to grow that to 50% over time, but that is incredibly high. It is significantly up from the time of the IPO. So the investment and the money that we've done with our partners has paid off. When you look at the Assure program, all you have to do is look to the CRN Annual Report Card, which we were one of few cyber companies that got five stars, right?
Those five stars are all centered around driving incentives and training and enabling your partners, making sure that you're able to help them drive services, and making sure that they have the right benefits and incentives to be able to go grow that business. We have over 8,000 unique product certifications in our ecosystem. Again, think about that a little bit. Rationalize that a little bit. We have an army, right, of partner sales reps and SEs that are certified, trained, and enabled on Tenable. They lead the charge. When they're comfortable and confident in being able to understand our technology and articulate it to their customer base, if they have 50 different products on their data sheet, they're gonna position and sell Tenable because they're comfortable, they're trained, and they're certified. We take a lot of pride in that.
We've also done a lot on the Assure program on automating and simplifying the way they use the portal and the way they engage with Tenable. Very, very powerful. The last part I hit on, right, is the MSSP business. I do expect this business to be unbelievably fast growth, not just for Tenable, but as an industry, I think you'll continue to see MSSPs doing very well. We focus in not just on the top of the pyramid, we focus on the entire pyramid with the MSSPs. We have eight of the top 10 MSSPs are using Tenable. seven of the top SIs are recommending Tenable to their customers. I talk about rapid growth areas, right?
When you take a look at it, not only is it one of the fastest-growing areas from us as a category at Tenable, it is also allowing us to go into countries faster and quicker. The one thing I will highlight here is if you think about our MSSP business to date, it has traditionally been focused on core VM, because that's what we have. Obviously, there's some WAS, some container, right, some Lumin in there, but the bulk of it has been with core VM. When we start now integrating, and we start putting into the MSSP community OT, AD, and cloud security, again, there's an opportunity for significant leverage globally, right? Early, early innings there.
Still growing unbelievably quick, but once the platform plays out, which it will, and we get that, the platform out on that next thing with OT, AD, and cloud security, we're expecting acceleration there in that business. Super, super excited around that part of the ecosystem. Hopefully that makes sense. What I wanna do now is I wanna give an opportunity to Dave Feringa, who's our Senior Vice President, Worldwide Sales. He's gonna walk you through it because he's very close to it. What does that buyer evolution look like? How has it changed and morphed? Then actually give you some examples of actual customer success stories. It has been an abolute privilege and an honor working with Dave over the last couple of years. I'm gonna pass it over to Dave. All yours, man.
Thank you, Mark. My name is Dave Feringa, and yes, I am the SVP of Worldwide Sales for Tenable. I've been here three years, and prior to Tenable, I ran the global sales organization for Trustwave. Prior to Trustwave, I spent 11 years at F5. The last four years, I was their EVP of Global Sales as well. As Mark mentioned, in my section, I'm gonna discuss our approach to the buyers within our customers and how that's evolved. I'm gonna follow up with some real-world customer examples. One thing that's remained. Thank you for the next slide, Anna. Yes. One thing that has remained consistent is our core executive buyer is the CISO, and our most influential technical buyer remains the vulnerability management team. We've successfully worked with both over many years, selling our best-in-class VM solutions.
From these relationships, we've been able to launch into other areas of the security business. As companies adopt digital transformation, the attack surface expands in other areas. The VM team often introduces us and certainly works very closely with us as we go into the operational technology, the Active Directory, and the cloud security spaces, as companies have to assess risk across these areas as well. This has really expanded the number of use cases that we can address. One common theme we've heard from many of our customers is they want a single vendor that can assess and remediate vulnerabilities across the entire attack surface. Companies are trying to reduce the number of security vendors they deal with. They get operational efficiency, and they get a better way to handle risk as well.
One of the main reasons we've invested in the specialist sales organization, and also a specialist engineering team as well, is that within the OT, AD, and CS spaces, we wanna make sure that we understand their unique requirements within these spaces and then tie it back and how it ties back into the overall risk and the overall vulnerability management strategy of the customer. The CISO stays involved. They're the executive buyer, and they want to have a consistent view of risk across all areas of the business. One other positive impact we have seen with new logo customers who currently are not with Tenable is that if we don't have a VM opportunity, you know, they could be satisfied with another vendor or maybe their subscription doesn't run out for a couple of years, we now have other avenues to approach those customers.
We can now talk to them about industrial security, talk to them about OT, Active Directory, and/or cloud security. You know, in the past, we might have been shut out of these deals. Now we've got multiple doors that we can go through and multiple different approaches for those customers. Next slide, Anna. Okay, I'm now gonna go through some real live customer examples. The first one is a very large manufacturing conglomerate up in Canada. Background on this is they were an existing Tenable.sc customer, but they were very, very concerned about the recent attacks in manufacturing and energy, especially the Colonial Pipeline attack. Their objectives were, first of all, they wanted to make sure they secure their assets in their manufacturing facilities because, listen, if you shut down a plant, that could be massively costly for them.
They also wanted to have better risk visibility across not only the manufacturing environment, but they wanted to match it with their current visibility in their IT environment as well, so they have both. Ultimately, they wanted to prevent what happened within the Colonial Pipeline situation. Who was the buyer? The buyer primarily was the CISO. We had many influencers. We talked to plant managers. We talked to the Active Directory team. Also, the vulnerability management team was involved throughout. What did they end up buying? Well, first of all, they expanded their Tenable.sc relationship with us. They bought Tenable.ot for many of their key industrial sites. Finally, they bought Tenable.ad to reduce risk laterally across all their businesses. Why did they choose Tenable?
Well, first of all, we're the only vendor that can provide a unique and unified visibility of both their OT and their IT environments. They love Tenable.ad because Tenable.ad prevents lateral movement across all their many different businesses in case there's a breach. You know what? They've been a very happy customer for a very long time, and that certainly could play a role in us winning this business. The total ACV value of this deal was about $1 million. Next slide, please. Another example, financial institution here in the U.S. This is a very rapidly growing bank who's using multiple vendors for risk-based vulnerability management. Their objectives were they wanted to reduce risk by consolidating multiple vendors into one, and they wanted to make sure they did business moving forward with a vendor that could scale with their growth.
They wanted to make sure they improved operational efficiency. They wanted to make sure they had a predictive cost model for future growth. As we talked about a little bit earlier, as Mark mentioned, technical integrations were really important, and our integrations with Splunk and ServiceNow were critical to this opportunity. We primarily dealt with the CISO and also the VP of security strategy. What did they end up buying? Well, they ended up buying Tenable.ep, the exposure platform that Nico talked about earlier. Why did they choose Tenable? Well, first of all, we're the only solution that can provide a complete RBVM solution for them across all of their businesses. They consolidated three vendors into one. They love Lumin.
Not only could Lumin help them improve the way they look at and remediate vulnerabilities, they also could now look at all of their individual banks and all of their individual business units, and they can assess risk and the different risk profiles and how risky they are throughout their entire organization. If a certain bank, certain business unit, was not doing as well from a risk profile, they know where they can apply resources, and that was something that was really important to them. EP provided them a predictable cost model for assets, including future solutions. We're actually talking about WAS right now. One final point. A partner actually brought this deal to us. The partner had both executive relationships and also technical relationships within this account.
They literally were with us from the beginning of the process to the end of the sales process. We never would have gotten this deal without the help of the partner, and I think it goes back to what Mark talked about a little bit earlier. We've made a ton of investments in the partner community. Here's a great example where those investments paid off. Total annual contract value was about $200,000. Next slide, please. The last example is a very large U.S. federal agency. As Mark mentioned earlier, we've got a very large and trusted brand within the federal government. This agency was using multiple vendors for vulnerability management. They also had a very large global footprint.
They were looking for a single vendor to basically look at all of their vulnerabilities across their global footprint and to be able to help them with risk across all the different advanced threats that were out there. They needed to have the flexibility of an on-prem solution. They also needed a FedRAMP cloud offering for here in the U.S. Integrations were critical here. Again, Splunk, CyberArk, and ServiceNow. Because they're global, they needed somebody that could support them seven by 24 globally. Who's the buyer? The executive buyer was the branch chief and the CISO. We also worked very extensively with the vulnerability management team. What'd they end up buying? Well, they bought Tenable.sc for on-prem locations, and they bought our FedRAMP version of Tenable.io for cloud. We're also talking to them about Active Directory in 2022. Why did they choose Tenable?
Well, first of all, we're the only vendor that could give them the flexibility of having an on-prem solution as well as the FedRAMP cloud solution. They love VPR. VPR allows them to prioritize how they're gonna remediate critical vulnerabilities. The integrations were really important. Finally, we've got a very long-standing, very strong, trusted brand within the federal government, and I think that played a big role in helping us win this deal. In addition, the seven-by-twenty-four global support was critical as well. The total annual contract value of this was $2.3 million. Next slide, please. I'd like to take a minute and just talk about the Log4j situation. As many of you know, Log4j hit us late last week, and Amit touched on it quite a bit earlier in the presentation. This is a significant security issue that affects everybody.
Tenable's response to our customers has been awesome, from rapidly deploying and developing plugins over the weekend to making a number of videos educating our customers on the steps they need to take to reduce the effects of this, to beefing up our global support to take and answer a number of customer calls. Our response to our customer has really shown the power of Tenable and the power of our solutions. We've truly differentiated ourselves from our competitors. Our competitors don't have the focus, they don't have the breadth and depth of our VM solutions to handle a crisis like this in the way that we handled it. Our customers have been thrilled with our response, and it's great to have a positive impact on their business. Finally, sales team is excited. Like I said, I've been here for three years.
The sales team has never been more excited than they are right now. The innovations that we've made to the products have really expanded the number of places that we can go sell, the number of use cases. In short, the sales team's got a lot more stuff to sell, and they're excited about it. The net result is we're a lot stickier, we're a lot more strategic, we're a lot more valuable to our customers. Finally, as Mark mentioned, we're rapidly expanding our sales team. That creates an incredibly positive vibe throughout the sales organization. It also creates a lot of promotion and other types of opportunities for the people on our team as well. For that and other reasons, we're all really excited to be here at Tenable. We've got a tremendous opportunity in front of us. Thank you, and I'll turn it over to Erin.
Thank you, Mark and Dave. We will take a 10-minute break, and then you'll hear from Steve Vintz, Chief Financial Officer, who will cover our financial update and outlook.
Welcome back, everyone. My name is Steve Vintz. I'm the Chief Financial Officer of Tenable. I've been with the company since 2014. That's over seven years now. Since our life as a public company, I've talked to many of you along the way. I know we have a lot of registrations and attendance for today's event, which is great to see, and I look forward to having even more conversations going forward. I'd like to make a few comments today about the past, present, and future of Tenable that I think will frame the conversation or in the slides ahead. We've been a public company since 2018, and since then, we've reported 13 quarters of growth.
We've accomplished a lot, and a lot has changed for us over the years, but the one thing has not, which is our unwavering commitment to the market and helping our customers solve what we believe are their most pressing security challenges and answering the question, how securely? For us, all of this starts with the vulnerability management market, which we said at the time of the IPO, we wanted to become the undisputed leader. Since 2018, we were not the largest player in the market, but we are today in terms of revenue, and we're the leader on many other fronts, such as total number of customers, number of new customers added in a given year, device coverage, zero-day research.
We've won numerous awards and distinctions and continuously receive recognition from the industry analysts such as Gartner, Forrester, and IDC for our leadership and innovation. Our mandate was never just about VM. It's always been about a larger opportunity in front of us that we call cyber exposure. I'll talk a little bit later about our progress in evolving our business and expanding beyond what is traditionally defined as VM into high growth markets that our customers want us to address, and we are well-positioned to serve. That said, VM is critically important today, and it's our ability to assess exposures across the attack surface that makes us such a value partner to our customers and allows us to expand the relationships. Log4j is a great example of this, as we highlighted earlier.
In terms of financial results, we believe the secular tailwinds in this market will continue to create compelling and durable growth for us. All of this puts us on a solid path to achieve over $1 billion in revenue with very attractive operating and free cash flow margins. I'll cover this in greater detail today. If we turn to the next slide, let's first talk about some top-line metrics that we provide that aid investors in understanding the health of the business. I'll start with Calculated Current Billings or CCB for short, which is a close but not perfect proxy of the underlying bookings in the business. Bookings, specifically ACV bookings, is how we manage the company, how we set and believe quotas, how we analyze performance at the company level.
Now, for our business model, we believe CCB is currently the best metric to determine the future growth trajectory of the company. Alternatively, ARR, annual recurring revenue, doesn't quite capture the full picture as it's largely on an LTM basis and does not properly reflect changes in growth rates in the current quarter. Also, we do disclose the percentage of recurring revenue on our public filings, and we also disclose short-term and long-term RPO on our filings, which tends to align more closely with CCB. That said, CCB does have its limitations and can be impacted by a number of factors, such as the percentage of early renewals invoiced in a quarter. But for now, CCB still makes sense, even with its limitations. Plus, we know investors will calculate it anyway, and we want to provide meaningful context for investors around it.
In terms of new enterprise customers, net new six-figure deals, and net dollar expansion rate, collectively, these metrics, three metrics together, not so much individually, but together, are informative and tell an important story. Let's go to the next slide and talk about our performance since the IPO. As you can see here, we have some historical performance for you, which is notable. Now this starts with a few declarations we made at the time of the IPO, which have influenced our financial results over the years. The first one we've already discussed, which is our market leadership.
In terms of product, in 2018, we said that we expect that Tenable.io, our cloud-based offering, which we launched in 2017, just one year prior to the IPO, will one day become our flagship product and represent over 50% of our new sales. As we've discussed on our last earnings call, that has indeed become a reality. We also said market leadership and product side, we will become free cash flow positive by the time we exit 2020, and we would turn profitable in 2021. We've done precisely that, in fact, earlier than anticipated. Today, we're gonna make a few more declarations that will influence our growth in the years to come.
In terms of historical financial performance, as you can see here, we've 2.5x CCB grown to what we expect on a full year basis to be over 600 million. We've grown revenue 30% and have significantly improved the operating leverage of the business with more to come. In short, we've taken a very balanced approach to growth and profitability. If we go to the next slide, you can see here over the years, we've amassed a sizable base of customers. It's one of the largest in the entire security industry for any company today, which stands over 35,000 paying customers. This doesn't include, it's important to note, it does not include the millions of free downloads of Nessus.
The huge community of Nessus creates competitive mode and is a flywheel into the paid versions of our products such as Nessus Professional or the enterprise products. In terms of new customers, though, we've added hundreds each quarter since 2019, 360 on average, with many greenfield opportunities, and the value of these relationships is expanding. I'll say here, you know, the size of our customer base is really a reflection of the investments we've made to date in adding sales capacity, leveraging our massive network of resellers and distributors. This will figure prominently in our ability to sell our unified exposure platform going forward. It's our history, our intimacy, our credibility, and our knowledge of our customers' needs that allowed us to earn their trust and expand the relationship with them over time.
Speaking of the product platform, let's go to the next slide. Let's discuss how we've evolved the product capabilities over time to help customers in their digital transformation journey and help them secure new areas of the attack surface. Evolution is a big theme for us today, and Tenable's done a lot over the years. As we mentioned earlier, our roots are in traditional VM. Years ago, we sold primarily a vulnerability assessment tool in Nessus, which has become the gold standard in assessing vulnerabilities. With a backdrop of high-profile data breaches, we have invested aggressively in the business, adding sales capacity, becoming 100% committed to the channel, expanding our network of partners, marching into new countries, all of which has allowed us to successfully scale the company.
This was a major evolution for us, going from a 2,000-$3,000 vulnerability assessment scanner to selling an expansive VM enterprise product with $50,000 ASPs closing six-figure deals in the enterprise market. Innovation did not stop there. As we've highlighted for you today, and as Nico said earlier, vulnerability is everywhere, evolves. Over the years, we've launched Tenable.io as well as new products and new features such as web app security, container security, Lumin, and frictionless assessment. We've also been active on the M&A front, acquiring new technology and new expansionary markets such as OT, AD, and security.
While we successfully sold many of these products standalone as an add-on sale to address a specific use case, all these products, when integrated, help us solve a bigger problem for our customers, which is the ability to manage exposure holistically, which we productize in Tenable.ep. It is that commitment to innovation and the expansion of our product portfolio that has positioned us for our next major evolution, which is selling a unified exposure platform. Tenable.ep helps our customers secure more of their attack surface. With an asset-based pricing model, EP today includes Tenable.io, WAS, Container Security, and Lumin, and has an average selling price that is 60% higher than our standalone VM product. EP will expand next year to include AD and cloud. We believe this is what our customers want.
Just like we foreshadowed in 2018 about Tenable.io, we can say today that Tenable.ep, our exposure platform, will be our primary go-to-market motion and become our flagship product in the years to come. We feel really good about making that claim. Let's go to the next slide and take a look at our mix of business and see how it's changed over the years as we broaden our focus beyond traditional VM. Now, as you can see here, you know, we have evolved and considerably expanded and diversified our base of business over the last 5 years as traditional VM, which we define as Nessus and Security Center, is expected to represent 60% of our CCB this year.
While we have a sizable base of customers who use traditional VM offerings, and that base is growing, customers are increasingly choosing our cloud-based products, Tenable.io and Tenable.ep, and related exposure products to secure more areas of their attack surface. It's that 40% of our business that is growing 50%+, which offers a very attractive growth opportunity for us going forward, characterized by what we believe will be higher asset counts, more six- and seven-figure deals, even seven-figure deals, and healthy net dollar renewal rates. Now, this is important. It's not to say that Nessus and Security Center is not important because they are.
These are beloved products that have been in the market for years that has created a clear tech and go-to-market advantage for us that enhances the value of our exposure solutions, which, with hundreds of thousands of plugins and warm leads from Nessus, not to mention the margins here are very attractive, for these products. Perhaps more importantly, it does provide a flexible deployment option for our customers, as most of our customers have hybrid compute environments. Securing traditional assets is critical for our customers, and we will continue to do so, and that will continue to be so, for our customers in the years to come. That said, we have a compelling upgrade path for traditional VM customers who want to cover more areas of their attack surface.
It all starts with Tenable.io, which is the foundation of our unified exposure platform and allows our customers to either purchase other exposure products individually or purchase EP itself. The takeaway here is securing the cloud is a massive opportunity for us and will drive higher mix of business for our exposure solutions as workloads continue to move to the cloud. Let's go to the next slide and talk about M&A. Given the size of the opportunity we are addressing, M&A has a major role to play, not only in terms of our ability to expand into highly complementary adjacent markets and add incremental capabilities, but also with regard to timing, because M&A can and has accelerated our time to market, and time matters in the dynamic markets in which we operate.
We firmly believe that we will continue to need and keep pursuing a combination of organic innovation and targeted M&A to achieve our strategic objectives. Close observers will have noticed a few common patterns in our M&A activity. First and foremost, you know, we've focused on strategy. We have brought in offerings and capabilities, technologies, IP that are focused on specific and priority pain points for our buyers and pain points which our buyers have budget, responsibility, and availability. Second, we have targeted enterprise-ready IP, and we can immediately bring to market with our huge army of sellers and sell back to our base of 35,000 plus customers.
Third, you know, we've had conviction that the capabilities in which we have invested represent an important presence in a secular trend that we believe will drive demand in the years to come, such as the convergence of OT and IT, which we were the first to market with in early 2020 when we launched the OT and IT security platform, or Active Directory, which is a major pain point for our customers and a challenge for them to secure at scale. Or in the case of Accurics, the shift left infrastructure as code, security as policy, and unifying that with runtime capabilities in public cloud environments with automated remediation. Fourth point I wanna make here is that we recognize that Tenable strength comes in the power of its combined portfolio.
We have ensured that acquired capabilities will integrate with and enhance the value of our exposure platform. Finally, it's important to note that we are focused on earlier-stage companies with no or limited commercial capability and no significant base of business. To date, we have not acquired any meaningful revenue. With the leverage that Tenable is demonstrating, you know, the success in sales comes from the combination of strong capabilities and market-leading distribution that we have. While these deals are modestly dilutive initially, you know, as we assume the incremental OpEx of the acquired company and we work to build pipe and close deals and eventually recognize the resulting revenue over the contract term, we are very confident they will be accretive to cash and earnings over time. As you can see here, we've provided CCB dollar thresholds for the full year.
I think the big takeaway is not so much the specific amount of sales that we're doing, but rather we are having success selling the newly acquired tech, not to mention WAS, Container, and other products back into our base. Some of the products, such as OT, our sales force has been selling for, you know, two years now, and others are very new for us, such as Alsid. In terms of top line, the takeaway is we're selling these products with success with our sellers to our customers who have a clear need to address other areas of exposure, and we are just getting started. Let's spend some time looking ahead and talking about the path forward. Let's go to the next slide and talk about growth strategy.
Our strategy for continued growth and success is fairly easy to understand and predicated on a few basic concepts. First, expand relationships with the existing customers. We've talked about the sizable base of our customers and our ability to expand those relationships over time. You know, invest in sales capacity, you know, expand the sales org, and drive higher levels of productivity, lead with obviously the exposure platform. We've talked about how our business has evolved and expanded to address more areas of the attack surface. Of course, M&A, which we just covered more recently here, will continue to play a big role in accomplishing our strategic objectives.
Now that you have a sense of as to how we plan to generate growth, let's go to the next slide and discuss how we expect that to impact the numbers and our expectations of growth going forward. In terms of revenue, it's hard to believe that only a few years ago, we did 188 million in annualized revenue, and today we're talking about a path to one billion in revenue, 1.1 billion to be exact, which we believe we can achieve in 2025, based on 20% annual growth. On a CCB basis, we would expect to achieve the $1 billion mark in 2024, just 36 months from now. In terms of how we're managing the business, we are investing to achieve 20%+ growth.
This is a floor, meaning the minimal growth we would expect, not a ceiling, and I wanna make this very clear. There are a number of factors that give us high confidence that we can achieve this level of scale and growth. Some are secular trends, such as the proliferation of assets and connected devices, the expansion of the attack surface, the adoption of cloud, driving the need to unify infrastructure as code with production runtime capabilities and automated remediation. These represent major shifts in the market for our customers, and Tenable has evolved to help them secure their critical digital assets wherever they may be.
Evidence of this is our ability to transact more six-figure deals, the mix of business and strong growth from our exposure solutions, which have allowed us to grow over 20% even during more challenging economic times, such as the global pandemic. This has also been a catalyst of growth for us in recent quarters as CCB has increased from 20% growth in Q1 to 23% growth in Q2- 25% growth last quarter. In terms of the algorithm of growth, our business model is fairly straightforward. 95% of everything we sell is recurring.
ACV expansion from existing customers, which we have a long history of doing, expanding asset counts, selling more back into our customer base, then add sales to new, you know, to new customers, which is driven primarily by increases in sales capacity, higher levels of productivity, more channel and business, as Mark commented earlier. All of this should give you a very good way to frame our revenue growth going forward. We assume the mix between expansion sales and new sales will not change meaningfully going forward. There's clearly interplay between the two. For example, we're moving to more of a platform sale, so we could see bigger lands than what we've done to date.
We could that could impact expansion rates if EP is indeed a catalyst for capturing more of the customer opportunity up front or EP could in fact be a catalyst for even more expansion as it facilitates an easier way to expand into new asset classes. The point here is the growth algo we are seeing in 2021 is the same growth algo we expect to see going forward. Again, it's worth reiterating that 20% growth is not a floor, it's not a ceiling. We're investing in growth and focus on executing to deliver 20%+ growth. Let's go to the next slide. Now that you better understand our growth trajectory, let's spend some time on the margin profile of the business because it's very compelling.
With 95% recurring revenue, 80%+ gross margins, and high renewal rates, I have a lot of confidence in our ability to expand the margins, both in terms of the operating margin and the unlevered free cash flow margins well beyond current levels. Now, before I make some forward-looking comments, you know, let me address our historical performance because operating leverage to date is commendable. As you can see, in 2019, we had negative operating margins, and we were burning cash while spending 60% of our revenue in sales and marketing. This year, the full year, we expect our operating margins to be 9%, which is up 300 basis points from last year. Our current Q4 guide reflects 5% operating margin, which, how we look at it, is our current run rate operating margin.
As we've previously discussed, it reflects the incremental OpEx we assumed throughout the year in connection with the Alsid and the Accurics acquisitions, which we believe will positively impact revenue growth. In terms of our 2022 margins, worth noting, I'm not gonna go into that today. Consistent with past practice, I'll cover that on our earnings call in February. Now, looking ahead, we are confident in our ability to drive good growth at scale and increase operating and unlevered free cash flow margins in the business. We're not gonna put a timetable to reach our target margins because when we do so and the rate in which we expand the margins each year generally depends on a confluence of factors such as growth, you know, opportunity for investment and the expected return, health of the broader market, et cetera.
That said, investors should take note that we have delivered major operating leverage over the years. Over the last 24 months, we've increased the operating margin by over a whopping 20 points. This has very little to do with savings in sales and marketing and due to travel from COVID. We've built density in key markets over the years, which we've been able to leverage and drive further efficiency in the business. Now, we have always done a good job balancing growth and profitability, but we are focused on growth given the confidence we have in the business and the expanded product portfolio. At the same time, what we are providing you today are higher long-term margins than what we previously anticipated.
Specifically, we have confidence in our ability long term to increase the operating margins to over 25% and increase the unlevered free cash flow margins to over 30%. There's a lot of margin left in the business. We've demonstrated good margin to date. We have confidence these margins will expand over time, despite further investment in the business. In closing, I'd just like to say here if you go to the next slide, that you know we have a clear line of sight to 20%+ growth on a path to one billion. We have expansionary TAM due to the expanding product portfolio, and we're leveraging our huge army of sellers, expansive network of resellers and distributors to capture greater share in this market. We're targeting a rule of 50.
Overall, we feel really good about the business and our long-term outlook. We're excited to be here today to deliver this compelling message. Thank you.
Thank you, Steve. We'll take a 10-minute break, and then we'll finish our day with QA. Please remember to submit your question using the question bar below the presentation window. Welcome back, everybody. We will go ahead and jump into Q&A. Our first question is, are we correct in interpreting that if your vendors don't tell you what to scan for with Log4Shell, we still won't know and won't be able to find related vulnerabilities?
No, we're still gonna be able to identify vulnerabilities on your assets independent of vendor. What will be happening over the next several days and weeks and quarters is that we're expecting thousands and thousands of software vendors, thousands of software products to report that their products are vulnerable based on them embedding Log4j into their product, and they're gonna provide those updates. What we do is automate the process of their notification, automate the building in of those checks into our product, and automate the distribution of those checks in real-time down to our customers, so that when they look at their systems, they'll know, "Hey, this vendor just notified that they've got a vulnerability.
Oh, by the way, here's where those systems are." We can anticipate in the coming days and weeks, there will be thousands of new vulnerability disclosures from different software vendors based on Log4j. We automate that entire process for our customers.
Next, it is clear to me that a web application firewall is not a good solution to block remote execution related to Log4j. However, why do you think CISA recommended organizations to deploy it? Why didn't they tell agencies to deploy a best-in-class VM solution to combat this?
Great question. This issue is pervasive, and just about everybody in the security community has a role to play. I don't wanna say WAF is useless. It isn't useless. It has a role to play. It just has a limited capability. You can stop some stuff using your WAF. You can also block some outbound traffic, but it's not gonna solve this issue, especially as this issue continues to evolve. Hopefully, I think what CISA is saying is, buy yourself some time. Deploy your WAF, deploy these updates. Hopefully, you buy yourself a little bit of time. You can hustle and fix the systems that need to be fixed.
We've been working very closely with CISA on this, and if you look at their vulnerability guidance page for Log4j, you can see that Tenable's highlighted and they link to us, and we're definitely part and integral to how the government's approaching Log4j.
Great. Given the importance of Log4j, how do you see the vulnerability impacting either near term or medium-term growth rates? What products would benefit most from the vulnerability? Maybe Steve can start, and then Amit, you might wanna jump in there. Steve, you're muted.
Well, Log4j is certainly driving higher levels of conversations and engagement with our customers and our partners. We believe overall that, you know, there's a strong spending environment. We're excited about heading into the fourth quarter, which is usually a strong quarter for us, and we'll talk a little more about growth expectations and margins on 2022 on our February call.
Yeah. I'll just add to it and say, listen, we're focused on our mission to help customers understand the security and integrity of their environments. You know, that said, you continue to do the right thing and sometimes things work out in your favor. We have phenomenal capabilities to identify these types of exposures as they emerge. We've got more customers that are both using and trying our web application scan and security check capability as an additional and alternate method for finding this in their environments and also EP as part of their broader protection.
Each of these types of vulnerability announcements for Log4j and the thousands that will follow, we feel, can be a significant catalyst for driving people to mature their VM practices, driving them to mature how they assess and understand, cyber risk, expand to get the full coverage of assets and systems in their environment. It's too early to tell, but I think this is a very different story than we saw from like a SolarWinds type of breach announcement. This is fundamental architecture that really needs assessing and we think that we are best in class at doing that.
Amit, can you expand more on the AD opportunity, the level of customer awareness as to how vulnerable they are and what the competitive landscape looks like for other protected solutions?
Yeah. Listen, I'd say with the rise in ransomware, people have started to realize how at risk and how critical their AD environments are, right? It is critical to the enterprise, it is pervasive in the enterprise, and all of your activities, work from home, cloud, all of those types of initiatives rely on that ground source of truth for identity in Active Directory. We believe our approach is technically superior to anything else on the market. We conduct the deepest audit possible, the best ability to detect new attacks as they emerge against Active Directory. We do it in a very sophisticated and elegant way. You don't have to deploy agents and impede performance on your domain controllers.
We don't rely on Windows logs which, you know, have been falsified or bypassed through things like, you know, example would be like the Mandiant breach or any sophisticated adversary. We think we bring the right approach, the technical rigor with the product, the ease of deployment, the ease of use. I would not be surprised, you heard it here first, if within the next few days you start reading about Log4j being leveraged by ransomware attackers going after Active Directory. This is, you know, again, tidal wave of stuff coming and we think we're front and center in assessing, understanding and helping protect against it.
Next is Infrastructure as Code. Do solutions in this market require a different channel to market? Talk about where you fit versus the DevOps platform providers or traditional code scanning solutions and newer DevOps security-focused solutions versus your broader risk management approach. Is there a difference in enterprise versus mid-market here?
Yeah. Listen, I'll jump on that one, Erin. It's actually, you know, one of the things that we're seeing. There's two things to take into account in regards to this question, right? A, we are still seeing very similar. When you look at infrastructure as code and cloud security, you are seeing obviously similar buyers. We're still starting to see obviously CISO very, very involved in making these decisions and still continuing to have oversight. Again, when we talk about the platform approach and what we're doing around the platform, it's really centered around the CISO having budget control and really making sure that they're involved in a lot of these decisions.
On the DevOps side of the house, one thing that people need to keep in mind when we acquired Accurics, they've got a phenomenal thing, when you take a look at their Terrascan technology, with over 500,000 downloads, which is an open source cloud native application scanner. With over 500,000 downloads already, the dev community already is familiar with this. If you think about Tenable's DNA with Nessus, right? With over seven million downloads, we understand how to communicate to communities, we understand how to gain leverage, and we do think, as Nico highlighted, a vuln is a vuln is a vuln, with our relationships that we've got back at that CISO level, you know, that we'll be able to continue to drive this business at a very effective rate.
We also, you know, picked up a bunch of great subject matter experts with Accurics, and they will continue to help enable our selling organization and the customer base. Feel fairly comfortable with this one. Thanks.
Great. Does having IaC in your CNAPP platform provide substantial differentiation for you? Who do you compete with there? I believe some vendors have invested to have a complete CNAPP platform, others have not.
Okay, Nico here. I'll jump in. Simple answer is no, we don't think IaC scanning is a long-term differentiator. In fact, we think it's table stake. For us, it's an enabler, right? Because the idea is once you can scan IaC, you actually can understand the infrastructure that is going to be deployed. It allows us to understand the infrastructure on the left. What do we do with that? Well, we bring all our know-how, right? All our knowledge, all our tools. Now we can find configuration vulnerability. Now we can find access vulnerability. We're gonna find container and workload that are gonna be deployed, so we're gonna go scan them before deployment. It's really an enabler.
By the way, what's kind of interesting is a lot of people are buying IaC scanning or building IaC scanning from other controls. I think the missing point is these are vendors that started on the right, and I think they can just bolt on IaC scanning, and they are done. The answer is actually you need to start on the left and then build the runtime security from the left because you need. Remember that context, the guy sitting at the table? You need that context, you need that baseline, because otherwise you're gonna have what we have today, which is alert fatigue. You wanna know. You only wanna focus on what changes. You only wanna focus on what's risky. So you want that risk assessment, that baseline to come first before you can do effective runtime security.
That's the way we naturally extend into CNAPP, right? Of course, there's a lot of cloud security vendors. There are big, small, you know, unicorns and the rest. The adoption, the disruption is you gotta start on the left. It's your anchor, it's your foundation. That's what we're doing with Accurics.
Somewhat along those same lines, there are a number of shift left existing cloud and Kubernetes best of breed standalone players. How do you convince the market that you have the right solution approach?
Remember, right, you start on the left, right? Because then we bring everything that Tenable does so well, right? A vuln is a vuln is a vuln, right? This has value because there's a premium on doing security for the cloud early, right? Because in production it's too late. Now you're bringing the best of breed to the left, right? Then you drive this integration. With this integration, you remember we talked about the strength of the go-to-market, right? We're going to our base and basically giving, you know, telling them you're one click away to do cloud security. And by the way, modern future-proof cloud security, cloud security that's done on the left. It's that whole leverage, right? That's the way to compete. It's the go-to-market, it's the customer base, it's the trust, it's the know-how, that on the left.
taking it out of the silo, right? I mean, it's not just, yeah, we've done it on the left, but then through the life cycle of the application, the deployment, the drift, the all the things that are, I'd say, uniquely Tenable capability, best-in-breed capability, and uniting those is just compelling.
Does Tenable need to be integrated into the DevOps developer tools or CI/CD pipeline in order to reach the developer audience versus traditional security professionals? How do you solve that tension between those two groups?
Absolutely. This is why we bought Accurics, right? First of all, the buyer is the same. The buyer is still the security buyer. It's the CISO. DevOps, however, is a very strong influencer. You need to appeal to DevOps, you need to appeal to developers, right? What Accurics brought to us was really, and why we fell in love with Accurics, they brought really two fundamental things. First, they brought Terrascan, right? Developers, they love open source. Terrascan is one of the most successful open source projects around IaC scanning. 500,000 downloads, I think, plus actually. 100,000, you know, developers adopted it. Developers, you want developers to love what you're doing. The open source is super important. The second thing that's important, you don't wanna ask these developers to come to CSPM console, right?
To go find the issue that they have to fix them. What Accurics brought to us are all these integrations. Integration in the code repository, GitHub, GitLab. Integration in the pipeline, right, in the CI/CD pipeline. You know, Terrascan, you know, CircleCI. All these things. Now we have this integration, we can bring all the know-how, all the scanning capabilities to the left. These two things are core, and that's why we acquired Accurics. We wanted that enablement.
Can you give more color on the go-to-market strategy for the IaC service and how you plan to shift left? Are you selling to DevOps or is the buyer similar to Core VM? Do you think the popularity of Nessus gives you any strategic advantage in terms of adoption?
Yeah, I'll take that. It's very similar to, you know, the question I had before, right? I don't think there's any question about it that this is definitely, you know, in our DNA. We know how to deal with obviously these massive communities. You know, when we were going through this process and we were evaluating Accurics and talking, you know, to our customers, a lot of our customers, especially at that CISO level, as I highlighted on, were now having significant amount of input and responsibility, right? This was now significantly much on their radar screen. I think it actually fits very, very well, you know, with our go-to-market. I think it fits very well with the DNA of Tenable based on what we've done in that Nessus community, being ubiquitous and being everywhere.
I do think, you know, from a dev perspective, you know, Tenable's got a lot of credibility. So, you know, I view it as something that is natural. There is some enablement and training that we need to do, but I think it's something very natural from a Tenable perspective. It aligns very well with our buyer, which to me is one of the most important things.
Do you envision Tenable.cs deployed as a standalone solution or will it be typically added on with a Tenable.io purchase? How is it priced relative to Tenable.io? Lastly, can customers that still run Tenable.sc also deploy Tenable.cs?
Yeah. All of our solutions can and will continue to be sold as point solutions for very specific use case. Tenable.cs, you know, recently recognized, you know, by Gartner on the CNAPP side or OT by the very, you know, the slides and the things that we highlighted earlier. We're recognized as best in class by almost every single analyst in just about every single segment that we operate in. Right? We are very aggressively going after these market opportunities. It's really that power, it's the power of that platform, the EP, unifying the user and the directory services, data, insights, and exposures with the understanding of what's happening in the Kubernetes, in the cloud, in the DevOps environments, in the drift.
Tying all these things together in a way that is uniquely empowering Tenable to deliver differentiated insights to our customers and a real understanding of how cyber risk operates and how exploits operate in the real world. We wanna bring that higher level of analytics and differentiation on top of best-in-class products, and you'll see us continue to do that.
How much of the $25 billion TAM can your products address today? Where do you need to make acquisitions to make a larger portion of those TAMs addressable?
Yeah. We're able to address all of that TAM. If you look at we cut back the size of the total identity market to that percentage which we feel is addressable using for our current set of products and capabilities. The same thing on the identity and the clouds piece. We have broadened our TAM. We have best-in-class capability to go after each of those specific TAMs and growth rates. You know, we're very excited, very confident in the addressable market that's in front of us right now.
Great. How will the revised EP be priced with all of this new capability? Are you giving away too much value?
Hi, this is Steve. I'll take that. We have an asset-based pricing model, so when we include more capability in our exposure platform, keep in mind that means we're covering more areas of the attack surface. Since it has an asset-based pricing model, allows us to cover more areas of the attack surface. Today, EP includes Tenable.io, WAS, Container Security, and Lumin, and we're getting a 60% uplift in EP relative to standalone VM. As we add more capability to EP, our expectation is that asset counts will go up and consequently, so will ASPs. Long term, what we could see is even more larger deals here with EP or EP itself since customers are allowed to use licensed assets among different asset classes, could facilitate even more expansion within the customer base.
Either big bites or more expansion or a combination of both, over the course of time.
Can we also get a little more color on how the core VM capabilities allow Tenable to compete effectively expanding into these new areas where there are standalone competitors?
I will take that one. Let me try to give you three answers to that. Answer number one, remember all integration, right? Remember, vuln is vuln is vuln. You know, these three types of vulnerabilities exist everywhere in all environments, right? Integration comes, you know, is really a huge value add for customers. I'll give you a couple examples. OT. Usually in an OT environment, the way you do security, you deploy a network device, and that network device will discover your OT assets, and you will find, you know, it will detect threats. Well, guess what? We integrated our scanner, right? So we can find all the vuln in the same device. Integration adds value. Cloud is another example. Think for a second.
If you have a container, right, and you have gazillions of containers, you want to see all these vuln in one place. You don't want to go to a console to find the software vuln, another console to find the access vuln, and then another one, right, to find the configuration vuln. That integration is a huge benefit for people. Integration, number two. Number three, it is the data, remember? You know, today's security is siloed, and the bad guys are taking advantage of it. What we're doing by bringing the data across the attack surface together is we're breaking these silos. You know, I promise you the next cloud attack will be because of Joe, not because, you know, the cloud has a vulnerability. You know, I will compromise Joe. I'll use AD vulnerabilities to become Mr. Super DevOps. Once I'm Mr.
Secure DevOps, I will go after your cloud asset to vulnerability. You know, that view, bringing the data together, right, I think is the third argument. Again, something that if you don't have the data, you cannot do.
On M&A, which product areas are you looking to expand upon? Also, to be clear, is incremental M&A assumed at all in your long-term outlook?
Yeah, without going into specific, you know, M&A targets and products, I can tell you that M&A is clearly part of our strategy. You know, we love the organic development, the work that Nico and his team are doing. We also feel like we made some great acquisitions that tied very closely to our strategy. We didn't go way out in left field. It's very closely aligned with our view of the world and our conviction and acquisitions which create great leverage and alignment from a technology perspective, the ability for this portfolio to really drive leverage from a technology perspective for our customers. Also leverage and go to market, right? They're aligned with our buyer and that core use case is still the same.
Help me understand my cyber risk, help me understand what to do, how to better manage it, and how to more efficiently reduce it and help me execute on that. M&A is gonna continue to be part of our strategy. That said, we didn't assume any benefits from future acquisitions in today's discussion and outlook.
Yeah, I'll just add to that, which is, as Amit mentioned, the outlook we gave today includes the current capabilities of the company, not future M&A. Also the growth rate that we gave you, the 20% minimal growth, while we're shooting for 20%+, is not a gag. If we over-deliver in one year, you know, our expectations, we wouldn't come back and lower it in the following year. We feel really good, given spending environment, given the expanded product portfolio, and given the size of the opportunity, our ability to grow 20%+ over the course of time without any future M&A capability. Thanks.
How should we think about the pace of your sales and marketing investments over the next 6-12 months?
Well, we talked about this on earnings calls earlier. You know, during the pandemic last year when we had less visibility, we moderated the investments in sales and marketing. At the start of the year, what we mentioned is that we plan to add sales capacity, and we plan investments in sales and marketing. As we made our way throughout the year and growth has accelerated from 20% CCB growth in Q1 to 23% in Q2 to 25%, what we said more recently is that we are planning even more aggressive investment, you know, the second half of the year. This goes along with the increasing confidence and visibility that we have in the business. We certainly don't want to undershoot the opportunity here.
We have a lot of confidence in our business, our expectations that we're gonna continue to invest, and help drive incremental growth.
Yeah, I'll just piggyback on Steve's comment, right? As I highlighted in my presentation, you know, this is something where we are expanding into different countries and new opportunities and adding not just core capacity quota carriers, but also specialist quota carriers to improve overall productivity and be able to get more technical wins. Definitely from an investment perspective, adding go-to-market resources is top on the list. Just wanna add that.
Great. Current gross margin is well above the long-term target. I assume the expected decline in gross margin is due to the increased investment in cloud infrastructure, or is there more to it than that?
I'll take this one. Yes, we're very pleased with our gross margins. You know, something we foreshadowed at the time of the IPO, our gross margins were like 85% plus. We said, "Look, we expect Tenable.io or cloud-based offerings represent a higher percentage of our total sales." I think it was 20% or so of our sales at the time of the IPO, maybe high teens. Today, it's well over 50% of our new sales. Even despite dramatic increases in the mix of business towards cloud, the growth margins haven't moderated all that much. Over the years, what we've done is a really good job spinning up points of presence all around the globe. Initially, these are what we call semi-fixed costs. As we go into new markets, there's an incremental cost.
as we drive additional sales in those markets, they get fully absorbed over time. There's been a lot of efficiencies here that we've been able to deliver over the course of time, despite the expansion, despite the higher mix of business. I think our gross margins have certainly exceeded expectations, and we're very pleased with them overall.
Can you help us think of the uptake for Tenable.ep in recent quarters? If this is expected to be your primary go-to-market and flagship product in the coming years, can you talk the current penetration of your enterprise customer base? I would think the platform helps streamline, simplify the upsell and cross-sell of your portfolio to customers. Do you have evidence of this you'd be willing to share?
Yeah. Listen, I'll take that. We definitely have evidence, right? If you think about it, the cool and exciting thing is it's still early in the journey for EP, right? If you think the way EP is today, as Steve already highlighted, right, a 60% uplift from core VM, right? That's outstanding from a financial perspective. When you then look at it, really, within WAS, Container, Lumin from an EP perspective, that was very limited. Now as we start integrating more of it, and we start talking about AD, we start talking about cloud security, this will be definitely a big part of our selling motion. As all the things that we've highlighted throughout the presentation today, it absolutely is the way customers wanna consume and buy the technology.
It allows them to break down these different silos, not just from a technology perspective to make better security decisions, but also enable them to buy and procure technology at a simpler, quicker, faster pace. This will definitely be part of the go-to-market selling motion. It's something that we talk a lot about with the platform and are very, very excited at the prospects of EP. Thank you.
Great. Our last question for today is, many enterprise software companies have struggled with delivering both growth and profitability. What are the pitfalls you watch out for, and what gives you confidence you can continue to do both?
I'll take that. You know, we have a history of balancing growth with profitability, and over the course of time, we've shown major leverage in the business. If you look at just a couple of years ago, we were spending over 60% of our revenue in sales and marketing. We were burning cash, and we were not profitable. Over the last 24 months, we've improved the operating leverage by over, as I mentioned earlier, a whopping 20 points, and this is despite absorbing the costs of the acquisition. We feel really good about the margin leverage in the business with 95% recurring revenue, 80% plus gross margins, high expansion rates, good levels of productivity. Our expectation is that we're gonna continue to invest. We do know where we invest, there is a clear return.
We historically have delivered good achievement rates and participation rates. That's not the only point of leverage in sales and marketing, more channel business, and more maturing sales force. We got a lot of confidence in the margin profile of the business. Our focus and certainly running for share, capturing more of that share, and investing in the business while we continue our march towards our target margins.
Great. Thank you all for your time today, and I will turn it over to Amit for final statements.
Great. Thanks for joining us today for our Investor Day. We're absolutely thrilled to be able to give you an update on our business and insight into our strategy and financial outlook. We continue to be the absolute best in class in VM, and we're particularly excited as we establish our leadership position in a VM everywhere, inform me about my risk everywhere world. We think we have a unique ability to do so. We hope you found today informative, and we hope you have a wonderful holiday season. Thank you.