I cover software here at Barclays. I'm honored to have the team with us here from Tenable. We've got Steve Vintz, Chief Financial Officer, also have Head of Investor Relations, Erin Karney, here in the audience as well. So we've got about 30 minutes together. Let's spend maybe the first 20 or 25 minutes doing some fireside chat here with Steve, which I know is gonna be fun. And then we'd love to make this interactive. Anyone that's got any questions, just pop up your hand. We've got a mic runner in the back, and again, we'd love to make it interactive. So with that, Steve, thanks so much for taking the time.
Thanks for having us.
Steve, it wouldn't be a Barclays conference without you. Let's just maybe a level set for us here, Steve. Could you just spend a couple minutes recapping some of the points from last quarter that you were most proud of? I know there were some moving parts, but there's some really good things, too. Why don't you tell us what some of those were?
Sure. Well, we're proud of a lot of things. Pleased with our performance in the third quarter, over $200 million in revenue. Revenue grew 15%. Notable outperformance in the operating margins, $10 million beat. We're on a glide path to expand the margins by over 450 basis points this year, which would bring the operating margins kinda close to 15%. So considerable expansion in the margins on higher levels of productivity. Also really pleased with customer velocity. Even in this market, we're adding 380 new enterprise platform customers. We announced a record number of seven-figure deals, record number of $500,000 deals. Our traction in the enterprise market continues to gain steam. 45% of all of our new sales in the quarter was non-VM related.
VM's a good market, but over the years, we have demonstrated ability to deliver incremental value above and beyond VM in areas like cloud security, OT, identity, which is certainly, you know, making a big, a big difference. 20% of our new enterprise sales are Tenable One, which has higher selling prices. The last thing I'll say here is that our strength in the public sector continues, specifically U.S. Federal, which has a 9/30 year end, and arguably, U.S. Federal Government is one of the most sophisticated cyber consumers in the world. Approximately 15% of our revenues come from public sector, and you know, helped us transact larger deals.
Created a little bit of headwinds with CCB, 'cause not all of those deals are billable in advance, but certainly, gives us the opportunity to sell more software down the road. So trends in public sector was also a major highlight.
Yeah, absolutely, especially being outside the Beltway. No, no surprise there. Definitely a leader in the public sector. Maybe just to zoom out a little bit here, Steve. I mean, Tenable has always kind of talked about the traditional definition of vulnerability management or VM, as being kind of narrow, right? And this idea that sort of assessing risk exposure is really a much bigger market than an IDC or a Gartner, for example, would size. Can you just maybe go one level deeper into that, and kind of how Tenable views this broader risk exposure market, if you will?
Sure. Well, cyber exposure is an outgrowth of the vulnerability management market. And if you look at what we do today, we help companies understand and reduce their cyber risk and answer the question: How secure are we? IT environments are much more complex today than they were years ago. It's no longer about securing servers, desktops, and laptops in traditional compute environments. Today, companies are far more complex as they continue to embrace digital transformation, and we're helping customers secure assets, discover and assess assets across a very broad surface of attack, whether that includes, you know, traditional compute, but also includes today now cloud security, OT, external internet-facing assets, web applications, now even identities, which is a really important problem, not only in cloud but also, in traditional environments.
And really answering the question, as I mentioned before: How secure are we? So, if you look at the VM market over the years, it certainly has evolved. Years ago, if you were an organization that collected personally identifiable information, whether it was credit card data, Social Security numbers, whatever it is, you were required to do an assessment of that system or net server to achieve or meet PCI compliance purposes or HIPAA, perhaps. But given over the years, companies, there's been a proliferation of assets and systems. It's expanded the attack surface. We're seeing more high-profile data breaches, not just on servers, but across web applications. Remember Equifax, across the even SaaS applications, external internet-facing assets.
So as a result, VM has become taken on broader meaning, and so we have broadened the product portfolio over the years to not only assess those traditional compute environments, but also do, you know, newer asset types, whether it's cloud, OT, identity, whatever the case may be. And we also believe, finally, that our strength in VM gives us the opportunity to address a much bigger problem. Security, we believe, is a big data problem. Security is not done in a vacuum, and what we're attempting to do is combine all of the insights that we're able to collect across these different systems and devices, combine the threats, the vulns, the digital identities in a way that helps customers understand their risk more broadly.
Yeah. Yeah, absolutely. Definitely a broader definition there that you guys have been so successful with. You know, I think that one strategic highlight this quarter, you know, I think was the acquisition of Ermetic, which really brings Tenable deeper into cloud security, right? This area of CNAPP. Maybe without getting too deep into the technology, could you just maybe walk us through the strategy behind that deal and why there is synergy between, you know, such a strong sort of cyber exposure business and CNAPP?
Sure. Well, cloud security is, you know, it's certainly a large market opportunity for us.... I'll say first, TAM expansionary. That expands our TAM to well over $30 billion a year.
Wow!
So, customer-driven. You know, we're helping customers understand their exposure across the attack surface. And we're strong in infrastructure as code. We also have an agent base and an agentless solution to help customers that helps monitor runtime environments. But where Ermetic is strong and where it's expansionary is that they have a unified CNAPP solution. And specifically, they automate the asset discovery, the risk analysis, the compliance, and the remediation in these public cloud environments. And they have also solved one of the biggest challenges in cloud security today, which is managing all the identities and the entitlements. That's a big task, both discovering and visualizing both human identities and service identities.
They provide context-aware prioritization that reveals these toxic combinations of privileged access, with public-enabled vulnerable workloads, in a way that drives remediation and helps them reduce risks. So clearly, the two offerings are very complementary. We're strong in areas where they're not. They give us a much broader footprint in cloud. It's one of the largest and fastest-growing TAMs, and we're seeing certainly a lot of customer pull in that regard. We believe that going forward, we'll be able to sell it a number of different ways, sell it standalone, and go head-to-head with, you know, any provider in the cloud security market today on a feature-for-feature basis-
Mm.
but also sell it as part of a broader offering in Tenable One.
Yeah, absolutely. I definitely want to come to some of that pricing packaging later on. But, I want to go back to some of the things that you mentioned earlier. I mean, Tenable has always been such a strategic vendor to the public sector, particularly U.S. Federal. You know, I think you touched on this a little bit, but what are you seeing from the public sector on their willingness to invest in security? And are they looking at broader products now than, you know, from Tenable than they have in the past? Talk to us a little bit about that.
Yeah, I mean, the public sector is a tremendous opportunity, and it not only includes U.S. Federal, but also public sector and government really all around the world. We talked about our footprint over the years. We've been fortunate enough to win some pretty sizable programs in U.S. Federal alone, both on the DoD and the civilian side. As I mentioned before, certainly, you know, one of the most demanding cyber consumers. And success in the public sector, we've seen over the years, has translated to success, in the commercial and the enterprise environments. Over the past couple of years, we've seen mandates from the administration to strengthen cyber defenses, both at the federal level as well as the state, and even encouraging the private sector to do the same.
There's also a number of geopolitical events, as we're all certainly, you know, well aware, where cyber has now become part of military operations and cyber warfare-
Mm.
- and with concerns specifically about protecting critical infrastructure. So given these mandates to spend and strengthen cyber defenses, one of the things we've talked about is, look, we know there's going to be a flow down of dollars, specifically in public sector, U.S. Federal, more particular. But companies, you know, didn't always have perfect visibility at how those dollars would flow down at the agency level. We this year are seeing tremendous, you know, tremendous momentum here closing large deals. And we're not talking about just. You know, these are deals north of seven figures and well above that. These deals are much more strategic in nature. They're part of one phase of a multi-phase project to spend, and our success here is not just really in VM.
As we talked about on this last call, we're seeing, like, a particular emphasis on OT security. And not just at the federal level, but the fed's also back stopping a lot of these states as well, where the states are starting to spend more, whether it's on critical infrastructure like manufacturing facilities or power plants, things like that, or even operational technology, which has been an area of emphasis for us, where we're helping U.S. Federal government really understand their exposure with regard to industry, you know, some of these industrial control systems, designing programs around that, securing critical sites, where we're landing here, and there's an opportunity to spend much, much more. So federal government's an exciting opportunity for us.
There'll be tailwinds of growth, and certainly, we're seeing a lot of momentum this year, transacting larger deals there-
Yeah
... beyond VM.
Yeah, for sure. That definitely came through in the last quarter. Maybe that's a good segue to just touch on some of the moving parts in the last quarter, to understand the, you know, some of the components of CCB. I think what we said on the call was that about $12 million of business didn't get recognized into CCB this quarter, which kind of made that just a little bit less helpful of a metric than it has been in the past. I know you talked about CRPO, and we'll get to that in a second, but can we just break down that $12 million a little bit more, and why, maybe from an accounting perspective, that didn't flow into CCB?
Yeah. Certainly a lot to explain here, and certainly not our favorite topic when we have to talk about professional services and perpetual licenses. But as we said before-
Sorry, Steve.
No, next time you should ask me that question. I'm sure I'll give you a very thorough answer. But as we said before, certainly a sizable footprint in, you know, in the public sector, and historically, they've had a recurrent bias towards perpetual licenses. We sell both subscriptions and perpetual licenses. Perpetual licenses isn't a big area of focus for us, and our sellers actually make less money selling licenses. But what we saw in the third quarter is the level of perpetual licenses and professional services was higher than anything that we've seen before, you know, more than double. The mix of business, public sector, in terms of the public sector mix, was more than double than what we've seen historically, which is really good.
Speaks to our momentum in the public sector and the opportunity to close larger deals. But perpetual licenses for us, under the accounting rules, we recognize not upfront, which is what most customers do. We recognize over five years. That means four-fifths of the contract value for perpetual license is not included in CCB, it's included in long-term deferred revenue. And also because these deals, as I've talked about before, are more strategic, well below above the seven-figure threshold, where we're doing program design and implementation, includes not only the perpetual license, but also higher levels of professional services, which we know makes the product stickier, drives higher renewal rates, more expansion opportunity. Unlike our enterprise customers, where we'll provide professional services, we're able to invoice upfront because a lot of these are productized.
Our arrangement with the federal government is that we can't invoice those until the work is completed.
Right.
So consequently, the higher levels, the outperformance in public sector, which is impressive, resulted in higher levels of perpetual licenses, resulted in higher levels of professional services, which consequently minimally contributed to CCB. And CCB historically has tracked within 1-300 basis points of the underlying growth of the business. We manage the company in terms of ACV bookings, but this quarter was just such a big disparity, you know, because of that public sector dynamic.
Yeah, absolutely. I mean, I think the way that I would think about it is, this wasn't a fundamental demand problem, it was really just kind of how the accounting behind, you know, how some of those contracts came in, which I think is interesting. Maybe the follow-up question there, though, is, you know, do we think that more of this is gonna happen in the future? And, you know, should we start looking more at CRPO as just a more important metric going forward? Or are we still gonna really be focusing on CCB again, as that better long-term indicator-
Mm-hmm.
of the health of the business?
You know, Saket, we try to be, try to provide a level of visibility that, you know, that's important to investors. We disclose CCB, I do it on an annual basis, and we guide to it. I'll come back to that in just a minute. We disclose number of new enterprise platform customers, number of large deals. We disclose our net dollar expansion at the exact rate for the quarter, well, in the quarter, we disclose, which is on an LTM basis. So, excuse me, a lot of data points that we provide that give you the ability to monitor and measure the overall health of business. And we know in a subscription business, the focus sometimes moves from the P&L, but to the balance sheet, right?
Mm-hmm.
People take the change in deferred revenue, current portion of deferred revenue, add it to revenue recognized, and that is a close but not perfect proxy of what you invoice. Again, we manage the company in terms of ACV bookings. There is no one single indicator here that closely approximates the underlying performance of the business. In the past, CCB has been a close approximation. This quarter, a big disparity. We said current RPO, which grew 15% this past quarter, was a closer approximation of the underlying performance of the business, AC growth and ACV bookings. CCB growth came in at 8% because of some of the mix in public sector. I think going forward, we'll continue to monitor and determine what the best leading indicator is.
We know that if we don't talk about it, investors will still, you know, tend to focus on the balance sheet. We rather help shape that narrative, but at the same time, we want investors to know that CCB growth or even if current RPO growth may not reflect the underlying performance of the business. It's one of the reasons this quarter that we raised our guided revenue, we raised our guided free cash flow, and, you know, despite some of the headwinds we saw in CCB-
Yeah.
due to the mix issues.
Absolutely. Absolutely. Let's get some of that accounting stuff behind us now. I wanna talk about a really fun topic here, which is Tenable One, which, I mean, I would really call a game-changing go-to-market strategy for Tenable. And I think this past quarter, I think we said Tenable One, or you mentioned, represented about 20%-
Mm-hmm.
-of new sales in the quarter, I think grew, like, 100% year-over-year.
Yes.
I mean, you guys correct me there if I'm wrong.
Correct.
Right? But can we just recap why this is so compelling for customers, and how it's also driving additional value to Tenable as well?
Yeah. Well, historically, if you look at, you know, the security market, it's fairly fragmented, right? I think there's tens of thousands of private security companies in the world, or total or number of security companies, period. Maybe 80% of them, 90% of them, are less than $20 million in revenue. So it's always been best of breed and characterized by point solutions. And, there'll certainly always be a need for kind of best-in-class solutions, certainly in some markets. But we're seeing more recently, there's a little vendor fatigue, and, we're a big believer in operationalizing preventive security. And it's, yes, our ability to secure maybe traditional compute environments or secure these industrial control systems or maybe external internet-facing assets, public cloud environments.
But increasingly, what customers wanna understand is the intersection of all, all that data, of all those insights that we collect. So we've broadened the product portfolio to help assess different assets across the attack surface, but we've also been hard at work building, you know, this massive data lake and integrating all of the insights, all of these vulnerabilities across all these different systems, combining this with the threats and the identities, who has over-provision access, who can make lateral movements, to come back and provide a likely path of exploit for customers to drive recommended remediation.
And so I think that's a really important problem that we're helping our customers solve, which is, hey, there's no shortage of data in security, but understanding kind of the intersection of all these vulnerabilities and threats with the identities, with all these different asset types to help drive remediation. So, you know, it's Tenable One is a product that we launched last year. We know that when we sell Tenable One, the selling prices are 70% higher, and the growth there has been very notable. And going forward, you know, we're landing increasingly with Tenable One, and it's a way to cover more assets and secure more of those different systems.
Yeah, absolutely. You know, I wanna loop Ermetic back in here. And just for context, I mean, you know, I think there have been other acquisitions that Tenable has done where that have been very natural adds back into Tenable, into Tenable One, right? Sort of that packaging. Maybe the question is on Ermetic: Is this also something that you think gets folded into Tenable One, or is it maybe a little bit of a different sale? Talk to us a little bit about the go-to-market, you know, as you think about Ermetic and Tenable One together.
Well, our go-to-market is really twofold. Number one, for a customer that has a specific cloud security use case, we'll sell you the unified CNAPP solution. Or if it's a, call it a larger customer, perhaps more mature customer, where maybe they have a CNAPP offering that they've built or maybe they want that they bought from a third party, we can sell a standalone cloud security offering specifically to address identity as market-leading key capabilities, cloud identity, and entitlement management. So for a customer that has a standalone use case and a specific need in cloud security, we can address that via CNAPP or the standalone identity product. But however, we also recognize that cloud security is a very important part of your attack surface.
If customers want to understand risk more broadly and aggregate that cloud security data with these different systems and devices across the attack surface, then obviously they would have an inclination to buy Tenable One. We believe cloud security is another layer in security. Tenable One, for us, going forward, represents kind of our mandate since going public, which is to help customers understand and reduce their risk. It's an outgrowth of the VM market, where we're the clear leader. Also going forward, that also means for us that we wanna be able to ingest third-party data. We don't, nor can any security company, secure all these different asset types, right?
It takes a bit of a different approach to the ability to ingest data, whether it's at the endpoints or firewalls or otherwise, and combine that with our own massive data lake to provide deeper and richer insights with regard to risk is, you know, really important. So, we think this is where security is going. Again, we answer the question, how secure are we? Which is, for our customers, a really important one, and this is certainly something that we own with the customer.
Yeah, absolutely. I think it makes a lot of sense. The last 10 minutes, I want to shift to some maybe forward-looking financial questions, right? So I think that I think on the last call, we talked about sort of mid-teen CCB growth for next year as a starting point, right? Let's not call it a guide, maybe as a starting point, right? And I think that what we're doing is we're including some inorganic from Ermetic there. I think let's call it about 2 points of contribution. You correct me there if I'm wrong. And so I think we get organically, let's call it low teens, 13% CCB. You know, you tell me from out of the range.
That growth rate isn't terribly out of the zip code of what Tenable has been doing, has been growing CCB historically. But I think I think it almost implies just a little bit of acceleration in 2024 compared to what we've guided to for year for 2023. Plenty of reasons for why that could be. What are your... You know, what do you want us to know about that? What are you trying to say with that guide or outlook?
Good question. Let's unpack that a little bit. First, I wanna be clear that we're not assuming a stronger demand environment next year. We're not assuming things change, and we're not assuming acceleration. So if you're gonna unpack the guide on this call, 'cause normally we give guidance in February, you know, for the full year after Q4. The fourth quarter is, you know, in terms of absolute dollars, is our largest. That's an important data point to have in hand, so we'll talk about the business, you know, for the full year, next year, in more specific terms on our February call. However, we wanted to provide some directional comments. We said mid-teens growth, whether that's, you know, 14% or 15 or whatever, that, like, we'll figure that out after we have Q4 behind us. So we said mid-teens growth.
If you unpack that a little further, 2 points of growth is expected in terms of CCB growth is expected from Ermetic. So that could be 12% or 13% growth. And if you look at the kind of the compares year-over-year, obviously, we have number one more favorable compares just because of what we saw in CCB in the third quarter, that's roughly a point of growth. And so we kinda look at it and unpack the growth, it assumes the same or slightly or more modest growth on a year-over-year basis. We're trying to set the expectations at the right level, and I think that's really important. And I think we feel good really good about the guide. And obviously, we'll talk more about next year in February.
And also, you have to understand, we've done a good job over the years, you know, at setting expectations and then over-delivering specifically, you know-
I agree
... on the bottom line. So there'll be an ability to hopefully drive margin leverage higher and hopefully gives us the ability to also over-deliver on the top line. This time last year, first half of last year, we were growing 30%. Second half of last year, we're growing 20%. Obviously, this is a new budget cycle, and the macro is tougher, and our growth has been, in terms of performance of the business, kinda mid-teens, and we certainly have an ability to drive higher levels of growth. Don't wanna set that expectation, but we think we're doing all the right things to put us in a position to do that if there's a better macro.
No, absolutely. And I think that really, as you look back historically, a lot of good, prudent approaches to, you know, to forward-looking growth. So totally appreciate the strategy. I wanna spend some time on margins and free cash flow because I think it's just really been an impressive shift that we've seen in the model. So maybe first of all, talk us through what you said about operating margin and just unlevered free cash flow, you know, from sort of a long-term perspective.
Yeah
... or reflection.
Yeah. Long term, we're very confident in our ability to drive continued margin expansion, which is long term, which we haven't put a timetable to, that our operating margins will be 25%+, free cash flow margins will be 30%+. I have, you know, every confidence that we'll be able to achieve it. Our operating margins this year probably be 14%-15%, based on the guide. You know, we're increasing the operating margins by 400 basis points this year alone. We expect the margins to continue to increase, and I actually believe that we have the ability to drive higher levels of growth above and beyond what we priced it previously for our long-term target model. So certainly good, more leverage to come.
Wow. Well, that's really impressive. Now, of course, Ermetic is still a growing business, right? I mean, really big market opportunity, as you said. Just remind us how much that's impacting margins here in Q4, and how do you think about that impact kinda going forward as you drive some synergies from, you know, from the combination?
Yeah, certainly super excited about Ermetic. As I mentioned, their capabilities in cloud are very complementary to ours. In the fourth quarter, we're hard at work at integrating these capabilities and launching a new version of our cloud security offering, which we'll more formally bring to market beginning of next year. So the impact to the top line from Ermetic will be somewhat nominal in the fourth quarter, as we work to close our Q4 pipeline opportunities. In terms of the margins themselves, we expect, you know, the impact on the operating margins in the fourth quarter to be $4 million-$6 million, call it $5 million, dilutive, in the operating margins the fourth quarter.
On free cash flow, roughly, I think we said $14 million-$16 million, so call it $15 million, because it includes the, you know, the lost interest income, 'cause it was a cash deal, and some of the transaction expenses. And I said in terms of next year, it would add 2 points of CCB growth, 1 point of revenue growth due to the ramp. And the activity levels and the engagement from our sales force and customers out of the gate has been overwhelmingly, I'll call it phenomenal, it's been really strong. And then in terms of the bottom line, we said it would impact, call it free cash flow, to the tune of, call it $10 million-$15 million. And we expect it to be accretive in the fourth quarter and,
Mm-hmm
... break even, I'll say, in the fourth quarter in terms of free cash flow, then accretive to free cash flow and operating income through the full year in 2025.
Got it. So kind of short-term pain for long-term gain, basically, right?
Yeah.
And, and-
Again, highly strategic and one of our fastest and growing and largest markets.
Yeah, absolutely. You know, when you kind of put all that stuff together, I mean, you get some really nice free cash flow generation. Maybe the question is: How does the board think about capital allocation? We just saw a nice little-
Yeah
... you know, a nice share buyback here recently. Maybe touch on that as part of the answer. But just broadly, how are we thinking about capital allocation here, given that cash flow that we're seeing?
Yeah. And, you know, one point on the cash flow before I get into the capital allocation is that despite that, with the Ermetic deal, where it comes with some initial dilution, this year, the unlevered free cash flow will be roughly $170 million. Like, our directional comments on the third quarter said point it to $213 million, call it $215 million in free cash flow, despite that dilution, growing the free cash flow, and certainly with the ability to drive even higher, depending on, you know, how, you know, on how the year plays out. And in terms of capital allocation, the good news is, you know, we're a balanced grower, and we're generating increasing levels of cash flow and expanding the operating margins.
We announced a, you know, a stock repurchase plan or program here, a couple of weeks ago, to the tune of $100 million, indefinite time period, but that represents, as I mentioned before, we'll generate over $200 million of cash flow next year or so. I feel like it's a fresh start, dipping our toe in the water, offset some of the share creep and just, you know, over the course of the next few years, as we mature and grow here, you know, we will look to use some more of our free cash flow to offset the full share creep. The market's fragmented. I think we have our head down right now with the Ermetic acquisition, committed to making it accretive.
But certainly, you know, the balance to a share buyback is making sure that you're continuing to add to free cash flow, and you're in a position to, you know, to do things strategically, should you need to do so. The last thing I'll say is, we do have public debt and a credit rating, and recently, S&P upgraded us from, I think, single B to double B.
Yeah, I saw that, yeah.
Um-
Mm-hmm.
Because we considerably delevered the business over the years, so we have a much stronger credit rating, puts us in a position to do some good things-
Mm-hmm
... if we so choose.
Oh, got it. Got it. Maybe another minute or two left here. I've got a couple last questions, but any questions here from the audience? You know, Steve, one question that we didn't touch on is just the competitive backdrop. You know, you've got a competitor that's, you know, maybe going through some of their own sort of exercises, if you will. You know, any comments you wanna make just on sort of the competitive backdrop here, you know, in the business?
You know, we have a lot of respect for our competitors, but when it comes to VM, we believe that we're the clear market leader, largest in terms of customer base, number of new customers, added a quarter, device coverage, a whole host of measures. VM is a really important market that has translated to opportunities in other adjacent markets, such as cloud. And some of these opportunities, whether it's AD, cloud security, you know, ASM, you see slightly different competitors. And so for us, there's a tremendous opportunity ahead, and, we've grown the product portfolio, we play in a much larger sandbox, and, certainly, we have the ability to have attractive levels of growth here, sustainable levels of growth with expanding margins, and, have confidence in our ability to drive price appreciation.
Absolutely. And some great big customers with deep budgets like the federal government, to your point, right? All right, well, I think that's about all the time that we have. Steve, thanks so much for the time. Really enjoyed it, as always.
Thank you, Saket.
Yeah.
Congratulations on your II rating, number one.
Thanks, buddy.