Tenable Holdings, Inc. (TENB)

Morgan Stanley’s Technology, Media & Telecom Conference 2024

Mar 5, 2024

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Great! Well, good morning, everybody. Thank you for joining us. My name is Hamza. I'm the cybersecurity analyst here at Morgan Stanley, and with me, I have the pleasure of having the team from Tenable. We've got Steve Vintz, the CFO, and Erin Karney, head of IR. Steve, Erin, thank you so much for joining us.

Steve Vintz
CFO, Tenable

Thanks for having us.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

And before I begin, just a brief programming note. For important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. With that, let's get into it. Steve, maybe before we get more into the weeds, I was wondering if you could briefly talk a little bit about how Tenable as a company, as a platform, has evolved over the last few years. You know, you started in vulnerability management, now you're this broader cyber exposure platform. What does that entail, and what are some of the use cases, you know, that you've added on?

Steve Vintz
CFO, Tenable

So Tenable is the cyber exposure company, which means we help organizations understand and reduce risk. Our roots are in vulnerability management, and that's a really important market, and that's foundational to an organization's overall security program. You know, we're the unequivocal leader in this market. We believe, number one in device coverage, zero-day research, revenue, number of new customers added per quarter, we're adding hundreds, and certainly, size of customer base. But since going public, we've had a broader mandate, which is exposure management.

That's an outgrowth of VM, and today we continue to win and take share in some of the biggest markets in security, not only VM, but also cloud, identity, OT, and the intersection of all those things that we call our exposure management platform, Tenable One, which is helping customers understand and reduce risk and delivering context-aware prioritization with regard to risk reduction. I think, in short, the right way to think about us is operationalizing preventive security, which can reduce risk and prevent attacks. The specific use cases can vary. We can sell our products on a standalone basis to address a specific use case, whether it's in cloud security or even OT or, of course, VM. But increasingly, you know, we've had success selling the platform, which is the integration of all these capabilities and helping customers really prioritize risk.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Got it. Got it. And definitely want to dig more into the platform, but, maybe just high level, what are you seeing in terms of the security demand environment? There's been some of your peers who spoke about spending fatigue, others saying different things, but I'm curious, you know, what, what Tenable has been seeing.

Steve Vintz
CFO, Tenable

Well, you know, lately, there's been some focus on platformization and certainly vendor fatigue, and we agree, those are certainly, you know, themes that play out in customer conversations and partner conversations. But the security market historically has been very fragmented, been best of breed, and over the past couple of years, we've worked hard to integrate a lot of these datasets and a lot of these offerings, and have had success selling a broader platform. You know, I think it's fair to say that the selling environment can be very fluid. We're all running agile companies and, you know, we just announced a successful Q4. We added 500 plus customers a quarter. We saw good demand, strength in Fed, which has been a major tailwind of growth for us this year.

Certainly a stronger selling environment in the mid-market, success with larger deals. So overall, you know, the demand environment remains healthy. Each quarter is different in its own right. But, you know, some of the themes that we've talked about early in the year will continue to play out and are catalysts of growth, potential catalysts of growth, such as FedEx and Cloud Security and continuing to take wins and win share in some of these important markets.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Got it. Erin, maybe to bring you into the conversation, you know, obviously a lot of focus on platform consolidation. I think Tenable has been pretty thoughtful about expanding out its platform, really starting from its core capabilities around exposure management and risk reduction. So when you think about expanding into cloud security or OT or identity, what have you, how is that different from, like, you trying to go from VM into an entirely different market altogether?

Erin Karney
VP of Investor Relations, Tenable

Well, I think alignment's really important. So whether you're talking about buyer alignment or just an understanding in general of vulns. So we come at it from an area of strength, coming from VM. So as we've gone into these other areas, we've kept that, that exposure management vision, that understanding of risk, and whether you're applying, you know, OT, identity, cloud, whatever it is that you're focused on, we can bring that, that understanding.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Great. Great. So a lot of tailwinds right now in cyber, and it seems like you're seeing a pretty healthy demand environment. When you think about some of the drivers, whether it's AI, new SEC regulations, maybe for you, Steve, as a CFO, right, you're responsible for... A lot of your responsibility is risk management. So when you're talking to CFOs about cybersecurity, especially in light of these new regulations, you know, what are you hearing from them? What is the spending appetite looking like?

Steve Vintz
CFO, Tenable

Well, I think there's several drivers of growth in security, and will be over the course of a couple of years. Number one, geopolitical considerations. It's fair to say there's more malicious activity, more targeted attacks, and more bad actors, and often nation-states are behind those. If you think about the threat landscape and how that's played out over the course of time, years ago, a successful breach was really about, you know, taking credit card data, and today, you know, it has the potential to disrupt our way of life, and there's great civilian impact. Think about the breaches with regard to JBS Meat Packing Company, a utility company in Florida, Colonial Pipeline, even Change Healthcare, which Amit talked about more recently.

And it has the ability to impact how we bring food to civilians, how we, you know, impact our drinking water, the flow of fuel, be able to get medicine in the hands of consumers. So the stakes have never been higher, and certainly it's been an area of focus for our customers, securing critical infrastructure. I would say number two would be AI. AI certainly will quicken the pace of innovation, but it also has the ability to disrupt a lot of things, and it's gonna create major reliance on tech, even more reliance in the future. Companies are embracing digital transformation. There's been a proliferation of assets, more devices and connected systems than ever before, and we're just starting that.

So this reliance on the ability to, you know, for transportation going forward, and even things like medicine and restaurants and food prep. You know, it was once said that 40% of all jobs, potentially over the next 15 years, will be replaced by AI. And so with AI comes opportunity, but it also comes responsibility, because we do think attacks will become more targeted and more sophisticated as a result. And the other thing would be certainly regulation, which you mentioned, which is a potential, certainly tailwind of growth here. We have the SEC's new mandates to have greater disclosure and awareness about a company's risk posture with regard to cyber. And you know, we think it's certainly early in terms of the kind of regulation that's still yet to come.

AI presents a lot of opportunities, but certainly some challenges, and there'll be continued focus on governance and risk frameworks and how companies are doing AI more properly. But certainly lots of potential tailwinds of growth and security. Compute has become much more complex. The attack surface has expanded, so consequently, we believe it's certainly early innings for a lot of security companies and certainly a long tail of potential growth here.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Got it. Got it. So Tenable's been a leading share gainer in the vulnerability management for a long time, as it expanded out its platform. An area that you recently expanded more significantly into with cloud security, with your acquisition of Ermetic. Talk to us a little bit about how that came together, and do you think there is alignment between the buyer of vulnerability management and the cloud security buyer?

Steve Vintz
CFO, Tenable

Well, we certainly do, but Cloud Security as a whole, it's a, you know, one of the largest markets in security and certainly has, it comes with, with higher growth potential. If you think about the security market as a whole, Cloud Security market, should I say, I think, whether it's IDC here or some others, the estimates for TAM today range from anywhere from $7 billion for Cloud Security total spend to up to $17 billion. So let's call it $10 billion, plus or minus. I think the largest Cloud Security providers call it $350 million-$400 million, and there's a handful of others that obviously, that do Cloud Security, many other private companies as well. So certainly big market penetration, relatively low. There's not gonna be a zero-sum game where there's one company that's going to win here.

There's gonna be several share gainers, and to us, it's, you know, who wins here in this market is ones that have critical mass, that have addressed a very critical problem, you know, whether it's could be endpoint security, could be vulnerability management, it could be, you know, someone coming from the network side, has a massive customer base and extensive distribution. You know, as we look at the cloud security opportunity, where we're really strong and historically is our infrastructure as code, assessing, you know, the, you know, on the pre-production side. But with the acquisition of Ermetic, we now have a couple of things, and accelerates our roadmap. Number one, powerful CIEM, CIEM, should I say, cloud identity and entitlement management.

We think Ermetic, hands down, addresses one of those complex problems in all of cloud security, which is managing your human and your service identities across your public cloud infrastructure, across multi-cloud, and then visually detecting those identity vulnerabilities with these public-facing, vulnerable cloud workloads. Number two, unified CNAPP. Both a unified and agentless solution that automates asset discovery, risk analysis, and automates compliance and remediation, whether it's pre-production, container runtime, or even looking at the configuration of those workloads, so broader CNAPP. And then the last thing, if you kind of step back, you know, we don't... You know, security is not done in silos, so being able to secure these public cloud environments is really important. But at the same time, our mandate is to address kind of the broader problem, which is helping customers understand their risks.

So more broadly, helping customers understand their software vulnerabilities, identity vulnerabilities, their configuration vulnerabilities across on-prem environments, as well as these public cloud environments, to help reduce risk and prevent attacks is really important. So it's the intersection of all these things and the ability to ingest third-party data. No security company can assess all these different systems across your attack surface, but to be able to ingest all this data that you do on the assessment side, as well as ingest third-party data across other areas, certainly is very compelling. And we think we're early in our journey, with regard to certainly AI and the ability to drive greater insights with all the data that we aggregate and collect.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Got it. And then how does that offering fit within your broader Tenable One platform, is that, are Ermetic now included in that? And can you remind us what the typical uplift looks like when a customer moves from your standalone VM product to Tenable One?

Steve Vintz
CFO, Tenable

Yeah. So for us, we have the ability to sell cloud security standalone, and that's really important to address a specific use case. The use case is typically twofold. Number one, as we talked about, kind of the broader CNAPP offering. And so market, certainly very sizable, penetration is still relatively low. A ton of greenfield opportunity for us to continue to take and win share, selling a broader CNAPP offering. If a company has, you know, an offering, we have the ability to sell market-leading key technology on the identity side. And so while the acquisition of Ermetic is still fairly new, we closed the acquisition in October, and in Q4, we are focused on migrating customers to this new, more expansive cloud platform.

We've already seen opportunities, a ton of opportunities, and have had success to date, selling market-leading key identity and the entitlement management solution, and also having wins with the broader CNAPP offering. So being able to sell market-leading technology in a big market like cloud security, and using that as either tip of the spear to acquire customers or having success selling back into your customer base, is really important. However, as we talked about before, you know, we look at the market through the lens of risk, helping customers answer the question: How secure are we? And so we believe, principally, that cloud security has to be part of a broader offering.

Being able to integrate all these data sets across, you know, and being able to identify assets and threats across all these different systems, whether it's traditional compute environments, servers, desktops and laptops, whether it's industrial control systems via OT technology, whether it's internet external facing assets via ASM, whether it's web applications and certainly these Active Directory environments, being able to integrate all of these vulnerabilities, all of these identities, and integrate that in a way to help customers drive recommended remediation and reduce risk, is really important. So platform is gonna be a continued theme for us. We're getting great traction, larger selling prices, and we're helping assess and secure more of these asset types.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Yeah, and then the other area that you spoke a little bit about was OT security or operational technology security. There's obviously that's been a big area of exposure for a lot of companies, you know, think medical devices or, you know, critical infrastructure. What are you seeing there? And how are some of these recent partnerships? I believe your partnership recently with Siemens, if I'm not mistaken, how is that driving more pipeline?

Steve Vintz
CFO, Tenable

Yeah. OT, we think, is a big opportunity for us, and if you kind of look at. When we say OT, we're talking about these industrial control systems. A lot of companies today have an OT footprint, and so whether it's, if you're, you know, you know, if you're FedEx and you have all these planes and the mail sorting equipment, which has a digital footprint, whether you're Starbucks and have coffee roasters and, you know, your supply chain is all very digital, you know, being able to assess those systems and devices for vulnerabilities and exploits is really important. These companies take a very different approach in terms of how you do the assessment. They have different operating systems, different security protocols, and if you look at how the market has played out, years ago, it was analog.

None of these systems were digital. You know, more recently, they became digital, but air-gap, not connected to a network. Now they're all digital, you know, connected, all interoperable, and certainly has created some challenges for a lot of our customers to help secure those. More importantly, if you look at the responsibility of securing those environments in OT, it has shifted to, you know, the de facto responsibility of the plant manager, which doesn't have particular expertise in cyber, to one where we're seeing, you know, this convergence between OT and IT, where increasingly the CISO has the responsibility to secure those environments. So for us to be able to sell a compelling OT technology, either standalone or part of the broader offering, and we've had success doing that, and being able to leverage our distribution and our massive customer base is important.

And look, more recently, we announced the integration of our OT technology into Tenable One, and I can tell you with some degree of certainty, we're gonna have success closing large deals, in part because of the integration of OT into the Tenable One platform.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Interesting. And Erin, how can—what are some of the metrics that investors can look at to track the broader platform traction that you're seeing? Is it large customer adds? Is it net retention rates? Just remind us, what you're seeing there.

Erin Karney
VP of Investor Relations, Tenable

Yeah. So we put both of those out there. Certainly, customer adds is notable for Tenable One and broadly. Each quarter, we typically talk about how much of new business is Tenable One. It was over 20% this past quarter, and we talked about that. So we do try to put those numbers out there. But net retention, of course, we do look at CCB as our top-line metric. Now, there was a nuance in Q3, for those of you that understand, because of FedEx business, but generally speaking, that is a top-line metric for us. And yeah, I think... Oh, large six figures, that's the one I want to come back to. So we are landing larger customers, and so it's not just the six-figure customer, which we put out there.

We're seeing more seven-figure customers, which is a figure we don't put out there. We're talking about whether we should start putting it out there, but it is notable, and we do talk about it each quarter, that we are landing these large customers and these really large deals, and that traction is just continuing to build.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Wow, that's, that's really impressive. And then when you think about, like, the penetration within your install base, you've got the enterprise customers, then you also have, I think, something like over 3 million Nessus users or Nessus downloads, and Nessus is the, you know, the, the freemium version of the Tenable product. How do you think about the penetration rate of your, of your solution, just more broadly?

Steve Vintz
CFO, Tenable

Yeah, and I would say, so we're unique in the sense that we have a product in Nessus that is so ubiquitous and so loved in security. It's one of the most iconic brands in all of cyber in Nessus, and it's the gold standard to doing vulnerability assessment, to being able to do these scans on your networks. And so there's a free version of Nessus, and there's a whole community of users that use Nessus to identify these vulnerabilities, and they, if it's a zero-day, then they'll write a plugin using the whole Nessus language itself. So 3 million-plus users, we have 40,000-plus customers, and we have our own data science and research efforts. So we're able to scale down from doing something that's free to a paid version, a freemium version of the product. We sell a...

You know, Nessus is, there's a paid version of it that's $3,000, you know, represents about 20% of our total sales, and then consequently, 80% is what we call the, you know, one of the enterprise solutions, which is, you know, the expansive VM solution or one of our exposure solutions, Tenable One or Cloud, Identity or OT. So, connecting the dots on kind of free to freemium to enterprise has been very helpful for us. It's allowed us to scale our customer base and acquire customers cost-effectively, and consequently, investors, I mean, customers can land with Nessus, and then the quantum leap up to buying a larger enterprise platform.

Once they become an enterprise customer, we have success renewing and expanding that relationship anywhere from, you know, our net dollar expansion rates, which we disclose on a quarterly basis, can be anywhere from 110%+ -120%. So, certainly being able to sell more back into our base has allowed us to acquire customers and certainly drive margins higher.

Erin Karney
VP of Investor Relations, Tenable

So one other thing I would say about Nessus, beyond the talking about penetration levels, is the amount of data we can get from this massive customer base, including Nessus, really helps to build that data lake. And with AI, data is... I mean, data is really important for many reasons, but certainly with generative AI, it's becoming increasingly more important, and we, we have more of that data than anybody else, thanks in part to Nessus.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Got it. Got it. Very interesting. Maybe speaking on Gen AI, how are you guys thinking about integrating LLM technology within your product suite, especially when you think about, you know, looking at vulnerabilities and trying to prioritize which one are high risk or low risk?

Steve Vintz
CFO, Tenable

Yeah, it's certainly, it's gonna create a lot of opportunities and challenges in, in cyber. You think about the power of generative AI, it has the ability to consume and ingest anything that's ever been published on you, your family, your business relationships, your company, and create more targeted, more sophisticated attacks. And, we're already starting to see the use of generative AI in malicious activity. You know, it, it's always, you know, I think broadly understood that bad actors will more quickly adopt AI, and we'll see the potential for attacks to increase. You know, but a lot of companies who are sitting on vast amounts of data, like such as Tenable, right?

Leveraging the power of the community with our customer base, with our own data science and research efforts, and the data that we collect across all these different asset types, and being able to apply AI in a way that helps solve a bigger problem, you know, we think we have a competitive advantage. And the right way to think about Tenable is kinda breadth in terms of the areas of the attack surface that we can discover and assess and secure these different asset types, but going deep in terms of the analysis and the insights that we can deliver for our customers.

AI is gonna play a very critical role here, something that we plan to roll out sometime during the course of the year, something called Cyber Asset Management, which takes all of these assets and devices and systems that we're able to discover, also combining that with third-party data that we're ingesting from other providers, and through the power of AI, kinda leveraging that with the context of these vulnerabilities, these misconfigurations and these identities to help customers prioritize remediation and reduce risk. Certainly, we're in the early innings, but certainly companies who have vast amounts of data, sizable customer base, and are gonna be certainly in a position to see higher ASPs and hopefully more pull-through rates on the platform itself.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Great. Last one or two questions, then I'd love to open up to the audience. But, profitability, there's been some pretty significant improvements you've made to your operating margin recently. What is the right balance for you now going forward? I mean, Tenable obviously has a big opportunity ahead of itself, but, you know, your forward growth rate now is sort of in the, the low teens from a revenue perspective. So is it rule of 40? Is it... You know, how do you think about, about that balance?

Steve Vintz
CFO, Tenable

Yeah, so balancing growth with profitability is really important to us and, you know, we're not, we're not a grow-at-all-costs company. I think over the years, if you look at kind of where we started and the investment as a consequence of that, you know, years ago, we were not the leader in VM. We were not number one or even number two in market share. We were a distant third. So over the years, we've invested in the vulnerability management market, have become the clear, unequivocal leader, which is where I started, kind of our talk track at the beginning of this session. And the outgrowth of that, certainly, we've been able to leverage to, to address other, other market opportunities. So for us, investment has been really important. However, we have a responsibility to walk up the margins.

Our growth has moderated, probably like a lot of cyber companies. We've got it to kinda, you know, kinda mid-teens growth. At the high end, it was, like, 44% on the most recent call. I have a ton of confidence in our ability to continue to drive margin leverage. We have 95% recurring revenue. We have 80% plus gross margins. We have a massive customer base, high gross and net dollar renewal rates. For us, we want to strike that right balance. I think the right way to think about us is a rule of 40 company, or a rule of 40 company before. We will be a rule of 40 company again. If you look at the margin leverage over the past couple of years, it was kinda mid-single digits in 2020.

Last year, it was 15% operating margins, higher free cash flow margins. That 15% is up from 10% a year, a year ago. We just guided to 17%-18% operating margins at the beginning of the year, which we think is a great place to start. Certainly, we're gonna continue to focus on expanding the operating margins. You know, our growth strategy, perhaps, is a little different from some of, some of the other companies in, in, in the VM space, in the sense that, you know, we're focused on some of the largest opportunities in all of cyber with cloud, identity, and OT, and of course, the intersection of all those things that we call Tenable One.

But for us, we certainly have the ability to drive growth higher, given the investment we're making in some of these major market opportunities. We're not assuming that will play out this year in the guide. But if our growth continues to stay, you know, at these levels, and we think this growth is certainly sustainable, expect continued margin expansion for us. Our long-term target margin is 25% operating margins. We have not updated our long-term target model, and we plan to do so at our next investor day. But in short, I have confidence in the margins.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Okay, great. Any questions from the audience? No-

Steve Vintz
CFO, Tenable

There's one right there.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Oh, okay. Thank you.

Speaker 4

Hey, guys. Appreciate the time with you here today. I just wanted to ask, you know, as you think about, kind of the relative priority that customers place on their, you know, exposure management investments, right? It's in conversations that I have, it sort of varies on in terms of where it is on the list, right? But generally, there's a few things above it, in terms of, you know, identity or EDR or whatever. Stuff that is really kind of, like, bursting at the seams with attacks and, you know, board-level attention, and things like that.

And I just wonder if you could kinda update us on how you feel about the relative prioritization that you see from customers, how those conversations go, how you try to encourage them, I presume, to, you know, be more proactive, more preventative, instead of only, you know, working on tools that are kind of addressing attacks and things after the fact. Thanks.

Steve Vintz
CFO, Tenable

Sure. Well, there's a couple. If you look at some of the top spending priorities in cloud today or even for, more broadly, CIOs, it's, you know. Certainly, AI is probably top of the list. It's cloud, which includes cloud security, and or, or cloud, and then cloud security. So those are clearly the three top spending priorities. We talked about our roots are in VM, and so VM is a spending priority. Clearly, if you look at the number of new customers that we add each quarter, I think last quarter was 500+. We're very intentional with the metrics that we give investors, as Erin talked about earlier, but, you know, this is not a switching market.

Sure, we're adding and landing new customers with cloud, identity, and OT, but a big part of our new customers come from vulnerability management. So certainly lots of untapped opportunity in VM and, you know, the penetration, even though the market continues to evolve, we're certainly having success there. So certainly VM we think offers good, sustainable, durable growth. If you look at cloud security in particular, certainly that's an area of focus, and we talked about that: sizable TAM, low penetration, and we're getting more at bats, and certainly have a much broader offering, and we believe we'll continue to be successful there and take and win share. And then kind of all these things, which is AI, which is delivering greater insights to our customers.

You have to acknowledge, you know, the buying behavior of customers today, and usually, it's like, okay, when RFPs come in, it's often not like: Give me... I need exposure management platforms. I wanna compare your exposure management platform with some of the others. Exposure management is what we do. It's the intersection of all these things, and we think we're uniquely positioned to do it, and this is a market we believe we own. But usually, these RFPs come in as like, okay, cloud security or identity or OT or even VM. And so our ability to sell the broader platform is grounded in belief that you have to have market-leading technology, have to be able to compete in your, in your own regard, be able to take and win share in some of these markets.

But at the same time, you have to be able to solve a problem that's much greater than just a siloed function, than just cloud or just identity. And that's what, you know, Tenable One is, is helping solve. So for us, we believe that our product offering addresses some of the top priorities in all of cyber, but at the same time, it creates something that's exponentially greater in terms of the, you know, the problem it solves with Tenable One.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Any other questions? Okay, great. I think we'll leave it right there. Thank you so much, Steve, Erin, for your time, and everyone for joining us.

Steve Vintz
CFO, Tenable

Thanks for having us.

Hamza Fodderwala
Executive Director of Cybersecurity Equity Research, Morgan Stanley

Thank you.
