All right. Good morning, everyone. Thank you for joining us. My name is Brian Essex. I'm JP Morgan's security software analyst, and with me today, I have Steve Vintz, CFO of Tenable, and Erin Karney, VP of Investor Relations. I don't know if you guys need to read anything before we get started or no?
No.
No.
We're good? All right. So maybe, maybe the most important question is, how is Amit doing?
Amit's doing well. Some of you may know that Amit recently disclosed that he's been diagnosed with cancer. He started his treatment first week of April. The good news is that he has likely finished his last treatment this past Friday, so he was able to ring the bell, which is great news. We're excited and looking forward to his return to work, subject to confirmatory tests. So pretty, pretty exciting news.
That's amazing, and, he's had a phenomenal outlook, so good, good for him. Glad, so glad to hear that. Maybe with regard to, you know, the company, a good place to start, would be, you know, on the results of the quarter. Just to kind of recap, yours were meaningfully better than your peers. And, you know, how do you see demand in your markets when you encounter your two primary peers? What are win rates like, and what kind of factors drive competitive wins?
Sure. Well, first, for those of you who are not familiar with Tenable, we're the exposure management company. We help organizations understand and reduce their cyber risk. So we have technology that discovers and assesses systems, devices, for vulnerabilities and exploits. And then, across not only the network but also public cloud environment, OT, industrial control systems, external internet-facing assets, and then we're able to aggregate all that data, vulnerabilities, and threats, and the identities, and the access to those systems, and the configurations of those systems, into a singular platform that we call Tenable One, and where we can identify, recommend remediation, and provide a holistic assessment of risk. We answer the question: How secure are we? You know, with regard to Q1 and the demand environment, we're off to a good start for the year.
CCB revenue and earnings all exceeded estimates, which is a good thing. Our expectations, more importantly. We added 400 new customers in the quarter, and we're seeing strength in a lot of areas in our business, but one of which is vulnerability management. We believe we're the unequivocal leader in vulnerability management. It's a foundational market, and you know, we're seeing good demand there. I would characterize the demand in VM as stable. This market tends to be very fluid. Things can change from quarter to quarter, but where we're seeing strength, in particular, is really in the enterprise market. About 60% of our total sales comes from large customers. These are, you know, companies with employees 5,000 and above. And then we also...
About 25% of our sales is in the mid-market. Our definition of the mid-market has changed a little bit over the years. It's roughly, call it 250 employees up to 5,000. Ever since COVID, one of the things we've learned is that we can cost-effectively sell and transact large deal sizes to mid-size organizations over the phone and close even 100,000+ deals. Where we're having success, specifically in VM, Brian, to your question, it's not only in the enterprise market but the upper end of the mid-market, so we're seeing good traction there. Our close rates continue to be very high. We've disclosed publicly before, our close rates generally range between 60% and 70%, closer to the 70% threshold.
So win rates tend to be good as, as our close rates in the quarter, which we've talked about on our earnings call.
Mm-hmm. Yeah, and with that, one of the interesting things you just noted was 400 new customer adds. I think logo adds have been really challenging across the board, not just in VM, but across the board in our, in our space. Is there anything in particular about some of the new customer wins, like any kind of trends you can point to that's leading to some success there?
Sure. Well, you know, our ability to add customers really depends on the core use case. So we have, as I mentioned before, we sell an integrated and unified platform. Includes everything from VM to web application security to cloud security, both pre-production infrastructure as code to runtime environment, and within those public cloud environments, to things like OT, external internet-facing assets. So the ability to sell that as an integrated platform has helped quite a bit. And there's no secret that in cyber, you know, it's a very fragmented market. There's tens of thousands of private security companies all calling on large, established organizations, trying to sell their offering. But we found, principally, that you have to be a leader in a market that matters, of which we're one. You know, VM's a really important market.
And then when we went public in 2018, one of the things that we talked about was really the outgrowth of that market, what we call exposure management, which is the ability to assess these systems, not only just in traditional network environments, but across a broad surface of attack. So selling the platform has paved the way. It results in higher selling prices, and we cover more asset types. We have an asset-based pricing model, so as customers look to place more assets and systems in their environment, increasingly, they turn to us and look for us to help secure and assess more of those systems and devices. We also sell products standalone, so if someone has a, you know, like, a cloud security mandate, we have a standalone and a very broad and unified CNAPP offering...
that automates the asset discovery, risk analysis, and the compliance and remediation aspect of it, and solves one of the biggest problems in cloud, which is the entitlements and identities. So we sell products standalone to address a specific use case, or increasingly, we sell it as a broader platform, and we're having good success as customers increasingly look to consolidate a lot of their spend. And just as example, our largest deal in the quarter was a, you know, a sizable six-figure deal. It was a European manufacturer. It started off as an RFP for cloud security, and we went through the POV, and we won that. And then the conversation turned to, it's like: Well, okay, well, you're strong in VM, so if we're gonna buy Tenable One to do cloud security...
Well, the customer then said: "Okay, well, then you have the ability to displace the current incumbent VM," which we did, and then we also sold OT. So that's a great example of something starting with a singular focus, in an important area such as cloud, and then closing a sizable deal that covers not only cloud security, but also OT, VM, and other assets.
Well, it's interesting that you led with cloud.
Yes.
Who are you, who are you competing with in that case? And, you know, how do they decide on, you know, Tenable to include in that RFP process?
I guess it really depends. Cloud security market is arguably, what? $10 billion ±, depending on what TAM you read or market study you read. Anywhere from $7 billion-$17 billion, so call it $10 billion. You know, the largest player is a private company that's roughly $400 million in revenue, so big TAM, relatively low penetration rate, and there's probably a handful of us that have any level of scale in that market. So when the RFP came in as a cloud security mandate, it can really depend. You know, within cloud security, there's multiple categories. There's infrastructure as code, which is some customers need help assessing, you know, doing the assessing the Terraform scripts.
We do Terrascan, making sure that the programming language to push out the application into a public cloud environment is compliant with their policy. So some customers focus on pre-production-type activities. Other customers focus on identity and entitlements, which we believe is one of the most important problems in cloud, as I mentioned earlier. Understanding the toxic relationships between the configuration of your public cloud environments and the access and entitlements of those, understanding the toxic relationships between access to a public cloud environment and the publicly facing vulnerable workloads. So for us, you know, the mandate, it can vary, but for us, it was a broader CNAPP RFP, which we've won and then was able to displace some of the other incumbent vendors.
Great. Great. And then, maybe on Tenable One for a minute, how often are you leading with your analytics platform? And as you look at your install base, how penetrated is Tenable One into your install base? How much room to run it do you have, just on customers that you've established already?
Yeah, with regard to the latter, we have about, call it 44,000 customers. So we have one of the largest customer bases of any security company, you know, public or private, very sizable customer base. About a third of those are enterprise customers that use one of our enterprise offerings. It could be, you know, Tenable.io, Tenable Security Center, or Tenable One. And so, if you look at our penetration of Tenable One into our enterprise customer base, it's roughly about 10%, so still lots of greenfield opportunity and, you know, lots of runway for continued growth. We've also mentioned that when we sell Tenable One, the selling prices tend to be higher because it's a desire for our customer to do not only VM, vulnerability management, but also something else.
That's usually what compels the purchase, would be VM plus. It could be WAS, it could be cloud security, or OT, or some other types of assets. And so when we sell Tenable One, on average, we see higher asset counts because there's more capability and feature functionality, but also because of the ability to deliver greater insights with regard to risk, the cost per asset is slightly higher. So that results in, what we said, roughly a 70% higher selling price. Now, for us, one of the problems... You know, the problem that we're helping solve is, you know, when there's, you know, a likely path of attack, it's not just usually, "Okay, what was the vulnerability that led to that breach?" It's a combination of understanding the gaps within your security stack.
So yes, we can assess and secure various domains like the network, such as the cloud, such as industrial control systems and other types of assets. But what typically happens is you have to be able to connect the dots between vulnerabilities, threats, identities, and the context of those assets, so you understand the likely path of exploit, and that's usually where bad actors tend to focus. It's usually a path of attack that usually occurs that leads to a security incident.
Got it. And then how should we think about Tenable's ability to consolidate share across your platform, you know, establish a platform, and, and how does that compare with maybe they're not even competitors now, but those that have also evolved from, like, a VM origin? You know, how would you differentiate Tenable versus what you're seeing with, you know, for example, Rapid7 or Qualys, that also originated from VM and have kind of tried to push into adjacent markets?
... Well, I think it really depends on your focus and your origin as a company. So for us, you know, our roots are in vulnerability management. What we do really well is the ability to assess these systems and devices, and there's a lot we learn about that: the operating systems, the configuration of those devices. But we always believed that there was a bigger opportunity, which is to be able to do that across different asset types, so to go broader across the attack surface, and in terms of the things that we can discover and assess. And then also, in deeper in terms of the analytics and the insights that we can deliver. And I do think there is... Consolidation has been talked about a lot in cyber over the years.
You know, we're certainly starting to see more of that as rates have gone up. You know, corporate spending tends to pull back, and you know, customers look at the security and say, "Hey, what we wanna do is drive more utility around vendors that have real scale, that solve an important problem, and that address a critical need for us in a really important market." So why go out there and buy a standalone, you know, whether cyber asset management solution or web app security, when you can get a lot of that feature functionality out of a platform? With regard to our other, you know, VM companies, who are strong competitors, you know, we have different focuses.
For us, our focus has always been helping customers understand their risk and reduce their risk and expanding on that core VM value proposition, whereas, you know, another company may have more of a downward focus, serve a different-size customer. And, you know, different-size customers lend itself to different opportunities, where you can go into things like SIEM, where we partner with a lot of the enterprise SIEM companies, or you can do incident response. So there's things that are not natural for us, for our enterprise customers, that may be more natural for a different-size customer. So we all started in a similar place, but we have slightly different strategies.
Got it. Maybe real quick on the macro. You know, we're halfway through the quarter. I understand that you guys have an extremely back-end-loaded quarter, typically. But, you know, any view you can share on budgets and spending as you've seen it so far? How does it compare to last year, when maybe some were worried about a greater p- greater probability of a recession happening, by the end of the year? And, maybe we'll just start with that, and then, we've got some others to follow.
Sure. So look, in a market like this, we're all running agile companies. Markets can be very fluid, and demand's not monolithic, and so I think that's just something you have to be mindful of. So in Q1, as Brian mentioned earlier, out of the gate, we have a strong start to the year, and we beat expectations. You know, every quarter's different in its own right. You know, some economies are doing better than others. U.K. largely has been in a recession since, you know, since Q4 of last year. Middle East has historically, you know, has been strong. Spending environment remains healthy there. APAC continues to be really good for us. You know, we have real scale in North America.
So overall, you know, we're pleased with what we're seeing out of the gate. The close rates in Q1, close rates on average for us tend to be slightly lower in the first quarter relative to others, just historically speaking. I've been here for nine years. That's just, you know, the historical patterns of the business. But we had some of the highest close rates in the first quarter that we've seen in several years, dating back to Q1 even stronger than Q1 of 2022, when growth was, call it, circa 30%. We also commented on the call that, you know, growth from new logos was also particularly strong this quarter. Look, in this market, new business is tougher to transact, so we're pleased that we added 400 new customers.
But the growth from those new logos results, the ACV growth was over 30%. So every quarter, you know, pipeline opportunities between new and upsell can vary, but this particular quarter, new was strong, which we think is a positive sign. But we see lots of untapped opportunity as we look, you know, kind of into the year, you know, public sector and other areas, we would expect to be strong.
Great. And then we had you on the road in, what, I think March, and, you know, I think you were positive in March. I think you sounded really positive on the earnings call and with federal spending in particular. I think one of the words you used was spectacular. You know, what are you seeing that's making it so strong? I mean, is it, is it the level of visibility that you may have into the pipeline? Is it regulatory drivers? Maybe something else? Would you say there's a greater probability of this spend materializing than other segments of the business? Like, how should we think about the federal vertical for Tenable?
Sure. Well, spectacular is a strong word. I'm not sure if it's in my lexicon. If it was, maybe I had too many Red Bulls before the earnings call. And this is about as excited as I get, as our CEO often says. But I will say that when I would characterize public sector, certainly that's an area of focus for us. For those of you who don't know, about 15% of our total sales come from public sector. That includes federal, state, and local, and certainly higher ed. Over the years, we've won some pretty sizable contracts, both on the DoD and the civilian side, and, you know, U.S. Federal is arguably one of the most sophisticated cyber consumers in the entire world, so success there often translates to success in the enterprise and the commercial space.
Last year, we saw a really strong Fed. Specifically in Q3, we talked about closing very sizable seven-figure deals with a couple of large agencies. And what we saw this year, what we're seeing this year, is that it has the potential to be even better.
Mm.
And not just in Q3, but potentially, you know, the rest of the year. Now, I'm not saying it will be, but it certainly has the potential. One of the differences this year is, you know, where we saw strength in a couple of large agencies on the defense side last year, we're seeing sizable pipeline opportunities and dollars slow down with lots of large federal agencies, both defense and civilian. We're also seeing early signs that fund flows, dollar flows could flow down to the agencies for some of, for some of the smaller agencies. We'll call them even non-essential agencies. So that is certainly a major opportunity for us, and I would characterize the spending environment as healthy.
CR was a little bit of an overhang in Q1, just because there was budget uncertainty, did not get resolved until March, late into the quarter. And the other thing I would comment would be state and local, where we're seeing whole of state opportunities, and states are often backstopped by the Fed. And last year, we talked about winning a sizable state deal with, you know, one of the southern states, where they standardized on Tenable across all of their agencies and municipalities, and there's many more of those. So certainly, we're seeing opportunity there at the state and local level, as well as U.S. federal.
Great. And, you know, AI is something I wanted to touch on if we talk about the platform, and, you know, obviously, at RSA, it didn't disappoint. AI was everywhere you looked. And just thinking about that whole kind of like, you know, risk profile or, exposure level, when you add AI and expand the attack surface, you have to think about the data environment, you have to think about the model environment and the inferencing environment, the usage environment, and the infrastructure that supports all three of those kind of categories. What's Tenable's AI story? You know, outside of leveraging it for your own business, but in terms of the expansion of the attack surface and your ability to address the threats across that surface.
Yeah, well, certainly, you know, AI has the potential to create a dramatic impact on the security industry. Not only, I'll talk about the product in just a minute-
Mm
... but, you know, not only does it help you or can help you become better and smarter in how you identify and close opportunities, we're leveraging AI in a way that says, "What opportunities have a higher likelihood to close?" Is it with large companies or smaller companies? Is it product-based? Is it geo-based? Is it based on industry? Looking at those corollaries, and then obviously, how you support customers and how you do other things. I believe that companies long term will be more profitable because of AI and the ability to leverage data and insights and do things in a much faster and better way, including bringing new products to the market, you know, rapid, more rapid development cycles.
You know, on the product side, I think you're seeing adoption of AI, you know, more so with bad actors and nation states. I think we've even seen our first attacks leveraging AI, you know, as recent as a couple of weeks ago. But imagine a technology that can read anything ever written about you as a person, your family, your business relationships, your company, and be able to ingest that in a way to create a very targeted and sophisticated attack. So, you know, that's where we're seeing adoption out of the gate.
Right now, you know, AI is being leveraged in a way where there's a lot of data that security companies can deliver to a security professional or an InfoSec team, volumes of data, and it's really hard to sort through it and understand what's important and what's not. So, driving higher levels of prioritization, looking at corollaries between unusual usage patterns across asset types, configurations, combining that with access and identities, all the things that we've been talking about today that connect the dots and vulns and threats and identities across a very broad surface of attack, AI is gonna allow us to do that much smarter and much more efficiently.
And we announced our more, you know, more recently, AI capabilities, which is the AI, call it a bot, if you will, where you're entering questions in natural language processing, and you're getting very simple answers as a result. So certainly, there's short-term use cases and long-term, but AI certainly is here to stay. I think companies with large language models are sitting on vast amounts of data. We disclosed more recently that we have over 900 billion aspects of data in various threat, identity, configuration, other data that we've collected over the years. 40,000-plus customers, over 3 million customers, or 3 million users of our free version of Nessus.
So between the sizable community of Nessus users, our paying customer base, all of the data that we've collected over the year, we think AI will be a force multiplier in helping us better secure and customers' environment.
Got it. Super helpful. Wanted to ask you about, you know, one of the kind of themes that's been around the industry for decades is best of breed versus platform, and obviously, you guys are building out your exposure management platform. But when you... Maybe it's, you know, to reference the manufacturing deal that you were talking about before, how do you view Tenable, competing as a best of breed or a platform or both, versus maybe other larger platforms that may also be in those, in those deals? Like, how do customers think about, "Do I go with Tenable, or do I go with a larger platform that, oh, by the way, they also have maybe like VM or cloud security or both?" You know, where does Tenable fit in?
Sure. It's a good question. Look, platform has been talked about for a very long time. It's not new in security. I know this new word that's been thrown around is platformization. And, but, you know, you know, security's been a fragmented market. Increasingly, customers want more capability, more feature, more functionality, more utility out of their incumbent providers. And just given the rapid pace of innovation, there's gonna be new technologies that come in, and new security opportunities. You know, but for us, our mandate is very, has been very simple: leveraging our leadership in vulnerability management to address a bigger problem, which is exposure management, which is the ability to discover and assess assets and devices across a very broad surface of attack, and then ingest all that data.
We're here to help answer, you know, one really important question, which is, that the customer often asks, which is: "How secure are we?" You know, "What is my risk profile? How has that trended over time? How does my risk profile compare to others?" And so, you know, they used to call it years ago, single pane of glass-
Mm-hmm.
Right? Now, it's platform, and now, more recently it's platform, now it's platformization. So for us to be able to integrate more capability into our exposure management platform, deliver greater risk and insight to the customer, help them understand their risk, and not certainly eliminate it, but prioritize remediation actions, we think is a really compelling opportunity. Not necessarily another layer in the security stack, even though we do, we can do that very well for certain technologies. But sitting, you know, on top of and inventorying all of your identities, both human and service, and to be able to combine that with you know, with these critical systems that have really important data, to drive higher levels of assessment and help reduce risk is important.
Platform will continue to be a theme going forward, as will vendor consolidation. But we think we're positioned well to deliver more capability to our customers.
Okay. I have one more, and then I'll open it up for questions if anyone has one, has any from the audience. But, you know, specifically around cloud security, you recently acquired Ermetic. I understand that technology's very good and very competitive, particularly against some of the larger, established, you know, CNAPP vendors in that space. How are you managing that integration, with respect to, you know, integrating that technology and maybe organizing the sales force around that technology? And how worried are you about the potential to disrupt what, what Ermetic has organically?
Yeah, so we're certainly excited about the acquisition. It's very customer-driven for us, which is customers want us... We already do, you know, active scans and in these public cloud environments and look at configurations, but customers very much wanted us to have a broader capability. So we closed on the acquisition of Ermetic in the fourth quarter, and this quarter began integrating. There's some areas where Tenable is just its core is naturally stronger, which is infrastructure as code. And whereas Ermetic has an agentless solution, as I mentioned earlier, that's able to do the risk analysis, the asset discovery, and to drive accelerated remediation and compliance. And where they're particularly strong is really on what they call CIEM, cloud entitlement or cloud identity and entitlement management.
So looking at who has access to what cloud workloads, and to identify, in a very visual way, these toxic combinations. So identify first your most vulnerable public-facing cloud workloads, and then tell me who has access to those, and what are the entitlements to those, and can people move laterally within these public cloud environments, not only with AWS, but Azure? So, the acquisition of Ermetic now gives us a much broader and fully integrated, more, you know, because of the integration that we've done out of the gate here, CNAPP platform. And, for us, you know, we'll be able to sell it tip of spear, to be able to win, or, you know, win deals in their own right.
But increasingly, we'll sell it as part of a broader platform, which we call you know, the Tenable One platform. It is a big opportunity. It's not gonna be a zero-sum game, where there's just gonna be one or two cloud security winners. That's never really happened in security or even in tech more broadly. So, for us to be able to leverage our customer base, drive more utility, and sell more back into our base, as well as continue to land new deals, is gonna be our mandate going forward. So certainly a big opportunity for us, and not to be underestimated, and, we're very pleased with the customer engagement and the response we've been seeing out of the gate. And we did say Ermetic would add two points of growth for us.
We said most of that would be in the back half of the year. There's seasonal patterns to every business, but, you know, in the case of Ermetic, most of, you know, most of the business is, second half of the year, specifically in the fourth quarter. So there's some base of business that we've acquired, but we also have an expectation we'll continue to, you know, be able to sell more into our customer base.
Great. With that, any questions from the audience? Oh, we've got one over... Do we have a mic?
Yes.
Yeah, so we'll have a mic come over, and maybe you can use that.
Hi, just wondering on the CNAPP platform, do you use a runtime agent for workload protection? If not, how do you compete with the likes of Wiz that have that more real-time visibility and threat detection?
Yeah. So look, I'm the CFO, and I'll stay in the shallow end of the pool here. But, you know, what I will say is, our CNAPP offering is both agentless and agent-based. The agent-based is just basically what we do. We, you know, we assess, you know, and scan in these public cloud environments. On the agentless side, we do have it. Now, our ingest engine is, you know, roughly, what is it? I wouldn't call it. I wouldn't characterize it as real-time. I'd characterize it as near real time, which is kinda like roughly 10 or 15 minutes. So yes, we have the capability to do that, ingest in near real time, do it in an agentless way.
We also have frictionless assessment in our core VM capabilities that we also apply into these public cloud environments as well. So, and for those of you, you know, this acronym soup in CNAPP. CNAPP includes everything from infrastructure as code, the pre-production, pushing applications out into the environment. Then CSPM, which, where a lot of the spend in cloud security has been to date, looking at the configuration of these public cloud environments, then monitoring runtime, and then looking, you know, doing detection and response really at the perimeter. So, a very broad set of capabilities, and of course, you know, we believe one of the important problems here is, is CIEM, cloud identity and entitlement management. So, a broad set of capabilities within CNAPP, and no one's done innovating. Well, everyone's gonna continue to develop new capabilities organically and inorganically.
Mm-hmm. Great. I think we had another one over here.
Thanks for taking my question. You guys have obviously had some impressive organic growth, and was wondering if you could give any color around the breakdown of that growth rate in terms of, you know, new customer adds, wallet expansion of current customers, and any pricing you guys take. Thank you.
Sure. Well, a simple way to look at us is, and we disclose a lot, so there should be a lot of transparency and visibility into our business. We disclose the number of new customers. Last quarter, we added over 410. We also disclose the, on a quarterly basis, the net dollar expansion rate, which is calculated on an LTM basis, but historically, it's been roughly around 110, plus or minus. This most recent quarter was 109. And then we disclose the number of net new six-figure customers, and about 96% of our revenue is recurring. So the simple way to look at it is just take our net dollar expansion rate times 96%, and that's growth from your current customer base, and then add...
And then, look at our total growth, and the delta of that is really coming from new customers. So in short, you know, about roughly half or a little more is coming from our current customer base, and the other half is coming from new customers, new opportunities, customers we've never had a relationship with.
Great. Any others from the audience? I have more. Maybe just we've got a couple minutes left. I wanted to ask about the cost rationalization that you've done. I mean, you've done a great job delivering margin expansion well over expectations for the past few years. Where would you say the cuts have come from primarily, and do you feel as though the focus on margin is a growth constraint as you look out to, you know, potential growth for the company?
Well, I would. First, we're a balanced grower, and so we've always done, I believe, a good job balancing growth with profitability. Look at the free cash flow margin, unlevered free cash flow guidance that we gave this year. We said $220-$230. That's roughly, what is it? 20%+ unlevered free cash flow margins. We're growing our guidance for CCB somewhere around the mid-teens, and that's where, call it in the teens, and that's where revenue's growing. And so, if we look at it, we've invested in sales and marketing over the years, which is important to do. We have very sizable distribution. We sell in 160 countries. We have feet on the street in 40. And then, as I mentioned, we've broadened the product portfolio over the years.
So doing traditional VM, now doing web app security, OT security, cloud security, ASM, external internet-facing assets. And sometimes when you go bring new capabilities to market, there can be slightly different market dynamics and slightly different competitive set, and so that can necessitate what we call overlay sales reps, specialty reps. So over the years, you know, we've invested in these specialty reps to help us sell and be successful selling some of these products, whether it's part of the platform or, or more so standalone. But more recently, what we've seen over the past year and a half, two years, is that there's been less reliance on a lot of those specialty reps, that some of these specialty products, cloud security, OT, things like that, are now become more mainstream, where our core rep is having success selling and placing less reliance on those.
So the cost actions we took at the beginning of the year reflect our ability to mainstream those products. We are now moving kind of away from having overlay reps in all these different products to having more specialty reps. And so that's been created some efficiency for us.
Mm-hmm.
We said this year that we expect sales and marketing expenses as a percent of revenue to be roughly, call it 36%-37%. That's creating some natural leverage in the business. Look, our long-term margins, we haven't updated our long-term target model in some time, but it calls for 25% operating margins and roughly 30% unlevered free cash flow margins, and I have a lot of confidence in that, and we have the ability to potentially even exceed it higher.
Great. I think we're out of time, but I want to, one, maybe one last rapid fire. You know, is there a one-liner in terms of the, what you think is the most underappreciated aspect of investors' perception of Tenable?
The core VM market is much stronger than people realize and creates opportunities elsewhere.
I think that's great.
All right.
I completely agree with that.
Okay.
I think it's the core VM that allows us to do the broader Exposure Management as an outgrowth of it, and continues to be strong.
Excellent. With that, thank you very much, everyone, for joining us, and thank you, Steve and Erin, for joining us as well.
Thanks for having us.
Thank you.
Of course. Thanks.