All righty. Why don't we go ahead and get started? Yeah, perfect. Hello, everyone, and thank you for joining us for our Growth Stock Conference, and today's session with Tenable. My name is Jonathan Ho, and I'm the Cybersecurity Analyst for William Blair. Our speaker today is the CFO of the company, Steve Vintz. Before we begin, I am required to inform you that a complete list of research disclosures and conflicts of interest is available at our website at www.williamblair.com. With that, I'll hand it over to Steve for a brief overview of the company, and from there, we'll proceed to the actual fireside chats.
Great. Well, thanks for having us today, Jonathan. Tenable is the cyber exposure company. We help organizations understand and reduce their cyber risk. Companies today are embracing digital transformation. There's a proliferation of assets and connected devices. It seems like everything today has a digital footprint, from manufacturing facilities to mail sorting equipment to even traditional compute. And, we have technology that allows you to discover and assess these vulnerability systems and devices for vulnerabilities and exploits, and we're able to do that across a very broad surface of attack.
So our history is really in Vulnerability Management, and we're able to do that in traditional compute devices, server, desktops, and laptops, but we're also able to do that in web applications, cloud environments, public cloud environments, everything from infrastructure as code, assessing the Terra scripts to monitoring runtime and drift, a lot of these applications, looking at the configuration of these public cloud environments. We're also able to do that with industrial control systems. And these industrial control systems, years ago, these complex systems, whether it's manufacturing facilities, or critical infrastructure, were analog, and now they're, and they're more recently digital, but air-gapped, and now they're all interconnected.
So we're able to do that, discover and assess vulnerabilities and exploits across traditional compute, web apps, public cloud environment, external internet-facing assets, and able to do that really across these public cloud environments in a way to connect vulnerabilities and threats to help customers understand their risk. If you look at the security market, historically, spend has been in detect-and-respond type of technologies. Where we're particularly strong is in this proactive, preventative security. And, you know, more recently, Forrester published a report prior to RSA that said, proactive, preventative security is gonna be one of the big themes this year, not only at the conference, but out throughout the year, over the next few years. Gartner has come out and said that Exposure Management is an important practice and discipline.
I think they may even be coming out with an MQ, a little, sometime over the next couple of years. But they said that companies who prioritize their security investments based on Exposure Management are likely to see two-thirds less breaches and incidents. We're seeing security teams create Exposure Management practices, partners and resellers, and try to hire Exposure Management engineers. And so, Tenable, what we're able to do is to assess all these systems and devices, ingest third-party data, combine that with external threat data, as well as data from other security vendors, and connect the dots and highlight a likely path of exploit. So we're the cyber exposure company. This market has evolved quite a bit over the years. Years ago, Vulnerability Management, which is kind of the core to Exposure Management, was largely compliance-driven.
So if you were a company that collected credit card data or personally identifiable information, you were required to do the occasional scan, pen test, or scan of that server or that asset, you know, once or twice a year for PCI or HIPAA compliance purposes. But given the proliferation of assets, the cloud and connected devices, VM has become more foundational and has been center stage into your security program, and the outgrowth of that, of Vulnerability Management, is what we call Exposure Management, which is the ability to do that across a very broad surface of attack. We're very much a global business. We have, we sell in 160 countries. We have feet on the street in 40 countries. We have a subscription model, so 96% of everything we sell is recurring.
You know, healthy gross margins, and net dollar and gross dollar expansion rates. And, you know, we're adding on average, you know, 400+ new customers a quarter. We have 40,000+ customers that we serve, it's one of the largest customer bases in all of security. More importantly, you know, we have a network of partners that help us resell, actually, you know, almost 40% of our total sales are inbound from channel partners. So we're excited about the opportunity. Our mandate, more broadly, is Exposure Management, and Tenable is the Exposure Management company.
Excellent, excellent. So this morning, Tenable made an announcement of an acquisition in the DSPM space. Can you give us a little bit of color in terms of the rationale for the acquisition and any financial details, if possible?
Sure. Yeah, so this morning, as Jonathan mentioned, we acquired a company called Eureka, which is a data security posture management company. And if you think of more broadly, the moniker that Gartner has given cloud security, the market, it's called CNAPP, Cloud Native Application Protection Platform. And data is an important domain within the broader security, cloud security landscape. And what Eureka does is they discover and continuously identify all of your organizational data stores, whether structured, unstructured, managed or unmanaged. And then they also classify and codify that data according to standard data types, as well as custom data types, to truly understand your environment. And then where they're particularly strong is unraveling the access around that data, in your public cloud environment, to identify the access paths, the roles, and the identities that all have access to that data.
And then they analyze that data in real time to determine if users and third parties are using it correctly, if they're using it in a malicious way, if they have the right roles and access around that data. And then they can also identify, you know, threats and incidents in near real time and drive automated remediation. So, data security, we think, is gonna be really important going forward. It's a big problem. Gartner's come out and said publicly that 20% of all organizations in 2026 will have deployed a DSPM-type technology. You know, market's expected to grow at, you know, an annual CAGR of 14%-15% per year.
And for us, you know, data is not only an important domain and a broader security offering that we have, following on the heels of the Ermetic acquisition that we announced in October, a few months ago, but it's also gonna be an important part of our broader Exposure Management platform, which is our ability to secure not only traditional compute environments, but web applications, cloud, industrial control systems, external internet-facing assets. So securing data is gonna be really important, and it's also kind of an important part, an important component to AI as well. The roles, the access, the entitlements around the data, understanding the types of data that you have and the privileges that go with that. So we're very excited. Financial terms of the deal, you know, this is a tuck-in acquisition. Purchase price is approximately $30 million.
So what we're really buying is access to IP and know-how, and we'll be working to integrate it into our broader CNAPP offering. We will not be selling it standalone, as a standalone offering. We think it's best served part of a broader security offering. And we're excited to welcome the Eureka employees into the Tenable family.
Excellent, excellent. DSPM is certainly one of the fastest growth areas within cloud and within the overall cybersecurity space. You know, speaking of threat Exposure Management and the platform that you've built, we've seen, you know, sort of the CTEM moniker, you know, that Gartner's been talking about as a key opportunity, and part of your story. Can we step back a bit and maybe help us understand how the Vulnerability Management has sort of evolved, and, you know, what is involved in sort of the CTEM space today?
Yeah, I think foundational is Vulnerability Management itself. So, you know, we've been talking about Exposure Management for some time, and it really starts with this strong foundation in VM. And we are the, we believe, the unequivocal leader in VM in terms of device coverage, zero-day research, scan time and results, customer base, growth, things like that. So VM is a really important market, but it was largely compliance-driven years ago, and given the proliferation of assets and devices, it's become more foundational, and it's a central part of any broader security program. You know, the outgrowth of that is being able to apply that technology across a broader surface of attack.
So there's a lot that we learn when we do an assessment of a device or system in terms of how it's configured and the type of operating system it has and what version it is. We're able to aggregate all of that data, and the right way to think about us is in terms of breadth of the systems and devices that we're able to assess and secure, right, of the areas of the attack surface. More recently, we've been on this journey in terms of the depth, the insights that we can deliver to a customer.
Helping our customers answer the question, "How secure are we?" By connecting the dots on all these vulnerabilities and threats and combining that with, you know, our identity solution, which helps identify those who have privileged access, who have over-provisioned accounts, those who can make lateral movements. But to be able to connect the dots on files and threats and identities and access, and to highlight a likely path of exploit, that's really important for our customer because it's not... Security is not done in a vacuum. It's not just securing one domain or one type of asset. It's to be able to understand the likely paths of exploit by leveraging a combination of factors. And so for us, leadership in VM has translated to leadership in what Gartner now calls CTEM, Continuous Threat and Exposure Management, which is gonna be an important practice and discipline going forward.
If you walk the floor of RSA a couple of weeks ago, what you'll see is there's probably three pervasive themes this year. One would be of AI, of course. Another would be data security, and third would be really risk and the exposure piece of it. More companies talking about a category that we, you know, created and began evangelizing for some time now, and it's nice to see that it's finally, you know, coming to fruition, and there's a lot of traction here. So a lot of opportunity here for Tenable going forward, and we're very excited about kind of where the market's going, and we believe it's turning directly to companies that are able to help customers understand the risk in a very proactive and hopefully preventative way.
Yeah, if we continue along this evolution journey for the company. You know, we, when we think about Tenable as a platform, what are some of the new components that you've added, and what are the new opportunities that you see ahead, like things that maybe you need to add in the future?
Yeah. So, security is very fragmented. There's probably about 20,000 private security companies in the world. 80% of them are less than $20 million in revenue, and historically, security has always been best of breed. But more recently, what we've seen is that companies are increasingly turning to organizations that solve an important problem for them and asking them to provide more value, more utility, and more functionality. And companies, I think, that have real scale, a sizable customer base, and you know, an important and a good relationship with the customer are we think are the ones that are going to be able to consolidate categories. So we see the opportunity and that we've brought, you know, to consolidate a lot of these different capabilities.
Over the years, you have to understand, too, that we've broadened the product portfolio, delivered more capability to our customers, and began selling it standalone. So selling things like web application individually, or active security individually to serve a specific tactical purpose or even, you know, cloud security and some of its components there. But about a year and a half ago, we launched our exposure platform, which is the integration of all of these data sets, and allowing us to deliver a more expansive platform that serves a broader problem and is able to address a lot of these adjacent security markets. So, you know, Gartner, Forrester, and IDC will, may have market studies and TAM estimates for Vulnerability Management, but separate from that is OT and cloud security and all these things that we're able to address.
So, we've had success being able to sell a broader solution. Matter of fact, 50% of all of our new sales come from our non-VM SKUs, and half of that, so call it 25% of all of our new sales, are with the platform. And the platform for us, we're seeing, because we have an asset-based data license model, we're seeing 70% higher selling prices. So when a customer buys the platform as opposed to buying Vulnerability Management standalone, we're seeing selling prices that are about 70% higher, and that's because customers are using us, using the Exposure Management platform to secure more of these different asset types. And they're also realize that we're able to deliver greater insights, deeper analytics with regard to risk.
So the price per asset that we're able to charge and what customers are able to pay for is higher as well 'cause they're getting the incremental value. So we think platform's here to stay, right? There's not going to be one company that in security that has one platform that addresses all the needs from customers. There's lots of innovation, markets moving rapidly. But where we're really strong and where we've had success is helping the customer understand the risk and answering the question, how secure are we?
Yeah, that makes a ton of sense. And along those lines, how do we think about the expansion of the total addressable market, as well as, you know, does this allow you to tap into new types of budget pools, new types of customers, you know, relative to traditional VM?
Yeah. So, you know, as we broaden the product portfolio, the opportunity has expanded along the way. So today, our TAM, and we haven't updated it for the more recent, DSPM acquisition, but today, our TAM's roughly $35 billion a year. One of the biggest portions of the TAM is cloud security. And if you look at cloud security as a whole, I think, depending on which market study you read, it's anywhere from, call it $7 billion-$17 billion, so call it $10 billion± . There's a, you know, Wiz, I think, is kind of the largest player in cloud security, roughly $400 million of ARR. I think there's a handful of us, maybe half a dozen of us, that have real scale in this market.
So big opportunity, low penetration, early days in cloud, and, you know, and so that's an important part of the TAM, as well as OT. As we talked about earlier, operational technology, industrial control systems. And you know, and if you look at over the past couple of years, bad actors and breaches, they've changed a little bit. It used to be the goal was to steal your credit card and maybe your Social Security number, but these attacks have become more sophisticated, more targeted, and they are more disruptive, and to disrupt your way of life. So JBS meat packing company, right, disrupted you know the supply chain for and for a lot of the products we buy in grocery stores. Colonial Pipeline disrupted the flow of fuel and largely on the East Coast.
Florida waterworks, utility companies. So the attacks are becoming more severe, more sophisticated, and more directed, more recently, at critical infrastructure. And if you look at the Biden administration, a couple weeks ago, they signed a national security memorandum, acknowledging a heightened threat environment for critical infrastructure. The agencies, you know, there's a CISA, the Cybersecurity and Infrastructure Security Agency, they've empowered them, giving them more, more responsibilities, and empowered them to work more closely with the private sector and the intel, agencies to share threat data more broadly. So, OT is a really, you know, big part of that, of our total addressable market. And we think it's early stage, and we think it's a, a, a great extension of our core Vulnerability Management offering and part of a broader Exposure Management offering.
For us, we'll continue to evaluate opportunities to expand the addressable market to better serve customers and ones that are complementary to kind of the core vulnerability VM use case here.
... That makes a ton of sense. You know, I think as we've seen, Tenable help define this category, you know, with the vision to cross, you know, multiple disciplines. One of the core challenges that IT organizations face is having to understand their exposures over this broader attack surface. So you can't just deploy it in one attack vector. You truly have to be able to, you know, understand that the attackers will pivot, to cloud or to SaaS applications or identities. You know, where are customers today, you know, from your perspective, in terms of understanding this platform value proposition?
I think there's recognition that security, you know, that largely best of breed often means siloed security, and that integrating a lot of these security capabilities can create a force multiplier on helping customers truly understand risk and understand, helping them prioritize and remediate areas that are more risky. And so, selling the platform allows us to do a couple of things. First, deliver value we couldn't otherwise have done if these were standalone products. Number two, help customers understand what is the correlation of vols and threats and identities and access, and where is a likely path of exploit.
It's one, you know, it's, you know, some companies are able to secure one vector of the attack surface or one particular asset type, but to be able to connect the dots on that is really meaningful for our customers. And, you know, one of the other things too, I'll say, selling, you know, the platform is this recognition that the security market is going under a little bit of change, and that is, you know, years ago, when interest rates were low and capital was free and spending was high, you know, security, you know, the growth was much higher in the security market as a whole.
What you're seeing is that there's little questions about new technologies that you're able to deploy, but every time you're deploying a new technology, a new comp, with a new company, a new vendor, there's a new UI, a new relationship, and it can create complexity. So what you're seeing now is that security is undergoing a little bit of a change where, you know, it's a great market. Companies are doing well, and executing well, especially companies that have platform, taking a platform approach and have scale and a good customer base to leverage. But they're asking questions, customers, about: "Hey, what's the ROI?
What's the payback?" And if you're able to deploy something in a way that's an extension off of your core offering, that obviates the need for a new product or a new capability, you know, we're finding that lands really well with a customer. So it's a little bit of a change the security market is undergoing from kind of best of breed. I'll, you know, the average large company or a CISO of a large organization may have anywhere from 1 to 200 different security vendors in their supply chain. So it's very fragmented.
It's best of breed, and to be able to drive more utility, provide more capability to a customer, to kinda shrink their security footprint, you know, I, I think it's landing well, especially in a market like this, where ROI, you know, certainly is a top of line.
When I look at sort of the still nascent growth opportunities, particularly around expansion, you know, how do you balance the need to take advantage of these new markets while also, you know, the desire to show more profitability?
We've always been a balanced growth company. I think that's really important to be able to kind of make investments in opportunities that will drive the long-term success of the company. And because security is a big market, and you know, we are playing in some of the biggest categories in all of cyber when you look at it, which is not only VM, but also cloud security, OT, identity. You know, these are really important markets. There's big opportunity here, large TAMs and low penetration rates. So that's the good news. We're playing in some of the largest opportunities in all of cybersecurity, but we also have to do it in a way where you don't...
You know, you want to invest, and you want to invest as much as you can, but at the same time, you got to balance that with cash flow and profitability. I'm very proud of the leverage that we've been able to demonstrate to date. Our operating margins, you know, are roughly 18% are unlevered, free cash flow margins are north of 20. This year, we guided to $220 million-$230 million of unlevered free cash flow. So we continue to drive higher levels of cash and increase the margins. Our long-term target model, which we have not updated in a couple of years, which I'm sure we'll likely to do sometime soon at an Analyst Day.
But our current target model calls for 25% operating margins, and I have every bit of confidence we'll be able to do that plus some more. And, and so we wanna be able to do it in a healthy way, invest, but at the same time, be able to drive increasing levels of cash. And so I think that's really the name of the game for us. It's always been kind of our moniker. The good news is we have a great financial model, which is lots of recurring revenue, high gross and net dollar expansion rates. When customers renew, they spend on average anywhere from 10%-20% more.
You know, we have a go-to-market model that's able to leverage hundreds of channel partners who are increasingly referring us business, and we're able to put reps in markets that have high achievement rates, and so certainly lots of leverage left in the model, and certainly untapped opportunity to be able to grow.
Yeah. Just speaking of some of the sales productivity opportunities that are there, can you give us a little bit more detail on, you know, maybe where we are in terms of the sales force, their ability to sell the platform value proposition, and to drive some of this operating leverage through the model?
... Yeah, you know, we've demonstrated a fair amount of leverage over the years. So if you look at our operating margins, like last year, so we talked about 18% operating margins this year, 15% last year, the year before it was 10%. So we've been able to gradually walk up the margins in a very healthy way. A big piece of that is really on the sales and marketing side. Years ago, we were spending 60% of our revenues in sales and marketing. I think today, what we talked about publicly for the year is roughly 36%-37% of our revenue will be in sales and marketing. And so over the years, we've invested a lot in our sales organization. We've added a lot of sales capacity, but we've gone into new markets. Years ago, we were in 4 countries.
As I mentioned today, we have feet on the street in 40, and we sell in 160. That, you know, that was a substantial investment to be able to expand our distribution capability. And what we found over the years is that as we've began, you know, expanding into these adjacent markets, and a lot of these, you know, the expansion and the capability of the company, the product portfolio, was very much customer driven. But as we began putting more product in the hands of our sellers, we've been able to drive more leverage. So initially, if you go into some of these newer markets, that may necessitate sales overlay or sales specialists.
Over the years, what we've learned is some of these specialty products that we are selling standalone to address a specific use case that now more recently has been integrated into the, you know, the Exposure Management offering, we've become less reliant on some of these specialists and overlays. Still require subject matter experts, and overlays and specialists play a very important role, but what we've learned is that these products have become more mainstream, and that's driven a lot of leverage. The productivity and the achievement rates in the sales force has been healthy for us, and also over the... What we believe, I believe, that we can double the quota of these sales reps over the next 5-10 years. That's a traditional enterprise playbook.
We'll also be able to optimize some of the other investments that kinda goes with the quota capacity and become more efficient with regard to others who touch it, whether they're, you know, people in the channel or how we qualify and, you know, and develop these leads and the broader go-to-marketing piece. So, we look at all aspects of sales rep productivity as a big part. What we've done, we've been able to walk the quotas up. Sales and marketing as a percent of revenue has come down as we've grown and scaled the business, and that will continue to do so.
It sounds like there's still a tremendous amount of opportunity left to get more productivity out of the sales force. You know, just talking a little bit about the U.S. federal government and maybe some of the opportunities that are there. You know, we've seen, you know, the U.S. government, you know, come out with a number of very large programs that are out there. Like, when we think about Tenable's opportunity to grow in the government space, is it tied more to these mega programs? Is it more sort of steady Eddie penetration? Like, can you just maybe give us a little bit of, you know, color in terms of how you think about that opportunity?
Well, yes and yes, is the short answer. So public sector is a big opportunity for us, specifically U.S. federal and even state and local. So public sector as a whole is approximately 15% of our total sales. I think the average, public company, you know, may have, like, 4% or 5% of the revenues come from public sector. What's notable here is that... You know, success in public sector translates, and leadership there, which we have, translates to success in enterprise and other customers. U.S. federal government is arguably the most sophisticated cyber consumer in the world, and, we have won major programs with, U.S. federal government over the years, both on the DoD and the civilian side. And we're starting to also...
What we saw last year was, you know, really strong growth in U.S. federal, closing some sizable deals within a couple of large agencies on the DoD side. This year, we're seeing that more pervasively in terms of the spending environment. We think the spending environment is potentially gonna be stronger this year than it was last year. Last year was particularly strong for us. So U.S. federal is a big opportunity, and, you know, they also will continue to buy more capability from us. And so we've won these major programs over the year, and this is really a function of sometimes expanding, you know, more spend within those programs, as well as serving different types of agencies for different use cases.
Great, great. Unfortunately, we've come to the end of our time, and so we'll continue the discussion in the other room. Thank you.
Thank you.