Piper, Manager of Security and Cybersecurity and Software Infrastructure Practice, and pleased to welcome the management team from Tenable, Amit Yoran, who is the Chairman and CEO, and Steve Vintz, who's the CFO. So gentlemen, thank you very much.
Thanks for having me.
Nice to see you.
Good to see both of you. So you noted in Q2 that deal scrutiny is still evident, and maybe expand on what you're seeing in the macro and how we should think about demand drivers, both back half, and you have a federal quarter coming up, obviously, which has been meaningful in the past. And then, you know, maybe a little bit into next year without Steve slapping me for asking for guidance. But, you know, just kind of where we're at in all this.
So I guess the short version is, you know, covering a handful of those topics. You know, we feel really good about the federal business. Federal's been about or public sector overall has been about 15% of our business, and our expectations are in line, it'll continue to be that. Obviously, we're in Q3, which is the seasonally high quarter for the federal market, and we feel like we've got a, you know, healthy pipeline with six and seven-figure deals, and feel like it'll, you know, should be a strong part of our quarter. All that said, we're in an election cycle, and, you know, Q4 and Q1 almost regardless of which administration comes in, might be challenging from a public sector perspective, you know, anticipating continuing resolutions and things of that nature.
So, you know, the federal market tends to behave that way, and we feel like we've got good line of sight into where we wanna be. You know, we talked a little bit about the second half of 2024 on the last earnings call, but, you know, I've got a lot of optimism around 2025. I feel like if you look at, you know, the strength in vulnerability management and a lot of analysts calling for double-digit growth, that seems to be how our own conversations are playing themselves out with respect to our own customers and how they're planning for 2025.
So I think there's, you know, tremendous opportunity in VM, but even more broadly, you know, in cloud and some of the newer product lines that we're operating in.
Relative to VM, help us understand your view that this is cyclical pressure, not secular pressure, that you're seeing in the VM space?
Yeah. I think a lot of that is driven by, you know, we saw a strong period of, you know, procurement from 2020 to 2022. And then with the challenging economic environment, a little bit of a slowdown, a digestion period, if you will. But at some point, those licenses are being absorbed, and at some point, customers are coming back and saying, "Okay, my budget is looking healthier for 2025. I wanna plan on a program expansion. I want a greater deployment." So, you know, from our perspective, all of the data points seem to be leaning in for healthier opportunities in the out periods.
Yeah, I think we heard a little bit last night, and, you know, sometimes on the street, we get reminded how big some organizations are and what a challenge this truly is. We had a CISO talk about 56,000 different systems that he would have to maintain and patch, and how important it was, especially given where attack cycles have gone, and they can be almost instantaneous. So I think we lose perspective of there is on-prem and there's cloud, and we all get cloud. It's a big growth opportunity. We're obviously probably gonna talk about it with Ermetic, but help us with the kind of that traditional market and help us think about it. Are people still formalizing around programs? Do people still need to have better visibility of their infrastructure at this point?
Yeah, I think cybersecurity is a lot like regulations. They never actually go away.
Mm-hmm.
All the systems that you had, you bring forward with you. People are still operating mainframe environments. A lot of banks still operate mainframe environments, plus you've got all of the PCs that people have deployed, you know, the client-server architectures, and they've got tens of thousands of applications in these legacy environments. And now they've expanded into cloud, and at first, a lot of lift and shift, but also a lot of cloud native. Every application being developed today is cloud native, and so whether it's, you know, the cloud native environments, the embrace of AI and new applications and new technologies, the mobile workforce, and all of the legacy things that they bring to the table, the attack surface, you know, continues to expand. It never actually shrinks.
And a lot of the, you know, the bad actors out there are able to operate faster and faster, weaponize vulnerabilities faster, conduct more sophisticated exploits faster, and so that is the challenge that's facing CISOs: Where and what do I have? What does my attack surface look like? How do I project risk and express risk to regulators, to audit risk committees, to the, the leadership team? And how do I most efficiently manage and reduce the risk?
So why isn't that a component of what some of these platforming companies might offer versus exposure management being a truly independent space? Help us, help us think about consolidation and possibly exposure management as a bigger category from here.
Yeah, we are firm believers in vendor consolidation. Part of what we're doing with Tenable One as a platform is helping people understand their broader attack surface and what it means to them from a risk perspective. So it's not just, or it includes traditional VM, but it also includes cloud security. It also includes operational technologies. It also includes your user base and directory services and identity stores, and really understanding how these things tie together and how they might be exploited by bad actors. What does the blast radius of a particular issue or problem look like? How do you minimize that? How do you prioritize what you're gonna fix? Our belief is that customers are going to gravitate toward platform-based approaches, but they're not gonna consolidate on one platform.
As much as we and every other larger vendor wants to say, "We're gonna be your platform," it, the truth is, customers are gonna go from three hundred and forty-seven individual products to five, six, or seven platforms, because some security problems and issues are easier to see and identify in one platform or using one perspective of technology, and other issues and emerging problems will be easier to spot using a different set of compensating technology. So we think there's gonna be this gravitation toward platform-based approaches, but best of breed platforms. And from our perspective, we offer the best of breed solution for assessing, identifying what you have and assessing risk there. And that growing discipline of exposure management, you know, we couldn't be more excited about it.
I think our CMO—or no, we just got a Gartner insight that came out about two weeks ago that said by 2028, threat exposure, understanding threat exposure management solutions are gonna grow twice as fast as attack detection and response technology. So, you know, we're starting to see that in our own conversations with customers, but we think we're in the early innings of this transition.
Still early from an enterprise customer maturity perspective relative to that opportunity.
Yeah.
Then how do we think about adjacencies? And obviously, you guys went all in on cloud last year for you. Are customers looking to kind of consolidate that exposure management with cloud under one umbrella versus, say, what a Wiz might bring to the table, at this point? And help us understand your purview and your right to win in that market.
Yeah. Well, first of all, I'll say, you know, Wiz. I think Wiz is doing a fantastic job. I think they've got a great product, they've got a great company, they're off to the races. I don't think this is gonna be a one-winner-take-all market. I think there's tremendous market opportunity. I also think it's a market that is changing so rapidly and so dynamically. You know, since you've been in the security space, I won't say forever, but.
Thanks for that.
You know, you saw the, you know, the in the logging, in the SIEM world, ArcSight was the early dominant player, and, you know, you never thought they would be dethroned. And then along came Splunk and just kind of, like, ate their lunch, and now that market is being turned again. I do think this is a dynamic market. The first mover is not gonna win necessarily long term, and is not gonna win everything. I think outside of Wiz, I think other vendors out there are extremely exposed. I mean, they've got expensive solutions. I think the solutions are, you know, the products they have are very disjointed, they're not speaking to one another, and they're ripe for displacement.
We've got a great solution, I think the top three solution on the market, and we've got something that works hand in glove with your legacy and on-prem environment. So when you want to assess risk, when you identify a problem, or you want to know where a problem exists in your environment, you wanna know where it exists, whether it's in the cloud side, on the on-prem side, and we can help answer those questions for hybrid enterprises.
Is it expansive enough at this point? I look at IoT and OT and understanding bring your own device type of implementations. As I look at your portfolio, is there more you think you guys should be doing?
Oh, there's always more that we think we should be doing, and, and, and our customers are coming back to us and saying, "Hey, it would be great if you could also do..." After the acquisition of our CNAPP platform, our cloud security platform, we recently acquired a data security posture management solution, Eureka, which so we can not only identify, you know, who has access to your cloud environment and, and, and what level of access they have, and how the systems are configured, and how they work together, and what's externally facing and what's exposed, we can also, also tell you what data exists and who has access to that data, which we think is a very important part of the puzzle.
Again, the cloud environments and the requirements around cloud are changing very rapidly, and so there are things we feel great about our solution, but there are things that we're continue looking at. I think, SaaS security posture management's another key area, that is, you know, a very logical expansion as people want to assess risk. So there's you know, there's lots of ways we think this platform can continue to expand, including covering more of the attack surface and more sophisticated analytics.
And Steve, given some of the unevenness just in the security markets in general, how do you think about forecasting the business, giving us guidance around all of this stuff? And, you know, to you guys's credit, while it's been a difficult demand landscape out there, you've really done a lot from a profitability standpoint to, you know, throw that throttle forward. So maybe talk at a high level relative to your forecasting, kind of how you're thinking about the story, how you're communicating the story, and then just what you guys have done from an OpEx and cash flow standpoint.
Sure. Good question. So the demand environment has been very fluid, something we talked about on the earnings call. You know, top of the funnel remains very strong for us. Win rates are very healthy. I think we threw out 60%-70%, so that remains unchanged, and we look at the VM market, as Amit talked about on the last earnings call. We do believe, you know, there is certainly a cyclical nature to it. Software perhaps, specifically cyber, was a bit overconsumed in prior years, and then as rates started to go up and corporate spending started to moderate, you know, we, like a lot of other software companies, saw our growth rate moderate as well, and so for this year, we're pleased to see that we're adding 400+ new customers a quarter.
Many of those are greenfield opportunities, as well, not only in VM, but also in cloud, ASM, OT, and other areas of the business. How we think about our business is that we do see good durable growth in VM. We have conviction around that, and we think growth—there's lots of catalysts to see growth inflect higher. We're not setting that expectation with Wall Street. I think for the full year, CCB guidance was kind of low double-digit growth. That would imply growth of second half of the year, kind of high single-digit growth. So we continue to see outsized growth in some of the newer products.
50% of all of our new sales is coming from non-VM SKUs, such as cloud, web app security, ASM, and then the intersection of all those things, including the exposure management platform. Selling prices are 70% higher when we sell the exposure management platform relative to standalone VM. So we have 40,000+ customers, fifteen thousand of which are using one of our enterprise solutions, and our exposure management platform continues to get great traction, as well as our standalone cloud security offering, and you know, at least on the exposure management platform, we're only about 10% penetrated back into the base.
We've demonstrated ability over the years to bring new products to market, sell those successfully back into our customer base, and we think we're in the early beginnings of continuing delivering incremental value to customers and expanding the deal sizes.
As we talk about optimism around VM coming back and it being more cyclical than secular, is that the major driver then to reacceleration, or is it more around the mix shift? Because you've got a lot of other stuff going on in the model as well.
I think it's a number of different things. Number one, you know, monetary policy, higher interest rates, but we don't control that. Number two, I would say regulatory environment. There's things like PCI compliance that require broader scans and more pervasive scans of critical infrastructure, where you're collecting personal identifiable information, specifically credit card data. You know, there's a repatriation of these, has been touted in a recent survey from another investment bank of these workloads in these public cloud environments back to private cloud. As you mentioned earlier, we live in a hybrid world, and we're one of the few companies have the ability to secure devices and assets and workstations, both in traditional compute environments, but also in some of these newer areas, different areas of the attack surface.
So overall, we feel really good about, you know, how we are positioned competitively, and we think it's early days, and we're pleased with the traction we're getting, specifically in cloud, as Amit called out. It's a, you know, $14-$15 billion TAM. Largest player is probably 500 million of ARR. We're one of a handful of vendors that have any real scale there, and we have a much broader solution, and we're getting certainly notable enterprise wins as well.
And Amit, following up on some of your earlier comments around consolidation, obviously, we had a major outage that occurred two months ago, I guess, or nearly two months ago. What's that say about consolidation and just vendors getting too big with an organization? Or is this just... We live in a very interconnected world, and if things happen that create a disruption in service, they're gonna be incredibly pervasive. And I ask you, not about another vendor, but given your background in security and everything you've done historically, I think you've got great perspective here.
Yeah, I think that there are, you know, certain vendors, given their market share or their position within the enterprise, that, you know, they can create a challenge from a resilience perspective. And that's one of the reasons, one of many reasons why you'll see multiple platform deployments, why enterprises won't deploy a single platform and say, "I'm done." They'll say, "I wanna have best-of-breed platform capability around EDR. I also wanna have best-of-breed platform capability around internal audit and risk assessment. I want best-of-breed cloud capability." And we think the consolidation will be from, you know, 350 vendors that you deal with to several, which are mission-critical, which are best in class, and which are interoperable.
Great. And touch a little bit on Tenable One and just how important that is to the portfolio. Obviously, it's driving a lot of the incremental opportunity, but why isn't it more pervasive within the install base at this point? Because it kind of seems like a no-brainer.
Yeah. Well, first of all, we're extremely pleased with the momentum we've seen with Tenable One. That's our platform play, where we integrate our various technologies to assess risk, so you can get a broader swath of your attack surface, but also where we've introduced a series of analytics. The platform has been out for about 18 months, and at this point, we've got 10% penetration of our enterprise customer base, which is, you know, ± 15,000 customers. So you know, we think for a platform which has been out for a limited amount of time, that's tremendous momentum. We've also disclosed that it accounts for about 30% of all net new sales, which is quite healthy, again, for a product that's been out 18 months.
That comes on the backs of two different ways of measuring that. The first is, we charge more per asset for Tenable One than we do for traditional VM, because we introduce more compelling analytics, benchmarking relative to peers, all sorts of dashboarding. We not only assess vulnerabilities, but we assess asset criticality and translate to risk, and a lot of, you know, inventory capability that we've introduced. So for all of those added analytics, we're able to charge a 25% premium per asset. Tenable One commands, on average, a 70% higher ASP. And that comes on the backs of not only a higher price per asset, but the fact that people are deploying Tenable One more pervasively. They're including some of the new asset types like identity, like web application scanning into Tenable One.
Only over the last month or two have we integrated OT, our operational technologies into Tenable One, and our cloud security, our Ermetic acquisition, is only going to be integrated in over the next month or two. So we believe that we've got tremendous momentum with it. It's not only our highest selling ASP SKU, it's also our most strategic conversation with CISOs and our shortest sales cycle. So we've got a lot of conviction around, and a lot of confidence around our momentum with Tenable One. 85% of our sellers have sold at least one Tenable One deal, and so, you know, they're gravitating to it, customers are gravitating to it, and we think it is foundational to our future beyond and outside of VM.
Conversationally, where are things around OT and OT security right now? You know, I think that it's been more, if I look over the last decade, probably media hype for the first part of the decade, and then we're dealing with the reality of possibly an oh, shit moment at a lot of different places. Curious where the enterprise customer is, where the federal customer is.
Yeah, it's, you know, it's kind of like a dirty little secret in the cyber world, how exposed our operational technologies are and how, you know, candidly, how slow and irresponsibly so many-
Yeah
... organizations are moving to protect those environments. And I don't mean to trivialize it because it is, you know, these are complex environments, and they're also just culturally slow-moving. They deploy a lot of operational technologies-
And again, these are critical services and critical-
These are critical services.
... infrastructure that are gonna impact everyday citizens.
As we saw with Colonial Pipeline, and-
Yeah
... you know, just a few weeks ago, a compromise of Halliburton. We have yet to see how that may or may not impact folks. We've seen it in the compromise of water systems. So you know, these environments are regulated, but they're extremely slow-moving. You know, we, over the last, you know, six to twelve months, have seen a pretty significant shift in these enterprises, where CISOs, the security teams, are now picking up responsibility for OT, which going back two years, three years, four years, a decade, a lot of these organizations and a lot of the people that operate these physical cable plants have said, "No, you know, keep your, keep your IT hands off this. This is a manufacturing operation. These are industrial control systems." Today, the tune is radically different.
CISOs are now responsible, and they have very little insight into what these operations actually look like, what systems are deployed, how these systems are configured. And so we're seeing, you know, an increase in demand and a lot of interest in, and even now, some significant size deployments and follow-on purchases in the OT world. We think it's a slow-moving, but a great market.
Relative to your portfolio there, maybe just help us understand the opportunity that you see for OT.
You know, it's one that I again, I would say has phenomenal long-term opportunity, but it's one that is lumpier. We see six and seven-figure transactions happening in OT, but they're slower moving. They're much more deliberate. They want to do a deployment into two factories before rolling out, and they wanna work out the operational kinks and processes before rolling out to a hundred and twenty locations globally. So this is very much, you know, in the early innings, but a market that we believe is a very logical one for us to, you know, to operate in, one that our customers are asking for. And if you look at OT environments, they're almost never strictly OT environments.
They're control systems, but they have a lot of IT, a lot of legacy IT in them, a lot of interconnectedness to the IT environments for all the efficiency and operations reasons you might imagine. So if you want to assess an OT environment, you have to understand IT and the convergence of IT and OT, and we think we're the only vendor that does that really well.
Great. I'll pause for a question if there are any. Go ahead, JP.
What's your take on the remediation portion of your business? So a lot of clients that we run into, they have great asset inventory vulnerability, but it's the remediation portion. Have you guys got any thought about automating that, especially with Tenable One?
Yeah, we do, and it's a great question, and I think it's one where the market has and continues to evolve. I think if you rewind the clock back even two or three years, the team that was doing assessment and looking internal audit, looking for vulnerabilities, doesn't have the authority, and candidly, they don't want to make configuration changes to the environment because they're gonna cause an outage, and there's problems. A lot of enterprises have already deployed, you know, BigFix, SCCM, or, you know, what have you, to do their configuration. And so our strategy on this front has been, we don't wanna do the configuration changes and the patching. We want to integrate with the best-of-breed technologies that our enterprise customers have deployed.
I'd say there's now a new contingent of operators which say, "Hey, in certain circumstances, I want to be able to make those changes." We've also evolved our own strategy, where in the world of OT, in the cloud world, in the identity world, we not only identify problems, but we help people make those configuration changes, reduce the permission sets that a user might have, reduce their access, make changes to a cloud environment to reduce risk, change how the routing works in cloud to reduce risk, and increasingly believe that we're gonna be doing that in the on-prem world, as well, through Tenable One and other mechanisms.
But step one comes through integrating with ServiceNow and BigFix and SCCM and the other things that people have deployed, making their workflow easier, automating their workflow, and then over time, we may choose to play a greater role there.
One quick one.
Yeah, I just wanted to ask on capital allocation. I think about half your unlevered cash has been on buybacks over the past few quarters. As we kind of lay some of those longer-term free cash flow ranges you've set out, how should we expect, you know, your thought process on spending a marginal dollar of cash to change or stay the same?
Yeah, we have a strong net cash position, and we provided initial unlevered free cash flow target for next year of $280 million-$290 million, which is higher than where the consensus was. We have a lot of confidence in our ability to continue to drive margins higher. As you know, last year we did a $100 million buyback, and we've been methodically repurchasing about $25 million per quarter. And I think going forward, the expectation as the cash flows continue to build, there's effective uses to deploy cash. M&A has been one, where we've, you know, brought new products to market-
Great
... and expanded our relationship with our customers. The other would be looking at, you know, potentially more expansive buyback opportunities to take shares out of the market. So we see a logical, natural progression, good use of cash and confidence in our business to put that to work.
All right. Well, with that, we'll wrap. Thank you, guys.
Thank you, Rob.
Thank you.