We're going to get started. I'm Jonathan Ruykhaver. I cover the cyber security names at Cantor. With us, we have Steve Vintz, who is a longtime CFO, but also co-CEO currently. I think, you know, first off, I just want to mention it's really tragic what happened to Amit. Really, you know, people who've known him, you know, to the industry, it's a huge loss.
Yeah. Thank you.
To that point, just talk briefly about the search, you know, the type of individual that the company is looking to hire, the type of experience. Does the person have to come from the cyber world? We've seen some CEOs, like Nikesh at Palo, pulled from not necessarily cyber, but he's doing extremely well. Just what are the requirements that the company is looking for?
Sure. Thank you for your condolences. Amit was our longtime CEO. He is certainly an icon in the industry. He and I worked very closely together. He was here for eight years. I have been here for ten. We spent a lot of time together. The board is doing a search right now. Mark and I, Mark Thurmond is our Chief Operating Officer. I am the Chief Financial Officer. Together, we are co-CEOs, and we still carry our current titles as COO and CFO, respectively. The board has retained a firm. They are doing a search. They are considering a number of external candidates, as well as internal candidates, including, you know, Mark and myself. I think they have a lot of confidence in Mark and I. At the same time, look, we are a company that has a vision.
We have confidence in that vision and that mandate, which has not changed since 2018, which we can talk a little more about. The board wants someone with a strategic mindset, someone who can continue to execute on that vision, continue to focus on growth, and certainly be able to take and win share in this major market opportunity that we call exposure management. Thank you for your condolences. We appreciate it.
Yeah. No, no problem. I just want to start off with a discussion on the, you know, the vulnerability management marketplace and the two other public companies that compete in the space. You know, it's well known that VM is kind of a foundational layer to understanding risk on premise. But, you know, the three public companies seem to be going in, you know, three different directions. It seems that Rapid7 is focused more on security operations, which is a big problem, but not maybe as synergistic intuitively to VM. Excuse me, Qualys seems to be building up this kind of broad risk analytics and risk assessment platform. You know, they're trying to do that internally for the most part, but it seems like real innovation has been lacking to some extent. Tenable is moving from VM to this exposure management category.
Just talk about that strategic shift, why it makes sense for your company.
Sure. Tenable, first and foremost, is the exposure management company. We help organizations understand and reduce their cyber risk. Our roots are in vulnerability management, which is discovering and assessing network-based devices for vulnerabilities and exploits. Ever since 2018, when we went public, we said our mandate was really on the outgrowth of vulnerability management that we call exposure management. Gartner now calls it continuous threat and exposure management, which we can talk a little more about because Gartner, a little later this year, is coming out with an MQ for exposure management. It is a category that we have created. You know, years ago, our goal was not just to become the unequivocal leader in VM, which we are today. You know, we were not the market leader years ago. We are now. We have invested in this market. It is a strategically foundational market.
The outgrowth of that is what we call exposure management. A simple way to think about Tenable is in terms of breadth and depth. Breadth in terms of the other assets, systems, and devices that we can assess across the attack surface. Taking that core exposure use case on the network and then applying that into web applications. Over the years, we've brought new products to market, such as web apps. Think about Equifax. We have a dynamic scanner that allows organizations and companies to scan web applications. We also apply that to public cloud environments, looking at the configuration of those public cloud environments, looking at vulnerable code in a publicly facing EC2 environment and combining that with identity. Securing workloads in the cloud is really important.
Also apply that to OT, operational technology, industrial control systems that were analog and then more recently became digital and then were air-gapped and now are all interconnected. Think critical infrastructure like manufacturing facilities, you know, wind turbines, power plants, the flow of water and oil across, you know, the U.S. and outside. Those are all things that we assess. We are able to expand across the attack surface to assess vulnerabilities and exposures for different asset types, breadth. When we have done so organically and inorganically, we have gone deeper in terms of the insights that we can deliver. All along, this mandate was not just to be able to do assessments across various asset types. It was to integrate all that data across all those different systems and devices into a single platform to help customers understand risk holistically.
More recently, we've brought to market our Exposure Management Platform, which is seeing great traction, higher selling prices. We believe that cyber is a big data problem, and we're helping companies operationalize preventative security.
Yeah. Yeah. No, it makes sense, you know, from a strategic standpoint. I'm curious, when you look at, you know, how the, you know, the competitive set will develop over the next couple of years, you have, you know, Zscaler who announced a capability just recently, but that will take some time to get off the ground, I would assume. Palo Alto was talking about exposure management. Talk about the importance of on-premise vulnerability management to that broader capability. Do those companies need to also understand risks on-prem? Can they compete with just the cloud portion? How do you position relative to them with that broader footprint you have?
Yeah, we think we certainly position very well. We certainly have, if you look at kind of the core VM market, it has evolved from something that was largely compliance-driven to today, it's something foundational. It's a foundational part of your security program. And it's one of those things that customers have to do. That's not changing, right? Yes, workloads are moving to the cloud. We can help customers assess, you know, those publicly facing vulnerable workloads. We live in a hybrid world, right? Most large companies, any company of consequence, is going to have, you know, connected devices and assets that hang off their network, or they're going to have assets in public cloud environments. They're going to have web applications. If you talked about the traditional VM incumbents, we all started roughly in a similar place, but have very different strategies.
Rapid has a bit of a downward focus in the market. They are going broader in terms of the things they can do more on the managed server side, whether it is, you know, on the MDR piece or in the incident response side of it. Qualys is a little bit of a different profile, just given the higher margin, certainly less investment on the R&D side and maybe even the go-to-market pieces. This is a market, quite frankly, that we have not seen a lot of new entrants in the market. We get questions often about CrowdStrike. We got them, you know, we have been getting them for years. Even years ago, about Tanium, right? We just do not see CrowdStrike in our win-loss studies. CrowdStrike, what we see more is they have the ability to impact deal sizes because we are focused on selling to mid and large-sized customers.
If a customer's looking to license, say, 300,000 assets from us, they may have an agent on their endpoint that's a Tier 2 or Tier 3 asset that's outside of their compliance policy that doesn't have sensitive data. Maybe they'll use CrowdStrike to do VM contacts for attack detection and response, not necessarily full-blown vulnerability management. Our win rates are very high. Whenever there's a VM opportunity, there's 68%, we talked about this, 65%-70% win rates when there is a VM opportunity. It's our deal to win. We have, and we're continuing to.
Yeah, I think George Kurtz's first company was Foundstone, right?
Yeah.
Which was a VM company, which he sold to McAfee. People who know that history always think that he's going to be more.
That is why we have been getting questions about CrowdStrike. They play in a lot of different spaces, CrowdStrike.
Have you disclosed, if you look at exposure management, what that represents as a percent of current calculated billings, how that's changed over the last couple of years?
Yeah. In our Q3 earnings call, we've talked about it. Like, we provided a new growth algo for investors. Keep in mind, this journey that we've been on over the years, right? Roots in vulnerability management, but over the years, have brought new products to market to be able to assess vulnerabilities and exposures across different systems. Then going deeper in terms of the insights that we can deliver. All that culminated in the launch of our exposure management platform. Over the years, more recently, over the last 18-24 months, we've begun selling and assessing other devices, cloud, web applications outside of traditional VM. About 20% of our business today on an asset basis, because we have an asset-based licensing model, is kind of the non-traditional VM. We call that exposure solutions. That's seen outsized growth, roughly 30% growth.
Cloud is within that, growing 100%. A lot of traction selling the platform, a lot of traction certainly helping customers assess their public cloud environments. Consequently, we have certainly a good percentage of our business that's seen high single-digit growth in VM. You know, that growth that we're generating today in vulnerability management is growing slightly faster than the market, certainly faster than our VM competitors. The VM market certainly is foundational. It gives us the right to be able to assess these other assets and systems and gives us the right to be able to sell this broader exposure management platform.
Yeah. I mean, it's, you know, platform is the, you know, word du jour across the public companies. It does seem like what you're trying to address is really a data problem and having the data to be able to provide the insights to act effectively and quickly.
Yeah.
Maybe we could just talk about fiscal 2024, Q4. You ended on a positive note. I think large deal activity was strong. Tenable One was strong. Just, you know, talk about the overall execution through the year, the demand trends you saw and, you know, how that is playing out as we move into 2025.
Yeah. We saw good stable growth the second half of the year. We did a little over $900 million in CCB and revenue. The prints were clean both in the third quarter and the fourth quarter. In the fourth quarter, more recently, we had over 400 new enterprise platform customers, right? That speaks to green shoots and certainly lots, strong demand for customers that we've never had a relationship with. Certainly adding lots of new customers each and every quarter. We have one of our best quarters ever for large deals, transacted a number of six and seven-figure deals. The size of the opportunities are getting bigger for us. That corresponds with the breadth in the product portfolio, the ability to play in adjacent larger TAMs, right, such as cloud, and sell the exposure management platform.
We also had a considerable beat, certainly in the bottom line, both in terms of operating income and cash flow. Overall, we've been a balanced grower. We've seen good stable demand. If you want to peel the layers back on the top line, we had 11% CCB growth in the fourth quarter. Same thing in the third quarter. That's high single-digit growth in VM. We're talking about 30%+ growth in what we call the exposure solutions, next-gen solutions. As we look out into 2025, we see a lot of continuation of a lot of those trends. Our guidance did imply a high single-digit growth. We were one of the first cyber companies to announce results. Sometimes we're the canary in the coal mine.
One of the things that we said on the call was, you know, we're very pleased with the print itself in the fourth quarter, you know, following strong results in the third quarter. We are remaining certainly cautious about our outlook in Fed. Roughly 15% of our sales is U.S. public sector. About half of that is federal government, the other portion of that state. Within Fed, we serve a lot of three-letter federal agencies, both on the defense, on the civilian, and the intel communities. We think we're expecting lower levels of contribution from Fed the first half of the year as, you know, that situation continues to remain very dynamic. We think it's the right approach to take. We are certainly hands down one of the clear leaders in Fed when it comes to security. We have a great relationship with the Fed.
We know this administration is committed to strengthening our defenses. We are very bullish on Fed long-term, but short-term, certainly a little less visibility. By the way, some of that may abate because today the Trump administration announced a new director nominee for the CISA agency, the Cybersecurity Infrastructure Security Agency, which was an agency that the Trump administration created in 2018, many years ago. Certainly long-term, big opportunity for us, and we'll continue to be so.
It's the highest single-digit growth you forecasted for 2025 relative to the double digits you did in Q4. Does that really reflect that conservatism around Fed for the most part?
Yes, correct.
Okay. Specifically, are you seeing constraints in terms of these funding vehicles currently, or you're not sure how it's going to play out and hence the conservatism? Or are you seeing some tightness, maybe some reshuffling of people that's, you know, adding to concerns on whether deals can close?
Yeah, fair to do so. First, I'll say just more broadly speaking, we're in a CR, continuing resolution, which means, you know, you're not going to have a new federal spending budget until the CR is resolved. Continuing resolution, which expires this week, by the way, that means mission-critical applications and projects can continue to renew under the CR. Certainly there's less likelihood of new spending for new projects unless there's puts and takes within budgets. A CR is likely this week. I doubt that a new spending bill will get passed by Congress. We're likely to see another CR either in April or possibly more likely until September. I think that'll just give the administration a little more time to work on kind of a new spending bill. There, you know, certainly we've operated under CRs before. Tenable has done exceptionally well under CRs.
I think you're just having some of the, you know, some of the pieces, you know, move around a little bit on spending priorities. No leadership really in CISA, right? And CISA itself is, you know, certainly major projects not only as a part of CISA, but outside of CISA for us. We're not seeing deals get canceled. We're not seeing deal sizes shrink. The question is really on the timing and the execution of those opportunities that we're more cautious about. I think we're likely to see some of that. A lot of the quarter comes together, the back half, right, the last two weeks of the quarter. It certainly does have the potential, whether it's on the defense side, on the civilian side, certainly for that to happen. We're certainly remaining very bullish about Fed long-term.
Yeah, okay. Just going back to the core VM opportunity, you know, excluding what's going on in Fed, I think you've talked about, you know, the possibility over time of returning to double-digit growth. And I think you've made comments more near-term that there are some compliance requirements that could drive that and also repatriation of workloads from cloud to on-premise. Just talk about that, what specifically you're hearing or seeing as it relates to those two dynamics.
Yeah, I think there are certainly a number of potential tailwinds to inflect growth higher in vulnerability management. That's not the expectations we're setting, certainly with investors, just given the outlook, which I think is certainly the right approach to take. Certainly within vulnerability management, we'll continue to see growth there in VM, right? The environments are very dynamic. There's been a proliferation of devices and systems. As customers place more of those servers, desktops, laptops, peripherals into their environment, they increasingly look to us to help secure more of those. We consequently, you know, have a very healthy net dollar expansion rate. With regard certainly to, you know, more specifically on VM, there's a number of things that certainly can help drive growth higher. Number one, I would say repatriation of public workloads, which is something that you mentioned.
According to a recent CIO survey, 80% of all CIOs are planning to repatriate some form of workload. What does that mean? First of all, that means that as workloads move to the cloud, certainly, you know, that secular dynamic will continue. What we're seeing, and this resulted in two sizable opportunities for us in the fourth quarter, both pure-play VM opportunities. You know, we're seeing a lot of companies, especially larger, more sophisticated companies say, "Hey, look, I live in a hybrid world. Certainly, workloads are continuing to move to the cloud, but there's some workloads here that are not really critical. And you know what? I have less visibility in the cloud. It's perhaps a little more expensive.
I want to move them from public cloud back to network or private cloud, where I have greater control." Again, we live in this hybrid world. We're one of the few companies that can secure both your public cloud environments as well as your network and those hybrid compute environments. That is one dynamic that we're seeing that certainly can drive growth in VM. The other thing is greater compliance requirements. Last year, we saw what went into effect is greater PCI compliance requirements. Historically, if you were a company that was collecting personal identifiable information, you were required to scan that server or that asset, that system, certainly periodically throughout the year.
Now what we're seeing as a result of those compliance requirements for PCI is more frequent scans and more pervasive scans, not just on the system itself, but around the infrastructure that's related certainly to that system. We're certainly seeing a lot of that. That gives us the confidence. We're investing. We're the market leader. Any new opportunity in VM, we think, is ours to lose. We have high win rates. This market is here to stay.
Right. I mean, despite, you know, if this repatriation did not happen, you have an opportunity to sell into those workloads that are in the cloud with your EM strategy, I would assume. Is that a similar dollar amount, or is there a trade-off? Is it more lucrative for you to, you know, secure those workloads that are on-premise versus cloud? How does that look?
Yeah, as you start looking kind of beyond kind of our core leadership in the vulnerability management market, as we've talked about before, this evolution from VM to exposure management, which includes the ability to ingest all this data from all these systems that we're assessing. We'll talk a little more about the Vulcan acquisition, but now we have the ability to ingest third-party data, including the findings and the metadata. No security company can possibly assess everything, right? We're not a firewall company. We're not an EDR. We're not a lot of things. We do assessments really well for the things that we do assess. It is this realization that security is a fragmented market. We want to be able to ingest data from other security providers, right, across all these different categories, and then be able to enrich it and then drive the remediation workflows.
Your point about really, okay, cloud, cloud is very complementary to VM because if you look at the exposure management platform, and over 60% of our cloud sales are in the platform itself, the exposure management platform, which is an overused term, I get, but it's the integration of all these data sets into a single unified place that allows customers to understand risk. It's the integration of traditional VM, web apps, cloud security, OT, ASM, which is external internet-facing assets, all these different things that we assess as well as now third-party assets to be able to help customers drive greater mobilization, greater remediation.
That's where we think the securities market is going, evolving from what we've talked about over the years, which is this system of record, to helping customers assess risk and understand risk, to the system of action, which is driving remediation, mobilization, to helping customers reduce risk. This is where the market's going. Gartner would agree with us. If you look at their Magic Quadrant that they're coming out with later this year, one of the things that they've defined about exposure management is the ability not only to discover and ingest third-party data, discover assets and ingest third-party data to drive the prioritization. They also want you to be able to drive the remediation ops and the mobilization. That's a big part of the value prop for exposure management.
Yeah, yeah, makes sense. You know, I know I cover Tenable, and as I'm reading a lot of your material, I get confused sometimes around Tenable One and exposure management. Can you just talk specifically about what is in Tenable One and how it might facilitate the success with your exposure management strategy?
Yeah, we use them sometimes interchangeably, but, you know, platform Tenable One, the exposure management.
They wanted the same.
Almost wanted the same. What it is, is the integration of all these things that we assess now more recently with the acquisition of Vulcan, the ability to ingest data from other security providers, enrich it, drive the mobilization, and automate a lot of these key workflows on the back end to help reduce risk. The Vulcan acquisition, by the way, is a pre-position to going deeper and wider in AI, which I'll be happy to discuss.
Yeah, we'll get to that. I just wanted to get a sense. You have a base of, I think, approximately 45,000 customers. Can you just talk about the adoption of Tenable One within that base?
Yes. If you talk about, we have 45,000 customers, one of the largest customer bases of any security company, public or private. We have about 15% of our sales comes from a paid version of a product called Nessus, right? That's roughly about 30,000 customers, if you will. It is a $3,000-$6,000 annual recurring subscription. It is one of the most ubiquitous brands and products in all of cybersecurity. There is a free version of Nessus that's been downloaded over three million times cumulatively. It is a paid version that's 15% of our sales. It is a cost-effective on-ramp into a larger enterprise platform sale. You are talking about consequently over 15,000 enterprise customers that we have using one of our enterprise solutions, whether it's the VM solution or the exposure management platform or the ability to sell cloud and some of the other products standalone.
Within those 15,000+ enterprise customers, about 10%, a little more than 10%, is using the platform. Why do I mention that? Because we have, you know, this great relationship with our customers in VM, right? Customers in VM increasingly have this desire to assess other asset types, understand their risk in web apps and cloud, as we've talked about. Right now, about 10% of our enterprise customers are using the platform. When they move from standalone VM into the exposure management platform, should I say, the ASP increases anywhere from 50%-100% higher because the catalyst there is to assess other systems, which we do a really good job of. Consequently, 90% is greenfield within our own enterprise customer base.
Let us not forget the ubiquity of Nessus, the 30,000 roughly customers who make the leap from the paid version of Nessus into one of our enterprise solutions. It is a cost-effective on-ramp to a larger platform sale. Selling back into our base is certainly a big part of the growth strategy. Yes, we are landing 400+ new customers a quarter that we have never had a relationship with, green shoots there, but the success that we have had certainly to date is a lot of the opportunities within our own customer base.
Yeah, yeah, yeah, it seems like a big opportunity. Vulcan Cyber, I think it was a deal you announced this quarter. Just talk about why that makes sense, the strategic rationale and the financial impact.
Sure. It is really back to this notion that we believe that cyber principally is a big data problem, and we are focused on helping customers operationalize preventative security. If you look at spend historically in the cyber market, it has really been on detect and respond type technology, certainly [Megatem], a lot of large cap companies in that space, whether it is, you know, EDR, firewall, whatever the case may be, putting a wrap around something. Over the years, what we said, what we have talked about is really the opportunity to help customers think more proactively about security. Yes, the term platform can be overused quite a bit, not only within security, but outside of it. Our mandate has been very clear all along. Let us help customers reduce their risk by integrating a lot of these data sets to help drive mobilization and prioritization.
What Vulcan helps us solve, it helps us accelerate a lot of our roadmap. It's very customer-driven for us. It's this notion that, look, we want to be able to ingest data from all these different security providers. If someone uses Wiz for cloud, that's great. We can assess these public cloud environments, or we can stand shoulder to shoulder with Wiz and that and ingest the data that the customer has using Wiz. We can ingest data from CrowdStrike. If someone wants to use VM, such as Qualys, we can ingest that data, combine that with our own assessment data. It gives us hands down one of the largest exposure data sets of any company in the market. We think going, you know, in the future, the real competitive moat will not be just features and functionality.
It's the ability to train data, to be able to train data in a way that delivers greater insights to the customer. Again, back to this notion that cyber is really a big data problem. Vulcan accelerates our roadmap, allows us to ingest data. There's a lot of technology here that normalizes the data, identifies unique assets, duplicate assets to be able to drive license counts higher for us. On the back end, there's a ton of enriched mobilization that automates some critical workflows. For example, the combination of Vulcan and Tenable, we can discover an external unmanaged domain as part of your attack surface. It can automatically launch a scan using our web application product.
We can discover a vulnerability and then integrate bidirectionally with JIRA, assign responsibility for remediating that exposure to a specific individual, and then they can close loop it and come back into the platform. This is really important workflow. These are really important pain points for our customer, evolving from just understanding risk to reducing risk and this notion about the system of action in cyber.
Yeah, yeah. Before I proceed, any questions from the audience?
I mean, we talked a fair amount, Steve, about the CR effect right now in the federal part of your business. Just speak a little bit more just about the sales motion in the private and the citizen world as well, just how that differs with just go-to-market, and if there's also a distinction between Cloud Legacy, which is the wonderful Nessus customers and that brand historically, but then also selling . How do those go-to-markets differ between Fed and other markets?
Yeah, I would say certainly Fed new and then upsell from existing, they're very different. And look, with regard to the latter, we have high gross dollar renewal rates. They're exceptional. So when we land the customer, we keep our customer on average for 15 to 20 years. You know, our expansion rate's anywhere from 10% to 20%, depending on which macro, because we sell more. You know, they're assessing more assets using Tenable. And so certainly high gross dollar renewal rates, the upsell, the sales cycles tend to be much shorter. We have a trusted relationship with that customer, and so we certainly have higher visibility into those sales, just given the history with the customer. Then you have new opportunities. New opportunities depending really on, you know, where you sit and where you're playing.
On the VM side, certainly in a market like this, they're fewer in number, but when those opportunities do come to market, we have high win rates, roughly 70%. For cloud and other areas, we're seeing a lot of exit velocity there, a lot of market pull with cloud, OT, and other asset types. When it comes to public sector, it's a little different. Certainly much longer sales cycles. There's usually programs from which that gets funded, certainly multiple stakeholders. We can be part of a broader solution, or certainly they could look to us to sole source something. We spend a lot of time qualifying those, working to close those. You know, some of these opportunities are across agencies, across lots of agencies within the defense side, across multiple agencies within maybe civilian.
We're seeing also a lot of traction too, which is a similar dynamic to U.S. federal, on the state side, local side. We're seeing a whole of state opportunities where there's a number of agencies within a state, a number of municipalities where they're increasingly looking to us to standardize across all these different agencies and municipalities. We've gotten some major traction there, and we've continued to get traction here. That's why the selling motions can be a little different, but hands down, we have the best tech in that market. One of the reasons why we do a sizable percentage of our sales in federal and the state level is just because they're arguably one of the most sophisticated cyber consumers in the world. They're very demanding and expect a lot there, and we have delivered for them over the years.
Steve, are you guys looking at any non-U.S. governments, U.S. friendly governments? If there are some.
Good point. When we say 15.
None left.
Yeah, none left. I'll say, first of all, when we say 15%, that's U.S. public sector, state and federal. That does not include the public sector agencies that we serve outside the U.S. We serve many. Our largest deal in the fourth quarter was a seven-figure deal, a sizable seven-figure deal, cloud standalone within a public sector agency in Europe. Yes, this is exposure platform, management platform. Cloud in particular is a global problem, and certainly we got great traction there.
When you, oh, go ahead.
Hey, Steve, congrats on Vulcan. Will you continue to be acquisitive, and if so, in what areas?
Yeah. You know, we have been acquisitive more recently. We just announced the Vulcan acquisition, roughly $150 million in purchase price. One of the other acquisitions that we announced in 2023 was cloud, certainly going deeper and wider in cloud, and we have a very broad CNAPP offering. You know, it was roughly $250 million in purchase price. We look at the market and say, okay, certainly security is fragmented. Lots of opportunities on the private side for us to be able to accelerate roadmap. It has to offer or provide a unique secular trend like growth in cloud or the convergence of IT and OT in the case of these industrial control systems that we're trying to secure. More importantly, we want strong go-to-market alignment. We know our swim lane. We know our buyer. We want the same buyer, roughly same budget.
It has to expand the utility of the exposure management platform. We will continue to be able to pull on all these levers, both organically, where we are continuing to innovate, obviously inorganically with some of the acquisitions, and then also partnership. All three will be important to us. We have done a good job walking the margins up. We generate nearly, what, over $200 million, $290 million of unleveraged free cash flow this year. We are in a strong net cash position, and we are doing a good job balancing growth with profitability.
That was my final question, just growth versus profitability. I mean, that operating margin gap has really materially increased this last 12 months. Do you feel that, you know, you're leaving some on the table, especially when you look at CNAPP and some of these hyper-competitive categories where the market is so nascent? I mean, why wouldn't you be better served spending more for those opportunities?
Yeah. First of all, we do not think we are doing anything unnatural to drive that kind of leverage in the business. 96% recurring revenue, exceptionally high gross dollar renewal rates, really good expansion rates within our own customer base. Some of that is really a natural evolution and a continuation of what we have been doing over the past couple of years. If you look at how we are managing the company, you know, we are certainly leaning in on growth. Over the years, we have added a lot in terms of go-to-market. In 2023, we spent 43% of our revenue in sales and marketing. Last year was 36%. We have added a lot of capacity. This year, we are adding quota capacity for the first time in probably 18 months. We have confidence to be able to lean in and add more capacity here.
Yet we're becoming more efficient, and sales and marketing spend as a percent of revenue will continue to tick down even this year. We're taking a lot of that efficiency there, and we're investing it back into R&D. We grew R&D 25% last year. This year, we'll grow at 20%+. We're innovating. We're walking the margins up. We're doing it in a very balanced way. That feels really natural to us. M&A will certainly provide a means to, you know, provide even enhance the growth profile as well.
Yeah. Okay, we've hit our time limit. Steve, thank you very much.
Thank you, Jonathan, for having us.