Okay, thank you for joining us. My name is Rudy Kessinger, cover security and infrastructure software here at D.A. Davidson. With us from Tenable, we have Co-CEO Mark Thurmond, SVP of FP&A, Chris Fritz. Thank you guys for joining us.
Our pleasure.
For sure. Thanks for having us.
Mark, I think if you could start off by giving just a quick [audio distortion]
[audio distortion]
[audio distortion]
[audio distortion]
[audio distortion]
[audio distortion]
[audio distortion]
[audio distortion]
[audio distortion] overview of Tenable and maybe what I don't know if you guys call it this, maybe kind of Tenable 2.0, if you will.
Sure.
Really how you've expanded from the core vulnerability management market into the broader exposure management platform that you are today.
You betcha. Absolutely. And we do, we talk a lot about exposure management. If you just go back and look at the history of Tenable, I mean, Tenable really was started from what was called the Nessus scanner, which was one of the most widely deployed cybersecurity tools on the planet. Literally, we still do over 1,000 downloads of the Nessus scanner every single day. There are over 4 million copies out there in the marketplace. One of the most widely deployed cyber tools out there. From Nessus, we then moved into kind of what we called on-prem vulnerability management with Security Center. We migrated to cloud-based vulnerability management with AIO. From there, we really started pivoting to what was called risk-based security and looking at all of the different risk scorings that you could do from a vulnerability perspective.
From there, we've truly migrated over the last two and a half years to be an exposure management company. Based on a bunch of internal innovation and acquisitions, we have expanded our total available market from just core-based VM. We now assess assets in the OT space, in the identity space, in the cloud security space, attack surface management, the web application security space. Most recently, we acquired a company called Vulcan. For the first time ever, Tenable is going to be able to ingest third-party asset types. Think about if a customer has CrowdStrike, Wiz, Palo Alto, Qualys, or Rapid, we'll now be able to ingest those third-party assets into our Tenable One platform.
What we talk about with our customers every single day is really this category of exposure management and being able to migrate and move multiple asset types to one platform, which is Tenable One. That's the big market dynamic. That's the big shift that we've done. On top of that, moving our install base and our new customers to exposure management into Tenable One, we now are getting very, very involved and have been for the last four or five years in the AI security space. We just acquired a company called Apex that allows us to look at and evaluate how you're using AI from a generative AI perspective.
What are employees and what are partners doing with, say, enterprise ChatGPT or Gemini or Grok, being able to not only assess within five minutes who and how they're using it, but what data sets, what LLMs is it sitting on, how are they using it, and other data sets. As we make this journey to an exposure management platform, the two big themes that I think are really important for people to understand is it's going to be all about consolidating multiple asset types onto Tenable One and then being able to leverage AI not only for the software that you're using from a generative AI perspective, but also the software that you develop internally within your code. We'll be able to assess that also.
That's a very helpful overview. You guys are coming off what was generally a strong Q1 to start the year. If you look at the numbers, you beat on all metrics and guidance. You did lower the 2025 outlook specifically on current calculated billings growth by a couple of points at the midpoint. Can you talk about just what drove that reduction and what you're seeing in the market that had you take things down a bit?
Yeah, I can tackle the numbers piece of the question, Rudy. We had guided at the beginning of the year to 7-9% top line growth. We, at the end of April, on our call, took that down to 6-8%. It was a reflection really of two things that we saw in the market. First and foremost was the federal sector, some uncertainty around the DOGE activities. That was really the height of the budget negotiations at the end of April when we did our call. About two-thirds of that reduction was related to the U.S. public sector. Around 15% of our total business is related to the federal sector. Our DNA comes partially from the NSA, and we're headquartered in Columbia, Maryland, in the D.C. area. We have a leadership position there.
To us, that's really a question of timing. These roadmaps and programs that we're embedded in with our federal government customers remain a priority, and they're going to happen. We were facing some less visibility than normal in light of all those activities. That was the main reason for the reduction on the top line, to set ourselves up to succeed, and it wasn't necessarily that we'd seen anything canceled, just to ensure that the timing could match the guide. To a lesser extent, around the global trade and the tariffs, as a bottoms-up analysis, as we prepared for the call, we saw instances where customers were putting more scrutiny. It might be a European auto manufacturer who's uncertain of what their top line looks like, and so evaluating investments in cybersecurity a little more carefully.
Those were really the two aspects that went into it.
As we started to hear, I guess we were kind of done hearing from the April quarter-end companies. A lot of them talked about things kind of screeching to a halt post-liberation day and then to a certain degree getting back to normal. I don't know, fully back to normal, but things improving in May relative to April. Have you guys seen that? Any material shift as some of the tariffs have been rescinded since then, or is it still the same general dynamics as you were seeing?
It's still the same general dynamics. We definitely have had a first good two couple of months. Also, our linearity has been very strong. We are a back-end loaded software company, so we do a lot of our business here in the last three to four weeks of the quarter. We felt good about what we saw in the first two months. I would still say the themes and the overarching, A, the federal business still kind of coming together and understanding when some of the leaderships will actually be in place. Some of the leaders of these big organizations, because that was another big factor of the federal government. They lost a lot of cybersecurity leadership. That means a lot of the projects were put on hold. Now that's starting to get played out.
From a macro perspective, we still see countries that have negotiated and countries that have a set plan with tariffs with the United States. We're seeing relatively good strength there. For a lot of the countries that are still up in the air in regard to how the tariffs are going to play out, like the example Chris brought up, if you're over in Europe and you're a big country, say Germany, and you're trying to figure out from an automotive perspective how and when and how many cars you're going to ship to the U.S. based on tariffs, until all those things get negotiated, there's still going to be a little bit of gray area. Our outlook hasn't changed. We do see in the federal government, though, every week things are getting a little bit clearer.
We're getting some better visibility there, but the outlook still hasn't changed.
Could you maybe just on federal, maybe a finer point on what did the guide assume in federal for the second half? Did it assume any downsell? Did it assume just minimal upsell? Was it dependent on certain people getting into seats at the various agencies? What did it assume on federal?
Yeah, for the year, we're continuing to assume a moderate pace of growth within federal. Not grounding to a halt by any means. I think the proof point in Q1 was we had a record number of million-dollar deals across the company. One of those was in federal. I think the key there was helping our champion position the consolidation effects that Mark mentioned under a modernization heading. Bringing cyber in a very large organization centrally and doing it more efficiently, we bring to the table a lot of prioritization and analytics that helps our federal customer do more with the same resources or potentially less resources. I think part of the constructive nature of the Fed that Mark mentioned that we've been seeing more recently is our ability to help position Tenable One into that efficiency mandate. It really does deliver.
Those are some of the proof points.
Yeah, the thing I'll add to that, which I think is very important, it might sound like a small detail, but it's not. A, the leadership getting into place in the federal government is super important. NSA having a leader, CISA putting in a leader, really critical because those two organizations really drive a lot of the themes around what the federal government's going to do from a cyber perspective. The other great benefit for Tenable is we do feel very optimistic about our business in federal government. We have a huge amount of market share there. One thing that we do now have is we have FedRAMP moderate. We did not have FedRAMP moderate coming into this year. We just got that done here in Q1.
What that allows us to do is with all of the install base that's sitting on core-based VM with us, we now have the opportunity to go do the consolidation discussions that we've had with public and private companies over the last 18 months to two years. We haven't been able to do that in Fed because we didn't have FedRAMP moderate. With that, we now can go to the install base. We can talk about consolidation. The one thing that you will see during this administration and what Trump is really pushing down to all of the different agencies is cost-cutting and efficiency.
By now having this consolidation story that truly resonates, meaning you can literally go into an organization and say, "Hey, if you have four or five different tools from independent software companies, you can get rid of those renewals, migrate that asset type onto Tenable One, the platform, get better visibility to your attack surface, get better visibility to what your risk profile looks like." We feel like that story will resonate. We're seeing pipeline build increase. We feel optimistic about what is going to happen in federal and state and local, but we just want to get better visibility and get some of these leaders in place and then get some of these procurement and contracting positions cleaned up. We do not think those positions will be backfilled. We think DOGE kind of took a hammer to them.
Figuring out how you actually move deals forward, how you negotiate contracts, how you get purchase orders out, we just want to get a little more clarity from that perspective.
Obviously, the relatively higher federal exposure obviously weighed on you guys, I think, more than other companies in cyber. I do think investors clearly have some concerns around the VM market. I want Mark, if you could, maybe just address some of those head-on. Firstly, I think it was a year or two ago when Steve said VM had been deprioritized a bit. If we look at Q1, you guys cut your outlook again, two-thirds from Fed, understanding that, Rapid cut their numbers, Qualys implying lower growth in the second half. As a group, you can see how investors get some concerns about the health of the market. What are you seeing in the core VM market? Is there still greenfield opportunity? Is it still a priority for customers? Just what does that demand look like?
Yeah, no, I think there is still definitely opportunity. There's no question it is definitely moderated in regard to the growth rate for VM. A lot of the positions and the larger deals that we did in Q1 and even Q4, VM played a central role, but it was really more about the exposure management, Tenable One platform, where VM still plays a huge percentage of those deals that we do. It's literally securing and making sure you have world-class VM and then picking up those incremental asset types. The guide that we built, it calls for just the basic kind of growth rate, that single digit, mid-single digit that Steve referred to. If there is any upside to it, we feel we're going to be in a really good spot.
If you look at Tenable, what's interesting comparing us to, say, a Rapid or a Qualys, we average anywhere from 350-450 brand new customers every single quarter. You look at us with 44,000 customers, and then you look at Qualys, which is whatever, 10, 11, 13,000, Rapid, 11, 12,000. We're 44,000. We attract new customers every single quarter. Roughly on average, when you break out those 350-450, roughly 40%-50% is what we call greenfield, meaning they've never owned or bought VM before. They're coming to us, and they're becoming a Tenable customer. Now, they could join Tenable from just a base VM perspective, so Tenable VM, or they could go full on with exposure management and come on board with Tenable One. The other 40%-50% is rip and replacing a Qualys and a Rapid 7.
We've gotten a very efficient, effective motion going after those two competitors. We referenced in Q1, we did six, seven-figure deals, and a couple of those deals were replacements of Qualys and Rapid7. I think some of the reasons you're seeing Rapid especially struggle is they're having a very difficult time hanging on to that install base. We're able to go in there and be able to move them onto Tenable One or onto our VM and be able to keep them. Our compete level, we have some of the highest win rates we've ever had against our competitors. We think that there's still greenfield opportunity. Our hitting of our guide for 2025 is not dependent on VM having this massive big rebound. It's about continuing to execute on exposure management and on Tenable One.
It's very helpful, and I appreciate the granularity on some of those things.
You bet. Sure.
The other investor concern, I think, around VM is, or maybe exposure management, if you will, is just some of the competitive dynamics. Obviously, CrowdStrike, some other larger platforms in the space have come out with some products. They have talked about displacing legacy VM tools. Investors ask about that all the time.
They do. Yep.
How often do you see them? Have they become a relevant competitor or not? Are the concerns way overdone or about right?
Yeah. I think when you look at it, you put that kind of the number one competitors would be like the Rapid and the Qualys kind of from our historical perspective. We do see CrowdStrike. We do see Microsoft. We see Palo Alto more on the cloud side, the CNAPP, Prisma Cloud offering against our CNAPP technology. Do not see really anything, obviously, from a VM perspective from Palo Alto. With CrowdStrike and Microsoft, A, we've been seeing them for a couple of years. We do not see a lot of them. To be fully transparent, when you look at our win-loss ratios, we're not seeing a significant amount of losses to CrowdStrike and Microsoft.
Where they are able to go in and compete is if they're a large CrowdStrike customer or Microsoft, then they can say, "Listen, based on the big spend you have with us, we can look at your tier two, tier three." Very rarely, very rarely do they ever try to go in and rip and replace all of Tenable because they know where they're going to get leverages on pricing. And it's really for those tier two, tier three assets. What we then do is we come in and we feel like when you look at exposure management, exposure management, this big trend that you're seeing in this category, it's driven off world-class VM. At the end of the day, Microsoft and CrowdStrike don't have world-class VM. We do. We've been in this space forever.
When you look at organizations that are changing the name of their VM practice or VM program office to exposure management, it's happening with the VM team. We then technically explain to the customers exactly the differences in our tech compared to Microsoft Defender and CrowdStrike. I'll give you as an example. When CrowdStrike rolled out their new networking vulnerability technology, we obviously have it in a lab. We work with it. We literally were able to find 40% more vulnerabilities than CrowdStrike could find in this environment. We explain to customers that 97% of all breaches and ransomware attacks happen on known vulnerabilities, so think about that, 97% are known vulnerabilities that haven't been patched, haven't been remediated yet.
If you're willing to save a little bit of money, but then not find 30%-40% more vulnerabilities, as a CISO, you're exposing your company and exposing your enterprise. We go in there and we do that technical selling, and we've got very, very good win rates. We do see them, but we do not see them fractionally as much as they talk about that they're going after legacy VM and they're winning all these hundreds of millions of dollars. We do not see that at all.
Yeah. Yeah. So it's very helpful.
Yeah.
We've seen, and this plays into maybe some of the investor concerns, of course, just over the last few years, this shift away from best-of-breed vendors to more of a platform approach. I've spoken to Palo , CrowdStrike customers, many investors have, who will purchase some products that they know are not the best out there, and they're okay with that for whatever reason. Talk about the 20% of your business that's non-VM. What are the components? What's the fastest growing? And kind of assess Tenable today and your ability to compete with some of those larger platforms and the areas you've added.
Yeah. We feel extremely confident on our compete level. Really, the strength of it comes down to Tenable One because we are not seeing as much competition or individual bake-offs, demos, and POVs on independent cloud security or independent operational technology, independent WAS, attack surface management. You are really starting to see this discussion with CISOs about consolidating. I think the value that Tenable has as a company, which is extremely differentiated, is being the biggest and the fastest growing from a historical VM perspective. VM is really hard, and it has been around for a long time. It is really difficult to do at a world-class level and have the accuracy, the scalability that we have.
When you look at our business, it is really about transforming that install base of 44,000 customers onto exposure management, consolidating those multiple other asset types that we refer to like OT, like cloud, like web application scanning, identity onto one platform. The other big part that we're doing is we acquired a company called Vulcan that now, for the first time, Tenable, in the history of Tenable, we will be able to monetize, charge for third-party assets. As this integration with Vulcan into the Tenable One platform continues to mature, we launched integration on May 15th. We're starting to work white glove a bunch of customers. We'll be able to go to customers to your point that you brought up. I know this is long-winded, but I think it's important.
When you're looking at a CrowdStrike or a Microsoft or a Palo Alto, obviously, no company is going to rip and replace those big players. It's just not going to happen. We view Tenable, though, where we can be very strong and really start being able to grow from an exposure management perspective, is we can consolidate asset types that are natural from an exposure management perspective. Things like OT, web application scanning, cloud, those are natural fits. Now with third party, we can say to customers, "You don't need to replace CrowdStrike or Palo Alto or Wiz or Prisma Cloud." We can now ingest those third-party assets. We can look at what type of vulnerabilities, misconfigurations, and exposures those assets have, be able to charge for them, which we've never been able to do before. We are not forcing customers to rip and replace.
We can say, "We can give you better visibility and be able to judge and look at your risk profile at a much deeper level now and be able to monetize it." That is going to, I think, be something that's pretty exciting for us. We've been talking about it as a company for over 18 months. Now with the Vulcan acquisition, we'll be able to deliver on that vision of ingesting third-party assets and automated remediation.
Just to follow up on that, the ingestion of third-party assets, obviously, it does not require you to displace those other competitors in areas where they are strong. What kind of pricing can you charge for that? If I take a typical VM customer who adopts Tenable One and is doing that third-party ingestion for Wiz and Cloud or these other vendors, what kind of upsell could that be?
Yep. The way the upsell, it definitely would not be for the same price point, the same margin, the same price point that you would be for a tier one vulnerability or exposure management Tenable One asset. It will be definitely at a cheaper price. The beautiful thing is we're not getting anything for that asset type today. This is something we'll be able to monetize. We'll be able to ingest it in and be able to charge for something we've never charged you before. We definitely will not be charging for that asset type at the same premium that we do for a Tenable One asset that we do today.
What's the willingness of the customer? Just talk to me about kind of the customer conversations, the pipeline build around that, and the customer willingness to spend more. What's the improvement in the risk reduction standpoint?
Yeah. I mean, when you take a look at it from internally, our pipeline build ever since we acquired Vulcan has been unbelievably strong. The key thing to keep in mind is we just literally announced the full, not even the full, we announced the integration on May 15th. We are just literally rolling out. We are white gloving a bunch of customers right now, pipeline is building. I think we have got over 150, 160 customers that want demos and POVs. There is absolutely demand. It is now about integrating. We are doing the initial integration now with certain companies that we already have the integrations done. Wiz, CrowdStrike, all of those asset types are integrated at an API level to be ingested. Those third-party integrations are done. There will be roughly 40 integrations that will be done mid-Q3 of this year.
Going into 2026, we'll have close to 100 different apps and infrastructure that we'll be able to ingest into Tenable One. This is, I think, going to be a big mover for us. We also, in Q4, will be announcing mobilization and automated remediation and workflow, which is another big area that customers are looking towards. We're excited. We want to get success. We want to get a bunch of victories. We want to get a bunch of customer examples that we'll be able to share with the street. There is definitely demand and very strong pipeline build.
I want to come back to cloud security. Obviously, that's a component of that 20% that's non-VM. I know you said you don't have a ton of deals that are coming in that are standalone cloud security. Maybe you have a bit more in OT, I'd imagine. Just talk about your cloud security portfolio. Where are you strongest? Where are you adding? Do you have a full CNAPP suite? As a follow-up on that, the Google acquisition of Wiz, how has that been a tailwind or not in the competitive environment?
Definitely. A couple of things. You look at it, we have a full-blown CNAPP solution. We acquired that company, Ermetic, roughly two years ago. We have a full-blown CNAPP. We have got CWPP. We have got JIT. We have got DSPM, all of those capabilities. When you look at it from a competitive standpoint versus like a Wiz or a Palo Alto Prisma Cloud, very, very similar solutions. We are very confident there. Where we win the majority of deals is in our install base. Where we differentiate versus a Wiz, which is really good tech, there is no question about it, Wiz has a really good product. They built a great company. They had a really good run for the last four and a half, five years.
In our install base, though, when you tie in our CNAPP capability, which is very similar to Wiz's, but then you're able to have it in one platform, meaning you can have it in a hybrid environment. If you're Wiz, you can't look at and assess any on-prem assets. It's just strictly cloud-based CNAPP capability. The majority of customers in the world are hybrid. We have a very strong story when customers are with Tenable today. We migrated them over to Tenable One. Now we can assess all of their different cloud assets. That is where we get the majority of wins. To your point, we don't really look for, and we don't have our selling organization and our channel focused on independent, standalone, cloud-only deals. We did that consciously because Wiz was doing very well.
We said, "Let's focus on that install base of 44,000 customers that trust Tenable, that know Tenable." With the Wiz Google acquisition, it has definitely created a different dynamic that was not there before, common sense. We are getting invited now to RFPs. We are getting invited now to bake-offs where they might be very happy Wiz customers. I want to be very clear. It is not like customers are just ripping out Wiz because that is not happening. You are seeing big customers that have been with Wiz for three or four or five years that two things. A, they are spending a huge amount of money. If you talk to any customer that has been using Wiz, it is one of the most expensive cyber products they have in their stack. Some CISOs have told me they are spending more on Wiz now than they are on CrowdStrike and Zscaler.
Customers, CISOs do not want to do that just to protect their cloud environment. If you think about how broad and how wide-reaching CrowdStrike and Palo and Zscaler are, price is a big issue. We are getting invited. There are environments where the majority of Global 5000 customers have multiple cloud hyperscalers. Not no one, a lot of companies. When you look at the biggest customers, the majority of customers have Azure. They have AWS. OCI is doing extremely well. We are starting to see a ton of OCI out there in the market, by the way. They are really, I think, doing a nice job. You see Alibaba. You see all these other players that are there.
Customers are saying, "If Google owns this CNAPP cloud security technology that we rely on solely, and if Google now owns it and we're an AWS shop, are they going to prioritize AWS features? Are they going to be able to support the AWS roadmap? Is AWS really going to want to share their 6-month, 12-month roadmap with Wiz that's now part of Google in regard to collaboration and building new capability?" That is all to be determined. Customers are inviting us to the dance more often. We're getting involved in more RFPs. This is a net positive. How much of a net positive will be determined over the next two or three or four quarters and how much business we're able to win. We are getting openings that we did not have before.
On maybe just, and look, I hear that too about the Wiz pricing. Even at your guys' pricing, on your cloud security deals, what is the average deal size of a cloud security deal versus a typical VM deal?
Yeah. I would say it's on par. There's an advantage of volume. If you're consuming a lot of different asset types within Tenable One, then you get a volume discount based on all those asset types. That kind of can give us some pricing advantage. The cloud security asset part of Tenable One is substantial.
Yeah. Okay. I want to shift gears a little. At RSA the other month, all we heard about was AI security across the board. You guys just made an acquisition. Firstly, you came out with a product, AI Aware.
AI Aware, yep.
I think not too long ago.
Yeah, but that's.
You also made the acquisition of Apex Security.
You bet.
Tell us a bit about your guys' AI security product roadmap. And specifically, I guess, how is it different from every other company that says they're going to secure and solve the AI security problem?
Yeah. When you take a look at it, a couple of things when you think of Tenable. Tenable has actually been in the AI game for seven or eight years. When you look at when we created our VPR scoring, when we created our ACR capability, we were heavily involved in using machine learning and using AI. We then came out and launched what was called AI Exposure that sat across all of the Tenable One platform to leverage AI across all the different asset types. To your point, we announced AI Aware, which had one of the fastest pickups in adoption, looking after and looking for shadow AI. Where are people using AI? How are they using it? Are there any misconfigurations, any vulnerabilities that are going on from an AI perspective?
I think we have over 6,400- 6,500 customers that are leveraging that capability today. When we then took a look at what was happening in the market, because what you really want to get is specific use cases, AI is being talked about at a high level across the board. I was just in the Middle East and over in Europe a couple of weeks ago. Every government and end user discussion at the executive level started off with an AI discussion. What they're all struggling with is, what is that specific use case? How can we bring AI into our environment, into our cyber stack, but get and solve problems? When we were looking and we looked at a bunch of different technologies, we continue to look at numerous technologies and companies.
We will continue to be acquisitive and innovate on an AI journey that Tenable's on. We found Apex and some of the most intelligent founders, world-class investors with Sequoia, unbelievably bright engineers. When we found them and then the kind of the product and technology they were building, we felt like it was the best asset that was out there. It is going to be very specific to be able to go to our install base. It will be built into Tenable One, so we're not going to sell it as a standalone. It will be a capability feature set that we will monetize and charge for.
At the highest, simplest level, think of going to customers and saying, "We're going to look at AI, a generative AI that you use." Think about enterprise ChatGPT, Gemini, Grok, all those other different types of generative AI tools. We will, within five minutes, can come in and we can assess and look at your entire environment. We can tell you what generative AI tools are being used. We can tell you who's actually using them. Out of your employee base, who's using what? We can then say, "What data set is being used with AI?" Meaning, if you have an enterprise GPT license, you might not know that one of your employees is using it on a specific data set that might not have been authorized. It might not be governance. That's happening a ton.
With this technology, we're able to go in, leverage it. They can get all of the different visibility of who's using what. They can audit the environment. They can put in specific governance and remediation to stop the usage, to be able to look for vulnerabilities from an AI perspective. We think it's a very succinct, clean use case that maps in very well with what we're doing with AI Aware. We're excited. We're also going to be able to leverage it to get better AI capability throughout all of Tenable. We're going to use them as a center of excellence from an AI perspective for the entire company.
Got it. Shifting gears a little, you guys have done a great job expanding margins and free cash flow margins. You'll have mid-20s free cash flow margins, high 20s, I think unleveraged free cash flow margins this year. Investors, I think, obviously would like to see higher growth. What is the strategy? What gets you to a stabilizing or reaccelerating growth rate over the next few quarters or next year? What needs to go right for that to happen for Tenable?
Yeah. The growth algorithm, which you alluded to in your questions, about 80% of our business is vulnerability management. That's going mid to high single digits, depending on the quarter. The 20% that's exposure solutions is growing around 30%. It's putting all the right investments in place, like Vulcan that we closed in February. We took our free cash flow for the year down to reflect that investment. That's a proof point of where we feel like we're not capital constrained or margin constrained from putting all the right pieces in place. If you run that growth algorithm at those growth rates, you get to double-digit growth in the medium term. What we're doing is trying to execute on putting all those pieces together within Tenable One to make that exposure management piece of the business grow even faster.
Yeah. Got it. On the free cash flow, you're generating a lot. I think you spent $60 million-ish on buybacks in Q1. I know M&A remains a priority, but I guess in the interim with the stock where it's at, should we expect that pace of buybacks to continue? Is M&A a higher priority? How should we think about capital allocation?
Sure. I would say that M&A is opportunity dependent, but always ranks above EPS and share buybacks. We have authorization to continue at the pace that we did in Q1. I would think of history as being the best predictor of our outlook for the future. We have plenty of capital to deploy within our M&A opportunity set. It is not a constraint.
Yeah. Yeah. Mark, back to you. You and Steve are co-CEOs a couple of months into that role. I know operating in that kind of dynamic for a bit longer, of course. Investors, sometimes you see a startup with a founder, and then more of a business-oriented mind comes in, co-CEOs. You do not typically see co-CEOs with the business of this scale and maturity. How should we think about kind of the split of duties here? Also on the CFO search, just any update on where you guys are there?
You bet. Just, yeah, totally. It is like when you look at it from the outside, having co-CEOs for a publicly traded company is somewhat unique. The situation, though, for Tenable was unique also. With Amit going through two different pretty significant rounds of chemo, Steve and I were really running the company kind of in this way for quite a bit of time. We were very used to building out and working collaboratively, communicating on exactly how we were going to run the company. We were very used to it. The employee base and our customers were very comfortable with Steve and I leading the organization.
With the passing of Amit, we felt like when we looked at it strategically, it's a huge benefit when you have two leaders that literally, we use this term at Tenable all the time, can check their ego at the door. Meaning Steve and I do not have egos in regard to making and having final decisions. We make them together. What you have is very unique. You have two very detail-oriented subject matter experts. My function as co-CEO is to run all of the different customer-facing go-to-market functions of Tenable. I've got the sales org, I've got the marketing team, I've got the customer success team, the professional services, the tech support. All of that aligns into me, which I've been doing for almost 30 years. Steve obviously was CFO, still is CFO as we continue the search.
Very astute in regard to the finances, obviously very detail-oriented on the product side of the house, on the M&A side of the house, and the office of the cybersecurity team rolling into Steve. It allows us to divide and conquer. This is a great example where I am here today at this conference, and Steve is at the Gartner Conference presenting to four or five different customer forums, meeting with a bunch of executives. You are able to have the co-CEO model where you can divide and conquer. We talk four or five times every day. We always make our decisions together collaboratively. It is something that has been very effective and efficient. The other two points is we can execute in this way in regard to strategic initiatives. We have acquired two companies as we have been co-CEOs, Vulcan and Apex. We are able to recruit.
We recruited a brand new Chief Product Officer, Eric Doerr, who is a highly respected Google Cloud executive and at Microsoft for 18 years, one of the predominant, most foremost thinkers in execution machines in regard to building out cloud-based cybersecurity tools. He has now joined Tenable. I think it's going to be a model that's extremely effective. It is unique, but it happened under a unique situation. You get two leaders, in my view, that know how to run it and be able to effectively manage the team this way.
Got it. That's helpful. That's good clarification. Mark, Chris, that's all the time we have today, but appreciate the conversation. Best of luck going forward.
Thanks, Rudy. Good seeing you, man. Appreciate it very much.
Thanks. Thanks for your.