Excellent, well, hey, good afternoon, everyone. Welcome to day one of the Barclays Tech Conference. My name is Saket Kalia. I cover software here. Honored to have with us the team here from Tenable. We've got Steve Vintz, Co-CEO, as well as Matt Brown, new CFO. Also have Erin Carney, head of investor relations, there in the audience, so we've got about 30 minutes together. Let's spend the first 20 or 25 minutes just going through some fireside chat with the team, which I know is gonna be real fun, and then we'd love to make it interactive. If anyone's got a question, just pop up your hand. We'll get a mic out to you for the benefit of the webcast, so with that, Steve, Matt, thanks so much for being with us here today.
Happy to be here.
Thank you.
Yeah, absolutely, so you know, I think that there's so much to talk about from last quarter, right? I mean, Steve, Matt, maybe just to help us level set, can you just spend a couple minutes kind of recapping some of the points from last quarter that you were most proud of? Maybe, Steve, you talk to us about some of the strategic points in the business that we've made some really good progress and some good things, and Matt, maybe from a financial perspective, you can highlight some of the points you wanted us to take away.
Sure. I'll start here, and you know, we're pleased with the results in the third quarter. Matt can get into this a little more, but we exceeded on both the top and bottom line and gave a strong outlook for the year. That's always a good thing, but kind of numbers aside, one of the things I'm particularly proud of is the momentum and the traction that we're getting with our exposure management platform, and just to level set, exposure management, and you know, in its most basic form, is a unified, business risk-based business contextualized view of your entire security program, so you understand your entire digital footprint.
So whether it's assets and connected devices on the network or workloads in the cloud or even, you know, industrial control systems, these things that are on your factory floor, to understand all of that, do that in a very unified way. So you're identifying the most important vulnerabilities and exposures on your most important devices that have the most sensitive data, with lots of entitlements and access, both human and machine. So you're identifying likely passive exploit for the organization so they can look at the company through the lens of threat actors. It's a big problem. It's one of the most important, we think, in all of security, and we had great traction this quarter with our exposure management platform. Over 300-plus new customers we added. A good number of those were new lands with the platform.
We're also seeing, certainly significantly higher ASPs, which is great to continue to get traction there, and one of the important attack vectors, if you look at our exposure management offering, which includes traditional assessing traditional network devices, it includes cloud, it includes web apps, it includes ASM and other areas of the attack surface, but moreover, more recently, we announced over 300 integrations as part of the platform, so we're now able to ingest data from other security companies, whether it's web app, you know, data from security companies and web application and AppSec cloud, endpoints, whatever the case may be, ingesting that data, combining it with our own, enriching it, scoring it to be able to drive higher levels of mobilization and remediation, so the traction there has been notable.
And AI is also creating tailwinds for us where we brought to market and announced AI Exposure, where we're now able to identify, as part of the platform, vulnerabilities, misconfigurations, and flaws in a lot of these AI applications and the cloud environments in which they run in.
Yeah, absolutely. Matt, maybe on the financial side, you could round that out.
Yeah, so much to be proud of in Q3. I was very happy that we were able to come in over the high end of the guide on all of the metrics that we guided to for the quarter, which was fantastic, and that also allowed us to guide up for full year at the midpoint on our guided metrics, so felt really good about.
Mm-hmm.
About the solid execution there. We saw 11% revenue growth. I was super happy about the incremental margin growth that we saw. So year over year, in the quarter, we saw a 350 baCISA point increase year over year for op margin, which is especially impressive given that at that same time, we increased our R&D spend by 18%. So we were able to generate that much incremental margin while still investing heavily in product development. That made me very happy. So put us on solid footing for the rest of the year. It's encouraging to feel that momentum building. And yeah, looking forward to continuing that trend.
Yeah, absolutely. Steve, maybe back to you. I mean, you know, the way that you talked about the business before just around sort of exposure management, that's so much of a broader category than what we've historically called, you know, VM vulnerability management. How do you think about that sort of expanding the TAM? Do you see that out there? I mean, you know, do you think exposure management kind of expands that definition?
It does. You know, we've been on this journey for some time now. We went public in 2018. We were not the market leader in VM, but one of the things we said is that our mandate was, in short order, to become the unequivocal leader in vulnerability management. VM is really the ability to discover and identify exposures and network-based devices and servers desktops and laptops. Over the years following, you know, we brought new capabilities to market to address other domains of the attack surface. One of the things that we talked about, early on, you know, during at the time of the IPO was the outgrowth of VM for what we call exposure management. Exposure management's a category that we've created. It got very little recognition and fanfare by the industry analysts.
And we saw it as certainly a big problem given all the vendor sprawl. When I talk to CEOs, CISOs, and even CIOs, you know, one of the things they tell me is that they're, you know, there's not a lack of data. And, in fact, there's an avalanche of it, and they're having a challenge managing all of it. So they're drowning in alerts and starved for insight. In fact, if you look at organizations today, you know, most reasonably sophisticated organizations have over 80 different security vendors and technologies deployed, across their environment. And, that doesn't create clarity. It creates a lot of noise. And so given the proliferation of all these devices and systems, we need a unified way to really understand risk, because cyber risk is not a technology issue. It is a business issue.
We need to be able to quantify risk and to be able to trend it in a way that others can understand the impact on the organization. We were pleased to see Gartner release an MQ for CTEM, their first one, specifically exposure assessment platforms. We were, you know, the top right. IDC also came out with a MarketScape report in exposure management. We were the top right. Forrester came out with their report this quarter on VRM, which is their precursor to exposure management. We were, you know, the top right there. It's nice to see a category that we created, you know, kind of, and a market turning to us.
Gartner says one of the biggest opportunities in all of security is exposure management, is CTEM, continuous threat and exposure management, in part because a lot of the spend in the market, if you think about it over the years, has been in detect and respond technologies, actively searching for breaches and then responding to them. 96% of all spend in security today is on detect and respond. Think about that. That's basically looking for fires. What we advocate at Tenable is what we call proactive security exposure management, which is the shift from fire fighting to fireproofing. And, Gartner, it's, we think, one of the biggest opportunities in the market. So we're early on it. It's a journey. We're getting great traction with customers.
Certainly, it's nice to see not only the independent industry analysts recognize it, but we're starting to see other companies now talk about exposure management, which I think is healthy because certainly it's a big opportunity, one of the largest TAMs. It's the intersection of cloud and network and identity and all these other things that help customers to really understand risk. But it's really the mobilization and the remediation pieces that I think are gonna continue to create an inflection point for us, which is what do you do with all that data? How do I look at all this data in a way where I can proactively reduce my risk? Because there's no shortage of vulnerabilities in the world. There's 300,000 unique vulnerabilities today that's been identified. According to our research, there's roughly over 500 billion unique instances of those vulnerabilities.
AI is leading to more vulnerabilities, more threats, and more breaches. It's demanding a secular shift in security, this shift to proactive, which is what exposure management's all about.
Interesting. Always love that analogy of firefighting versus fireproofing. Really brings it home. But maybe we'll use that as a stepping stone to talking about Tenable One a little bit. And, Matt, maybe the question is for you. You know, the way that I was viewing the mix shift in this business was that maybe VM was 80% of the business and exposure solutions was the remaining 20%. But that doesn't really tell the whole story because Tenable One, of course, includes VM. So I was curious, right, just as you come in with fresh eyes, how do you sort of articulate the mix shift that's happening in the business right now?
Yeah, it really does sort of start with that difference between EM and VM. And as you mentioned, there's more value in EM for the customer than there is in traditional VM, referencing back to that Gartner magic quadrant. It was very interesting. One of the, I think, most interesting stats that was identified in that piece talked about how companies that adopt exposure management solutions, those companies in the not-so-distant future, just in the next couple of years, will experience 30% less downtime as a result of exploited vulnerabilities compared to companies that have VM only. That just tells you the value proposition that you get from EM instead of VM. And for us, our Tenable One platform is our exposure management platform, right?
The super encouraging thing there from my point of view is, there is a tremendous amount of value that customers get when they go to Tenable One. We see an uplift in price. Tenable One grows faster than the rest of our portfolio. Those customers are stickier, so retention rates are better. All of that goodness, we're seeing momentum building and moving towards that platform, and the good news is we're fairly early days still, right? There's a lot of runway ahead of us. There's, you know, roughly a third of our business today of our enterprise business is in Tenable One. That means we've got two-thirds that we still have an opportunity to go get, which is really nice.
That was gonna be the next question on runway. So thank you for that. That's great context. Maybe, Steve, then this one could be for you, you know. I think we disclosed last quarter, right? We just said, right, Tenable One is about a third of the total business. And we've talked about sometimes how we've talked about sometimes the parallels between Tenable One and Tenable.io, for example, right? And so maybe the question is, how do you compare and contrast that adoption curve of Tenable One to Tenable.io? It seems like it's steeper. This feels steeper from what I remember Tenable.io, but I'd love to hear how you would compare and contrast those two.
Yeah, and so Tenable.io is our cloud-based VM offering, so historically, the roots of the company have been vulnerability assessment. We have a piece of technology called Nessus, which is one of the most ubiquitous pieces of technology in all of security. It's been downloaded over three million times, you know, represent, you know, virtually anyone who's a security professional has used it or is using it, and over the years, we've kind of built some enterprise-type capability around it and then delivered a more expansive VM capability as part of a cloud offering, which we've been in market doing for some time, but when we went public, it was somewhat of a newer offering for us, not the subscription model, but the cloud-based version.
And, you know, in short order, in three years, I think following the IPO, it became over 50% of our total sales. So we said it would take five. We did it in three. If you look today, Tenable One, as Matt talked about, highest selling prices, highest close rates, highest renewal rates of any of our products. It's where, what customers certainly it's how customers wanna buy, and it's how we're going to market. You know, it's roughly about 30%-40% of our total new sales. We think that'll be 60% plus. Also look for new pricing and packaging for us to continue to evolve. We have an asset-based pricing model. So as customers place more assets in their environment, increasingly, they turn to us to help assess those. And even in terms of total sales, it's about 30% of our total sales.
And, you know, we think that can more than double over the years. So feel really good about where we're going. One of the reasons why is what I talked about earlier, which is this shift from the detect and respond reactive to more proactive security, which AI is necessitating, right? There's no shortage of vulnerabilities. There's gonna be more vulnerabilities in the world with AI threat actors or weaponizing it. So, there's been more, you know, more zero days discovered this year and more incidents, and mean time from vulnerability discovery to vulnerability exploitation has shrunk dramatically. You used to have two weeks to be able to apply a patch. Now you have days and even, you know, seconds. So it's important not to necessarily understand vulnerabilities and manage all of them and patch everything, but identify likely paths of exploit.
So that's what this is really about. So consequently, 4% today spent on proactive security. Others have indicated a lot of the other industry analysts say that 4% will go over the next five to 10 years to 50%. That's a dramatic increase. So whether you think it's 4 going to 50 or 4 going to 20 or 25 or 30, you know, that's where this market's going. We're talking about a secular shift in security in terms of how we need to think about cyber risk as a whole. And certainly, exposure management can doing that in a continuous way is the epicenter of all that.
Yeah, absolutely. Matt, maybe for you, just staying on Tenable One, I mean, you know, you talked about kinda, you know, the ASP uplift that you get, the additional value that a customer's receiving. Just walk us through some of the drivers of that and what's kinda the uplift that you're able to see from some of the data that you've seen?
Yeah, it's a significant uplift. And at the same time, the customer's getting significant value too, right? And so it's quite a significant uplift when you look at a customer that is doing VM standalone only today into Tenable One. It can be as much as 50%-80% of a price uplift when they're using the full breadth of the features within Tenable One, which is important. And ultimately, that's where we want them to be and where we see just this enormous opportunity. Ideally, you're taking a standalone VM-only customer and helping them on their journey to a more sophisticated exposure management solution.
You know, part of the way of getting them on that journey is to get them into that platform so we can get them into the platform, land on the platform, expand from there, and it's a pretty significant price difference taking them from just core VM into the full breadth of our Tenable One platform.
Got it. Maybe, Matt, just to stay with you just on Tenable One 'cause we've talked a bunch about the product and we've talked about the market a little bit as well. I wanna and this is clearly the future of the business, right? That's what's kinda coming through. But I'd love to dig into how a growing mix of Tenable One could maybe impact the model.
Mm-hmm.
And so one of the things that we've talked about in the last couple of calls has sort of been this growing divergence or this divergence between CRPO and CCB, right?
Mm-hmm.
Calculated current billings. Can we just touch on, on that as it relates to Tenable One?
Sure.
If you could start us off, Matt.
Yeah. What we're seeing is increasingly, we're engaging with our customers on larger, more strategic, longer-term deals, which is exactly what we want. We love that. We've got, you know, a bigger seat at the table, and it is nice to be locked in with a customer for multiple years and free up capacity, all sorts of reasons why we want that. At the same time, though, whereas in the past, we may have required upfront billing, say, for a multi-year agreement, we're allowing our customers to pay annually, so what we're seeing is as more of these deals are happening, contract duration is going up, which is impacting RPO, and at the same time, billing's duration is actually going down because we no longer have a policy of requiring upfront billing. When that happens, you start to see some distortion in the numbers.
So CRPO is benefiting from having this outsized growth of long-term RPO, which is then feeding short-term and increasing that number, and conversely, CCB is being negatively distorted because the long-term billing portion, it's showing up in the contract, but it's not showing up in long-term deferred revenue, right, so there is this disconnect, where we know that they're both being distorted somewhat, and so that, you know, that's a dynamic that we wanted to make sure that folks understood because CCB is a metric that we have historically guided to and tracked, but it's something to just be aware of.
Yeah, absolutely. I think that's a really important point. I mean, and maybe we'll come back to that. But, Steve, maybe for you, just to kinda stay on the economics of Tenable One because I think they're just so much more compelling. As you build up a bigger base of Tenable One customers, what's keeping a customer on Tenable One or even expanding versus moving to another solution? And maybe relatedly, Matt, I mean, you touched on this earlier, but how different are the gross and net retention rates on Tenable One versus other Tenable products? Maybe you could start us off.
Sure. And we talked about the kind of our growing mix of Tenable One, higher selling prices and close rates and certainly renewal rates. Look, one of the reasons why customers are using Tenable One, it's you can't do Tenable One includes all of the individual domains that we assess, whether it's, you know, traditional VM, network-based devices, cloud, you know, cloud security, OT, which are the industrial control systems that are now digital and all, you know, interoperable and also suffered exploit. We're seeing more attacks there on critical infrastructure. Think manufacturing facilities, municipal water systems, think, telecommunications, all those things, right? You know, are create significant exposure.
And now even AI, which is an important part of the attack surface, shadow AI that, you know, applications that are downloaded or created that employees use not maliciously, but as a means to do their job faster, but it creates real risk because they're prompting things in these public LLMs, such as, you know, customer data, financial data, sensitive information around strategy. That's all part of the attack surface. We manage that. We can monitor at the prompt level and tie it back to your, your policy. So, and, and then now more recently, ingesting data from others. So when customers use Tenable One, selling prices are higher. It's a stickier product. And we're still very early in that journey with the customer because they don't buy and assess everything within their environment, but what they wanna do is they want more insight.
It's really all about, you know, unified visibility, right? Right now, visibility's fragmented with all of the vendor sprawl, and we're able to bring that together in a way where customers understand their entire digital footprint, right, by ingesting third-party data, which sounds seemingly simple, but it's more than APIs. It's normalizing it, deduping it. It's doing a whole bunch of things with the data so we can drive higher levels of prioritization. It's about visibility, it's about insight, right? All the contextualization that goes with it. And then, it's all about action too, which is how do I reduce risk? So this has been a journey on that we're on with customers. We're proud of the fact that, you know, more than 15% of our enterprise customers are now using the platform.
Even within those customers, those cohort of customers, the usage there we still think is modest in terms of our, you know, our ability to grow with them over the years. So it's a journey. And, you know, we feel like it's, you know, it's starting to inflect higher.
Absolutely. Matt, maybe on gross or net retention rates, the extent you can comment.
Yeah, so we don't publish the specific breakdown, right? And I won't do it here, but it is higher and it's higher than any individual product that we have as well. It's something that we're actually thinking about. There's a lot of interesting things when you start diving into Tenable One. And we give some Tenable One-specific metrics, but certainly as we're thinking about, you know, hey, you know, CCB, maybe not as meaningful as it used to be. What are some other metrics internally that we're looking at? Some Tenable One-specific metrics are certainly some of the things that we're thinking about.
So, boy, that's a great segue into the next question that I wanted to ask you, Matt. I mean, you know, to your point, right? Like, as we change, as the billing's duration here changes, that might weigh a little bit on CCB. You still grew at 11%, but then, of course, you know, RPO might also feel that impact of longer contract duration. So, I mean, how could those focus metrics change? Like, does it make sense to go to, you know, talk about other metrics? You know, a lot of our companies talk about ARR. I mean, you know, how do you sorta think about the future of the metrics here as the business evolves? Because the economics here are improving. Those metrics don't necessarily reflect it properly. So.
Yeah.
What would be a good way to think about that?
It's something that we're thinking a lot about, and there are a lot of different options and there's pros and cons to many. ARR is something that we look at internally, but lots of folks have different definitions of what ARR is and so different ways of measuring it. So I'm not sure that that's the best either. It's absolutely top of mind. We know that revenue is solid, right, in terms of a metric. That gets reported all the time.
Yep.
We know what that is. It's a gap definition. Everybody knows how to calculate it, and it also falls right in the middle now of what I would consider your upper and lower bounds of CCB on the one end and CRPO on the other. Revenue's right in the middle, so that might be the best metric, but it's something that we're thinking about.
Yeah, absolutely. I wanna go back to some financial questions in a second. But, Steve, maybe for you, obviously U.S., Fed, and public sector have been, you know, nice, large, stable businesses for Tenable for years now. Is there any area within the large public sector that you and the team are particularly excited about as we head into 2026?
Yeah. Well, I think it's notable that we're able to deliver good quarters despite the sizable market leadership we have in the Fed. We serve a wide range of three-letter federal agencies. U.S. public sector's 15% of our total sales, so we have major market leadership there, and the good news is that, you know, we've been able to close deals despite somewhat of a selling environment where there's far less visibility. Look, we've had to deal with everything from DOE early on at the beginning of the year where there's disruption in personnel. You know, we lack real leadership in security within Fed right now. Like, there's Sean Plankey. Well, first of all, there's, you know, CISA has been completely right-sized, right? It's back to their focus over the years in a prior administration. Politics aside has been on election security.
The Trump administration now is refocusing the kind of their center of gravity into critical infrastructure and network security, which is the original congressional mandate. We hear Plankey. I don't. It's been some time. He has not been confirmed. We're told now he's out. So we don't have leadership at CISA. I think new business has been tougher. Well, I know new business has been tougher to transact within the government. But that's transitory stuff. That's all short-term stuff. Public sector major leadership has created talent and growth for us over the years. It will create talent and growth for us in the ensuing years. Right now, there's just a little less visibility. Deals are a little tougher to get across the finish line. But despite that, we're able to deliver good results, give a good outlook.
The best days are still ahead for us in Fed because they wanna modernize. They wanna consolidate. Those are all things that we do really well. Obviously they also wanna focus on things like cloud security where we're now FedRAMP authorized. Things like exposure management where we're now FedRAMP authorized. Look for bigger deals, more traction there.
That's great. That's great. Matt, maybe back to you. I mean, just to talk about growth, headwinds, tailwinds, it's obviously very early to guide for next year. But with all the different dynamics that we've talked about, what are some puts and takes that you want us to think about for the model next year from a growth and profitability perspective?
Yeah, I think so yeah, definitely too early to guide. We're feeling really positive about obviously how Q3 went, our then renewed optimism for 2025, where we were able to take up a guide, so feeling like that's providing some nice momentum and stability, and we've had a history of being able to grow while continuing to expand margins. That's also something that we're gonna continue to focus on, so you know, look for more of that. We remain committed to making sure that we can grow with profitability and at the same time making sure that we're investing in all of the areas where we're seeing growth out there on the horizon.
Yeah. That's a really helpful framework. I mean, Steve, maybe last one, as we wrap up here, I mean, you know, to Matt's point just around still being able to invest, I think you specifically highlighted investments in R&D on the Q3 call. You know, the team has just done a series of great tuck-in acquisitions over the years to really build that breadth of product right across exposure. Should we expect that to continue? Maybe open-ended question for you.
Security's a fragmented market, and the deals we've done in the past are used, were used as a means to accelerate roadmap, and there, you know, there's a lot of customer pull with respect to those, but they're also a journey. They've been a journey for us. Like, for example, we acquired a company called Apex Security early in the year, and even Vulcan Cyber, which is more on the third-party data side, but with those acquisitions, they require time. They require investment. You know, the products have to mature. We're also very focused, as you heard today, time and time again on, you know, selling and going to market with a unified platform, and so sometimes they necessitate, you know, rewriting of technology and code into the platform. The short answer is, yes, we'll continue to evaluate acquisitions, but we have a full plate right now.
We're hard at work and bringing, if you think about the growth that we've been able to deliver today with certainly no tailwinds from Fed, and historically there have been and there will be, with quite frankly, you know, we only have been in market with third-party data for a very short amount of time. And next year we'll have a full year of selling that. We now have 300-plus integrations into the platform and more to come. And more importantly, the mobilization, the remediation pieces that are now coming to market in the fourth quarter from the Vulcan Cyber acquisition. So these are all things, and then AI security. So these are all things that quite frankly we haven't gotten the benefit of this year. We've been able to transact newer business. We've been able to deliver, get momentum with the platform.
We've been able to get validation and recognition from the industry analysts as the leader in one of the most important markets. Our best days are still ahead. We think we have all the capability we need to be able to drive growth to the levels that we want, and we're committed, and that's what we're focused on for now.
I don't think I could have thought of a better way to end right there. So, Steve, Matt, thanks so much. That was a really enlightening session. So thank you.
Thank you, Saket.
Take care.
Appreciate it.
Thanks, Matt.