To get situated, I'll start with the disclosure. For important disclosures, please see the Morgan Stanley Research Disclosure website at morganstanley.com/researchdisclosures. If you have any questions, please reach out to your Morgan Stanley sales representative. I'm Nina Marshall . I cover cybersecurity here at Morgan Stanley. We're delighted to have Tenable here with us today. Steve Vintz and Matt Brown, Co-CEO and CFO. You guys have done a great job over the last year or so of kind of pivoting the business more towards Tenable One and exposure management over the last couple of years. Just how did you guys put yourself in that position to capitalize on this transition?
I would say it's really comes down to three things. Number one, it's recognizing early on that exposure management is a larger expansionary opportunity to vulnerability management. If you look at our roots over the years, we're really strong, historically have been in discovering and assessing network-based devices. Over the years, we've applied that core use case into other domains and other areas and brought to market an OT capability. We also look at like cloud, both on the pre-production side, looking at misconfigurations, identity security, as well as web app scanning. Over the years we've expanded that core use case to other asset types. Now today we also assess one of the largest threat vectors in security, which is the AI attack surface, which we can talk more about.
Over the years, kind of going broader across the attack surface, a larger, more expansionary opportunity. The second thing I would say is understanding that to be a successful EM platform, yes, you have to do VM, and you have to do much more, but you also have to have an open platform and allow yourself to ingest data from other security companies, which we do. We have over 300 connectors.
Mm-hmm.
The real goal here is to be able to correlate risks to identify leaky S3 buckets that have misconfigurations with lots of entitlements and access, and then go to a customer and say, "Hey, this is what you need to be able to prioritize. This is what you need to be able to focus on." Contextualization is really important, and AI will actually allow us to go even faster there. I think the third thing would be our North Star here is not just helping customers understand risk, but helping them reduce it. The orchestrated remediation, tying vulnerabilities and threats and entitlements and access to risk reduction on the back end is really critical. That means we can do bulk configuration changes in multi-cloud environments.
That means that we can spin up a fleet of agents that interact with a lot of the players on the tooling side to be able to reduce risk, whether it's applying virtual patches or taking other action. Helping customers reduce risk, remediating risk, and driving higher levels of mobilization is one of our, you know, is a big endgame for exposure management.
Got it. I mean, that's a much broader value proposition to customers. You know, how does that change either the sales cycle or like the proof points necessary to close?
Well, if you look over the years, we've become, we've demonstrated the ability to drive ASPs higher. If you look at sales of our Tenable One platform, which is our flagship product. We have a standalone VM offering that does traditional VM when it comes to looking at exposures on network-based devices. Over the years, we spent a lot of time integrating a lot of these capabilities across these different domains into a single unified platform. That's important because more often than not, customers recognize that security is very siloed. Most large organizations or enterprises today have 80-plus vendors in their supply chain.
To be able to develop a unified view, to be able to take all the things that you assess, all that data, and correlate it with external third-party data and develop a single unified view of risk and your entire digital footprint is really important. ASPs are higher. When we sell the platform, they're anywhere from, you know, 30%-80% higher. Higher ASPs, higher selling prices, higher close rates, and the platform is now roughly 40% of our new sales. We've become more strategically relevant to customers. It's also recognized as one of the biggest problems in all of security. Gartner's come on record and said, "CTEM, continuous threat and exposure management, is one of the major spending opportunities." Today, 96% of all spend is on detect and respond.
Exposure management is really about proactive security, helping customers reduce risk. Consequently, they expect outsized growth and spend in proactive security. You know, this notion that I'm going to look for incidents and breaches and try to detect those and then respond to those, that thinking, those resources, that investment needs to shift to proactive security, and that's what's inflecting deal sizes.
how does... Sorry.
Yeah, I was just gonna add on. One of the ways that that's showing up for us is that we are seeing this increase in the number of large multi-year strategic transactions with our customers. We're being elevated within our customers' security environment to where we're having those higher-level strategic conversations, which of course, is driving more loyalty. Where we're seeing within the platform, churn rates are lower than they are for customers that are outside of the platform. Increasingly we're seeing more customers moving onto the platform, which is very positive.
Okay, perfect. Before we kinda dive more into that, obviously there's been a lot of discussion over the past few weeks around cloud security and this impacts to cybersecurity. I'm sure you might have even had many of those conversations today. You know, most of this started kind of after your earnings, just wanted to hear from you what you see as competitive moats from AI natives and Kind of how you think that this discussion is kind of disconnected from the reality that you're seeing?
Sure. I would say if you look at what Claude does today, they announce capabilities that scans publicly available open source software on a pre-production basis. If you look at where we play. Code scanning, the code scanning capabilities we have, A, is small, and B, it's very different than what Anthropic announced. Where we're strong is really on the data side. We are post-production infrastructure runtime, which means we're behind the firewall. The relationship we have with our customers that's built over the last 20 years is based on trust. We're able to, when we assess, detect things that others can't, no LLM can do. It's things like an inventory of your of all your software libraries, an inventory of the configurations of the device.
It's understanding if your password's 6 digits and your policy says 9 digits. It's built on a level of trust. It's based on assessment and real capability that others don't see. It's certainly very deep, and that's a little different than certainly where Anthropic plays. I would say also the second thing here is the ability to be able to correlate things. That's really important, based on the data that we do have, and deliver insights to customers that, quite frankly, LLMs can't do. I say that because, right now, we see ourselves as the contextualized truth to be able to orchestrate fixes. Yes, can some of the AI labs deliver enhanced capabilities and security and allow us to assess risk faster, to be able to correlate risk sooner?
Absolutely. Taking action unilaterally without context creates risk. The big opportunity for us is doing that in a very deterministic way. A lot of the AI labs are probabilistic, and they're undeterministic. The contextualized truth to have the confidence for customers to be able to take action, to be able to reduce risk is really important. AI, we believe, is creates incredible opportunity for us. We're still in a world where customers quite frankly, don't want to deploy patching automatically. They believe it creates too much risk. They want a human in the loop. The capabilities that we have allows customers to take action based on their maturity, where they can do things with a human still in the loop, where they feel safe.
They can also do it autonomously with guardrails, where it's safe, where they think the exposure is minimal. Over the course of time, more automated remediation is one of the big value props for us.
You kind of mentioned that seeing AI as an opportunity. How do you benefit from that kind of increased surface area? Is it what drives people to look for exposure management? Just how do you benefit from AI versus kind of what we've said is that it's not a headwind?
Well, what's played out in the market over the last couple weeks has really been on, okay, what risk does AI create for SaaS companies? Certainly, you know, there will be some levels of disruption, probably more for SaaS-based businesses that have seat-based license models or have workflow that's repeatable that possibly, vibe coding can help solve, or even things like businesses that are built on data models that where it's publicly available, and we saw a good example of that with, you know, with the scanning of open source code. If you look at our opportunity here, we have the ability with AI to discover Shadow AI applications. The proliferation of AI applications has been dramatic.
most customers have no idea what applications they're using in their environment, whether they're downloaded, whether they build them internally, whether they're browser plugins. There's a lot of talk about Claude bot. Discovering things like use of ChatGPT, Gemini, internally developed applications is really important. More importantly, we have the ability to monitor at the prompt level, what information that's going into a lot of these LLMs. Is it sensitive customer information? Is it proprietary code? Is it financial information? More importantly, tie that back to use cases. AI, we believe, is going to be a big opportunity for us, and will create tailwinds.
We actually talked about closing a seven-figure deal with a customer last quarter for their use of AI exposure, where we're helping them discover Shadow AI and then tie it back to governance and policy. It's questions that boards are increasingly asking, which is, how secure are we? What's our risk with AI? Obviously, these are questions that we're able to help our customers answer with clarity.
Yeah.
I think, I look at it as a massive opportunity because it really plays to our strengths.
Mm-hmm.
Right? If you think about what we do in exposure management, it is about getting visibility, insights, and actions. Every company out there is trying to adopt AI for lots of really good reasons. More efficient and effective, and you wanna get all of these different operational benefits out of it. From a risk perspective, what companies need to understand is, what models are in use? How are they being used? The first step is visibility, and that's what Tenable One can provide. Next, okay, how do you contextualize that? How do you get insights into that visibility? Last, of course, how do you take action? For us, it's an opportunity because you now have a new and emerging
Category that we just didn't have before. Increasingly, companies are looking at, of course, how do you adopt AI to make yourself more efficient and effective, but also they have to understand how do we secure that.
Mm-hmm.
That's really, really, really important, and that plays to our strengths.
Got it. Okay. I wanna jump back into just kind of Tenable One. You know, you've referenced kind of an 80% ASP uplift when customers translate or transition from standalone VM to Tenable One. Just where do you think we are on that migration cycle, and just what is that gating item to kind of converting the install base?
Yeah. We're I would say fairly early-
Mm-hmm
... but far enough along that we can see that it's working.
Yeah.
To give you some numbers, We closed out last year in Q4 with the highest percentage of new and expansion opportunities that were closed and won in Tenable One in the platform at 45%. That's the highest in a quarter that we've seen. In terms of total, when you look at both new and renewal, it represents about a third of our business today. We're seeing customers increasingly moving into the platform. And whether that's from standalone VM or other standalone EM solutions, what our customers are finding that is within the platform, they're able to have just a far more effective exposure management experience. The reason I say we're fairly early is because the opportunity out there is still massive.
Yeah.
We've got two-thirds of our enterprise customers then that are not yet on the platform. Our expectation is as those customers move over, they're going to see, yes, the price uplift. We also know already that these are customers that are expanding more, they're churning less. All of the good things that you would wanna see are happening in the platform. Those are the types of things that we're seeing underneath the surface right now.
There's no intent to, you know, try to force people to Tenable One or some sort of upgrade path, incentives to kind of speed up that transition or...
There's a couple of things that we're doing that are very customer friendly. Number one, we'll very soon have pricing and packaging that reduces quite a bit of friction for customers.
Okay
... to go and adopt the platform. That's coming soon and is all good news for customers. The other thing we're doing is we're incentivizing our sales force to encourage platform adoption. There's an incentive there for our, all of our quota-carrying sales reps to go out and encourage sales in the platform. That's all good. We are not penalizing customers. If customers wanna continue to be on their standalone SKU, they may continue to do that. We don't have plans to end that.
Okay. You highlighted, you know, 300 validated integrations earlier. Just how do those integrations kind of impact win rates, time to value, you know, and where are we in terms of, you know, where do you want to get the number of integrations to?
Sure. Security is a very fragmented market, arguably there's probably 20,000 plus cyber securities in the world offering a wide range of capabilities, most of those companies are less than $20 million in revenue. Our view of the world is this: that if we look at the number of integrations, they pertain directly to a core customer use case. Customers may have a preference to use a certain provider for cloud, another provider for EDR. We're really strong at assessing devices across a wide range of domains, we also recognize that we're not going to have core IP in all domains. No, no security company can. The integrations is really important.
We acquired a company called Vulcan early last year that not only had those integration capabilities, but also the mobilization pieces that are really important because that's kind of the downstream benefit of ingesting data, is that we're able to deliver higher levels of visibility to correlate things that we previously could not, but more importantly, to be able to take action to reduce risk. We'll continue to add more integrations. Some of those integrations are bi-directional, and that's really important too because it creates a closed loop. Depending on the level and the maturity of the customer, some customers may want us, once we ingest data and correlate it, normalize it and dedupe it, because that's really the hard part here.
Ingesting data is one thing, but to be able to understand that you're ingesting data from CrowdStrike or Prisma or some of the other players that are out there, and then combine that with your own exposure data and then say, "This is a unique asset or a duplicate asset," and then to normalize it so customers understand and have an inventory of their entire digital footprint. More importantly, tie that back to devices that may have critical data, that have lots of entitlements and access, that's really important. It represents some of our largest deals. It's a big opportunity. It's one of the reasons why we think the expansion rate over time will continue to inflect up.
Obviously it's a more complicated sale, and it's one of the reasons why customers are also making longer term commitments to us. If you look at the growth in long-term RPO, I think it's up 35%-40%. Customers are buying more upfront, resulting in higher selling prices, making longer term contractual commitments, so you can see that in the RPO growth.
Got it. you know, you reported 500+ net new customers in Q4 and said the platform customer adds were the best in two years. What has specifically changed kind of in the execution to drive that improvement, and just how should we think about the sustainability in 2026?
I would say it's around a couple of key things. Number one, we're leading with the platform, a platform-first approach. I talked about the evolution of Tenable over the years, where we have brought new capabilities to market, taking that core exposure use case on the network and then applying that into different asset and different domain types. More recently, integrating a lot of those datasets into the platform. Historically, if you kind of look at how we've gone to market, it's really with individual products. Even in the platform, calculating different licenses for different asset types. One is platform at the center of everything we do, and we pay higher remuneration for a platform sale, because a platform sale means larger selling price, it means higher close rate, it also means higher renewal rate.
Second thing is also moving away, if you look at the innovation, shifting that innovation, not so much at the sensor level, but at the platform level. One of the big changes that we made last year early was we used to have GMs and individual products that had their own roadmap that was developing capabilities around individual sensors. It could be things like grouping and tagging or role-based access. It could be more enhanced reporting. We want sensors to be able to assess, and a lot of the capabilities, a lot of the correlation, has to be at the platform level. That was a big change that we made last year. Engineering's changed quite a bit in that regard. Number one, go-to-market has changed, and now there's focus on things more recently where we're removing friction.
Instead of selling individual asset types as part of the platform, we're gonna be selling tokenized access to the platform to allow higher levels of utilization and adoption.
Got it. On the federal side, you know, this has been a kind of meaningful portion of your business over the years. You implied that the 2026 growth rate would be in line with the overall company. Just what are you seeing in this market, and are there opportunities for you to kind of gain share in that environment?
Sure. Yeah, I think there are. As you know, before 2025, Fed was a tailwind for our overall growth, and in 2025, it was a slight headwind. As you mentioned, in 2026, we think it'll grow more or less in line. As we look forward into the future, we expect Fed is gonna continue to be a positive driver of our business.
Mm-hmm.
I do think that there's opportunity where, you know, rather than being a headwind as it was in 2025, we can start to see a tailwind again. I think that then, of course, improves our overall growth rate.
Got it. I mean, you exited the year at 10.5% year-over-year growth. You guided to fiscal 2027 to 7% at the midpoint. You know, understanding we are very early in the year. Just how are you thinking about kind of 2026 growth relative or the drivers of 2026 and if they're any different than what you saw in 2025?
I think the important things that we wanna see that are not necessarily evident in that headline figure are things like Tenable One adoption and growth as well as expansion. Some of the early indicators that I think we'll wanna be looking for are an increasing percentage of adoption in Tenable One, which we talk about every quarter and we'll continue to talk about. That's a very positive sign for us. Also looking at our net expansion rate, which has been coming down pretty steadily over the last several years. You know, we'll wanna look to that rate as we get to the back half of 2026 as evidence that expansion is picking up.
What we have seen, most recently is an increase in growth rate in new and expansion, which is exactly what you wanna see.
Yeah.
Renewal rates remain intact, churn is steady. When we can begin to see an increase in growth rate in new and expansion, that will ultimately show up in the top-line measure. Probably the first place it will be evident to everybody else is in that net expansion rate.
Okay. Steve, you mentioned earlier the seven-figure AI exposure deal. What was the core use case that made it kind of AI exposure versus kind of a traditional exposure purchase, and just kind of any context around that deal?
Sure. Well, the core use case there was Shadow AI. It's back to this notion, which is, like, how secure am I and what's my level of risk? That's, these are foundational questions, one that we're really good at answering, and we've demonstrated ability to do that over time. AI is the new threat vector, one of the biggest blind spots in security. If you look at the use of AI, it's been obviously prolific. We've all read the data points, but 1.5 billion monthly users between, you know, Gemini and ChatGPT. You know, yet that's only the, what is it? Arguably 20%, 15% of the world's population. Code today, you can, depending on what you read, is anywhere from 5%- 30% of all code is AI-generated or AI-assisted.
Without the ability to understand your risk, understand the applications, understand the deployment in your environment, and then be able to tie it back to policy and use case and governance models, it's really important. It really starts with visibility, and it was actually a sizable seven-figure deal. Sales cycle was very short, came in near the end of the quarter, and we're hard at work building pipeline, and we expect to continue to be successful there. We're early in that journey, but we are monetizing capability. We have a real role to play here in the AI attack surface.
Got it. I mean, AI risk kind of being this board level discussion, you know, and you guys having a way to kind of give people actionable insights into those environments. Just how do you determine, like, you know, what KPIs are gonna matter most internally? How do you know, just like, how do you better kind of optimize deals or better capture deals like the ones you just spoke about?
Is it, just to clarify your question, is it really, okay, what's our momentum and success in securing AI in this agentic world? Or is it, "Hey, how are we using AI internally to go faster?
No, no. It's more of the former of like.
Okay.
How do you capitalize on, you know, this large deal that you just signed and kind of the momentum that that can bring in how to kind of more package-?
Sure.
something to kind of be this, like, AI risk solution.
Well, you know, in terms of how we measure that, I would say there's different levels here of both qualitative and quantitative. Number one would be, okay, you have to look and think early. At the top of the funnel, are we creating opportunities here? Are sales reps having conversations with customers about not only our ability to secure AI, but also, or do customers understand our ability to correlate data? A, leading with the platform, B, with a particular focus on AI exposure. That's really important. Number two, I would say, you know, closing deals. Deals matter here, the size of those deals matter too. In software, companies can tout a lot of different capabilities, but the one thing that's undeniable are customers, and referenceable customers and sizable customers.
Obviously, we wanna see more momentum with customers, more closed won opportunities. The third thing is really, like, what's the impact on overall growth? I know it's hard for investors to try to figure out who's an AI winner, and who's not, who will be disrupted, and who's a beneficiary, but the easy way to cut the deck here is really on growth. We're focused on driving growth higher with the right product, right market, right strategy, and we have a big role here to play in this agentic world. The ability to help customers not only understand risk but reduce it is really important. I think it's all the usual KPIs that you would see, which is, you know, traction with the platform, utilization, and the assessment with AI exposure.
obviously on the back end, to be able to help drive expansion and higher renewal rates.
Got it. Matt, you mentioned the dollar net expansion rate earlier. You know, you guys found some kind of stabilization in the first half, or talked about stabilization in the first half. Just is it as simple as more Tenable One is gonna lead to a re-acceleration there, or are there other levers that we should be thinking about?
Yeah. It's specific to expansion. Expansion is a huge part of the Tenable One platform story.
Yeah.
Reason for that is once a customer is in the platform, it becomes very easy, and particularly with our new pricing and packaging, it becomes very easy to expand and begin scanning additional asset types. The more that customers are scanning, the better overall picture they get.
Mm-hmm.
-of their, exposure. Of course, that means for us then we're able to increase the size of that deal. Our expectation is with increased adoption of Tenable One, we will see increased rates of expansion, and that's obviously a big piece.
Yeah.
-of that net expansion rate. If you go back and just chart this rate over time, it has been coming down. What we're beginning to see underneath the surface is increasing rates of expansion.
Mm-hmm.
Our expectation then is that as we get to the back half of 2026, that'll start to show up in the, in the overall rate.
Got it. You know, we've also seen kind of some shift in the, in the billing terms. Just how are contract duration and renewal billing behavior changing? You know, just anything that we should be noting there?
Yeah. We talked a lot about this, last quarter and even the quarter before a little bit, where the push into the platform is driving larger, more strategic multi-year deals. In many cases, customers just don't wanna pay 100% upfront.
Mm-hmm.
They would prefer to pay in installment billings annually, which for us, we're okay with. As a result, while we have been seeing, contract durations increasing, the billings duration has been decreasing, which is driving this difference in Current Calculated Billings.
Mm-hmm.
which is being impacted by billings duration and CRPO, which is being impacted by contract duration. My expectation is that we're gonna continue to see contract duration continuing to expand. Where we saw a 5 percentage point difference at the end of Q4 between CCB and CRPO, my expectation is that as we make our way through 2026 and certainly into 2027, those rates will begin to normalize and converge somewhat. All the while, we will continue to drive larger and more strategic deals in the platform.
Got it. You know, in terms of operating margin guidance, you guided to 150 basis points kind of approximately of expansion into 2026. You know, where are you investing? Where are you seeing as the highest ROI investments? Then maybe that kind of circles back to the, you know, the latter part of that AI question, Steve, of, you know, are there ways in which you guys are using AI internally to find efficiencies?
Yeah. I'll answer the first part and then kick it over to Steve for the second.
One of the things I'm proudest of is our ability to continue to expand operating margin while at the same time investing very heavily in R&D.
Mm-hmm.
You saw that in 2025, where our R&D expense grew 23%. In that same period of time, year-over-year, we grew our non-GAAP operating margin by 140 basis points. That formula is the same formula we're gonna be taking forward into 2026.
Mm-hmm.
Which is we're gonna continue to invest very heavily in product development. We think there's just massive opportunities that are in front of us, and it's very important that we that we develop and invest heavily in the product. Where we're pouring those investments into is exactly where you'd expect. It's within the platform in Tenable One, and it's around AI exposure. Where we're gonna find the margin is basically everywhere else on the P&L.
Mm-hmm.
Little bit out of gross margin, more out of sales and marketing, and more out of G&A. I would say with regard to the latter part of that question, we look at AI as a horizontal enabling function that makes every area better. For example, in engineering, as you can imagine, the focus is on greater adoption of AI through the use of a series of tools. We wanna see more AI-generated or assisted code. We wanna see AI deeply embedded into the workflows. That's really important. In terms of things like on the sales side, understanding the opportunities and looking at data and say, "Okay, what opportunities have a higher likelihood of close? Is it large or small customers? US or outside?
What products? We're also leveraging AI to better support customers, where only a smaller percentage of calls and escalations actually will go to a technical support engineer. The frontline defense is that we feel like AI, we're leveraging AI to be able to get information in the hands of customers depending on their specific need, want, and need. It's all the things that you would think. I would say moreover, I think the margins in this business can, and for a lot of companies like Tenable, can go much higher than even anticipated.
The fact that we're over $1 billion in sales, we have 40,000 plus customers, we have massive distribution. More importantly, we're able to leverage AI to be able to make our business more efficient, more productive. I think the operating margins over the course of time will be very, very attractive, perhaps even above and beyond what we've committed to previously.
Got it. Then maybe just last question from me on, you know, capital allocation. You guys obviously, increased the share repurchase authorization, but just how are you kind of balancing buybacks, M&A, organic investment, you know, as you look forward?
Yeah. As we announced in the last earnings call, our share repurchase authorization now stands at almost $340 million.
Mm-hmm.
Our intention is to lean heavily into that and accelerate that, the repurchase of shares because we believe fundamentally, shares are undervalued.
Yeah.
We believe that's a good use of capital. We will also continue to be opportunistic and look at M&A where it makes sense. We have plenty of capacity should we choose to do that. We'll continue to look at those opportunities. Right now we're focused on going and building organically. We think we've got most of the right pieces in place, and in the meantime, at these levels, we can buy back shares.
All right. Perfect. Steve, Matt, this has been super helpful. Thanks so much.
Thanks, Nin..
Thank you.
Appreciate it.