Conference. This morning we have the pleasure of having the team from Tenable. We have Amit Yoran, CEO, as well as Steve Vintz, CFO of Tenable. Before I begin, just a brief programming note. For important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. With that, Amit, Steve, thank you so much for being here today.
Great. Thanks for having us.
All right. I wanted to just talk a little bit about the evolution of Tenable in the last couple of years to level set the conversation. You know, it started off in core vulnerability management. You've added a number of use cases, and now you've got this Tenable One platform. Walk us through that. You know, why is it such a different company than it was, you know, when you IPO-ed back then?
Yeah. I would say the vision has been consistent. Our ability to execute on that vision has continued to evolve. If you rewind the clock back, you know, five, six years, we were one of three leaders in the vulnerability management space. We're the only one who thought that this is a space worth investing in, larger market opportunity, larger potential, higher growth rates than a lot of analysts had anticipated or were projecting. We invested heavily in VM, spending more in R&D than our primary competitors combined. Doing that over the course of multiple years just leads to a quantitatively and qualitatively different experience for our customers. Our vision...
Now I think at this point, we're kind of the undisputed leader in VM by just about any metric, you know, size, growth, customers, you know, coverage of. Our vision was not just to help customers determine where they have vulnerabilities and where there are regulatory drivers to have a VM program, but to really help enterprises understand what their level of cyber risk looks like. If you look at enterprise use of technology over the last few years, it's changed dramatically. It's not just desktop servers, workstation. There's cloud-based infrastructure. There's different types of identity environments. There are operational technologies. There are all sorts of different use cases and applications of technology which have introduced risk to their enterprise environment, but they haven't been able to get their arms around.
Through combinations of organic development and acquisitions that we've made, we've brought together market-leading capabilities in a growing number of these different asset types to help customers assess for vulnerabilities, exposures, and risks in those areas. What we're most excited about is the recent launch a quarter or two ago of our enterprise platform, Tenable One, which brings the data from these different products into a unified data lake. We're now enabling all sorts of analytics on top of each product area, which make our capabilities much more compelling on a number of fronts. This is a very long-winded answer, but it's worth it, I assure you. The first is we can deliver insights that other products can't. Other folks can assess cloud security.
We have market-leading capability from infrastructure as code, assessing assets, CSPM, cloud security posture management. Other folks can do that. We think we do it better. We think we do it best for a number of reasons. You can't assess the integrity of your cloud environment unless you also understand the permission sets of the folks connecting to that cloud environment because the cloud might be configured securely, but my DevOps person's connecting and has an escalated privilege level that he or she doesn't need. Oh, by the way, they're coming from a system that's totally hosed. That combination of things is a formula for catastrophe. If you look at, you know, the LastPass breach over the last couple of weeks, that's exactly what happened.
Even if their CSPM said you're great, unless they had this platform-based approach to understanding cyber risk, they wouldn't have been able to see things like that.
Got it. We're gonna have to get you a bigger room next year. Sorry about that. Yeah, I definitely wanna dig into the product and the market. Maybe just shift to you, Steve, on macro, which everyone's worried about. Tenable has fairly short sales cycles, I think four months on average. You were one of the first security companies to call out, "Hey, you know, this macro is getting a little bit tougher," right? "There's more scrutiny." This was the June quarter. That sort of consisted, or was persistent, excuse me, throughout the H2 of last year. What have you seen in the last three months that has perhaps encouraged you around the macro? Has it changed your view at all? Any color on that?
Sure. If you recall in Q2, we had just come off one of our best growth quarters as a public company. We grew CCB over 30%. Going into Q2 , we felt pipelines were healthy and other things, but in the last couple of weeks of the June quarter, we saw more levels of review, more levels of scrutiny. Obviously, interest rates were starting to creep higher. There's concerns about a long and protracted recession, et cetera. We saw that specifically in Europe. You know, I've been doing this for a long time, CFO of a public company. When you start to see something like that, you can't assume it's isolated. You have to assume that it's going to be more pervasive.
We took what we saw in the last couple of weeks of June, and we extrapolated it out over the rest of our business.
Did not lower guidance, but didn't raise guidance. You know, going into the H2 of the year, we saw things stabilize quite a bit. Yes, there were more levels of review, more scrutiny, but the big takeaway for us is that I think we've done a really good job learning where to hunt. You know, demand's not monolithic in a business, and we transact sales in 160 countries. We have feet on the street in 35, right? We sell not only domestically, but abroad, in lots of different verticals. One of the things that we've learned is that, you know, sometimes like things like tech, telecom, financial services, energy tend to have higher close rates. Larger, more established companies have more cybersecurity programs. They tend to have higher close rates.
When we MEDDPICC an opportunity, which is a kind of a sales framework, and spend a lot of time on our largest opportunities, close rates tend to go higher when we go to a POV. I think our sales team has done a great job adapting to this new environment, understanding where to have success, and we're really pleased with their execution over the last couple of quarters. Obviously this market's very dynamic. Things can change from week to week and month to month. Each quarter is different. I think we feel really good about where we are and the guidance that we gave on our last earnings call.
The only thing I would add to that is our platform-based approach, I won't say a bad market's a tailwind for us, but it certainly allows us to play to our strength. For instance, if we're helping an enterprise assess 70,000 assets in their VM program, we can now expand into their cloud environment, and they're buying from asset 70,001 to asset 90,000. It's far more cost-effective and far greater leverage for them as they consider vendor consolidation versus going out and procuring a separate product to assess cloud, with, again, starting at a much higher price per asset point.
Got it. Talk a little bit about that vendor consolidation. I mean, Tenable's got a lot of use cases now in their Tenable One platform. What's the appetite around that?
Well, we're seeing a lot of momentum. What we've said is that we now have. We've got about 45,000 customers, about 7,000 of which are on our enterprise platforms. We have about 10% of that are customers that are already on Tenable One. We used to sell a bundling of licenses over the last couple of years in different forms. We've now actually migrated all those customers onto the Tenable One platform. About half of the Tenable One customers that we see are new lands, so we're able to land with this new platform message, vision, and experience. That's super exciting on a number of fronts. One is we're seeing the shortest sales cycle of all of our products with the platform sale.
We're seeing the largest ASPs of all of our products on the platform sale. It's probably not surprising. We're seeing the highest competitive win rates. We're able to have those more strategic conversations, and they're really resonating. The other half of our Tenable One sales are coming to us from existing customers that are already using us for VM or for Active Directory or for, you know, cloud security. At renewal time, are flipping to the Tenable One approach because they have better analytics around their existing product. We can now do Attack Path analytics on top of their VM solution. We can give them asset inventory capability on Tenable One. They don't have to go out and procure a separate asset inventory technology or CMDB, if you will.
We're able to provide differentiated analytics and the ability to expand licenses. I think over time, we'll see more and more of the existing customer base move towards Tenable One, which of course has higher ASPs and price per assets.
I think, Steve, you talked about a 70% ASP uplift when a customer moved from the standalone VM to Tenable One. Curious just from a capability standpoint, what is the incremental services that are being offered, and how is it different from the prior iteration to the Tenable.ep? 'Cause I think the uplift there was a little bit less. Yeah.
Do you wanna talk about the capabilities o f Tenable One, and I'll chime in.
Yeah. When you buy or when we're assessing an asset on Tenable One instead of VM, we're providing additional insights on that asset. Its Asset Criticality Rating. Not just is it vulnerable, but how important is this thing? What type of thing it is? How does it fit in your environment? We also enable analytics that aren't available in a traditional VM program. If you look at benchmarking as a great example. If I'm a CEO, if I'm an Audit and Risk Committee member, if I'm a CIO, this question, how at risk am I? Am I exercising a good standard of care with my IT systems? Am I being negligent? Ultimately, from a legal perspective, is best answered relative to a benchmark.
I'm at the top quartile of my peer group, large enterprises, large manufacturing enterprises, global financial institutions or, you know, regional retailers. If we can give them an answer that says, "You're at the top quartile, you're at the bottom 17%," that becomes very compelling. If we're able to show them the paths from externally discovered, what is internet-facing to this critical internal resource, it's not just, okay, it's not externally facing, but what are the combinations of systems and vulnerabilities which could get an adversary from the outside to my accounting systems or to my code repos? Like, That's important. How do they apply compensating controls?
When they buy from Tenable One, or when they buy the license through Tenable One, there's all sorts of enhanced analytics for them, as well as the ability to combine these data sets, not only for unified reporting, but, analytics that, you know, I would say, really continue to differentiate themselves.
Well, in terms of the uplift, the 70% uplift, we have an asset-based pricing model. With Tenable One, we are covering more areas of the attack surface, as Amit mentioned, whether it's web application, cloud security, identity, via Active Directory, you know, even external internet-facing assets. It's an asset-based pricing model. We get a higher price per asset. Now, when you buy Tenable One, it's actually cheaper to buy Tenable One on a price per asset basis than it is to kinda cobble together these products individually via a bundle. It delivers much deeper and richer insights to customers, and, you know, some of the things that Amit talked about, which is consolidation of vendor spend, building better interlock among siloed security functions. It's what's really resonating with customers in addition to more so understanding their risk.
You know, one of the things I used to hear from, maybe investors who were less optimistic about Tenable's growth prospect, excuse me, is, look, you know, we find this is an important solution, but, you know, the market based on industry estimates is maybe $4 billion-$5 billion, and, there are a lot of competitors, there's open source alternatives, but the penetration rate for your service is still very low, both from a customer and an asset perspective. When you look at your installed base, you know, what percentage of assets are your customers even covering with a solution like Tenable?
Yeah. Even in VM, which so many you know, people are shocked when they look at the data and they see how under-penetrated the VM market is because it is, I'll call it a no-brainer. It is a no-brainer. Like, how can you operate in today's environment? We see about 30% of our VM sales coming to us from complete greenfield. They're not using us, they're not using any other VM solution. They're relying on an annual audit from a consultant or some other solution as their assessment of enterprise risk, which is, I don't wanna call it negligent, but it's just asinine to do in today's environment, knowing how dependent on IT systems modern companies are. There's lots of greenfield. It remains consistent at about 30%.
We feel like we also have the ability to do competitive takeaways, and we're very transparent about how many new logos we're landing on our enterprise platforms every single quarter. At time of IPO was, you know, trying to get to and then stabilizing around 300 now. Over the last couple of quarters, it's been closer to 500. Over 500 this past quarter. There's a lot of greenfield, there's a lot of room for expansion, and the existing account base is under-penetrated. I'd ballpark it at 50% of their assets that they're assessing from a vulnerability perspective. When you start looking at the cloud-based environments where developers are throwing things into cloud environments in Wild West fashion, it is far lower.
When you look at the number of folks that understand their risk around Active Directory and understand that we can help them there, it is far lower. Our ability to expand in the existing account base, you know, leaves us with great cause for optimism.
Steve, anything you've seen from a pricing perspective? Like has price per asset been stable? Has it been increasing? Like- for- like, without the bundling.
We haven't seen any changes in either competitive or market dynamics. That includes pricing. You know, I think we have good pricing leverage. We pass on price increases each year with customers. There is an incentive for customers to do longer-term deals. Our average contract term is about 15 months. It really hasn't changed month-month much. If customers want to do have a rate lock, then we'll do a three-year prepaid deal. A lot of it's annual prepaid subscriptions, and there really hasn't been a lot of change there in that regard.
Got it. I wanna ask one more question and then I'll open up to audience Q&A. Amit Yoran, you were on TV recently and talking about AI, and AI is not necessarily new in cybersecurity, but the mainstream adoption of these new generative AI models is certainly, you know, in the consciousness more than it ever has been. You mentioned, you know, being terrified at the prospect from the adversary perspective. How do you see AI changing the threat landscape in general, and how is Tenable helping to solve that problem?
So at Tenable, we use AI in a number of different ways, determining which pieces of software might have vulnerabilities, determining which of the tens of thousands of vulnerabilities discovered each and every year are actually exploitable. It's actually an amazingly small number. Making sure that we're spending our R&D dollars and focusing our customers on the things that matter most to them. Also a bunch of data science and modeling around what these things mean from a risk perspective. Great use of AI. There are a lot of horrible uses for AI in the cyber world and, you know, in particular, if you look at phishing, you know, everybody gets all these scam messages.
There is a concept called spear phishing, where someone may spend weeks or months researching an organization and an org chart and an individual and build a scam that is very specific, directed, and targeted toward them. When you see a lot of attacks against whether it's government agencies or large enterprises, you see these very sophisticated spear phishing campaigns. When you look at something like AI, which can take incredibly large datasets, which can ingest everything that's ever been published about you and your family and your business relationships and your company, and ingest those things and process them in ways to develop these highly targeted campaigns with laser effectiveness and efficiency at great scale and speed.
I think you can look at whether it's through spear phishing, through detecting and determining exploits in software and in gaps between different pieces of middleware and applications. You know, I think the threat use cases for AI, we'll see those leveraged and wreaking a lot more havoc before we see effective general purpose AI helping people protect themselves.
Okay. Any questions from the audience? Got one here.
Thanks for sharing. Everything is interesting. M&A, inorganic growth, you guys have a nice cash position improved last year. I know you've done a couple of smaller deals, but given macro and where the market is, do you plan to do more, and where would that be, broadly speaking?
We do. W e think this tough environment, it will create opportunities for us from an M&A perspective that might not have been reachable in previous periods, in previous market conditions. It takes some time for some of the public valuations to work their way down to the private companies. You have to wait for those private companies to realize they have to raise additional funds and test the waters and see, you know, what kind of terms those fundraisers would occur with. So that frequently warms them up to looking at alternatives and opportunities and being much more realistic about valuation. So we're definitely. W e've been active. We definitely remain and intend to remain active and look...
You're not gonna see us move dramatically outside of our vision for cyber exposure. That allows us to create great leverage from a research and development perspective when we look for exploitability, and understanding how exploits work. That research can be leveraged across all of our different product lines. When you look at our platform and the analytics available, each of our individual products can leverage the analytics in our platform. We wanna make sure that we're creating leverage from a go-to-market perspective, from a technology perspective. Of course, Steve, over the last couple of calls, has made some pretty strong commitments from an unlevered free cash flow perspective, you guys might not have noticed, to investors.
We will make sure that we are not doing things that would distract from the commitments that we've made.
Yeah.
Thank you. Two quick questions. One is, the Tenable One on the financial model. Is it accretive to net new ARR growth and margins, or is it just sort of offsetting some other product that's falling away? Could you talk about cyber insurance and if that's the growth driver for business?
Sure. I'll take the first one. Our gross margins on Tenable One are very attractive. They are the same, if not better in some cases. That's one thing I wanna make very clear. There is over the years as we've talked about the evolution of this company, we have evolved the product portfolio and become much more strategically relevant to our customers and, you know, expanded from having a singular focus on VM to one that now assesses risk holistically. We play a much larger market when it regards like cloud security, identity security, analytics. Those are the three top spending priorities with CSOs, and that's exactly what Tenable One addresses. We're seeing great momentum there. We did talk about some contraction in the gross margin.
This is investment that we're making out of the gate. It's not in any way, it's not tied to gross margins of Tenable One. The investment is we're launching a more expansive set of analytics. We just recently launched Attack Path Analysis, which connects flaws and threats, identities and all those things, and graphically depicts the likely path of exploit. Those are all characterized as semi-fixed costs that we are coming ahead of the revenue that we expect to generate with APA, with the premium price version of Tenable One. That's more temporary than anything else. We said long term, we expect our gross margins to be high 70%, low 80% range. We said this at time of IPO. We continue to reiterate this, and we feel good about our gross margins.
The gross margins on Tenable One are very compelling.
On the insurance side, I think that, you know, there's been the promise of cyber insurance or insurance really influencing and enhancing how people think about cyber for, you know, a long time. We came out with a report three weeks ago, three or four weeks ago, within the last three or four weeks, with our first partner that is offering differentiated insurance based on what the results of Tenable assessment and scores look like. We think that this is an area that is ripe for growth and disruption. You know, we, as probably, you know, every public company has some degree of cyber insurance. Those rates have gone through the roof. You've seen underwriters saying, "We're getting out of this business 'cause the data stinks."
We can tell people definitively w hat their hygiene looks like, how aggressively they're assessing their hygiene, how frequently, what their mean time to remediate and address issues that get discovered is, and that absolutely has impact on probability of breach and impact of breach when it does occur. We're still in the early days, but I believe we're getting to that tipping point where we can start quantifying and helping the insurance industry really understand cyber in a way that they haven't to date. To date, it's been, "Well, if you deploy these firewalls or if you deploy, you know, if you do an external assessment, you know, we'll give you a 10% or a 2% discount," and that's just throwing a dart in the dark. I think we can really change that.
Steve, maybe a profitability question for you. Tenable made the commitment to double unlevered free cash flow by 2024. You know, we did notice. Talk a little bit about what the levers are, the major drivers of levers there.
I think a lot of things like G&A will naturally just come down over the course of time but I think one of the big levers is sales and marketing. A couple of things to note there. First, feel very confident in our ability to drive margin leverage. I think we've been doing this in a very balanced way. We've been very deliberate about it. I think a couple things to note there. Number one, years ago, sales and marketing spend as a percent of revenue was 60%. Today, it's in the mid-40% range. Long term, we see it going down to kind of low- 30%. We are the only company in our space with regard to our core market, which is VM, that has made the commitment to the channel.
Years ago, 4% of all of our sales were inbound from the channel, sourced from the channel. At time of IPO, it was roughly around 20% we disclosed. Recently at the Investor Day, we said it was 38%, almost 40%, and we think long term it'll be 60%. The channel can open up a lot of doors for us, especially in international markets, and, you know, we're 100% channel committed. Second thing, this really goes hand- in- hand with product, which is we put more product in the hands of our sellers. Years ago, we were in a handful of countries. Today, we have feet on the street in 35. We transact sales in 160, as I mentioned earlier.
Our sales reps have done a good job with addressing like cloud use cases, things like identity, selling Tenable One. We made a massive investment in our go-to-market over the years, going into new countries, and we're just starting to get the leverage on that. I think sales and marketing is a big one. I have a lot of confidence in where we're going and feel really good about the margin leverage and feel very good about our commitments to the street, where we said that free cash flow midterm would go to $240 million-$250 million in 2024.
All right. I think with that, we're just about out of time. Amit, Steve, thank you so much for your time, and thank you everybody for joining.
Thank you.
Thank you.