Let's see. Oh, there we go. We've got a great day planned. We are going to start with Steve and Mark. They're going to give an update since our last Investor Day and tell us a little bit about what's happening in the market today. We have Vlad here, who's our CTO. He's fairly new, so it'll be exciting for you all to hear from Vlad, as well as Eric, our CPO. He's got some great things to show you about Tenable One. We've got Meg. Meg has spent a long time doing our brand update. I'm not sure if you guys have noticed, but we've made some exciting changes there, and she's done a fabulous job.
Meg is also going to do a customer panel so you guys can actually hear from our customers and what they have to say about our products and their journey with exposure management. Then we'll have Dino come up. Dino is very new to us, and we're really excited to have him. He's our new CRO. Then Matt will finish the day with the financial updates, which I know everybody is very excited for. Finally, we'll end with a Q&A. Before I turn it over to Steve, I, of course, have to make some statements. During our presentation today, we will be making forward-looking statements reflecting our beliefs and assumptions related to future results, financial positions, and business strategy, and we disclaim any obligation to update these forward-looking statements or outlook. We caution that actual results may differ materially from our projections.
For a discussion of the material risks and other important factors that could.
Man, that was some safe harbor statement. I think the size of the safe harbor statement correlates with the size of the legal team, but that's just my personal point of view here. Okay. First, it's great to be here today. We are super excited with what we're about to share with you. We just concluded our first-ever exposure conference, security practitioners, CISOs, policymakers, all here in one room. Great conversation. Lots of announcements, in case you haven't noticed this week, many of which we'll talk about, but it's an exciting time. It's hard to believe that it's been 5 years since our last Investor Day. When I think back to December of 2021, our progress, our evolution, is striking. That year, we finished with roughly $540 million of revenue, $95 million in unlevered free cash flow, and today, we're a billion-dollar business in top line.
Revenue has almost doubled over that period. Cash flow has more than tripled, and more importantly, there's lots of margin leverage remaining, and Matt will go through that. The shape of the business has changed just as much as the size. Today, Tenable One represents over 33% of our total sales. More importantly, it's the engine driving enterprise growth and larger deals. The number of large deals, six-figure deals, more than doubled since our last Investor Day. Seven-figure deals, more than tripled. It speaks to the strategic value that we're delivering to customers. It speaks to the bigger problem we're helping solve for them. What we're doing, we're providing them with a platform, not siloed solutions, and they're buying outcomes that never existed before, but they exist now, and exposure management has never been more important.
Which takes me to the opportunity that's in front of us today, which is bigger than anything we've ever discussed from this stage before. IDC estimates that total security spend will exceed over $300 billion this year, and that number will grow over the next 36 months by $400 billion. More importantly, it's the velocity of those budget dollars and where they're going, which is towards AI. AI systems, application, models, and agents are now deeply embedded in critical workflows of a business, and they need to be secured, and we have a big role in helping them do that, which we'll talk more about today. We believe we're securing part of the AI attack surface. We believe that opportunity is an incremental $35 billion a year in 2029. That's above and beyond the $30 billion a year opportunity for exposure management, which we've talked about before.
This includes AI application, development, and deployment, securing agents and workflows and systems. Certainly, there's a lot there. As Mark will soon explain, we are evolving. We are evolving from providing a system of record to help customers understand risk, to a system of action, to helping them reduce it, and reduce it deterministically and with confidence. That's what this era demands, and that's what we're providing. Without further ado, I'll turn it over to Mark.
Steve, thank you, and welcome, everyone. Good afternoon. It is actually great to see the majority of you folks actually in person instead of on Zoom. Strap in. This is going to be a lot of fun. It's going to be very educational. We're going to throw a ton of content and information at you, lots to update this entire organization in regard to how and what Tenable is going through right now. I think the speakers, kind of putting together some of this content, because it has been a while, I think you guys will be super impressed with our strategy, our vision, and where we're headed. Let me kind of get into it.
I'm going to actually spend a few minutes talking about the world we're actually living in today, and a lot of what you're going to hear are the themes that we actually heard over the last two and a half days coming out of our incredible Exposure 2026 conference. I'll talk about the trends that are impacting the attacker-defender dynamic and how AI is changing that dynamic, and ultimately, how this sets us up for an exceptional opportunity for exposure management, and especially towards Tenable One.
When Steve comes back on stage, he's really going to walk you through a bunch of detail on how we see that playing out. For two decades, we're talking a long time. For two decades, the cybersecurity world kind of operated in this cyclical cycle. We would go through and we would look and find vulnerabilities. We would then fix those vulnerabilities, and then it was all about reducing risk after you did those first two steps. During that period, however, the assumption was that the volume of critical exposures would remain within what humans could actually handle. Tenable evolved significantly through each stage of that market transition. You think about Nessus looking at and solving the visibility problem. You look at VM, which solved the prioritization challenges, and now exposure management.
Exposure management has emerged because cyber risk became interconnected across the entire attack surface. Think of OT, cloud, SaaS applications, totally transformed. Now with AI, it is accelerating that interconnected risk at machine speed. It has actually changed the economics entirely. CVEs grew from roughly 18,000 in 2020 to more than 48,000 in 2025. Keep in mind, these numbers do not include the impact that the frontier AI labs will have on those numbers. The question no longer is, can we find those vulnerabilities? That's not the big strategic question. The question now becomes, can we reduce the risk at machine speed before the attackers, before the bad guys? This is why exposure management in Tenable One, it literally is no longer just a best practice. We heard it in this conference. It's literally becoming a non-negotiable platform in this AI era.
Let's talk a little bit about that. Okay. AI is increasing cybersecurity pressure from two directions simultaneously. First, AI is creating more exposures. AI is dramatically accelerating how software is written, deployed, and interconnected. 84% of organizations are already using or planning to use AI in their software development process. Think about how fast 84% of these organizations, how fast that has happened over the last 18 to 24 months. Most security teams, though, still lack the visibility into how and where AI is being used across the SDLC. This problem and all these issues about having insecure apps entering production faster than the security team can actually govern them. The guardrails simply were not there yet. Most organizations still lack the visibility into where AI code, AI agents, AI apps are operating across the entire enterprise in their environments. The second big area is around discovery.
Frontier models now analyze massive code bases and accelerate vulnerability discovery at machine speed. What once required weeks or months, specialized effort, that manual effort is no longer scalable. Recent research, this is some crazy stats I'm going to start throwing at you guys in a second. Recent research from Google found early evidence that attackers are beginning to use AI to discover vulnerabilities to support these exploitation activities at scale. We actually heard some rumblings of this this week here at this conference. The window between exposure creation, discovery, and exploitation continues to compress at lightning speed. All right, let me go deep on some of these numbers to put some context to it so you can understand the ramifications and what we're going to be working with. The disclosure-to-exploit window has effectively collapsed.
If we take a look at 2021, the median time from a vulnerability disclosure to a known exploit was 771 days. You look at it moving forward and look at where we are today, it's 1.6 days. In February, Anthropic, Claude Opus 4.6 found more than 500 zero days in open source code, which is an order of magnitude increase than anything we've seen before. On April 7th, when Anthropic released Claude Mythos, it discovered thousands of software vulnerabilities that went as far back as 1999. According to Anthropic, which we had here at our conference this week, which was awesome, 99% of those disclosures still remained unpatched. The reality is, the attackers can find these old vulnerabilities with the power of AI to create sophisticated attacks. That is one of the waves we have not seen yet before.
This is a consequence of everything we've been talking about at this conference and over the last 15 to 18 months. AI is increasing the number of exposures entering our customers' environments. The result is an explosion of findings, but more findings don't automatically make the organization safer. In fact, the customers, our customers, are actually already overwhelmed with the amount of information they're getting. Last year, this stat is significant. Last year, more than 60% of organizations that had a breach or a ransomware attack, they actually had a patch available on the known vulnerability that was exploited, but they weren't able to put it into production. That's an unbelievable stat because it tells you the problem isn't simply finding vulnerabilities. The problem is understanding which exposures actually matter and reducing risk before the bad guys can operationalize them.
This is the trend that I think a lot of governments, a lot of organizations are going to start kind of going through. More findings, more noise actually brings less clarity for our customers. The answer is not going to be solved by AI alone. It is true that frontier AI models are dramatically accelerating vulnerability discovery. As we said, discovery alone does not reduce risk. Organizations still need to, let me run through this list. They need to understand what assets exist. They need to assess their exposure, and every organization is different, prioritize what truly matters, coordinate remediation, and validate that risk was actually reduced. That is the difference between vulnerability discovery and exposure management. Even when teams know where there's exposures, where they could be impacted, acting on it fast enough is absolutely the challenge.
Remediation still requires coordination across the teams, the tools, and the environment, and most of the processes remain fragmented and manual. Again, this was a huge theme we heard the last few days. The customers are really demanding a shift. They're not asking for more tools. That's why when Steve and I and Matt talk to the street, we always talk about how consolidation is one of the biggest drivers out there. They're asking for systems or platforms that help understand risk and that can actually take action. That is the opportunity. Literally, that's exactly what we built Tenable One for. AI, when you take a look at it, AI isn't a temporary disruption. This is a secular shift in how security operates. This is not a one-time event like Log4Shell. This is how business is going to be run moving forward.
The speed of both discovery and exploitation is accelerating, a fundamental shift is absolutely required. It'll be defined by what we view as three transitions. From discovery to taking action, from manual workflows to orchestrated fixes, and from isolated tools to an integrated platform, and one of a system of action. That requires a platform to be capable of understanding risk across the entire attack surface and coordinating action fast enough to keep pace at machine speed. Again, that's why we focused and centered and engineered Tenable One to do. With that, I'm going to hand it back to Steve. Steve will be able to walk you guys through more detail on how we're putting this plan into action. Thank you very much.
Okay. Hello again. What Mark just described is not a temporary disruption. It is a secular shift, a major secular shift to security and how it operates, and it's a shift towards Exposure Management. Speaking of the platform, investors often ask us, "What makes Tenable and its platform defensible, not just now, but over the long term?" The answer is that Tenable One is built on 3 critical layers. Each one is a moat in its own right, but together they compound. The first is our sensor layer. It's the data collection infrastructure inside of a customer's environment that the rest of the platform sits on. The second is our Exposure Data Fabric. It's where raw telemetry data becomes a unified model of risk and how it forms. The third is Hexa, our agentic engine.
It's where knowing within an environment becomes action with human oversight built in, that's important. Each layer is hard to build. All three together, we believe, are nearly impossible to replicate. Together, they're the foundation of how security gets done in the agentic era. Let's spend a little more time today going through each one. Okay. Everything starts with data because how and where you collect that data is important. How and where you collect that data determines what you can see. We believe we can see more inside a customer's environment than anyone. We have scanners operating in enterprise environments. We have agents on endpoint and workloads. We have passive network monitoring on OT networks. We have cloud configuration and workload analysis. We have identity telemetry both on-prem and in the cloud, by the way. We have external attack surface discovery.
Now visibility into the signals around AI applications, agents, and systems. In short, we're a data aggregator. We're a data compounder. We have one of the broadest sensor and telemetry networks in the industry, hands down. It's infrastructure. It's sticky and it's hard-won, and it's nearly impossible to replicate. That's what Tenable does directly to assess exposure. While it's comprehensive, we recognize that no one security company can assess exposure across the attack surface. The market is far too fragmented for that. That is why having an open architecture to ingest data from other security providers is important. We have 300+ integrations, and today we just announced an open connector so organizations themselves can ingest data from almost any source. It doesn't matter if you have an API or connector, they have the power to do that.
We connect with it, we transform it, and we make it actionable. In a world where the attack surface is expanding, the ability to unify data, normalize it, decorate it, and dedupe it is critical, and it's foundational. Data, even great data at scale, does not create clarity. In fact, it can create more noise for security practitioners, and it often does. That is why our exposure data fabric is so important. It creates insights from action. It's not separate data feeds sitting next to one another in silos. Instead, it's a unified model of how various domains interact with vulnerabilities and configurations, and it's how risk forms around them. That model, it's not powered by telemetry alone. It's enriched by the efforts of our Tenable research team. Yes, humans still matter.
It's important because our Tenable research team helps us understand emerging threats, help us understand exploits, and help us understand the exploitability of vulnerabilities and exposures. All of this intelligence becomes part of the reasoning layer of the platform, which our partnership with Anthropic helps us accelerate. We'll talk about that momentarily. The important takeaway here is, here, with our data fabric, customers understand which combinations of exposure are most important, and they understand how to prioritize those exposures, because prioritization in the agentic era is not optional. It's critical. It's also the foundational layer of how customers can take action and take it deterministically with confidence. Which takes us to Hexa, our agentic engine. Yesterday, we announced the general availability of Hexa, our agentic engine, which is powered by Anthropic's latest models.
Hexa sits on top of our Tenable Exposure Data Fabric and turns what it knows into action. It orchestrates the steps required to identify the fix, and then closes it and validates that the fix has been done. We do this all through a series and a fleet of coordinated agents that sit on top of 1 unified model, all operating with humans in the loop. Customers can also build their own agents. Instead of handing teams an enumerated list of vulnerabilities and say, "Here you go," Hexa can identify attack paths, can make recommendations, the best recommendations about the actions to take, and can orchestrate those fixes. You're going to hear directly from Eric momentarily. He'll show you some incredible things about what Hexa can do, and you're going to hear from customers today about how they're using Hexa to solve some really important problems. Okay.
We realize that not every customer is ready for autonomous action, at least not now, okay? That's coming, but not now. Environments are complex, governance models vary, and trust in automation, it happens over time. That's why... Oh, am I missing a slide here? Yeah, I think I am missing a slide. Okay. That's why we think about remediation as a continuum, right? It's a continuum based on the size, the sophistication, the maturity, and the risk tolerance of the customer. On 1 end of the continuum is manual remediation. That's where customers identify risk, they figure out what actions to take, and then they go out and take those actions manually. That's where the market is today. That doesn't scale in the agentic era. You need to match machine speed threats with machine speed action. The 2nd phase in the continuum is assisted remediation.
That's where AI prioritizes the risk. That's where AI accelerates the decision-making, and that's where AI orchestrates the fix with humans in the loop. You've heard that a couple of times now. It's really important. The third phase is really autonomous remediation. Okay. We're not talking about every workflow or every action, but we're talking about autonomous remediation where customers have guardrails, where there's a repeatable process, and where the action is well understood. We're not there yet, but that's where the market is going. Hexa is meant to address the latter two phases, assisted remediation and autonomous remediation. Directionally, that's where the market is going. Hexa is leading the way, and now more than ever, that is important. Okay. Let's kind of bring this home here. Our work with the frontier AI model companies is strategically important.
Before I describe how we're working with them, I want to answer another question that we also get from investors because it's an important one. The question often goes like this: What happens if one of the frontier model companies decides to compete with Tenable? It's a fair question. The answer to that question becomes well understood once you understand what they're trying to build and what they're not, because there is a clear mandate with Anthropic and others. They are racing to build the most capable, the most efficient intelligence layer in the world. We're big fans. It's extraordinary, the reasoning engines.
The frontier model companies, though, are not in the business, because they have made that very clear today, of deploying scanners in a data center or dropping sensors on an OT network, on a power grid, on a municipal water supply, on an oil refinery. They're not in the business of auditing cloud configurations at 3:00 A.M. and then taking the support call. They're not in the business of scanning a container image before it ships. They haven't earned the right, not yet, and I say this in a very loving way, but they haven't earned the right, not yet, to be deployed on a domain controller at a Fortune 500 company. We have. It takes years of trust to build. That is infrastructure, and the infrastructure layer is what matters in the agentic era. The LLMs are only as good as the data they're reasoning over.
They require a data fabric and a trusted sensor layer underneath. All of our data is proprietary. We're running behind the firewall. LLMs are not able to publicly train on our data. That's why we're partnering with them, and that's why they want to partner with us. Okay. No model is designed to do security autonomously. Instead, we're here to help deploy AI safely and operationalize it. Okay. Yesterday, we announced, you may have noticed, a strategic partnership with Anthropic to help advance the next era of agentic exposure management. Anthropic brings the reasoning engine. Tenable brings the exposure intelligence, the operational context, and the infrastructure layer required to safely deploy those capabilities inside complex enterprise environments. Through this partnership, we're not only leveraging Claude to help power Tenable, but instead, we're collaborating closely. Hexa and Tenable, we're collaborating closely on joint research.
We have access to non-public models. We're advancing agentic workflows, and that's really important. Together, we're building the systems capable of understanding attack paths, determining the smallest set of actions that have the biggest impact on risk. Together, we're helping orchestrate the right fixes so defenders can move with confidence deterministically and ensure that risk has been reduced. This is a fundamentally different operating model than other security tooling. Okay? We're moving from isolated systems to an integrated system of action in one system to help customers reduce risk. In a world where the attack surface is expanding, we will see a proliferation of CVEs and KEVs, right? We're going to see more vulnerabilities, new vulnerabilities than ever before by 10 or 20x. This is how we win.
This is how we grow, and this is how we help our customers solve the most important problems in security today. Thank you. With that, I'm going to turn it over to Vlad, our CTO.
Right. Good afternoon. It's a pleasure to be here. As Erin mentioned, I'm fairly new to the company. I joined about 5 months ago, as the CTO for Tenable. I also lead Tenable research and manage Tenable's R&D center in Israel. Before that, I spent 11 years at Microsoft working on security as their corporate VP for cloud and AI products, working alongside Eric, actually. That was the previous time we did a bunch of things together, building products like Defender for Cloud, Defender for AI, the Microsoft Security Graph, Microsoft Sentinel, and a bunch of others.
We're here today to talk about exposure management, but I also want to start by showing what drives the pressing need and why, as an example, 1 month ago, the U.S. Federal Reserve chair and the U.S. Treasury secretary have convened an emergency meeting in Washington, D.C., with the CEOs of the U.S. major banks, Bank of America, Citigroup, Morgan Stanley, and a few others. They were there to discuss 1 single AI model that was Anthropic's Mythos preview and the significant risks it might create. Mythos was, of course, designed for defense, for software engineering, for security, but it also had capabilities that could threaten the stability of financial systems if it was to fall into the wrong hands. The CEOs were directed to treat that as 1 top threat to their institutions. Allow me to zoom out into 1 slightly global point of view.
Now, two weeks ago, I attended the World Economic Forum's annual meeting on cybersecurity in Geneva. The goals of the Cybersecurity Center of the Forum are to coordinate the global cyber defense across the ecosystem, to partner in the fight against cybercrime and ransomware, and overall, to strengthen the cybersecurity and cyber resilience of critical infrastructures and businesses worldwide. The event was attended by about 150 of the top CISOs, CTOs, and CEOs across the private sector, government ministries, heads of national cyber defense agencies, and many others. At the closing session of that three-day event, the participants were presented with this question: What will define cyber risk in 2027? The answer was clear, with 46% of the votes going to AI as a threat multiplier. Now, a slightly distant second place went to the response of geopolitical escalations that could target critical infrastructures.
I think it is quite clear that AI in the hands of attackers is both a bad idea, but it is also a global concern in 2027, but for sure, it is also our current reality today. There's almost like a shift of mindset that came up across every panel and every workshop at the forum. That is, the traditional patching cycle is no longer relevant. AI and the agentic economy is the next greatest vector of global risk, and that also needs a new operating model. I think that's the model we are also building our platform around. Let's take another look from the eyes of the adversary this time. Mandiant have been tracking attacker speed for about 15 years.
Looking at this chart that shows time to exploit, in fact, it presents the average number of days between patch availability and the first time we have observed exploitation of that vulnerability in the wild. You can see on the left-hand side, the slide starts at about 2018. You see 63 days, then goes down to 44 days, 32 days in 2022. It's kind of a linear reduction. Something happened in 2023. It broke the trend. The time to exploit collapsed from 32 days to just 5 days. In 2024, it went -1, and Google Mandiant's report from last month puts that number at a -7. The moment that line has crossed zero, that's that yellow dotted line. That's the moment the patch cycle basically stopped working. It means that adversaries today are exploiting vulnerabilities on average a full week before a patch is even available.
This also shows us it's not a snapshot or a point-in-time situation. It's a curve, it's a trend, it's quite clear where this is going. I've been doing cybersecurity for about 25 years, the rhythm was roughly the same. Mark and Steve touched upon this as well. Somebody, usually a human security researcher, finds an issue in code, finds a security vulnerability. They then traditionally use responsible disclosure to disclose it to the vendor, who then goes and tries to fix the software, eventually issuing a patch or a new version. Adversaries have operated on a similar cycle, although they're not in the habit of disclosing that to the vendors, they also look for issues in code. Sometimes they get the patch, they do reverse engineering to weaponize it and use it in the wild.
That window between discovery, patch availability, and active exploitation used to be measured in months. Traditional patching takes days. The last data point we have from a Verizon report released earlier this week was that on average, security teams take about 43 days to patch. It was actually better last year. It was largely fine because you had the time. The best teams today, by the way, can probably pull it off in anywhere between 5 to 8 days. It is a big improvement. It is still fairly off-mark. That compression of time is driven by 1 thing, and that is that AI today can do in hours, minutes, sometimes seconds, what it takes humans weeks and months. We've heard it here. We saw it in the news. We're living it with Opus 4.6 in February, finding vulnerabilities that have survived decades of human review.
A few months later, Mythos came along. It found a bunch of vulnerabilities as well. More so, it has chained logical flaws. It has found lower severity issues and chained them together in a way that previously only humans could do into critical vulnerabilities. It has also built autonomously working exploits of those security issues. About 11 years ago, we actually saw a similar watershed moment with AI. That was when Google's DeepMind AI, AlphaGo, has successfully defeated the human master Go player. For a very long time, Go was considered the ultimate challenge for AI. It's a game that was played for over 2,500 years, and experts believe that computers were still decades away from being successful at that game. The thing is, the game of Go has more possible board configurations than atoms in the observable universe. That's 10 to the power of 170.
To that point, AI used basically brute force to beat games like chess, which is a simpler game, and brute force was basically enumerating all the possible moves, all the possible possibilities. With Go, that was unfeasible. Google's DeepMind at the time has proved that neural networks can master human intuition. They can manage extremely complex domains without relying on human knowledge, without using brute force methods, and also to self-improve exponentially, basically by playing millions of games against itself. That was a huge moment about 11 years ago. If we go back to 2026, the frankly mind-blowing realization that the frontier LLMs today can run a 32-step reasoning chain to complete end-to-end simulated breach of a corporate network is astonishing. It also means the reactive security cycles we all have seen for the last two or three decades are obsolete.
Now, to be clear, this is not a single AI company story. I think this is actually a new rhythm of our industry. All the AI labs are racing on the same capability curve. Every model becomes better at finding vulnerabilities, doing so faster than ever in more sophisticated ways. We are seeing today that the volume of known vulnerabilities is having a step change, and I think that's going to keep happening, at least in the foreseeable future. The speed of exploitation is compressing and the unpatched vulnerabilities, the misconfigurations, the overprivileged identities, the shadow AI agents, the AI infrastructure, all of those are already running in every enterprise environment in the world. That's actually fuel that's going to ignite faster than the current operating model can probably handle of the model that the security teams have today.
Now, I'm a strong believer that security is a team sport, and AI labs are definitely not the adversary. In fact, AI and frontier LLMs are the best new tools the defenders ever had. We just have to start using them much more in the right ways. Now let's connect all of this back to Tenable. What I want to do is to go one level deeper, a bit more technical on three things. The first one is why our architecture is a structural moat and why it's also the right platform for exposure management with AI. The second, where AI and cybersecurity goes next, and why I believe that every step in that direction actually expands our opportunity. Last, what we're doing in Tenable as an AI-native company to become an AI-native company, and what that actually means for our ability to deliver.
If I had to summarize in one sentence what I've heard in Geneva two weeks ago, what I'm hearing from the industry, what we heard from Anthropic being on stage at the Exposure Conference earlier today, I think I would say and compress it into this one sentence that basically represents the core of our moat, that the defender's edge in the AI era is not the model. It's the data, it's the context, the harness and the guardrails that you need to build around it. Let me break it down layer by layer. The layer surfaces and signals that Steve has mentioned is the basic data collection on which everything is built. I'll add just one example to build on Steve's point. A model, we've all seen that through Opus 46 and others.
A model can successfully find vulnerability in the Linux kernel source code, for example. It can't really go and figure out which one of the 50,000 or so Linux hosts running in the corporate network, which one of those is actually running the affected version, whether it's in fact effectively network reachable, or maybe it has a compensating control in place, rendering that vulnerability irrelevant for the moment. Answering those questions can only be done through sensors that are deployed within the live customer environment. We have those sensors. That's basically a huge part of that layer. We have over 300,000 of the sensors. We call them plugins, and they are deployed across more than 40,000 of our customer base.
A way to think about that, they basically represent the codified knowledge and the deep expertise of our research teams, they've been doing that for 2 decades. This is a way for us to understand and see the real-world enterprise environment across the full surface. Everything we need to protect, data centers, IoT devices, OT infrastructure, cloud identities, AI apps, everything a company has. 99% of these plugins actually operate using non-intrusive techniques because you don't want to bring down production simply by checking if something is up or down or what's the version. We generate today about 100 new plugins every week to keep pace with the evolving threat landscape. Now our platform basically checks if an asset in the customer environment, whatever it may be, is vulnerable to whatever the latest thing is.
It checks the configuration, it checks all those things and delivers a deterministic answer with high precision. That precision effectively underpins the downstream actions and decisions that go all the way up to Hexa AI. Before that, what our security team had to do is things like open a ticket, calling your IT team to take a system offline, file a report, or God forbid, schedule a patch window. With Hexa, and you'll hear more from Eric, who goes right after me, today this action can be done with AI agents, part of the Hexa harness working for defenders. The second layer is the Exposure Data Fabric. It is essentially taking 1.7 trillion security findings from all these sources across all the customer base we had.
These are deterministic measurements of real configurations, real environments, real assets, including historical data for sure, and that serves as the base for the agentic workflows we have with Hexa. Now Hexa is using that data to orchestrate action, providing it the right harness, the right guardrails for trusted and safe action. What's allowed and what's not. Things like role-based access, permission management. It has to have an audit trail and other enterprise requirements. Now we know this, and AI labs have been saying this as well, that AI agents without the right harness won't be able to complete the more complex security workflows. Actually, things might get even worse because AI agents have the tendency to go off rails doing things they shouldn't be doing, and this is happening as well. Now across the three layers, every action Hexa takes is grounded in observable and measurable data.
It has an audit trail. It gives defenders the levels of autonomy they need to protect their enterprise, both at machine speed but with human control. Now, as Steve mentioned, these layers, they compound and they create that structural boundary that we're talking about. The second thing I want to leave you with is what Tenable is doing to become an AI native company. Now, during my time at Microsoft, and specifically for the last three or four years, I've been part of the company's AI transformation at scale. In a sentence, that's basically the playbook we are running here. Now, today, 100% of our global R&D team is using AI tools day to day. We have built the right scaffolding, the checks and balances. We have usage metrics, we have token economy, and we've even added AI fluency, if you will, as a performance criteria.
We have also established new AI native operational structures. We call them acceleration squads. These are essentially small cross-functional teams operating on a startup-like cadence cutting across the company. We're using that model to aggressively close the gap between experimenting with AI to actually running the company on AI. We are treating AI agents as a new type of an internal software developer persona. We are adapting our product interfaces to be used by agents as well as humans, what's called a headless design, which is essentially decoupling the back end, the data, the logic, the APIs from the front end, the user experience and the presentation layer. When the consumer or the client becomes an AI agent rather than a human, the product in fact needs to be consumable by both humans and AI agents. We are not bolting on AI onto a legacy stack.
What we're doing, we're evolving ourselves, our product stack, our architecture, our team, and our platform with AI. Last but surely not least, thanks to our partnership with Anthropic as well as being part of OpenAI's Trusted Access for Cyber Program, we gain access to their early models that we're using both internally as part of our research teams as well as within our product through things like Hexa. We also have the privilege of working with the AI labs engineers and their technical staff to really fine-tune the LLMs to what we need within our product and our research team. The AI transformation we've driven internally is basically, it's a program that's structured across 4 themes, 14 work streams.
It goes across the work we do with our teams and talent, the tools we're using, and how we have them grounded on the data in our specific company, in our enterprise. We've also built metrics and ways to measure value, and this is an ongoing process. Of course, we have the governance for responsible and safe AI adoption and security in our CISO team. We are seeing some early productivity gains that I can share. We are seeing actually great improvements across velocity of delivery throughput per single human engineer went more than 2X, and the overall efficiency of every single person in the R&D organization has improved significantly. To take a small step back, I think probably every product or manufacturing company in existence roughly does these 4 things.
They build something, they sell it for a profit, they support it with their customers, and they support their enterprise functions, things like finance, legal, HR, and other departments. To break it down even further, product creation goes usually across this process of creation and distribution. You find the problem you want to solve, you write requirements, you architect a system, you design an interface, you develop it, you test it, you document it, release it, and then you work with your marketing and sales and operation teams to get it in the hands of customers and make a profit. These steps essentially remain the same, almost the same with or without AI. However, there are a few things that do change, and I believe that that something is speed, efficiency, or productivity, if you will, and the division of work. We're seeing that paradigm shift.
We're seeing that across the industry, but also from our own personal experience at Tenable and what I have seen happen at Microsoft a few years ago as well. The first change is that our workforce, in fact, now is hybrid. It has both humans and AI agents. Humans take the role of defining, directing, or supervising, with AI taking more and more of the execution cycle at machine speed. You can't only focus on code, so we're also working to streamline the process end to end, left to right. Some of these steps also need to evolve, such as the headless design I've talked about, where the consumer is no longer only biological. We know the product will be used more and more by AI agents along with humans, we need to adjust the design and the interface to that.
We need to have the right guardrails in the release cycle. We need to run the AI models within the right harness and invest in adopting the tooling to our specific needs. The last thing, and this is I think the holy grail that we're on track to achieve, is when this process, this cycle becomes autonomous and fully agentic. What that means is that we have successfully orchestrated agent-to-agent communication and agent-to-agent workflows. They can then go and iterate through these steps while preserving the context, the shared memory, if you will, which is not a simple challenge, the human intuition, and the intent of the creator with humans in the loop for direction, control and supervision. The last thing I want to touch on is where I think we're going next.
For me, there were a couple of sessions that really were eye-opening at the World Economic Forum. One of them was securing the agentic economy. I think it also provided a glimpse into where the market is going, and I've kind of broken it down across 5 trajectories, and I think every one of those talks to the expanded opportunity we have. First, we're all seeing that the LLM capability floor keeps dropping. We are already seeing autonomous stack agents going mainstream, Opus-47, GPT-5 cyber. They show the trend, but others follow closely. What that means is that the frontier will become baseline quite fast, and that means there's a major shift that's happening. When Mythos came along, Anthropic predicted that others will catch up within 6 to 12 months. The reality was that it kind of happened in 30 days.
With GPT-5 being almost as good on many of the existing cybersecurity benchmarks. The second thing that's happening is that agentic AI becomes table stakes for both sides, both the adversaries that are way ahead, actually, they're early adopters, these guys. They're moving super fast, also for defenders. If you go to something like a HackerOne leaderboard today, you'll see a bunch of names. Some of them, maybe most of them will be AI agents or humans heavily augmented by AI. This is sort of our line of sight into that capability curve. There's also an interesting implication on regulation. One example I've heard was the European Union's AI Act next enforcement phase takes effect on August 2nd, 2026, in about 2 months. There's a discussion of what that actually means, where things like audit, compliance, cyber insurance, they all require reproducible, auditable, deterministic output.
What I think that means is that LLMs have to be part of a workflow in a way that ensures determinism as well. It needs a harness. It needs that wrapper. The agentic economy is definitely the new attack surface. Our own cloud and AI security report we've released a few months ago shows things like 70% of enterprises today have AI artifacts such as MCP servers or AI applications without proper security oversight. Eric is going to share some data points that are even scarier of what we're seeing from customers today. Last, the contextual value. For Tenable, that context is realized through our Exposure Data Fabric, and I strongly believe that becomes the most valuable real estate in the stack in this new world. I don't think success will be to the one who has the smartest LLM. All of us will have access to LLMs.
Depends on the price, that gets cheaper and cheaper as well. I think success will be for those who can ground those AI agents in the right data, in the right context, orchestrate them with the right harness, and build and run them with the right guardrails. I personally believe that every one of these trajectories are a tailwind for exposure management. That's actually what brought me to Tenable, and that's what we're building here at Tenable. With that, thank you for your time. I'll pass it on to my friend and colleague, Eric Doerr.
All right. Hey there. I am Eric, Chief Product Officer. Been here a little over a year. Before this, I was at Google for a couple of years. I led the Mandiant integration, Chronicle, Google Threat Intelligence. Before that, I was at Microsoft Security for quite a number of years with Vlad. I had a funny job there. I was, in addition to building security products, responsible for the Azure SOC and incident response for all of Microsoft. Spoiler, I wouldn't recommend doing both of those jobs at the same time to anybody. It did give me a unique insight into how one of the world's biggest targets is attacked every day, and that's been super helpful in my career since, and what I bring to Tenable.
There's a ton of innovation that has happened in the post-breach world, even before AI, but not as much in preemptive security, and that's a big part of what brought me to Tenable. I watched this pattern over and over. The breach happens, we clean it up. That was before AI. AI changes the math. If the attackers are operating at machine speed, as Mark talked about, you can't respond your way out of that with spreadsheets. The defender's edge has to move forward to preemption. You have to fix it now before they exploit it. This is me with a little help from Claude. My version was longer. What's happening? We talked a little bit about this earlier. This is a hard problem before AI, and AI is making the attack surface way worse. You see productivity rising. Of course, visibility is falling.
We've kind of seen this movie before in security. We saw it with cloud, where cloud adoption outpaced security. We saw it with SaaS, where, remember when Box and Dropbox came on the scene? All of a sudden, there's documents being shared everywhere, and security teams are saying, "I have no idea how to keep my hands on this." Same kind of trend, AI is running this tape at 10x speed. These are two curves moving in opposite directions. The business is sprinting. Every business unit is shipping AI models, training data, agents, MCP. The workloads are going live faster than security can spell them. The CISO is effectively flying the plane blind. Every platform shift creates a new security category. Cloud gave us CNAPP. The dissolving perimeter gave us zero trust. We believe shadow AI accelerates the trend toward exposure management.
The average enterprise has 50-plus security tools. You can't solve this problem in a siloed way. The answer isn't a 51st security tool. We think it's Tenable. How do we do it? 3 steps. I'm going to go a little deeper than Steve and Vlad here. Step 1, you have to have continuous discovery. You have to see everything. You could think of this like the senses. You not only just have to see, you have to hear, you have to taste, you have to smell. You need to pull in all of that context because the enterprise is alive. It's not a static thing. It has cloud, it has devices, it has web apps, it has identity. Of course, now it has AI infrastructure, as a critical piece of the new attack surface.
That whole attack surface is constantly changing, and the threat landscape is constantly changing, continuously, not monthly, certainly not quarterly. It's hard to do that at scale. This sensor fabric creates a network effect. 1.7 trillion real-world findings, 113 billion on average a month, new findings per month. That's deep scanning inside the operational environment. As Steve mentioned, no one can scan every interesting piece of data in the enterprise. The 300 data integrations we have, and growing more every day, allow us to bring in context from other security tools, but just as important, from the infrastructure and business systems that help create the context that allows you to know what matters. Zooming into AI, in the last 30 days alone, in our customer base, we found 457 million AI security findings. Finding is a problem or a potential problem.
That's across 7,000 customers in 57 countries. This is a globally growing shadow AI problem. We're built, and if you think about it, we've been training for 20 years to outscale the attackers. Last year alone, we shipped 70,000 plugins. Vlad mentioned this. You can think of this as detections for different kinds of issues that our customers have. We have hundreds of shadow AI detections, they're live today, and more shipping every day. We cover about 25% more than CISA with the Known Exploited Vulnerabilities Program. You may have read in the news that CISA is sadly scaling back some of their activities because they can't handle the increase in volume. We're scaling up. The enterprise is alive. Tenable One helps you discover it in near real-time. Step two, you have to prioritize what matters because every enterprise is different. We had about 48,000 CVEs.
This is the funny, unique number for every unique vulnerability. Maybe we'll have 100,000 this year, maybe more. The last thing security teams need is another fire hose. You got to bring that data in, you have to de-duplicate it, you have to correlate it, enrich it, decorate it. You have to make it useful, because the raw data is not useful. You have to do that synthesis at the center rather than inference at the edge, because the data needs to be a graph. With this exposure data fabric, we can tell you on average the 3.3% of those unique vulnerabilities that matter to you. We do it faster. Again, looking at CISA, we discover exploitation, we overlap in about 64% of the times that CISA discovers vulnerabilities. The median time we discover that exploitation is 7 days earlier. The average is 37.
You have to move beyond CVEs, because as we see from the most recent Verizon Data Breach Report, which we contributed to, about a third of findings are not CVEs. These are identity misconfigurations, infrastructure hygiene, exposed secrets, and two-thirds of the breaches come from those non-CVE issues. A third of your risk, but two-thirds, or a third of your findings, two-thirds of your risk. With our Exposure Data Fabric, this all becomes context. Context, as Vlad mentioned, is extremely necessary for the orchestration of both humans and agents. If the sensors are the senses, you can think of the data fabric like the brain. Let's talk about number 3. The third step is obviously fix the problems. Unfortunately, this is where historically the industry has broken down and moved at the speed of spreadsheet, which is not machine speed.
Great visibility and prioritization is obviously critical. It is necessary, but it is nowhere near sufficient to solve the problems of today. You can see in 2025, about 26% of the worst vulnerabilities, the commonly exploited vulnerabilities or Known Exploited Vulnerabilities, were fully remediated, 26%. You can see the patch cycles, 43 days on average. Vlad showed the trend line, but they're actually going in the wrong direction. The year before, the industry average was 32. That's terrifying. Spreadsheets can't keep up. Only a machine can fight the machine, and this is why we built Hexa, which went generally available yesterday. If the sensor fabric are senses, and if the Tenable Exposure Data Fabric is the brain, Hexa is the body. Hexa is our agentic engine. It's in Tenable One. We announced it at RSA a few months ago.
We've been in early access with a few dozen customers, including some in this room, for the last few months, and we went generally available yesterday. It is built on the Exposure Data Fabric. It enables automatic patching and remediation. You need the brain to coordinate those actions. It moves security teams from manual security to agentic security at the speed they want to go, the speed of trust, and it orchestrates this messy mix that is security. Why do I say it's a messy mix? Well, we know humans are fallible. We've always known that. You ask them to do something, sometimes they do it, sometimes they don't. Sometimes they close a ticket and say they fixed something, sometimes they didn't. We also know agents have problems. Agents hallucinate. Sometimes they act like bratty teenagers.
You need the context and the guardrails and where you choose the explicit human-in-the-loop interaction to make sure that you're getting to that outcome that you want. Skynet isn't showing up tomorrow. The real enterprise is messy. We must go 10X faster, but we have to do it deterministically. This is the layer of Tenable One, the layers of Tenable One. Continuous discovery across all of the domains in your enterprise, including the business context that makes it real. The world's smartest Exposure Data Fabric, the brain, tells you what matters, avoids hallucinations in real time. Hexa, the body, the agentic engine that gets humans and agents working at machine speed. Enough slides. I get to show you the product. I'm going to take you through 4 demos in the next 6 minutes, I think. Let's get into it. This is demo 1.
How do you get from 10,000 findings to 1 attack path? Remember, attack path analysis is the only way you can get from 10,000 findings to a few things that matter. This is looking at the sequences of events that get you from an exposure to something that matters. Frontier models can't do this. They don't have the asset graph. They don't have the identity context. They don't have the brain. Here's the demo setup, because it's going to go fast once I get going. Okay? Simulated customer environment. We've got cloud identity, VM scanning, applications, and of course, a bunch of AI infrastructure, just like every organization on the planet. Let's go and play the video. Here I'm in Tenable One. I open Hexa. I'm going to search for top attack paths. Hexa looks. It's looking across everything. Thinks for a second.
You can see the top five. I could go drill into this. I actually want to zoom into AI infrastructure. In a second, I'm going to zoom into AI infrastructure. Are we paused? Can we play? You'd think a recording wouldn't have the demo gods not like you. I can tell you what comes next. I don't want to click the clicker. I don't know what'll happen. Why don't I tell you what's going to happen while we try to get the video going?
Yeah. We'll put it on the website. What would happen if the video played is you'd see a 4-step attack path. Okay. On the far right is a fine-tuned model. This is something the organization is using for an app in their environment, and they're training that with proprietary data. On the far left is a user. If you looked, that user doesn't have access to the model, so you're probably fine, right. Not really. In the middle is some training data. It's just in a storage location. In this example, it's in an AWS S3 bucket. The average customer has thousands or tens of thousands of these. There's no real way, unless you connect all these pieces together, to see that the data that's in that S3 bucket is actually the data that's used to fine-tune that model.
This exposes you to something that we call data poisoning or model poisoning. Let's go 1 step deeper. You might, if you're a good security team, say, "Let's look at who has access to that training data." You would find that the user in this attack path does not have access. You're safe, right? Not so fast. What the user has is the ability to create a policy that gives access to that bucket. If you get ahold of that user, you can start printing access all day long, get into that training bucket, and poison the model. That's the kind of thing that adversaries love, and it's the kind of thing that siloed security just can't help you figure out because you really have to look at the intersection of identity.
You have to look at how that identity is related to the storage assets in your environment and how those storage assets are being used with the AI infrastructure that you have. You really need all the data, plus you need the brain to find an exposure like that. We can do more than just find stuff. The second demo is showing you how Hexa AI helps make humans superhuman. Analysts spend a ton of time doing manual tasks in every aspect of security. We all know this. Hexa handles the operational busy work so that analysts can focus on decisions, not clicks. Same environment or similar environment. What I'm going to use Hexa to do, I'm going to set up a scheduled scan. I'm going to create a dynamic system to organize the results.
Also, something people spend an outrageous amount of time doing manually, historically. Then I'm going to create a summary for my management team because I want to look good. Let's go. Here I am. Open up Hexa. Zoom in. I'm going to create a scan targeting a couple of assets. I'm going to tell Hexa, "Hey, these are our finance servers, so I want this to happen regularly. Please do it for me." Also, we went pretty quickly, but you should have seen it said that I'm going to tag these things as they go. Here we ask for human in the loop because you're doing a write operation in the environment. We're going ahead and creating the scan. By the way, also you should notice this is setting up multiple sub-agents in parallel because Hexa is a harness that orchestrates multiple agents.
Now it's doing the work. It may have paused again. What I'm about to type, there it goes. All right. We set up the weekly scan. That's great. I'm going to go down. It is moving. I can see the, there we go. I'm going to say, "Hey, generate that executive report." This is pretty cool because it does a nice job, as you'll see in a second, of showing what I did, what happened, but it also flags something. It flags that there was a patch regression. This means you previously took an action to patch something, and it doesn't look patched anymore. Maybe the patch failed, maybe something else happened. This is what the industry talks about as validation, and it's really an essential element.
It's one of those guardrails that helps make sure that when humans or agents go do things, that we make sure that they get done correctly. Super important part, especially in the world of AI. Demo 3. What about when I want Hexa to just do stuff for me? Hexa doesn't just tell you what's wrong. It takes action. We have in Tenable One, a number of inbox agents, and we also allow custom agents. Why custom? A lot of our customers, especially our biggest customers, have very complex workflows. They have complicated approval flows, internal tooling, tons of custom data. In the past, the only option to do something here was to create an expensive internal development team or to bring in an expensive outside consulting firm to build custom automation that was fragile and needed maintenance and all that kind of stuff.
Since Hexa comes with MCP, which is a fancy way of saying that it's built to interact with other tools and agents, we can enable security teams to do a lot more in a really cool way. Here's the task I'm going to set up here, and it's going to go even faster than the previous demos, so give me a second to set it up. What I want to do here is I want to automate some patching because I'm worried about an incoming vulnerability. I have the patch, but I can't wait for a normal patch cycle. It is critical to me that we have the right human approvals because my organization requires that. It's also critical to me that in addition to the normal auditing that every Hexa operation always has, that we use Jira for workflow tracking. This could work with any tool.
In this case, we wired it up to Jira. I'm using Claude for the demo, Anthropic's Claude. It could be Codex or any other AI harness. Let's do it. Zoom in. You can see the prompt. We go ahead and do the scan. I found a few assets that have high vulnerability scores, so these are risky assets. Great. Now I'm going to go and check, do I have patches for them with Tenable Patch Manager? Turns out I have patches for most of them. Great. A couple it notes, they don't need a patch, they need a registry fix. Okay. That's easier. That's good. We found six findings across a few assets. We're going to get to a place where I have human in the loop. By the way, you don't have to have human in the loop.
If you want to be fully autonomous, you can do that. That's part of the power of custom agents. You can see the patches that were applied. It does flag there's one manual action you need to do. We went ahead and updated the Jira ticket for my workflow. I assigned it to the right owner so that you can get that done. It also tells me, "Hey, you should probably do a rescan. Do you want me to do that?" Just to make sure that this stuff actually happened, that validation loop again. It's pretty cool. Last demo. Patching, even at machine speed, isn't enough, as we talked about. A third of the findings aren't CVEs and won't have patches ever. Two-thirds of the breaches don't involve a CVE at all. AI scanning tools like Mythos and GPT 5.5 are just going to make this harder.
What I'm doing in this last demo is I'm looking for high-severity findings that have no owner. If they're risky, if those identities look risky, I'm going to automatically quarantine them. I'm going to update the identity system, which in this case is Okta. And just take him out of it so that there is no risk until I can go figure out what's up there and make it right. Let's do it. Okay. Simple prompt again. It's thinking, looking for a critical AES. That's the attack score, effectively, that Tenable uses. Finds some assets, digs in a little bit, works around a problem, finds the owner, finds four matches in Okta. Of course, I'm going to update Jira because that's my workflow. It's important. Have a little bit of human in the loop there. You can see the success. I've got four accounts quarantined.
I'm going to move to the final step, which is verifying the membership, updating the Jira ticket. I've just quarantined those assets in under 60 seconds. There's no risk of an attack with that attack vector. Pretty cool stuff. This is a brand-new tool set for security teams. Stuff like Hexa did not exist yesterday, certainly not a year ago. If you zoom out to the Tenable One platform, we've walked through how continuous discovery is essential, the senses of Tenable One, how prioritization that matters to you has to be there, that Tenable Exposure Data Fabric, the brain of Tenable One, and now Hexa, our agentic engine, the body that makes the security team superhuman and automates the messy mix of humans and agents. I'm going to leave you with my favorite marketing tagline.
As we were working on Hexa, I don't get to decide the marketing taglines, but I get to propose some. My favorite marketing tagline that we didn't pick is that Hexa gets shit done. AI is making the attack surface harder, the job harder. Shadow AI is everywhere. Siloed security can't solve this problem. A platform that only sees some of the attack surface can't solve this problem. You need complete visibility across cloud, OT, on-prem, IoT, identity, business context, and more. Our customers have 50-plus security tools. They don't need a 51st. They need Tenable One. Thank you.
All right. I know we're running a little behind, so I'm going to move relatively swiftly through talking about the marketing piece and then invite our customers up on stage so you could actually hear how they're using Tenable One and Hexa. By way of introduction, I am Meg O'Leary. I am the Chief Marketing Officer here at Tenable. I can't believe it, but I'm here almost three years. They've let me stay. I love this company, I love this team, and I think we are building something really amazing. Let me talk, just as you came in, you I'm sure, I hope, saw the new Tenable brand. This is not about marketing for marketing's sake. This is about taking the foundation of Tenable and what we've built and signaling to the market that we are here and ready for the AI era.
The future we are building required a new expression of Tenable. We really want the market to see us in a new way. We are very proud of our vulnerability management heritage. As companies are looking for VM, they are going to come to Tenable. They're going to come to Tenable because we are the undisputed leader in vulnerability management. As you've heard over and over again, we are ready for the next generation of what's happening around exposures. There's so much goodness in this brand. When we built this brand, we spoke to over 1,000 customers, and the number 1 thing they said about why they like Tenable is because we are trusted. That is the number 1 attribute that they associate with the Tenable brand.
We want to hang on to that brand, but we also want to express it in a new way. When we spoke to those customers, what we realized is we have something that is very, very powerful. We take chaos, and we turn it into control. You heard from Eric and Steve and Mark, 50-plus tools inside their environments, 12 to 15 teams. Now the AI attack surface is coming. Agents are proliferating. It is a lot of chaos to harness. What we learned is that that's what customers count on us to do. This idea of chaos to control, of giving them simple answers in black and white, that is what this brand is all about. It's a scalable system.
We think it's opinionated, we think it's sharp, and we think it stands out in the marketplace because we have something to say, and we have something to show, and I hope that you saw that in the demos and what we're telling you about Tenable One. You're going to see this sort of roll out more and more if you come to RSA or when you come to conferences. Also the first real expression that we're doing of the brand is actually a new brand campaign. When I say brand campaign, I'm not talking about Super Bowl ads. I'm not talking about huge billboards. We are surgical in the way that we do brand marketing. We started investigating our message. I'm just going to give you a little preview of the brand campaign that's rolling out this week.
AI risk isn't always easy to see, and the threat of exposure can be scary. With the right perspective, it doesn't have to be. You can let it run wild across your organization or tame it.
You can let it strike at any time, or harness it. You can let it prey on your company data, or contain it. Employee AI doesn't have to be chaotic. See the full picture to take control with Tenable. Take your AI risk from invisible to visible, from unmanageable to manageable, from untenable to Tenable. Tenable. Your exposure ends here.
All right. Thank you. Thank you. What we're trying to do for our customers is contrast the untenable circumstances of their jobs and what they're trying to do with the control that Tenable is bringing. We're really leaning into the AI message because we think we're doing something very exceptional here. You can see it scales when the opportunity is right to scale to physical spaces, to scale to digital spaces, around trade shows, at our own events, and showing up in the market in a really bold way. As we are saying more and more, when the world is untenable, we are Tenable. With that, I'm going to invite our customers up so we can actually talk about what they're doing to control their chaos. If you guys would join me on stage here. Come on up. Can you do that?
Little set change here. All right. Thank you so much.
Sure.
Am I missing someone?
Yeah, we're missing Tareq.
Eric? He went to the restroom. All right. Well, we'll get started without him.
Don't turn on his mic.
Let's make sure it's really awkward for him when he comes back in the room. All right. Ashley, I really want to hear from Tareq, because he actually is doing some incredibly exciting things with Hexa, and agentic security. Let's just get started with some introductions here. Here he is. Give him a warm welcome. Come on, Tareq. No, you're okay. Why don't we go ahead and get started? Rick, you want to introduce yourself?
Sure. My name is Rick Vadgama. I am the CISO at GEICO. Be sure to bundle your home, auto, boat and motorcycle and give us 15 minutes and we'll save you 15%.
John Schramm. I'm the Global Head of IT Risk and Security for Munich Re, the largest company you may not have heard of before. I run a team of 400 security professionals across 10 countries, for the world's largest reinsurer.
Hi, everybody. My name is Tareq. I hope my mic wasn't turned on while I was in the bathroom.
You're good.
It would have been great. Yeah, as you, I think you can hear, I am French. I've come from Vicat, which is a cement company, which I'm telling in a very poor accent, I'm sure. Basically, they build concrete and sell it across multiple countries around the world. I'm super happy to be here. I don't have a cool tagline like Rick for selling you cement. Sorry.
All right. Well, we're super happy to have you here, and let's sort of talk about the journey that you are taking to exposure management. I know you all sort of started your journey with us around vulnerability management. I know there's a lot of expansion that you've done. Can you just talk a little bit, what was the breaking point or the turning point for VM that made you decide, "Okay, we need to move on to exposure management"? Maybe Rick, you could start for us.
Sure. I'm proud to say that I've been working with Tenable now for 12 years. I'm a 3-time customer, though according to Mark and Steve, I will not get Tom Brady GOAT status until I buy them 7 times. For us, it wasn't necessarily a breaking point. Tenable's really been helping me over the number of years that I've been working with them to pivot my journey. Certainly from a vulnerability management perspective, there's no lack of CVEs. Part of the reason why I'm a big fan of Tenable One is that it's my single VM platform.
Regardless of where all these various sensors are, my ability to ingest all that information and then have a single brain provide my overall exposure management, and oh by the way, to take it to the next level, understand my attack exposure score, is really important. What that really means is this. From a tech perspective, there is certainly no lack of vulnerabilities that we need to address. When I go to tech leadership or when I talk about risk reduction with ELT members, I am really talking about risk. When I go and say, "These are the five things that we need to focus on because they are exploitable," all of a sudden it changes that narrative. Instead of me going with 1,000 things and saying, "Address that," I am basically saying, "These are the five things you need to focus on."
Awesome. Tareq, I know for Vicat, it started with a VM-
It was OT, and then it was CNAPP, and sort of we have all of the different domains on Tenable One. Can you kind of talk about what drove you to sort of bring it all together under an exposure management platform?
Yeah, of course. With pleasure. Vicat operates in cement and plants, so we started with OT because the sensor solution is actually the best that was on the market. Nobody else was offering that. Then we went to agent with vulnerability management, and we basically followed the product roadmap of Tenable, and then we moved into the cloud, so we invested into the Tenable CNAPP. At this moment, we moved to Tenable One and we went into exposure management, and the philosophy actually made sense, because what is exposure management? Like Rick said, vulnerability, CVEs. That's also what Eric said earlier. Two-thirds of the breaches don't come from CVEs. They come from misconfiguration. They come from stuff that are really dangerous. Also, since we are among a lot of 11 countries, it's important for us to share the same language.
Talking like in Brazil or in India, we do need to make sure that we all understand where the risk is and when it needs to be fixed. Exposure management gives us that through the unified view, the unified dashboards, and the attack path analysis. Like Rick said, instead of think you have 1,000 stuff to fix, nope, you have this one and this one to fix, it will secure the solution. It allows the various owners of all of the platforms to go back to their boards with something that's simple, actionable, and that you can mirror in the end.
Sorry, I'd like to add to that. That's a great point, because we all have a lot of security reactive systems. Right? When I think about Tenable, it's my proactive system where I have all the information and telemetry and oh, by the way, we all have various EDRs, and the EDR companies are also talking about VM. When was the last time you were able to install an EDR on a firewall? No. Right?
Which is why Tenable is the right solution, because regardless of what the sensor is, you can pull it all in and now we're having a proactive conversation to go and look for things that matter, where I have misconfigurations around my crown jewels.
Yeah, I completely agree with that.
Yeah.
There is a shift that happened with the reactive environment and EDR, actually Tenable is bringing this kind of mindset that actually security teams know about, like you need to fix it right away. Tenable allows everybody actually to bring that mindset to the proactive movement. Actually, we can fix at the speed of machines. Every vulnerability is a risk. Every exposure is a big risk. It needs to be fixed right away. Yeah, absolutely great point.
John. Oh, please.
I think it's really important, this capability to understand the entire attack surface of a company. We have 2,000 plus applications. We have hundreds of thousands of devices on our networks, sprawls the globe. We have 149 legal entities that we're governing in my central security services team, and sometimes we can't actually shut something off. We don't have a patch for it, but it's making a lot of money, so we can't turn it off. We need to push a fix. Maybe it's a web application firewall rule. Maybe it's a rule. Maybe it's a network structure. Being able to see everything that I have and where those problems are, the things that I can fix, to be able to fix them, and the things that I can't fix, to be able to do something different is very critical to our business.
Can you talk a little bit more about specifically why Tenable One? There's lots of companies, lots of platforms coming out around exposure management. What is it about Tenable One specifically that you chose that as the solution? I'll throw it out to any of you who want to jump in.
First of all, props to Tenable leadership. They have made Tenable One incredibly easy to buy. They've simplified the SKU process, made it really easy for the channels in order to be able to sell it to me, the customer. Oh, by the way, in terms of how they've packaged all the capabilities, it's really meaningful. For me, the openness of the platform and the simplicity and the real power and really with Hexa, it really comes down to how creative my teams can really be. As all of you are out there and read constantly in The Wall Street Journal about how lots of companies are reducing headcount by 5%-15%, what does that really mean? Right? Also, our budgets aren't increasing either.
One of the things that we'll be taking a look at is how we can automate a lot of the lower-level types work by using agents in order to take those things. Such as, and the super nerd thing specifically is tagging an asset with the right sort of metadata so that we can make sure that the right scans are being approached. Previously, it would've taken one of our analysts a lot of time and a lot of collaboration with a bunch of team members. Essentially, we'll be able to automate that through Hexa.
That's such a good point. First, I just want to make sure everyone in the room saw, we announced new pricing and packaging a couple of weeks ago around flex pricing so that our customers can use the assets they need to use in a fluid way to match the needs of their environment. If you haven't seen that news, I'm sure Erin has shared it, but just so we all have sort of the context there. As we're talking about Hexa and what we're able to do with this agentic engine within Tenable One, there's everything from sort of the drudgery of the work that just takes time, tagging, what have you, and then there are things that we are doing that are next level that we really couldn't even think about doing a year ago with such speed.
Yesterday, Tareq did a breakout here at EXPOSURE to talk about what he's doing with Hexa and with agentic security. 200 people came into. Was it this room? I think it was this room.
It was in there.
Literally a standing ovation at the end. Tareq, I would love for you.
Yeah
to sort of share with this group how you're using Hexa in sort of the spectrum of just helping with manual work all the way up to how it's upping your game.
Yep
in risk, in managing risk.
Sure. Pleasure. Just to go on what Rick said, because it was very true, why do we trust Tenable One? Actually, trust is the right word. Out of the big player that we've been using for quite a long time, it didn't have any kind of major issue that some others might have. This layer of trust that has built over all the years makes Tenable One the right decision to bring your data into it. We do feel safe with the solution. The vision. It's very good. I guess you know French people are very nosy, I've also exchanged a lot with the technical teams. They're very good. It makes sense where they go. There's a kinship of engineers that's been created, this is something that personally I like a lot. About Hexa.
Yeah, I also had the pleasure to have access to Hexa before the others. I played with it for maybe the last 4 months. What Rick was describing, the tedious task that used to take an analyst or even more senior people like me 2 or 3 days every month can be automated and actually then takes 20 minutes on a Monday. I can do it whenever I want, change my tags, change my scanning, you need to know that when you do that, this is the basis of discovery. Without those kinds of not very sexy task, actually, the tool doesn't work as well. Somebody has to do it, now Hexa can do it. I can put value, my time, my reflection, actually risk management, which is my job actually, where it matters. That's for our board, that's dollars well spent.
Just for that already, Hexa is fantastic. Eric showed it to you. This one is great. Like you said, since headcount are going to be bigger, we are being less and less people. Being able to do more with the same kind of people or even less is a great asset. On the capability of Hexa, I did the demonstration yesterday. That kind of looked like what Eric did, but it wasn't only in Tenable because in my company, like you said, we do have 50 products, I think. I won't say the names, but all of the DLs, over the firewalls, all of the SIM that you might imagine, we do have them.
Having Tenable as our source of truth and actually using the capabilities offered by Hexa that actually give an LLM model, and which one you want actually, access to this kind of normalized information gives you a very good source of truth, which means that your agent can work very well, and then you can orchestrate many things quite simply. What you said about yesterday was true. I think it worked pretty well. I think the nice thing is that everybody was able to see what you could do. It's not like the future, like Eric said, it's not Skynet. It's actually you can do it right now. It's fun to do. It gives you back control over your assets, control over what you have, and I think the underlying thing is that Hexa made that possible because it is so easy to integrate with the rest.
I think having tried with lots of other solution, that's where Tenable is at the forefront. The vision has been clear, and they are capitalizing on years and years of sensors and data, and they come at the right moment, right time, with the right product. I think that's pretty rare in the landscape of cybersecurity.
Yeah, I think also where we are with Mythos and the acceleration, the tsunami of vulnerabilities we're going to see, this is an enabler for us to be able to go fast.
Absolutely.
Also to enable our business to use AI processes to build out business functions. We have a huge number of units doing things in reinsurance and underwriting, and in client service on AI right now, and we want to do more of that. I think Tenable is one of the reasons we'll be able to manage the risk as we go down that path.
And so-
Also I wanted to add, the work that I had an opportunity to see you do is so inspiring. Why this really matters. Imagine a new zero-day exploit comes out. I can go to Hexa and be, "Where am I vulnerable and where don't I have an EDR in place?" Hexa will go through search, from there I can say, "All right, can you go quarantine those systems or can you go ahead and patch them?" Historically, that would have taken hours or I might have had to run a COE process, a correction of error process, where now I got to disrupt a whole bunch of engineers, this, that, and the other, cause a lot of drama. Through Hexa, I can do that. The other cool thing about Hexa, I'm only limited by my imagination.
Picture a world that once we get this fully deployed and when I come in in the morning, Hexa will have already found all the zero-day exploits, given me a readout of where I'm vulnerable, and if I elect to tell it, "Let Hal take over," then it can either quarantine or patch them or so on and so forth. It basically saves a lot of minutia, a lot of extra effort that my teams have to go through today.
Yeah. Like Rick said, which is very interesting, since I had access to Hexa before the others, earlier during the week, it made cybersecurity fun again. We started asking question.
Yeah.
Like it was finding solutions. The job wasn't a dread anymore. The noise of this hassle, it became fun again to interact with our tools. That's one part which is great. Another thing also that I wanted to add, I saw the great presentation. Knowing that Tenable is going AI-native also actually makes sense with what our companies are doing. There is a convergence that's happening and Tenable offering us XMCP using AI, we are also strongly encouraged to go AI-native also. We do have the access, the MCPs to not go into all those technical work. Actually the way to plug in the AI-nativeness, it's not English, I'm sorry, of Tenable with our own AI-nativeness, I think this is great.
I know we're up against time, I've just one question that I'd love you all to sort of give an answer to. One of the things, you know this better than I, we hear over and over again about one of the value that comes from exposure management is the business level reporting. Going to the board, going to the leadership team, sort of letting them know how at risk you really are. Can you just sort of talk about the value of Tenable One in terms of executive communications, in terms of communicating at the board level?
Historically, from a CISO perspective, in the olden days we would go to the board and say, "These are all our CVE vulnerabilities and whether or not we're meeting SLA" and big glass, and they would kind of glaze over. Now I've been able to change the narrative. Now I talk about exposure. Now I talk about risk reduction. Now when I go up and present a pictorial representation, I show what are the top 5 risks, what are the level of effort, and, oh, by the way, what's the revenue impact that if we lost that system due to an exploit, right? That really resonates with them because at the end of the day, right, the general managers are the ones that dictate the product on what capabilities engineering needs to work on.
Historically, it's always been a tough fight from Cyber working with the dev or the technical teams to try and convince them. Essentially, I'm skipping them, I'm going right to ELT and I'm saying, "These are your 5 top risks. You can choose to accept it, oh, by the way, this is what's going to be the loss of revenue due to an outage."
John, how about you?
Yeah. It's core to my program. As I said, 149 legal entities all requiring reports. I run the security services company for the group, I have to report to all of them. That's a huge task. I have a team of people who do that. Tenable is one of the primary feeders into that reporting system for all those entities to comply with the regulations and to demonstrate their oversight of the servicing that we provide.
Awesome. Tareq, I know you've talked about not actually talking about vulnerabilities-
Yeah
Actually you measure attack paths.
Yeah.
Right? Can you talk a little bit about that?
Yeah. Like I said earlier, Vicat Group is based in France, actually we have subsidiaries all around the world, it's different kind of regulations, different kinds of laws, and also different kinds of cyber insurance topics. For example, a 6.2 in France is-
Do you insure you?
If you give us a good price with GEICO, we can start to visit. We can talk about that afterwards. Yeah, there's all kind of various stuff. In Brazil it's not the same as in India or as in Kazakhstan. Anyway, having a similar vocabulary, similar grammar was one of the big issues that we're moving around. Having Tenable One, but for more than a year has been a game changer because we do talk about attack path. They managed to put that into their insurance contract. All of the countries, it's 13 countries, it's 13 boards reporting to the boards. It's French, let's say that. I won't get into that. All of them share the same vocabulary. They can improve on the same spot.
Since we also had Hexa earlier, I used to have to explain all of those reports. Everybody has its own card into exposure management, and through Hexa they can actually ask question on what to do and what would be the best way to actually improve this. I almost made myself out of a job. Almost.
Your risks reporting at the board level through Hexa, those reports you've got
Yeah
they were blowing minds of our own engineering.
Yeah
Product team. We're super excited to sort of see that kind of use. I know we're running a little long, so thank you so much.
Thank you.
Thank you Rick, John, Tareq.
Welcome.
With that, I'll hand it over to my friend and colleague Dino to talk about our GTM machine.
Thank you.
That was awesome. Awesome. Thanks, Rick. Thank you.
Beautiful. Gotcha. It's always nice when your customers do your selling for you, so thank you guys, that was awesome. My name is Dino DiMarino. I'm the new Chief Revenue Officer here at Tenable, and spent about 17 years, so not as many as Vlad, in cyber at various companies from RSA, Mimecast, and most recently I was the CEO of a machine identity company called AppViewX. The reason I joined Tenable is pretty simple. First of all, it's the team. I've been welcomed extremely quickly and deeply by the executive team, the operating team I get to work with, from my theater leaders, channel leaders across my entire org, customer success, through to the cross-functional teams I work with every day. It's been an amazing 70 days so far. The second thing is the platform.
When Mark and I and Steve first started talking, they walked me through sort of what momentum they had around the platform. This was pre-Mythos. I didn't predict Mythos, but I knew that in a world of AI, this would be the only way that you'd be able to fight machine speed attacks with a machine speed platform like Tenable One. Lastly is the timing. Again, somewhat of the category. Exposure management is becoming a real category. It's becoming preemptive security. Proactive security is a real thing now.
Again, I think the shift in dynamics of how CISOs, like the three gentlemen we had on stage, think of preemptive security is changing from a decades long sort of focus on detection and response to more of a balanced focus on preemptive security detection and response, which I think is the only way that we're going to win the war against the adversaries, against AI machine attacks, machine speed attacks. Let me jump into a few quick updates on how we see the opportunity ahead for Tenable and Tenable One, a little bit about our structure, how we go after the market, and then I'll get into a little bit of the pricing, packaging, and positioning around the platform itself. First of all, you guys know you cover our stock or you're invested in Tenable. We have over 40,000 customers. We're very proud of that.
A mix of some of our high volume business from a Nessus perspective through to some of our on-prem VM technologies like Tenable SC, through to Tenable.io, all the way through to Tenable One. A third of our enterprise customers already have some footprint of Tenable One, and that tells me two big things. A, exposure management is real. You're talking thousands of customers have already made this investment in our platform, and there's still a lot of cross-selling and upselling opportunities across what we've already landed with from a Tenable One perspective. Two, we have a ton of runway just within our existing base of customers, let alone the net new acquisition that I'll touch on in a few minutes, and that opportunity to land and expand with Tenable One. We have a lot of partners.
There's a lot of work that Jeff, who runs this organization for us, is doing around not only mobilizing our channel partners, but enabling them to not just sell our technologies, including Tenable One, but successfully design, implement, and in certain cases, manage the platform for some of our maybe less sophisticated customers or customers, like Rick mentioned, who are going through some type of headcount reduction but still need services wrapped around this key preemptive platform. Lastly, similar to our footprint in Tenable One, we have a lot of big customers, and no surprise, a lot of our big customers drive our biggest expansion.
We have a lot of mid-size customers, in the $100,000, $200,000, $300,000 range that we are starting to see a lot of engagement around driving more upsell and expansion, again, as we land more net new, providing that fuel to drive a double-digit growth engine in ARR over the next several years. We think about how we're organized. This probably looks quite typical, so I'm not going to spend too much time on it as it relates to an enterprise SaaS go-to-market structure. We've got enterprise, commercial, and what we call a high-velocity team, as well as, sort of commingled with an e-commerce team that's supported by our world-class marketing team. Again, shout out to Meg. The branding, when our sales team is screaming from the hilltops that our brand's amazing, you know you've nailed something because salespeople are unfortunately almost as skeptical as CISOs, no offense.
I was super impressed with how the team responded because actually, black and yellow is not purple, not red, which is sort of how a lot of the world is branding themselves as cyber. Anyway, we've got an amazing marketing team that's helping obviously from a demand gen perspective and supplementing, again, a world-class channel organization and channel partners that are helping to drive demand, both for net new as well as existing customers, and supported by field teams in the enterprise, as well as hybrid teams in commercial and a high-velocity team, in what we'd call SMB. I think the key thing here is, as we think of AI, which I'm going to touch on, speed and efficiency.
Actually, Vlad said it multiple times, and I say it a lot within our teams now as I'm getting my hands around the business, is a massive opportunity across all segments, but obviously within more of our high-velocity business to not reduce headcount, but to make the headcount we have significantly more productive and efficient. Our world-class partner ecosystem, again, pretty typical for an enterprise SaaS business. We sort of have three pillars. I think the one thing to call out is you shouldn't be thinking of a partner, let's say like GuidePoint, as living in one of these buckets. Many of our partners live in two of these sort of capabilities, and that's, again, pretty normal.
I think as those businesses modernize and they look to provide more, what I'll call around-the-box, around-the-solution capabilities, they're not only going to resell technologies, but they're going to implement and in certain cases, manage them. Then you've got more pure play players like an IBM, an Accenture, who are less, I'd say, concerned or interested in the product resale side and much more around the broader business consulting and program design or redesign for CISOs who need assistance to really start to modernize their VM programs to an exposure management program. Lastly, you've got tech alliances. Obviously, Steve hit on the Anthropic and OpenAI announcements. These I think are going to be table stakes for any cybersecurity vendor.
It's going to allow us to move faster and stay ahead of the curve as it relates to AI-related threats, be in the know and co-partnering with them, as well as learning from them and leveraging their technology to actually move our platform faster and stay, again, ahead of the adversaries that we are all concerned about as we now live in this new agentic world. Then we've underpinned that with very typical tech alliance partnerships. One of the things I'll touch on in a few minutes is the fact that our exposure management platform is open. We have competitors that tend to want to platformatize the entire estate and do everything they can to make CISOs' lives painful by forcing them to buy one size fits all, when the reality is the journey most CISOs are on is a heterogeneous journey.
Us having partnerships with the likes of AWS, Cisco, and Splunk, to name another 160 or 178 key technology partners, is critical. Underpinning that, when you think about the partnerships we have across tech alliances, we have 300 integrations. Eric mentioned a few. If you think of Jira, that's an integration. Jira is a company. If you think of ServiceNow, we have multiple integrations to ServiceNow. One company, multiple integrations, hence why we have more integrations than partners. Expect that to grow significantly. With the advent of the MCP protocol, which is an AI networking protocol, you're going to see more ad hoc integrations at scale, which is super exciting as it relates to the fixing side of what we're delivering on the platform. A little pivot. We talk a lot about machine speed attacks.
We talk a little bit about AI and cyber. What are we doing inside of the company as it relates to AI inside of go-to-market? We're doing a lot. I'm going to hit just a few highlights here for you. When you think about the customer journey, we map our sales cycles against that, and we also map our enablement, how we derive demand gen through to post-sales experience. I'm going to hit a few highlights that we've already started, and Vlad hit this earlier. What we're doing inside of Tenable around trying to drive AI in our SDLC, yes, that's core to the product, but AI can drive efficiency everywhere in our business. We are in early innings, but we're already seeing really good gains as it relates to that in go-to-market.
Agentic deal coaching, seeing inside of Clari, which is a platform we use, maybe the questions, the trap-setting questions that a seller should use versus having to think of that on the fly. Think about click-to-chat, sort of a table stakes capability, but how can we use agents behind our click-to-chat platform to now streamline how our sales development reps get back to customers within machine speed where appropriate? Here's one that you hopefully will be interested in. We talk a lot about Hexa, and you might be thinking, "Well, you GA'd it yesterday," but we've got Tareq talking about these use cases he's deployed, but we had an early access program, and I was one of the early access people as well, and I will try to trump Eric's quote Hexa is so easy, a chief revenue officer can use it.
I've actually started to use Hexa in our demo environment just to become really, I'd say, astute in understanding of what technical operators will leverage in this technology, and I do think it's going to free up the customers that we have and the prospects that we're working with around the drudgery and the complexity of working through either their headless or a traditional UX front end, but we're going to provide all 3 choices to the customers. Our solution engineers, getting to the punchline, are already starting demos based on the customer's top 3, top 5 pain points, either within Tenable One today, pre-Hexa, or within other technology solutions that we're looking to augment or replace. It's been a game changer for us already, and it's not even GA. Well, it's GA, sorry, 2 days ago. Then in post-sales, again, pretty table stakes things.
How do we give people in the customer success organization real-time telemetry and call to action plans where we've got opportunity to cross-sell and up-sell, or if we see account risk within our customers. This is all underpinned by a go-to-market operations team, again, world-class function within the business that's helping us get insights to drive our sales leaders, SE leaders, channel leaders to the right spots to either double down or potentially invest in other areas, as well as making sure our forecasts are done accurately weekly. We understand exactly what's happening moment to moment within the business. Now let me touch on our pricing and packaging. I think for people that have known Tenable for a while, probably the simplest way to think of what we're delivering was already said by Rick from GEICO.
We're trying to drive simplicity and ubiquity with the new pricing that we've launched just earlier in late in April, so just less than a month ago. Why we're doing that is we're trying to drive adoption of exposure management, and rather than counting multiple line items, which can become, again, fatiguing and super complex for customers, we were saying, how can we simplify that buying journey and also the coverage journey for our customers? Many of our customers, and Mark hit on this, are maybe not quite ready for a full-blown exposure management journey.
It's important to understand that while Tenable One unlocks that capability, we do have a lot of customers that say, "Look, I'm not quite ready for this yet, but I want to take my existing VM environment, Tenable, and start at least to experiment with the capabilities in my infra scanning layer, and then over time, start adding other capabilities that are maybe adjacent to VM, like OT, identity, et cetera." When we think about the sales motion that we have, which I'll touch on on the next slide, it's really trying to get siloed VM security tools. If it's Tenable, it's, let's say, Nessus or Tenable SC or Tenable.io, or if it's one of our competitors, their legacy VM technology and get them to exposure management. It doesn't mean that VM goes away.
Just think of it now as a use case, a vertical use case under a horizontal capability per Eric's slide that is exposure management. The packages, we're not getting rid of VM. We still have customers that use it, need it. The packages now are traditional security products from a VM standpoint with 2 exposure management packages, Foundation and Advanced. In the case of Foundation, just think of all the sort of basic or standard capability of an exposure management platform. In Advanced, we get into more sophisticated use cases. In the case of Hexa, both packages include Hexa. In the case of Advanced, you get significantly more usage in that package. The price per asset is higher. I think Matt's going to touch on sort of the economics that we're trying to deliver with the pricing and packaging.
Ultimately, the Advanced package is our more advanced, most advanced package, and everything Eric's touched on would be included in the Advanced package. We're trying to make it very, very simple for our customers as it relates to their journey with Tenable. We do see that we will have customers that sort of start where they are today, move to Foundation, and then over time, upgrade to our Advanced package. When you think about the on-ramps into the platform, there's really 3 simple ways that I like to talk to our sellers about it as we've kicked off, me joining the company, being a few months in, and the first focus area, Mark and Steve hit this hard at sales kickoff. I was unfortunately not there.
I heard it was amazing, but still, it was good to sort of ride their coattails off a key focus area for the company, which was getting our existing VM base to Tenable One as fast as possible. We're doing that because Tenable One, as Vlad mentioned, provides multiple moats. A, it's a bit of a protective tissue against competitors, et cetera. There's the defensive side of why it's strategic, but also it unlocks ridiculously valuable capability that siloed tools simply don't have. Like I said, we've already transitioned thousands of customers to Tenable One. We still have a lot of runway, over 60% some odd to go. That's a massive focus area for the sales organization and the channel organization.
Displacing competitors, whether it's a sophisticated Fortune 10 or 100, one of whom I spoke to yesterday, that has a niche exposure management platform, a competitive VM technology, a competitive cloud technology, they likely might start with two of those three use cases. It's a straight VM modernization with the future-proofing of our exposure management platform. We have the flexibility, especially with the new packages, to land in either fashion. While we still have VM technology to land more and more, especially with the capabilities of the likes of Hexa and the demands we're going to see from the market on things like MCP, I expect that we will see more and more lands with our Tenable One platform, either Foundation or Advanced. Obviously, once we land, we have a litany of use cases and asset coverage to drive.
I think it's very important to understand the simplicity of the asset coverage gives sophisticated organizations the ability to do things like double scanning. I think we know there's a lot of endpoint detection and response vendors that have some basic VM capability, and we have some Fortune 100 CISOs that say, "You know what? We trust your scan better than anybody else, but we already have an agent on their endpoint. We're going to double scan." The good news for that customer, they pay once. If they want to drop the competitive agent, they don't have to pay. They get to save that money off that competitive, what I'll call displacement.
In the case of Tenable, they've got the coverage and they have the optionality. I think as some of the panelists said, they have the flexibility to move asset types to different use cases over time. That flexibility is critical as we go forward, I think, in this type of agentic world, and that's what Tenable One's platform and pricing provides. This is an example of a very large, major telecommunications company. The good news is I think all 3 that we use on our phones today are Tenable customers. You have a 33% chance, or 33.3% chance of getting it right. This is a customer that's been with us, I think, since 2017, and they started, like a lot of our enterprise Tenable customers, probably back even prior to 2017. They might've been doing some very basic Nessus scanning.
2017, they made a big investment in Tenable SC, along with our web app scanning technology. This was at the time, sort of modern core VM. Like I mentioned earlier, you've got customers at different stages of their journey. This particular customer, like many Fortune 500, I would argue to their credit, was already doing exposure management in, I call it, version negative 1.0, in that they had various sensors like ours and others. They had a SQL database in the back end and a Power BI front end with a lot of bubblegum and tape to drive workflow to do remediation in a matter of days and weeks.
Because we know that has to be collapsed now into minutes and hours, and that's why they made this accelerated journey over the last several years from what I'll call very core VM use cases to a more broad-based, foundational, almost exposure management use case, although we wouldn't have called it that in phase 2, to then about a year ago, making a huge investment in Tenable to now become the brains, as we like to call it, of their preemptive security posture, including everything from VM scanning, web app scanning, cloud, identity, WAS. We are now becoming the orchestrator of remediation for this very large Fortune 10 organization.
Just to wrap up before I hand it over to Matt, three focus areas that we've got our go-to-market team lined up on over the next eight months as we finish the year, but I anticipate these are going to be similar themes. The tactics may change over time. Number one, land with Tenable One. Number two, migrate and expand our VM base as fast as we can from VM to Tenable One. Lastly, how do we deliver speed, scale, and efficiency in go-to-market with AI and automation?
That's going to be, I think, a big factor as how we continue to get leverage on the income statement, still invest in sales capacity, but become smarter and smarter with how we have supporting capabilities in the business, allow our sellers to do what they do best, which is be in front of customers and position and sell Tenable One. With that, I'm going to hand it over to Mr. Brown, who's going to come on stage and take us home.
All right. Thank you, Dino. Really appreciate it. Dino, our newest executive, been here only a couple of months, and, as you can see, hit the ground running. Super happy to have Dino on board. You've heard a lot today. You heard a lot about how this market is changing. It's an absolutely shifting landscape. We wanted to go deep on the technical side, and so hopefully, you got that. You were able to hear from Vlad and from Eric. You heard from Meg on the new brand. You heard from our customers. What I want to try to do is pull this together for you and let you know how I expect that to impact our financial results over the next few years. First, I think it's worth taking you back to 2021, which is the last time that we had Investor Day.
Back in 2021, really, exposure management was a collection of a whole bunch of different sets of tools, right? We had VM, we had web API, cloud, identity. These were all operating somewhat independently. It's pretty different today. Today, we have a unified platform, which you've heard a lot about. That platform is looking across all of the different asset types that customers have. It's focusing on what matters most, and then it's tying it together with agentic capabilities that help orchestrate remediation. That's a big change from 2021. We've come pretty far. We've also come far from a financial perspective. Back in 2021, I'll go a little deeper. Steve touched on this already, but I want to drill into each of these areas a little bit. Our revenue back in 2021, $541 million.
Today, at the midpoint of our guide for 2026, we've now smashed through the $1 billion threshold, growing at 15% CAGR over that period of time. Pretty impressive growth. How about from a profitability perspective? Even better. Profitability has grown from our op income back in 2021, $51 million, 9.4% of revenue. Fast-forward 2026, midpoint of the guide, we're now expecting $257 million in operating income. That's at 24% of revenue. It's an impressive 15 percentage point growth over those five years, so averaging three percentage points per year. With that increase in profitability comes an increase in cash. Unlevered free cash flow grew from $95 million back in 2021 to now more than triple that. We're expecting $290 million of unlevered free cash flow in 2026. That's a 25% CAGR over that period of time, more than nine percentage points of growth. Really impressive. We've come pretty far.
Today, as you heard, we've got over 40,000 customers that span 160 countries. We've got an incredible distribution network, 8,000 channel partners, many strategic partnerships, over 300 third-party connectors within our platform. We've come a long way since 2021. We also believe that this is really just the beginning. Like I said, we drilled deep on some of these technical aspects over the last hour and a half. You've heard about where we've been, where we're going, and most importantly, what we're doing to help our customers stay safe. These are exciting times for us at Tenable. Also really exciting and challenging times for our customers. You've heard about how AI is changing the attack surface. There's a proliferation of vulnerabilities, but these can be addressed with our Tenable One platform. As Eric laid out really nicely, step 1 is this first layer.
It's the surfaces and signals. It's continuous discovery. Step 2, it's making sense of this noise with the Exposure Data Fabric. Step 3 is orchestrated remediation with Hexa. This is our key differentiator. Remember, the challenge for our customers is not discovering new vulnerabilities. The challenge instead is figuring out which of those vulnerabilities pose a risk to them in their specific environments, on their assets, with their configurations. It's those specific risks. The challenge is prioritizing them and fixing them. That's what Tenable One solves, and it's never been more important. To really lean into the opportunity, Dino touched on this with our new pricing and packaging. We knew that we needed to drastically simplify the pricing.
He talked about, actually our customer panel did a really fantastic job as well, discussing not just the benefits of Tenable One and of Hexa, which is by the way, only available on the platform, but also this new simplicity of the pricing. This has been a pretty significant change. It reduces friction. Very important to reduce friction, not only for new opportunities, but also for expansion. In the past, customers wanted to switch and mix and match assets in the middle of a contract term, they'd have to go through new approvals in the PO and procurement process. We don't want that friction. We've eliminated that. With it comes an uplift in price. Tenable One Foundation is new. From going standalone VM to Tenable One Foundation, it's a 6 percentage point price uplift. Going from standalone VM into Tenable One Advanced, it's a 60% price uplift.
The price uplift, a little bit like Dino touched on, is really just the beginning. What we're expecting is that expansion becomes far easier. Once those VM customers are into Tenable One Foundation, they can much more easily expand within that platform and also much more easily upgrade to Tenable One Advanced. That's the goal. Importantly, Hexa AI is only available in these platforms. While it's still pretty early, you've already heard positive feedback from some customers. We're getting positive feedback from our customers and from our sellers. Why does it matter if a customer migrates to Tenable One platform? Well, first and foremost, and importantly, we know that it's a better customer experience. Clearly better for the customer, but it's also better for Tenable, and here's why. We know that our Tenable One platform customers are our more strategic customers.
They have longer contract durations with us, on average, 10% longer than non-platform customers. We know that our Tenable One platform customers spend more with us. We have a higher ACV. Tenable One customers spend two to three times the annual contract value compared to non-platform customers. We know that our platform customers have a much greater opportunity for expansion. Our Tenable One platform customers expand at double the amount of expansion compared to non-platform customers. We know that it helps from a competitive differentiation standpoint. When we're in head-to-head bake-off competitive situations, whether it's in a new situation or in a renewal deal, we have consistently higher win rates when we lead with the platform. Finally, we know, as I mentioned a minute ago, there's an attractive price uplift, anywhere from 6% to go from VM to Tenable One Foundation, all the way up to 60%.
Again, that's just on price alone. What does that mean for growth within Tenable One? What that means is our Tenable One revenue growth is growing in the mid-teens, and this is after normalizing for platform change. What do I mean for normalizing? What I mean is, if last year a customer was outside of the platform, spent $100,000 with us, this year they've migrated into the platform and they're spending $115,000 with us, that's a 15% growth after normalizing for the platform, not 115%. What it means is Tenable One has very strong growth. It's growing in the mid-teens. Based on better pricing and packaging, exciting developments within the platform like Tenable Hexa AI, we believe that this growth is sustainable. How does that then translate to the overall revenue growth algorithm for the company?
Well, today, 2026, we know that the Tenable One platform represents a little more than a third of our business, and again, growing in mid-teens. Non-platform, roughly two-thirds of our business, and that's showing mid-single-digit growth. What we expect to have happen over the next several years, and by 2029, is that our Tenable One platform revenue will continue to represent a greater share of the total business. This is what we believe 2029 looks like. 2029 Tenable One platform revenue will represent more than half of our business while growing in the mid-teens. Non-Tenable One, the remaining portion, continuing to grow mid-single digit. What that translates to is stabilizing growth from in 2026, where we're in high single-digit revenue growth, to stabilizing growth into 2029, accelerating to high single-digit to low double-digit growth. Okay. That's the revenue side. The other side is profitability.
That's been another really impressive part of our story. First and foremost, we know that we're investing for growth. We have an enormous opportunity in front of us. Heard a lot about it today. We're investing in sales capacity. We're investing in developing features and functionalities, particularly into the platform. We also know that we can get some efficiencies. Dino talked about some of these on the go-to-market side. Others have touched on them. A lot of them are being driven by AI capabilities. We think we're going to be able to continue to have cloud optimization in our cost of sales, which means we'll be able to maintain gross margins of about 82%.
Also, some of those AI-powered efficiencies are going to allow us to rotate into high-impact areas for hiring, such as in sales capacity, such as in especially product development, while also continuing to get a little bit of leverage in the margin. Some of these AI-driven capabilities include automatic RFPs and quoting. It includes AI-powered SEs to help our sellers be more effective. In areas like general administrative areas, it's things like AI-powered data querying and aggregation. It's the type of normal things that you would expect to get efficiencies from using these new AI tools. It's allowing us to rotate in and spend money where we think it's most effective. What this ends up translating to is about 1.5 points of operating margin growth each year. Okay. Moving on to capital allocation.
You can see all of that increase in profitability, especially over the past several years, has come with an increase in cash and a lot of it. I mentioned a few minutes ago that we'd seen our annual unlevered free cash flow more than triple from 2021 over to 2026. In fact, since 2021, we've generated more than $1 billion in cash, and it's going to continue to go up from there. What this does is it gives us a ton of flexibility. We've had a history of using cash in inorganic investments in the form of M&A, and we've also leaned into our share repurchases, especially lately. Share repurchases, as represented here by the yellow bar, have increased significantly over the past couple of years. The board authorized an incremental $150 million of share repurchases at the start of the year that we've continued to lean into.
In the first quarter, we bought 6.1 million shares for $130 million, leaving a little over $200 million left on the share repurchase authorization, which is represented by the dotted line here on the screen. We continue to believe that our stock is trading at prices that don't represent the fair value. As a result, we've leaned heavily into share repurchases. As you can see, the diluted share count is coming down. The weighted average shares outstanding has dropped, and in fact, at the end of Q1, it was down 5% year-over-year, and it was at the lowest level that it had been at in over three years. Finally, I'm going to pull it all together and share midterm targets. First, with 2026. This is consistent with the midpoint of the guide that we had given several weeks ago on our earnings call.
High single-digit revenue growth. Gross margin at 82%. We've got sales and marketing, R&D, and G&A at approximately 32.5%, 17%, and 8.5% respectively. Operating margin at 24%. Unlevered free cash flow at 27%. As I mentioned, as Tenable One continues to make up a greater portion of our business and is growing in the mid-teens, we expect our revenue growth rate exiting 2029 to stabilize and then inflect higher, showing revenue growth of high single to low double-digit growth. We expect gross margins will be able to be maintained at approximately 82%. Within OpEx, we expect to get about 4 percentage points of leverage spread out across sales and marketing, little tiny bit in R&D, and then some in G&A as well, resulting in operating income, operating margin of about 28%, unlevered free cash flow of 31%. That means we hit rule of 40 exiting 2029.
This translates to about 1.5 points of margin growth, as I mentioned before, from 2025 to exiting 2029. Okay, I think I made up some time. I know that we are going to open it up for questions now. We're going to have to get set up with some chairs. We'll go take a quick 30-second pause, and then we'll get Q&A going, invite everybody else back up here. Thank you. I think we got like
Hey, guys. We have Ashley running around here, so
Where do you want us?
You guys.
Oh, the hands are up already.
Yeah. How great.
I love it. Yeah, come on up here. [crosstalk]
All right, we got lots of questions. Love it.
Oh, Jesus.
It's good.
Great. Thanks. Rudy Kessinger, D.A. Davidson. Thank you guys for hosting. Matt, one metric you didn't touch on that I wanted to ask about was gross retention.
Yeah
How that's trended over the last several quarters, particularly as it relates to large platform vendors. We hear it in checks all the time, CrowdStrike, et cetera, showing up in deals. I'm curious, as you think about going forward, what is the risk on the standalone VM side growing slower than that mid-single digits? I think on the Tenable One side, I think with everything you guys have talked about, I could actually see upside to that mid-teens growth. I think where I see the risk and where a lot of investors would see the risk is on that standalone VM side.
Yeah, great question. Gross retention has been remarkably stable.
That's something that we've seen quarter after quarter. As you know, we disclose our net expansion rate, and gross retention is a component of that. Of course, the rest of that component is expansion. Even that rate, we are beginning to see signs of stabilization, right? Over time, that rate has been coming down. Underneath that, gross retention, remarkably stable. Our expectation as we make our way through the year is that rate in total, the total net expansion rate stabilizes as well. That's kind of first piece. Second piece, the mid-single-digit growth on non-platform has also been quite stable. Being able to understand the dynamics and the opportunity as we see it is we feel there's a solid floor, and the opportunity for us now is to really lean into that growth, particularly in the platform.
Then you're essentially shifting 20 percentage points of mix from platform in 2026 to exiting 2029, growing in that mid-teens rate to get that incremental 2 to 3 percentage points of revenue growth in that period of time. One last point, VM and exposure management especially, is more important in the agentic era. There's more applications, more infrastructure, more identities, more agents, consequently, more risk and more threats and more exploits. The number of vulnerabilities is increasing dramatically. There's 300,000, I think since 1999, 50,000 new CVEs added last year. NIST is no longer enriching CVE data. They can't keep up with the proliferation of new vulnerabilities. We're entering an era unlike any other. Exposure management is going to be more important. VM is absolutely foundational to that, and it will provide tailwinds to growth, and we're confident of that.
Hey, thanks for doing this, guys. Mike Cikos from Needham & Company. I guess the question comes to the growth versus margin debate. We'll go back to Matt Calitri for a second, but great to see the margin expansion that you guys continue to execute on. What was the thought process, and I know that you guys have been putting this together on a multi-month, multi-year journey, right? As far as the decision to continue to expand those margins versus potentially, let's deliver stabilization of those margins and try to accelerate growth faster. Right.
Yeah.
The second piece, maybe more of a strategic question here, you guys are definitively using the carrot approach to get people to adopt Tenable One. Given the seamlessness of expansion and the dollar opportunity, why not use potentially more of a stick to help that penetration and expand at a faster clip?
Yeah.
Great question. When we think about margin versus growth, we've always taken a pretty balanced approach, but our expectation's around 1.5 percentage points of margin growth. We know that that is an amount that will allow us to continue to lean into and invest in that growth. Right? In the past, since 2021, we'd grown margin 3 percentage points. It's actually a bit of a step down. The reason for that, again, is because we do see an enormous opportunity in front of us. We know that we can invest heavily in that area while still continuing to get 1.5 of margin. The carrot-and-stick approach is also a really good question, and I'll dish it.
Yeah. Let me cover this one.
Yeah.
That's an awesome question. Trust me, it's something we talk about, we debate all the time. Our thought process here, and this was even before Dino joined, we are laser-focused in regard to our selling and our channel organization upgrading that VM install base. We pay accelerated rates to our sellers for Tenable One. We have very aggressive incentive programs to touch all of those VM customers and migrate them to Tenable One. Those motions are taking place. The other attribute is you could obviously see the margin improvement, right, by going to Advanced and going to Foundation. It's also one of those things where you've got to take the customer on the journey. If you just automatically upgrade them instantaneously, they won't understand the benefit of the multiple assets that they could expand with. There's some education.
When we go in, there's a huge sense of urgency to get them onto T1, but we also have to take them through the journey so they actually get the value and the benefits through the process. When they do, you see some of those examples like Dino had shown, where they come in and then they start spending 7x. I can just tell you, and it's even been more aggressive since Dino's joined, we are all over that VM install base, moving them to T1, and we also are ultra aggressive in regard to competitive displacements, going after our traditional competitors and non-traditional competitors. That's another thing we spent a massive amount of time on also with T1.
Yeah.
Yeah.
Hi, Joe from Jefferies. Thank you for this. Congrats on Hexa GA. I think you made it extremely clear why the lab vendors are friends, not foes, and I know you're embedding Anthropic, but I imagine you also have your own AI. Can you just talk, when we think through Hexa, how much is embedded Anthropic versus your own AI? I ask that more because I imagine a lot of your exposure management competitors will also be embedding the lab vendors, and so I'm just curious on the differentiation and the secret sauce on that side.
Yeah, I can take this. The first thing I'd say is that it'll get a little nerdy in the answer, but Hexa is a model-agnostic agentic harness. We built it to run multi-model. In fact, today, we're running on a couple of different Anthropic models, in production with customers. In our labs, we're doing things with other models as well. Of course, the models themselves are quite capable, but there's quite a lot of, I'll say, IP in the tools exposed to the models, how the data is fed to the models, the context created when you use one model versus another model, ensuring that the outcome that the customer wanted when they said, "Go do a thing," is actually the deterministic outcome that was created.
Of course, it's early days still, so our expectation is that the foundational models will continue to get better and better and better, and the faster, the better from our perspective. At the same time, you've got an acceleration of the complexity of tasks that customers are wanting to entrust to things like this. I expect that the gap of value that harness brings stays robust as far as the eye can see.
Some AI exposure, too. Stuff we're doing with AI exposure is pretty powerful also.
Yeah, for sure. Yeah. On the AI security side and helping see the AI infrastructure and all the different attack paths that are there as well.
All right. Meta Marshall from Morgan Stanley. I guess a lot of the conversation focused on allowing customers to move at the pace that they're comfortable with, but how much of there is an acknowledgment by your customers that there's just going to have to be more reliance on automation of these systems in order to protect themselves? As you've been doing beta with customers, how quickly do they rely more on the automation? Thanks.
I'll start, and then others can jump in here.
We talked about, certainly in the agentic era, we'll see a proliferation of vulnerabilities. The one thing that's clear, I think Mark shared the stat, is that mean time from vulnerability discovery to exploit is 1.6 days. Talking to a lot of customers here today, CISO security executives, you look at the SLA time, it's not 48 hours. It's not 7 days. It's not 10 days. It's not 30 days. I think Eric mentioned, according to the Verizon Breach Data Report, it's now 40-plus days.
Time revolves, it's going like this. Mean time to exploit is going like this, it's down dramatically. This is really all about survival. I think what was considered possibly taboo years ago, which is get tickets in the hands of humans and let them do the fix, let them identify the risk, doesn't scale in the agentic era. I think customers are now, I would say, forced to move at machine speed, are willing to accept a little more risk. They don't want to blow up things downstream. We're seeing the transition to assisted remediation, we know autonomous remediation orchestration is coming, and it's where you have a repeatable process, where there's clear governance and guardrails, and where you think the risk downstream is minimal. We are on this journey, and AI is taking us there, and we're leading our customers in that direction.
Maybe just to build on that slightly. This is actually the exact reason why we have levels of autonomy within Hexa, and customers can choose the right level of autonomy or automation they'd like for a specific task, and according to where they are on the maturity curve. Another tidbit to keep in mind, while right now we are talking about what's going on with vulnerabilities are coming and all that, we can actually decouple, right? Customers, once they get going with this autonomous remediation, we don't have to wait for yet another wave of vulnerabilities. The job to be done does not change.
The job to be done in exposure management stays exactly the same. Customers, as they keep going, imagine a flywheel that just keeps going faster and faster and faster as things become more autonomous in the right context in the customer environment, right. With time, customers will actually be able to get ahead of the breach, fix their security hygiene, regardless of whatever threat or vulnerability is going to be released next.
Yeah.
Hi, this is Jonathan Ho from William Blair. Given the clearly growing importance of your platform, the significant capability gains that Hexa adds to that platform, and the broad proliferation of assets that we expect, I'm just trying to understand why we can't see even faster growth than what you're talking about today. Is this just broadly conservatism? Are you looking for more visibility? I'm just trying to understand why it wouldn't be faster than those growth levels. Steve's smiling.
Matt, you want to take that?
Sure. I'll take the easy one. Look, that's absolutely our goal. We're extremely optimistic in not only where I think the market is, but where Tenable is specifically positioned in it. Clearly a huge opportunity, but also somewhat early days, right? The pace at which things are changing and happening really, really fast. Hexa GA'd two days ago, Mythos.
Two months
preview was released on April 7th, right? Here we are, near end of May. Things are happening quickly. Clearly, though, we think we've got the right strategy. We think we have the right approach. We think we have the right products. We think we have the right team. I'm extremely optimistic. I think the future is very bright. I don't think we need to get ahead of ourselves on where we think it's going.
I think that's me. Roger Boyd with UBS. I wanted to come back to the automated response question we were just talking about a second ago.
How much of that toolkit do you want to own yourself? I know you launched patch management last year. A lot of the conversation today was around how keeping up with patches becomes increasingly difficult. How are you thinking about the broader realm of remediation that includes things like configuration management, asset isolation, as far as enabling that automated response? Thanks.
We're definitely leaning into that pretty hard with Hexa. Hexa enables that in a bunch of new ways that would've been really hard to do a year or two ago. Again, a couple of demos we showed, if you have the opportunity to walk the floor. I guess the floor is closed now. There were a bunch of our partners showing some of those kind of capabilities as well. You'll see more from us pushing in that direction.
Hey, it's Zach at Barclays. Thanks so much for hosting this session. I want to zoom out a little bit, and Steve, maybe touch on what you were talking about with more vulnerabilities and whatnot, right? One of the earlier slides kind of had you scan, you find vulnerabilities, and then you patch. I want to dig into each of those from just a value perspective, right? Scanning is something that I don't think frontier models want to do, nor do enterprises sort of trust any old model inside. That's good, right? I think there's clear value there. Just to push a little bit to make sure the question's asked. For finding vulnerabilities, does more of the value shift to the frontier models since they're finding vulnerabilities faster, right?
On the other side, do you capture more value from patching, which now needs to be done at machine speed? There are a couple kind of shifting values here, it feels like, in those three processes, if that makes sense. Maybe I'm thinking about it wrong, but I'm curious how you think about that.
Yeah, I'll start and others can chime in here. There is a clear distinction here. Number 1, first of all, I want to be very clear. What we do is more valuable and more important in the agentic era, scanning becomes more important. Just to make that distinction, the frontier AI model companies, they operate at the code layer. They find vulnerabilities in code. By the way, a vulnerability is not just a bug in a piece of software. A vulnerability/exposure is a misconfiguration, is an overprivileged identity, is the absence of a compensating control. We're not in the vulnerability discovery business. We never have been. Yes, we've discovered 500 zero days since 2018. It's not what we do. We can tell you if those exposures exist in your environment.
We can tell you if those exposures can be connected and chained together to create a lethal attack path. That's really important. Scanning and the data collection infrastructure becomes more important. Prioritization is not optional, it's not severity scores, and it's not CVEs. It is survival in the agentic era, we do that better than anyone. The frontier AI model companies will help us do better reasoning, better explainability of risk, and enhances what we do. Then the final thing is really the ability to take action, which is what Hexa is all about today, and that's really our North Star.
Yeah. If you drill a level deeper, when you talk about finding a vulnerability, I think it's important to be really precise. You basically say there's closed source. I worked at Microsoft for a long time. Microsoft last year found what? Patched 1,100 CVEs. I don't know how many they found last year because I wasn't there last year. In the era I was there, we usually found about 2 to 3x what we actually patched. Better capabilities to find vulnerabilities, great. That's good for the world. That will turn into more things patched from closed source. Great. Tenable doesn't play in that game. We never have. Don't want to. Right? You got open source, right? Different game. There, while some open source libraries, I don't know if people read the cURL article a week or so ago.
cURL's 1 of the popular open source packages, has a particularly conscientious set of maintainers who've been actually pretty aggressive at using frontier models over the last few years. Of course, the many cool tools that existed before there were frontier models. They ran Mythos on top of cURL and found 1 additional vulnerability. That's not to say Mythos isn't awesome. It's just to put in perspective kind of the difference of a really well studied code base, a really well-secured code base, and then Mythos, great. The victory is it found 1, right? The challenge on the open source side is the really good maintainers and well-funded maintainers might be able to keep up, maybe with this, but a lot of the open source used in the world is not. There the challenge is will the patches exist at all?
Certainly will they exist in time? No, I think it's pretty clear. There you've got to really look at how you're using compensating controls, how you have layered security, how you're reducing your exposure risk when there isn't a patch. Again, in that area, the finding of the vulnerability, never part of our job, not what we want to be our job. As that explodes, you have an already hard job that as a defender, but you're trying to figure out of all those things out in the ecosystem, how many are you vulnerable to? That is the heart of what we do.
That's the value.
That's, as Steve mentioned, what we think will continue to have significant value and in fact more value in the world with the tailwinds from AI.
Are we here? All right. Thank you. Brian Essex from JPMorgan Chase. Vlad, I'd like to ask you a question, actually. Historically, vulnerability management hasn't been at the top of the priority list of a lot of enterprises, but I'd love to hear your observations with those that have adopted Tenable One, what has their practice been for the percentage of assets that they scan throughout their networks? Then part B of that question is, do you share that exposure with maybe some of the EDR vendors that are moving into the space?
Yeah. There are a couple of points here. I think the vision of exposure management is exactly that. It's connecting all these dots, and one of the reasons we have 300+ integrations is we want to pull signal from tools like EDR, your cloud security products, whatever it is you have across your enterprise stack. You don't have to rip and replace and only use a Tenable solution, even if it's better in some cases. You can keep it. We just need the signal, right, exactly to connect those dots. The reason for that, why it's so important for customers, because adversaries don't really go. They don't attack based on your org structure. They don't go only on your on-prem databases and don't touch your cloud. They move laterally. They start with whatever is easiest, the weakest link.
Might be even the human through spear phishing. You have, I think the latest number from Gartner is like 70 plus security tools in an average enterprise. To make things slightly worse, you have different teams under the CISO running those tools. Right? It's a largely fragmented defense. Connecting those dots is super important to build things like attack path, to understand, right? To go across all these signals and out of these connected dots, to understand what's more important to me specifically right now.
Does Tenable One or Hexa give them a better sense of urgency that they need to increase the penetration of the percentage of assets they need to scan in their networks?
Absolutely. It's both that comes from kind of creating that broad context, if you will, and also vulnerability management historically is a very kind of, limited to specifically, only do this on endpoints. That traditional cycle that used to work, kinda. There's some patch. I figure out if it's relevant for my specific server. I open up a patching window. I run the process. It takes two months or so. I get it done, hopefully. Again, this is still relevant, but it's one piece of a much bigger puzzle.
Matt, any quantification of the lift you might see on the VM side for those who adopt-
Not today.
More. [crosstalk]
All right. Thank you. I appreciate it.
Yeah. I was just going to add, too, on that point that I think it depends on what vertical, what segment of the market we're speaking to as far as the comfort level and the speed at which their organizations are scanning more broadly and deeply. Probably your organization's pretty mature. I think what you're seeing with the frontier AI models is people are saying, "Okay, we do have to kick into gear authenticated scans, scanning everything." I think we're going to ask the similar questions, like how frequently should we be looking at the speed of this? I think some of this will be driven by policy, regulation, and our own findings through capabilities like Hexa. I think you're going to see this moving quite rapidly over the coming weeks and months. Yeah.
The one last thing to add, the thing we're seeing with Hexa, which is kind of super cool to see, we talked earlier about the speed of trust, and this is many times of organizational processes inside the large enterprise.
Yeah.
As people see what Hexa can do for them, it allows our practitioners to actually show that thing to their management chain, and it literally opens the doors to adopt more and more cycles, more and more levels of autonomy. Again, that cycle is something that just keeps going.
Mark.
I think we have 2 more, and I know we are running late, so I appreciate everybody sticking around.
Hi. Shrenik Kothari from Baird. Steve, you started the presentation citing this incremental TAM beyond exposure management, from 30 Can you guys hear me? Yeah. Added almost 100% over and above the exposure management to AI attack surface. My first question is, are you already seeing the funding urgency and timing show up in terms of unlocking these budgets from that AI governance bucket? Part 2 is, some of the broader platform players are starting to play in by leveraging their exposure workflows and aggressively leveraging flex models to draw down pre-covered dollars, also across modules. I know you touched upon Hexa from perspective of premium attach, and uptiering motion. Can you talk a little bit about how potentially flex can accelerate that expansion as well?
I'll start off, and then I want to hand it over to Mark, because I think he can add a lot of color here. The one thing I'll say is, if you look at, yes, the TAM has expanded significantly. First, I think the last time we updated our TAM was several years ago, so a $30 billion TAM per annum for exposure management. We said today, AI, securing the threat vector of AI, is an incremental $35 billion. If you look at, there was a Wall Street Journal article earlier this week, at the average Fortune 500 company over the next 12+ months, will each have 150,000 agents deployed. Multiply that by 500, that's 75 million agents. There's arguably 100 million, tens of millions of companies in the world. I think 100 million+. We are going to see a proliferation of agent unlike anything other.
It's going to be ubiquitous, it's going to be autonomous, and it's one of the most important challenges in all of security. I think to connect this back to go-to market is, yes, customers are still wrestling with this issue. It's a very complex and challenging one. They're getting their arms around it, and it's absolutely driving more engagement. You heard that from Mark, and you heard that from Meg.
Yeah. A couple of things I'll add, and Matt and I, and Aaron hit on this a couple of days ago at one of the investor conferences. First and foremost, kind of anecdotally, since Mythos and the frontier AI models kind of exploded on the scene, we have seen a dramatic increase in customer engagement. I think Steve and I mentioned on the call, reporting Q1, we said hundreds. We are literally at thousands of customer outreaches to us at very senior level, CISO level, engagement, talking to us about what and how we're dealing with it, what would be our remediation steps, what should they be doing in their environment from an exposure management perspective, right? You're looking at some of the pipeline build that Dino and his team are all over. Very, very happy and feel really strong with these signs that we're seeing.
When you look at the competitive dynamic, I think Vlad and Eric, and even our customer panel hit on it. Tenable is the leader, the number 1 player in the exposure management category, and Tenable One is the number 1 platform. It's not just our customers and Tenable saying it. Gartner put us as number 1, Forrester put us as number 1, IDC put us as number 1. When you are looking at building out this now mission-critical exposure management platform, it started, and the genesis was it was world-class vulnerability management. Then you added those other components to get visibility on the entire attack surface with all of the native sensors we now have, and now you're able to get the whole visualization. You're now able to tie in Hexa from an agentic AI perspective.
We feel unbelievably confident, I can't say it strongly enough, on our compete level right now. When you talk to our sellers, you talk to our team, our compete level against our traditional competitors and any new competitors, we feel unbelievably confident going against them.
Hi, guys. Richard Poland from Wells Fargo. Thanks for taking my question and hosting us today. Mine is on Hexa in particular. I'm curious, we talked a little about the 6% uplift for Tenable One Foundations, 60% for the Advanced. How does the Hexa monetization work? Is that usage-based? How should we think about that as part of the monetization model?
Sure, I can pile on after. Yeah.
Yeah. We'll tag team it.
We can all take this one. [crosstalk]
We chose to make Hexa's functionality tied to the platform. What that means is, think the 2 layers of the platform. You've got the new packaging, Tenable One Foundation, Tenable One Advanced. Hexa, there's not good Hexa and bad Hexa, it's just Hexa, right? Now, in Advanced, you have things like attack path analysis, which does not exist in Foundation. Hexa is smarter in Advanced because it has a smarter exposure graph that can do more and have more context. The way we're approaching this is you buy your license, and this is graduated based on how many assets you license. You get a certain amount of included Hexa with that, and then it's consumptive above that. If you're particularly active, you might go a little bit over, and that's how we've approached it.
Yeah, I think it builds an opportunity again, as I think originally, pre-Hexa, pre-me being here, we were probably thinking, okay, the advanced capabilities, to Eric's point, attack path analysis is 1 thing you'd unlock. Now Hexa, in a way, becomes sort of an indirect upsell engine for us because they'll want to unlock some of those capabilities. It's, again, very early days, 2 days after GA, you can tell the excitement we have. Again, we have customers that have leveraged it that are validating the capabilities. It's interesting that we have this, what I call horizontal use case expansion opportunity, which is pretty easy to understand, VM, infra, cloud, AI exposure, et cetera.
Hexa, people wanting to unblock that to say, "Okay, I actually want full boat capability for remediation, attack path analysis," is going to be pretty interesting to track over the next couple of months, for sure.
Last thing, I'll hit it from a margin perspective. As we modeled this out, which we've obviously worked very closely together on this, we have a negotiated agreement with Anthropic that's in place that includes spend across our entire company. It includes what we're doing operationally, it includes what we're doing in development. Also includes cost of sales from Hexa.
Yeah.
In building in the model, we understood what would be included as part of the tiers, sort of free of charge, if you will. The way that we've modeled it out is the incremental uplift that we will get from customers converting over more than pays for what it costs and what's included in the model. On top of that, there's, as I mentioned, an enormous expansion opportunity as customers begin to see the utility of Hexa. We think that's great. It'll continue to expand and potentially then move up even to Advanced, that pays for it again. Finally, as they bump against those limits, which we would love to see, frankly, we want usage, there is a pay-per-token that kicks in after that.
Yeah.
Okay. Great. Thank you, guys.
You guys want to close it up?
I think Mark and I are going to bring it home here. First and foremost, I want to thank you for attending our first Investor Day in many years. The change in this company has been extraordinary. We're in the midst of three major market transitions, from visibility to action, from manual workflows to orchestrated and automated remediation, and from siloed tools to an integrated platform, and one platform for taking action and reducing risk. The mandate's never been more important, the opportunity's never been bigger, and this team here on stage has never been more excited. We're confident in what we're doing and our ability to execute.
Yeah. Echo every single thing Steve just said. Hopefully, you guys can feel it. I know Steve, myself, Matt, Erin, we spend a lot of time with you folks. You can see this confidence level of this team right now, and especially even with new members being here at Tenable. I've been here for 6 and a half, coming up on 7 years. I don't think the confidence level as a company has ever been higher, right? These tailwinds that are coming our way, in our view, are built for this exposure management platform. We're getting the validation from the customers, we're getting validation from the frontier AI labs. Anthropic and OpenAI are saying the same things to us that we're saying to you guys on how these partnerships are going to be strategic for them.
The momentum you feel when you talk to customers, you talk to our partner community, and you talk to our sellers is phenomenal. We just now are all about execution, all about driving growth. All of the metrics that Matt has laid out is what we are laser-focused on. We appreciate you guys coming and look forward to talking to you guys in the future. Thank you very much.