There you go. Okay. All right. Good afternoon, everyone. Thank you for joining us. My name's Brian Essex. I'm JP Morgan's midcap, large cap software analyst. Very excited to have Tenable with us here today. We have Mark Thurmond, co-CEO of the company, and then to his right is Matt Brown, the CFO. Mark, Matt, thank you so much for joining us.
Thank you, Brian, for having us.
Thanks for having us.
Nice to be here.
Great.
This is my hometown, so I'm a Boston guy, so I love when these conferences work out this way.
We'll talk more about that.
Absolutely.
Spent a lot of time here.
I love it. I love it.
Yeah. Excellent. I guess, you know, maybe to kinda start at the top, you know, talked a little bit on your earnings call about, you know, I don't know if it was the word that you guys used, but tsunami of vulnerabilities coming-
Yeah
...coming down the pipeline.
Yep.
Particularly, you know, post Mythos, and you referenced a webcast you had with, I think, 1,000 people-
A 1,000 people, yeah.
...joined up in 72 hours.
Most of that, yeah.
Yeah.
Awesome, yeah.
Maybe help us understand, you know, what the nature of the conversations that you're having with customers-
Sure
...are and how much visibility you have into, like, the resulting demand pipeline for that.
Absolutely. A couple things. Yeah, it's a good question. Put some context to it, too. We actually are having our Exposure Management Conference this week here in Boston, so we put together the, what was literally the first Exposure Management Conference, and it's actually happening tonight and tomorrow. We've got over 650-700 customers that will be attending from all around the globe, and the attendance actually spiked. When you looked at who registered at the CISO level and executive level over the last 5.5, six weeks, now that we think a lot of it had to do with Mythos and the announcements there. In regard to some of the pipe build and what we're seeing in activity, we've had literally thousands, hundreds to thousands of different individual conversations with executives.
In the beginning of the announcement with Glasswing and Mythos, it was more about what does this mean? We hear this word vulnerability. Are you guys gonna be disrupted? Can you give us an explanation what's going on? We sat down. We have a very specific talk track and an educational track on what it means for Cybersecurity, what it means for the Exposure Management category. After folks got educated and realized, okay, this is on software code, right, where they're able to find and do an incredible job at finding those vulnerabilities, we now are using Exposure Management, right? Things behind the firewall for all of our native sensors and all the prioritization and all the automated remediation, all the steps you need to take when you're gonna be seeing a, anywhere from 5x, 10x, 15x- 20x increase in the amount of known vulnerabilities.
For us, it's been an excellent event. We now have taken a lot of that pipeline activity, and it's going through what we call the sales funnel. Meaning comes in as a conversation, then gets converted to a pipeline, then gets converted to a presentation/demonstration. That then moves to a PoV, Proof of Value, and then you negotiate an expansion or a new deal. Great top of funnel, like, super happy with what we've seen there, and now these opportunities are going, you know, through our sales process and sales funnel. We're very optimistic. We feel very strong about what we're seeing in the conversations. The executives who we're now engaging with from a CISO perspective is excellent. Sometimes when you are doing an expansion or an upgrade from VM to Tenable One-
...you wouldn't get access to the CISO. The CISO would say, "I'm gonna trust my VM or Exposure Management Team." The CISOs now wanna meet with us, and we're able to have a broader discussion about bigger expansion opportunities, bigger, more strategic deals, and then educate them about the partnership we now have with Anthropic and OpenAI, which we can talk about, you know, also.
Sure. What are you finding, you know, as you assess your customers' vulnerability landscape or Exposure Management landscape? I mean, obviously with Mythos, everyone's focused on code vulnerabilities.
Yeah.
A lot of those are, you know, attributable to packaged software, but you also have custom software-
Yep
...which may be more difficult.
Yeah.
May cause refactoring.
Well, that, yeah.
You also have hardware-
Yep
...which you may have to replace-
...at some point-
Yeah
...which is longer remediation cycle.
What is the mix that you're finding within your customer base, and how does your platform help them manage exposure to each of those different-
Yep
...segments?
Yep. It kind of hits everything you just discussed, kind of all of the above. The way I'll simplify it is when you think about Exposure Management, right, the true value of Exposure Management compared to, say, traditional old school VM, it's really built for kind of what we're dealing with today. It allows you to see all of these signals, right? We have all of these native sensors within these customers' environments looking at traditional IT assets both in the cloud and on-prem. We also have tremendous visibility at the asset level looking at operational technology, looking at cloud. Think of any type of SaaS-based application or cloud infrastructure. Looking at web application scanning, looking at identities, third-party asset types, attack surface management, so think of internet-facing assets.
All of that allows you to put together what's called the modern, when you look at a modern cybersecurity attack surface. Now, if you're a customer, this is really what you wanna know. You don't wanna know about one specific portion, right, of your environment. You wanna know about your entire attack surface. Once you get all that, you can think of the thousands, and in some organizations, hundreds of thousands of vulnerabilities and CVEs they get. We then allow you to look at it, prioritize it, set up certain automated remediation paths, be able to then take that automated remediation, flow down to patch management, flow down to autonomous automation at some point and level. We can talk about Hexa and our Agentic AI platform.
that we're rolling out. That has been the conversation. What's exciting is customers now wanna look at the entire attack surface. I can give you one quick example where we're seeing some really good opportunity is in the OT space. OT was traditionally one of those asset types that would get cut off at the end of an opportunity or deal. That's why you haven't seen great growth with the private OT vendors, 'cause it wasn't sustainable. We're now seeing really good growth in data center build-outs as the companies are building out data centers, but also wanting to get a asset view of what the risk is in these OT environments. Now with things like Tenable One and what we're doing with Hexa, we're seeing really good growth opportunities there, too.
Great.
Yeah.
How do you find your customers mitigating the risk that they're finding? You know, one of the issues that we're hearing more and more frequently is your meantime to exploit is just collapsing.
Yeah, it's insane.
It takes time to assess your platform, remediate the platform, deploy the patches, right? What does that gap look like and are there other adjacent types of technology that they're deploying to kind of either sandbox those incidents or remediate or air gap from exposure? How are they managing that-
Yeah
...issue?
To your point, right, so when you actually look at from when you first figure out you have an issue into the meantime to potential exploitation, just to put it into perspective, in 2025, 60% of breaches that occurred were on known vulnerabilities that a patch was available. Think about how scary that is.
That means you knew there was a vulnerability, you actually know that there's a patch available, but you didn't have the remediation cycles, you didn't have the automated remediation to allow you to do the patch management, to turn the system down, to talk to the, you know, IT team, to actually put down the downtime. What you're starting to see, and we're gonna talk about a lot of this tomorrow, when we have our Exposure Management Conference.
is with Hexa, our AI agentic agent, we are seeing our customers that used Hexa in early access being able to build the agents to do autonomous remediation, being able to take those manual processes around remediation and around manual tasks. Think of things like tagging an asset, right? Super painful. Think about patch management. Super painful. You're able to create these agents that can actually take those manual mundane tasks and automate them. We'll be publishing some customer success stories where there are certain things they did from a remediation perspective that went from weeks and months down to days and seconds. Huge kind of quantum step, quantum leap forward in regards to the way folks and customers are gonna start using Tenable One. Hexa is gonna be, we think, is gonna be a significant driver of getting people off base VM.
We have a huge tens of thousands of customers that have VM that we wanna get moved to T1 and allow us to expand, you know, the T1 asset count.
How many of these I mean, one of the things that we've heard, several things we've heard, one is the noise to signal ratio-
...you know, accelerating. You know, the other one is, you know, other types of technology that might be able to be deployed. You know, if you assume that you're gonna get breached a lot faster.
You're gonna have adversaries in your network. Things like deception technology, 'cause you wanna find out, or is there somebody in my network?
Like, where do you see the levels of opportunity as this becomes a shifting environment where it's probably likely that, you know, more networks are gonna get penetrated-
Yeah
...over the next year or so?
I mean, listen, when we take a look at it, I think right now people are still kind of in that assessment phase of understanding and getting true visibility to all of the different assets, all of the different potential toxic combinations that they have out there. I think the market, the Wall Street community and customers are getting much more educated on the power of these frontier AI models. Kind of let me just give you a couple examples. When Mythos was launched, everyone saw the sell-off in cybersecurity. Saying, "Oh my gosh, you know, these guys are gonna displace cybersecurity." I think you can see the run back up in cybersecurity where they're realizing, okay, there's gonna be some of these cybersecurity companies, Tenable being one of them, where we'll be announcing our partnership with Anthropic tomorrow.
We have the deputy CISO of Anthropic presenting at our Exposure Management Conference tomorrow, that are leveraging those AI frontier models to enhance and take care of that T1 install base to automate these manual tasks and procedures. I think you're gonna see the fear from our customers, and what we're seeing, is when you do get one of these adversarial attacks, either a state-sponsored attack, or a ransomware attack that uses one of these very capable frontier AI models.
not so much from OpenAI or Anthropic, but from, like, DeepSeek where you have something in China-
...you have something in Russia, and that is one of the big fear factors that a lot of our customers are expressing, saying, "We haven't seen it yet." You can see Google-
...and Mandiant put out a couple different reports where you're starting to see some groundswell of potentially some of those type of very, you know, advanced persistent threats and very sophisticated attacks. That is, what we're talking to our customers is, like, if that is going to happen, to your point, Brian, it's inevitable, you wanna have full visibility. You wanna know where the toxic combinations are, what are those attack paths, right, that the bad folks could get in, and how do you become preventative, right? How do you become proactive in your security approach? These are all the things that we've been preaching, and we do think some of these events are gonna wake customers up to say, "We just can't react and respond.
Like, that is, can't do it. The time is too prized, too precious and too quick, fast-moving right now. You need to be more preventative and you need to be more proactive. That's some of the messages that we've been talking to our customers about.
Great.
Yeah.
How have attach rates been, particularly with Tenable One, but also new release Hexa, you know, over the past, like, month or so-
Yeah
-once we've been in this more active environment.
Hexa, just to clarify Hexa actually gets GA tomorrow.
Oh, okay.
We're announcing tomorrow.
Gotcha.
We have 30- 40 customers that used it in early access, and we'll be publishing some of their results. We got a bunch of good quotes and a bunch of good feedback where you'll be hearing tomorrow and on Thursday at our Investor Day, our CTO and our Chief Product Officer will be talking and they'll be referencing some of the benefits that these customers have already seen leveraging Hexa. Which by the way, Anthropic is one of our strategic design partners. We are using Claude in Hexa.
We'll be announcing that relationship in more detail tomorrow also.
Great.
Yeah.
How important is it? I mean, you talk about, you know, your relationship with Anthropic, and I think, you know, OpenAI's, you know, attack initiative-
...is a little bit more open-
Yeah
...in nature.
Without a doubt. Yes.
You know, how has the impact of each of those models been on your platform?
No.
How critical do you think it is to have the visibility of each of those models-
Yeah.
...to understand how they-
A quick example. Matt has been super involved in kind of negotiating and working with Anthropic on, you know, the deal that we did with them. I'll just give you a quick anecdotal feedback. When we saw the benefit of Opus 4.6, we shifted and upgraded literally within 24 hours to have all of our developers start coding with Claude Code in 4.6.
because we actually saw the benefit. We literally, within 24, I think Eric Doerr, our CPO, will be talking about it. These models are like quantum step-ups. To have a design team that wants to be able to go, I think we were on Opus 4.2 or 4.3.
For him to then wanna make, move that massive, aggressive move that quick and that fast, it shows you know, the speed that these frontier AI labs are moving at. I think Eric actually will give reference to that on the Analyst Day on Thursday.
Yeah, it's been really fun to see how these conversations have evolved over the past four or five months. If you think back to the beginning of the year when really the topic of conversation around AI was, you know, which companies are gonna be disrupted, and there was quite a bit of uncertainty, you know, the sort of SaaSpocalypse that occurred. Then to think really the velocity in which these conversations have evolved, right? Our quarter ended on March 31st. Mythos preview was announced on April 7th.
Right? Our Q1 earnings announcement was April 29th, and then here we sit today.
Yeah.
These are conversations that are happening really, really fast. They're evolving quickly. What I think has been super interesting to observe is how much I think people are getting it and how much things have changed from the beginning of the year to where they are now. I think what folks are starting to realize is these very powerful models are quite capable at finding vulnerabilities, previously undiscovered vulnerabilities in code. That's amazing. We expect there to be this explosion of vulnerabilities that exist. I think people really get that. They intuitively understand that. They are also now increasingly intuitively understanding that that makes Vulnerability Management and even more Exposure Management that much more important.
The difficult part now is not in discovering vulnerabilities, right? The truth is that's never really what Tenable has done. Tenable has done an excellent job of looking at, okay, let's place the context of those vulnerabilities in your specific environment based on your asset types, based on your configurations. Let's give you that visibility. Let's give you the insight. Now we have Hexa AI that sits on top to help with orchestrated remediation.
Cause that's really the trick, right? The trick is these CISOs are now overwhelmed with vulnerabilities that need to be patched. What Tenable One allows our customers to do is figure out which ones are most important to them.
Prioritize them, and then have some automated remediation to then go patch.
Yeah. What percentage, anything you can reference or quantify, like the number of vulnerabilities, kind of back to that noise to signal ratio, the number of vulnerabilities that actually need to be patched versus, all right, maybe you don't use the software anymore and you remediate it by deleting, or, you know, it's one that you don't have very high exposure to, you kind of cast it aside for a little bit. I mean, how is that-
Yeah
...profile really changing?
Yeah, it's changing, but the numbers are massive. You gotta think through it also, it's the complexity of what the vulnerabilities are, let's just say, kind of at a lower level. What you now see with these AI frontier labs is they can actually chain together what used to be in the past considered very low level, non-threatening vulnerabilities.
A vulnerability in isolation, unless it's been identified as being compromised, is low level risk. However, with some of these frontier AI models, when they can actually look at some of these older vulnerabilities and see three or four different older vulnerabilities-
....chain them together, that then gets them access into a network, be able to move laterally, be able to compromise, you know, excessive permissions that are, you know, on the network live, that is where the danger comes in.
That's where this visibility factor really becomes even more important, right? I mean, in an old world, you typically see 2%- 3% of vulnerabilities that could be exploited. That number could go up significantly because now you can use these very sophisticated frontier AI models to be able to chain together what used to be perceived as individual standalone vulnerabilities or non-threatening vulnerabilities.
That is where, again, right, not to bring it back to why all these things are kind of a net positive for Tenable, but they are a net positive because you need to have true visibility of what your asset types are, where are these potential vulnerabilities, how do you prioritize them based on these, what we call attack path analysis or toxic combinations, and be able to be preemptive and proactive instead of reactive, dealing to a kind of a breach or a ransomware situation. We actually view it as a net positive, you know, from what we're doing with Tenable One.
Got it.
Yeah.
Maybe, Matt, if I could ask you know, about a third of the business on Tenable One now, and you have, what, I mean, I think it's ranged from 70%-80% pricing uplift once you get a customer migrating onto Tenable One.
Yeah.
What does that at some point become a headwind for growth? I mean, how much growth has Tenable One accounted for? Now that you have a more material portion, you're obviously lapping that lift last year.
Yeah.
How do you think about the contribution to your platform this year from, you know, incremental Tenable One business?
It's a perfect segue into some of the changes that we've made in pricing and packaging and also a preview into We're gonna talk in even more depth in detail about this on Thursday in our Investor Day. To give you a little bit of a preview, our new pricing and packaging has introduced a Tenable One Foundation, which for us is really important because as you said, there's about a third of our business today is not on the platform. We need an easy on-ramp for our non-platform customers to get into the platform. That easy on-ramp is Tenable One Foundation. We've created Tenable One Foundation. It's a modest price uplift to get from standalone VM into Tenable One Foundation.
The idea is there's two different paths for growth from there. You can expand your asset coverage, which of course we think is a really compelling offer for our customers to just get better with their preemptive security. Also they can upgrade from there to Tenable One Advanced, and that price increase ranges anywhere from 6% to go into Foundation, up to 60% to go up to Advanced, and then it grows beyond that when you factor in expansion. It's a really important part of our growth story. We continue to see favorable trends in that direction. Last quarter, 41% of new customers and new business was done in the platform.
That's about an 8 percentage point growth from the prior year, and we continue to see that trend going forward.
Yeah, the one thing I'll piggyback on that is when you look at the different selling motions, we see it, the two-thirds of our install base, right? That's still on VM, right? One-third is already migrated over to Tenable One. That two-thirds install base, that is a phenomenal opportunity. That's where we see this massive migration opportunity to take those VM customers with the uplifts that Matt referenced into either Foundational or Advanced. We are not allowing customers to run Hexa on VM installation in accounts. If you're a VM customer, you can't run Hexa. We're only building Hexa into Tenable One.
When I think customers that are sitting on VM and want to be able to have a forcing function to upgrade, there's all the other capabilities of looking at all the incremental assets and all the other things we do, the advanced capability. To now have Hexa, we can have Agentic AI agents automate a bunch of these manual processes and mundane tasks and automate remediation and tagging and things like that. We think, 'cause there's not a lot in that VM base, they don't have a lot of cyber experts, right? One of the big issues with that lower end VM base is they don't have a huge cybersecurity team. Right.
If you can automate a bunch of those things, we think more customers will end up migrating to T1 , it gives us a great opportunity in the two-thirds of the install base that are still VM.
Got it. On the Hexa side, you've talked about, you know, consumption tiered model with tokenized access. How do you expect the uplift from Hexa will be like incremental to Tenable One for those customers?
I think the most important uplift actually comes from upgrading into the platform. As Mark said, Hexa is only available in Tenable One. We know that there's an immediate price uplift from non-platform customers into the platform, that benefit, again, it ranges anywhere from a 6% uplift to a 60% uplift.
Just that upgrade ends up paying for the sort of included tokens that all of our customers get depending on the level of assets they have. From there, as customers begin to use Hexa and lean into it, and that's absolutely what we want, they start to bump up against those thresholds, then there's a per token charge that kicks in after that.
Okay. Got it. Then, you know, how, from a, I guess, competitive standpoint, how do you view or how often you run into some of the larger platform players that are elbowing their way into like the VM market, like a CrowdStrike or a Palo Alto, and how meaningful is that?
Yeah. When you take a look at it, you know, we do extremely well against all of our competitors, right?
If I break it down, you look at the Rapid7 and Qualys' compete levels literally coming out of the quarter have never been higher, and they continue to be, you know, at record-setting numbers in regard to our compete level there. In regard to kind of the CrowdStrike and Palo, we don't really ever see Palo Alto obviously in the VM space. We see them a bit in the Prisma Cloud space competing against our CNAPP offering. That's where we see that. CrowdStrike, obviously, we see in regard to Exposure Management, and our win rates are extremely high. We feel very confident about our compete level. A couple different data points. When you look at just not Tenable, the co-CEO of Tenable and the CFO saying our compete level's great, but you look at the analyst community, right. Third-party analysts.
Look at Gartner, IDC, and Forrester. Right? Gartner created, for the first time ever, a Gartner Magic Quadrant for Exposure Management. We were number one. There were I think 51, 52 companies that applied. They put 20- 25 in the quadrant. We became number one. We're also number one in Forrester. We're also number one in IDC. When we actually explain to customers the differences, the technical differences, you do have to do some technical selling, right? You have to explain it, 'cause CrowdStrike a lot of the times will go in there with their flex pricing and try to give it away for free and say, "Hey, use this, it's free." You always got to be careful of what free is. You get what you pay for in life, you got to watch out for that.
When we go in and say, "Well, let's actually break down the technology stack. Let's look at why vulnerability management is the cornerstone and the bedrock of how you want to evaluate Exposure Management and how you want to look at these multiple asset types." You want to come from it from a VM perspective. You don't want to come from Exposure Management from the endpoint or from a firewall or from a managed SIEM. You want to come from it from a VM. If you look at all of the teams, right, some of the larger enterprises that are changing the name of their security organization. The vulnerability team is now being called the Exposure Management Team. It's the VM team. It's not the endpoint team or the SIEM team.
Right.
The SOC team. We feel extremely confident in our compete level. We do have to get into technical evaluations, and we break it down, and we have extremely high win rates. We think when they are T1, it's unbelievably high win rates, right?
Again, another reason why we wanna get that VM base onto T1.
Got it. You know, on the pricing side, the flex pricing, you know, how has that been received by, you know, the channel partners? Maybe can you walk through, you know, some of the economics there? How does that actually work?
Sure. In the past, we had a fairly confusing pricing model.
Where customers, depending on the asset type, would have different ratios and in effect then different pricing per asset. Customers would have to first determine what types of assets they were gonna cover and in what quantities, and then they would get their kinda total cost of ownership there. What we've done now is just drastically simplified that. What we've said instead is, "Look, we're gonna have a single price per asset. We are going to then allow customers the flexibility to set a set capacity, but they can then mix and match across asset types without having to go back through procurement and legal and get additional approvals." Not only does that reduce friction on the front end.
Because it's a much more understandable total cost of ownership, it also reduces friction when they're midway through their subscription and they decide maybe they got the initial allocation wrong.
Right
Or they would like to try out scanning a different asset type. It makes that so much easier, which we believe encourages expansion. So far, you know, education with our sellers has gone very well. Education with the channel, gone very well. It's well received by customers as well. Still very early.
Across the board has been net positive.
Great. How do you think about when should we expect to see maybe some impact of flex pricing on your model?
Yeah. I think. Do you mean impact in terms of like when's it show up in the numbers?
Yeah.
Yeah.
Yeah.
It's a great question, and it's part of what we're already kinda some of the good signs that we're already seeing, which is building momentum around our new and expansion business, for example.
What everybody wants to know is, look, you know, when are we gonna see growth in flex higher? The very first step in seeing growth in flex higher is first of all stopping the decel, that starts with growing new and expansion business.
That's what we're seeing now. We're already beginning to see the early signs, and that's showing up. Look, ideally, that makes its way, of course, to increased bookings numbers and then ultimately to revenue.
That's a good segue into the next question-
...which is, you know, second half revenue guide implies about 6.5% growth.
Yeah.
You guys delivered, you know, what, 9.6% growth in Q1.
Yeah.
So-
Yeah
-how do we put that in context?
I know. This is like-
You know, you're feeling more bullish.
This is the-
You said on the call.
This is like the outperformance gift that keeps on giving, which is great. So when we started the year, this is funny, we guided the year to 7% growth at the midpoint. That was our initial full-year guide. What that meant was, we guided Q1 at 8.1%. Now math just dictates that you know if you're guiding to 8.1% in Q1 and your full-year guide is at 7%, the rest of the year is gonna be something sub-7%. Let's call it 6.5%.
That's right. Yeah.
Q1 comes along, and we have a fantastic quarter, and we deliver above, you know, 9% growth for the quarter. Now, and then the question we get is, "Well, why the decel?" So I have to laugh because the decel was always there, right?
The takeaway from the quarter is, look, as opposed to in the years past when, you know, we've maybe had a Q1 and then had to reset guidance downward on the year.
It's quite the contrary this year. This year, we had a really good Q1, and we took guidance up. Yes, mathematically, there's a decel, but the way to think about it, actually, is that we're a quarter of the way through the year, we're incrementally more positive for the full year, which is what allowed us to raise the full-year guide, and yes, mathematically, that implies a decel, but that's no change to how we started the year. Net, net, we're better off today than we were at the beginning of the year.
Yeah. Got it. Mark, you mentioned your cloud CNAPP business.
You know, how big is Ermetic now? You know, do you think that it could be a substantial contributor to the platform?
Yeah, absolutely.
We'd love to see how that kind of fits in-
Sure
....the whole growth profile.
Yeah. It is definitely, you know, when you look at the asset types, it's one of the larger asset types within Tenable One. I think the shift that we've seen in the cloud business is the bulk of the business that we're now doing for CNAPP is part of Tenable One, the platform. You're not seeing You know, in the early days of CNAPP, you'd see a lot of customers do a standalone deal and buy CNAPP as standalone. You're not seeing many standalone deals. What we're seeing in the market is a chance, and we are seeing this with Wiz now that they're, you know, owned by Google, you're seeing this disruptive motion where they're using Tenable One, they've been a Tenable One customer, they love Wiz. Wiz is a great product and great technology.
You know, but they now see it as part of Google, and you could be a big AWS shop or a big Azure shop, and you're not sure if you really trust what the roadmap is gonna be in regard to where Wiz is gonna go.
Are they gonna have to take them off the AWS platform, re-platform the GCP, how does that work? How does sharing of roadmaps and technology work with AWS and Azure now that you're part of Google? Wiz historically is extremely expensive, right?
One of the most expensive cyber technologies in a cybersecurity stack. Where we're starting to see some momentum is part of Tenable One, not standalone, but as part of Tenable One, you're seeing these opportunities to go into some of these Wiz shops and say, "Hey, you're already using Tenable. You're already using the platform. You're spending, you know, an incredible amount of money with Wiz. Let's be able to move you onto the platform for Cloud Security and migrate you off Wiz." You're starting to see that selling motion. We view cloud and CNAPP as part of T1 to be a significant differentiator, especially when you look at our historical competitors. You know, it really isn't even close to the capability we have compared to.
you know, say a Wiz. Or no, sorry, compared to like a Rapid7 or a Qualys, or even a Crowd. Yeah, we view it as a big competitive differentiator, and we view it as a space that still has lots of growth, lots of leg room, and a competitive dynamic that's being shaken up a little bit by Wiz now being part of Google.
I mean, on that point too, you know, we Obviously that was one of the biggest questions that came up when Google announced they're acquiring Wiz-
Yeah
...is if they were built on AWS.
What are you gonna do?
Billion-dollar customer, right? I mean, one of the biggest.
Yeah.
Yeah.
Any indication of, like, that you're seeing on your side? Is there gonna be a change there?
You know, I can't comment.
What are some things that customers worry about?
I can't I mean, listen, anecdotally, customer conversations, you know, they're concerned about it. I can't give you any inside baseball on what discussions have happened between Amazon and Google. I have no idea. Customers are concerned, especially if you're a true blue, you know, AWS shop, and you knew that Wiz had a very tight relationship, right? Roadmaps would be shared 12 months previously. There was a lot of co-design and co-development with AWS. If you're a AWS customer and now you have a Wiz rep show up with a Google rep to talk about GCP-
...along with Wiz, you know, I think there'll be some concern there. You know, we stay in our lane. We focus on what we can control, and we focus on selling and positioning Tenable on the platform, and if customers see an opportunity to, you know, simplify their cybersecurity stack and are able to remove and consolidate a CNAPP product into a platform like Tenable One, you know, we'll work with customers all day long on those opportunities.
Got it.
Yeah.
With, I think we've got a couple minutes, and I just want to reach out to the audience to see if there is any questions from the audience. Okay. We will follow up on this.
All right.
Wanted to ask Matt about you, Mark, about, you know, things on the hiring front, particularly, you know, on the sales rep side. How have hiring trends been over the past few quarters? What's your outlook for, you know, near-term hiring on the sales rep side?
Yeah.
You want me to take this one, Matt? Yeah.
Yeah, go ahead, and I'll follow up. Yeah.
You follow up. I'll do it super fast.
Yeah.
When we came into the year, we added quota capacity to the field, and we've seen that pay off, right? We feel really good about where we are at. We've seen productivity levels increase. We have deployed a lot of automation and AI technology to improve the amount of face time our sellers get with customers, meaning we've drastically reduced the time to create quotes and configurations, drastically reduced the time they have to spend with inside Salesforce.com, right? A lot of these things have been productivity enhancements-
-when we see certain regions, like, say, for instance Middle East, that's seeing a spike where we might need some resources, we will, you know, add quota capacity. Right now we are in a really, really good spot in regard to our sales rep coverage and productivity. I'll let Matt comment on the rest of the business.
One of the things I'm probably most proud of is our ability to hire in high impact areas, in particular-
...in sales capacity and in some of our engineering areas where we're really leaning into the investment, or into the growth opportunity we see. We're investing heavily there. At the same time, what we're able to do is through AI implementation, automation, we're able to reduce in other areas and pull back.
What you'll end up seeing is from a net headcount perspective, you're gonna end up seeing a headcount that is flat to down-ish actually-
...from the whole company.
Yeah.
While at the same time hiring into those high impact areas and getting a little bit of leverage from, you know, in the form of margin growth on all of the OpEx lines. We're managing it really well.
How much has sales headcount growth been, though?
Are you talking about sales in total?
Headcount, like the total number of people.
Yeah. No, we don't disclose that.
Yeah.
Yeah.
But sales capacity is up 10%.
Yeah.
From what it was a year ago.
Gotcha.
Yeah.
Sales cap is that. Capacity is measured how, though?
Quota-carrying sales reps.
Productive quota-carrying sales reps-
That's right.
..or just total?
No, productive.
Yeah.
Productive.
Productive. Yeah.
Great. Okay. With that, I think we're out of time.
Awesome
Mark, Matt,
Good seeing you.
Thank you so much.
Thanks.
Thank you, Brian. Thank you, buddy.
Appreciate it.
All right. Take care.
Yep. Cheers.