Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

All right. Good afternoon, everyone. I am Melissa Franchi. I am the cybersecurity analyst here at Morgan Stanley. Today, I'm very happy to have the Tenable management team with us. We have Amit Yoran, CEO; and then Steve Vintz, CFO. Welcome to both of you. Before we get started, let me just read this disclosure. Please note that all important disclosures, including personal holding disclosures and Morgan Stanley disclosures appear at the Morgan Stanley public website at www.morganstanley.com/researchdisclosures or at the registration desk. Okay.

That out of the way, let's kick this off. Amit, maybe we can start with just a high-level question on the health of the security market. So we are coming off of RSA conference last week. I know that you've probably had a ton of customer conversations. It sounds like the security demand environment is relatively stable and healthy, but we are in sort of uncertain macro territory right now. So what's your view on the defensiveness of security spending in 2020 and what it looks like relative to last year?

Yes, uncertain macro in a number of different trend areas. But I think overall, I think security has gotten enough visibility over the last several years to be a must-have, enterprises recognizing that there's tremendous threat out there and that they have a responsibility from a standards-of-care perspective to maintain their systems and invest in security. So we see -- currently see security spending very healthy and increasing percentage of a healthy IT budget.

Okay. Well, that's good to hear. And I guess just drilling down in your opportunities specifically, you're focused on Vulnerability Management. I've hosted this week Qualys and Rapid7. There seems to be a consensus that the market is growing mid-teens and that should sustain in the foreseeable future. Do you have that view as well? And is there any potential where you could see greater growth, just given some dynamics of expanding VM beyond the core use case?

Yes. I think the core VM market remains very attractive, as you said, whether it's 15%, 18% growth, depending on whose numbers you believe and look at. Yes, we think there's tremendous potential in the market. We have a blue-chip customer base. We've got 50% of -- more than 50% of the Fortune 500, more than 25% of the Global 2000 among our customers. Our assessment is that we're about 25% penetrated in those accounts. So lots of growth potential within those existing accounts. And then we've got a very healthy number of new logos and new LANs. We had a record number of more than 400 logos on our enterprise platforms in terms of new customers in Q4 and pretty consistently, very consistently over 300 quarter-in, quarter-out. So a great number of new enterprise LANs. And perhaps one of the data points that's most exciting is that about 1/3 of our largest transactions in any given quarter over the last 2 years are coming to us from greenfield accounts, which is shocking and surprising. But a number of enterprises have historically relied on an annual audit from PwC, Accenture or some other firm to tell them what their state of cyber risk looks like. And in today's environment, that's just irresponsible. And so enterprises, whether it's a new CISO or audit risk committees getting involved in cybersecurity, they're now asking, and the way to answer those security and risk questions, to a large extent, stems from the VM program. So we're seeing a lot of new enterprise logos, a lot of greenfield accounts and a lot of expansion opportunities. So we're very bullish on the opportunity in front of us in core VM, let alone some of the markets that we're now starting to move into.

Okay, that's helpful. I guess looking back into 2019, I'd like to understand the different drivers of your growth, then we can talk about what we should expect moving forward. So you've been able to grow, in the most recent quarter, 28% current billings growth. So that's definitely well ahead of the VM market. To what extent is that coming from expansion within your existing customers just by expanding the kind of asset deployment visibility? And then to what extent is it coming from new customer adds and/or moving your customers from Nessus up to the enterprise. Can you just help us understand the different components of growth?

Sure. Well, in the fourth quarter, we grew calculated current billing to 28%, and approximately half of that comes from existing customers. And the expansion can come 1 or 2 ways. First, a lot of people know us for Nessus. Years ago, we had a little more than a dozen sales reps. We had 15 customers spending over $100,000. And over the past few years, we've, again, investing and building out a global go-to-market capability. And the expansion has taken hold as a result. And so we expand 1 or 2 ways. Customers -- a lot of enterprise customers use Nessus and historically have stepped up to an enterprise sale. Nessus is a cost-effective on-ramp into a larger deployment for us, enterprise sale. But then once you become an enterprise customer, we also sell more back into the base. We have an asset-based pricing model. So if you believe in a world where more assets are coming online, and Gartner estimates will be billions of those over the next 3 to 5 years, we naturally grow with our customers and not just traditional kinds of assets, servers, desktops and laptops, but also modern assets such as containers, web applications, operational technology. So about half our growth comes from existing customers and then the other half comes from the new logos, new dollars from new customers. And we called out the healthy number of new enterprise customers we added in the fourth quarter, which is 400. We've been consistently adding about 350 per quarter, plus or minus. And the LANs for those customers are also getting a lot larger. Today, we have over 600 customers spending in excess of $100,000, and we're doing more 6-figure deals now than we ever have and not just $100,000 deals, but $250,000, $500,000-plus. And then also coincides with investment and go-to-market, because over the past few years, we've added a lot of named-account executives. These are sales reps that are focused on the largest of customers. We have over -- we serve over 50% of the Fortune 500, over 25% of the Global 2000. And we're modestly penetrated in a lot of our major enterprise accounts. So lots of runway for continued growth.

Over the last year, you guys have added some additional capability in Tenable.sc and io, Predictive Prioritization capabilities. I'd like to understand how differentiated that is relative to your peers. If we talk to your competitors, they do talk about adding more analytics to help enterprises reduce the noise and make more actionable -- or deliver more actionable insight. Can you just talk about how differentiated Predictive Prioritization is? How important it is to your customer base and is it helping you win new deals relative to competition?

Yes, it's definitely helping us. I think it was sort of a misnomer. If you looked at -- if you talked to Gartner 3, 4 years ago, they probably would have told you something like, all VM vendors basically do the same thing. They are slightly different in the periphery. And I think if you talk to -- depending on the analyst, if you talk to them today, I think you'd have -- they tell you a very different story that the 3 VM companies are very different and deliver very different value propositions. And that should not be surprising. We're pursuing different strategies, and we're just playing different growth rates and so on and so forth. So when Tenable, unlike the other primary participants in the market, which have chosen to diversify, they're going after a unified endpoint strategy or they're pursuing SIEM and managed security services and patch management, and they're creating a more sort of unified approach to security management, Tenable has chosen to execute a best-of-breed strategy in VM. Subsequently, over the last 4 years, each of the last 4 years, we've invested more in VM R&D than both of our public competitors combined. And when you do that consistently and over the cumulative effect of that over multiple years, it just results in a radically different customer experience and outcome. And it's not just, hey, Amit is saying it. Like the data tells us that. We have 22% greater coverage of vulnerabilities than our next closest competitor. That's 22%. That's not 2%. If you're getting tested or evaled in an enterprise, whose job it is to do VM, like that's a very noticeable difference. It translates into greater accuracy. We test a six-sigma accuracy with our false-positive and false-negative rates. When you're a VM program manager and you're telling IT operations to go fix something, you better be damn sure that it's a problem. Or when they tell you they patched it and you say, yes, but you never powered-cycled it, so the service that's being offered to the Internet is still vulnerable and exposed, that type of accuracy matters in the enterprise. So we're seeing a very strong competitive win rate in core VM solutions vis-à-vis our competitors and an exceptionally strong, I'd say it's a very awkward and unusual circumstance if we go into a competitive eval and we don't win the account. On top of that and on top of the core VM, as you said, we've added and invested significantly in analytics. We have chosen not to diversify because we believe the VM market is ripe for reinventing the way you saw Palo Alto reinvented tired old firewall market years ago or Splunk reinvent a tired logging and SIEM market, or ArcSight and others had already sort of won and lost the battles. And so from our perspective, knowing what you have on your network or in your cloud infrastructure and your operating environments, knowing its level of exposure, knowing your hygiene, knowing how to prioritize, what to fix and what it means from a risk perspective, knowing how you benchmark from a standards-of-care perspective or negligence perspective relative to your peers, we feel like are compelling value propositions. So I can't look at and say, we're winning x percent more, because our Predictive Prioritization is more accurate and more compelling than what our competitors are marketing as prioritization algorithms. What I can tell you is we have compelling win rates and a dramatically different growth rate in the VM market because we're dedicated to the market and our capabilities are significantly differentiated.

So being focused on VM is definitely a core differentiator. But even if you use the analogy of Palo Alto, I mean, at some point, they did have to expand beyond the firewall market, and now they're getting into different markets, and we continue to hear about the theme of consolidation within security. So is there some point in time in which you feel like it would make sense for you to expand beyond VM? Or are we really far away from reaching that?

Just about every single breakout company and technology was effectively a one-trick pony through $1 billion in revenue. That's not to say we're not branching out, but it's to say we're being exceptionally thoughtful. We're firm believers in the fundamental opportunity in front of us to reinvent VM. That means we're currently enjoying attractive growth rates that we believe we can continue to deliver on over an extended period of time, but it also means, hey, look, if you do the math on the growth of account penetration in our existing enterprise accounts, we have great runway. If you add in the net new logos that we're landing, we have tremendous runway. If you look at the greenfield accounts, we have tremendous runway. If you expand out from core VM, when you start looking at control systems in automated inventory management for retailers, for robotics and manufacturing, for power and energy and industrial control systems, in control systems which is around data centers and automated building and green building management systems, there's phenomenal growth for us. When you start factoring in cloud-based infrastructure and cloud workloads and DevOps environments, when you start factoring in web applications, there's phenomenal expansion of the attack surface that we can help answer the same question that we're currently delivering to our customers in this new modern attack surface and also all the analytics. Not just here's a list of vulnerabilities, but also what's most exploitable. What matters from an asset criticality and a risk perspective? What are the fewest actions I can take, whether they're configuration changes, applying patches, network or compensating controls I can implement that would most efficiently reduce the risk needle? At the end of the day, our vision is to answer the question for our customers, how secure are we, how at risk are we? And that's a very different question than other security vendors. And we feel like as audit and risk committees and CEOs and Boards of Directors get engaged in security conversations, that's the question they're asking. And so we're super excited about the VM opportunity, but the broader opportunity in front of Tenable.

Since you mentioned the expansion of the footprint, I guess, that needs to be secured, let's maybe let's shift to OT security, IoT/OT, operational technology. At the end of last year, you bought a company Indegy, which provides greater visibility into industrial security devices or industrial devices. Can you just give a little bit more detail on what the technology Indegy brings -- what does the technology Indegy brings that you didn't have before and how is that changing customer conversations?

Yes, it's a great question. So Tenable, this sort of vision for how we help our customers evolve in this modern attack surface has been fairly consistent. About 1.5 years ago, we announced a strategic partnership with Siemens. We launched an organic offering to build visibility into industrial systems and then, over time, learned more and more about the market. We learned that our customers and our users are asking us for capability in industrial and operating environments. We've learned that our team can build pipeline successfully, can close transactions. We also learned that we are -- even with a year or 2 of development and partnership with Siemens, aren't able to bring decades of experience in operational technologies to the table and so had the opportunity to evaluate other players in the market and ultimately acquired Indegy in December of last year. Indegy is the pioneer of active engagement in operational networks. So the traditional security approaches, we'll passively monitor things. We're afraid to touch them. Because the Indegy team have come from operating environments, they're actually comfortable reaching out to the Siemens or a Honeywell controller, clearing it in its native protocol and application, getting a detailed understanding of the environment, how is it programmed, what is it connected to, what are the parameters that drive the control system? And that enabled us to do a much more thorough job of mapping out the assets, mapping out the level and the types of exposures that exist and also allows us to introduce new capabilities like change detection in these operating environments, which is incredibly important. So we take that data, and we've already integrated with our analytic products and offerings that we were talking about earlier. So it allows the customer to have a sort of unified experience, understanding IT and OT. And these things are frequently controlling critical business processes. So it's -- we're really excited about the pipeline we're building and the opportunity in front of our OT products.

Great. Maybe we can shift to Lumin, a new products that you GA-ed at the end of 2019. The conversation on the Q4 earnings suggests there's been good initial customer interest in Lumin. Can you maybe just put a little bit more color around that? What have customer conversations been like? And then what have you seen in terms of the willingness to pay for that added capability?

Yes. The -- so Lumin is a product that, as you said, we launched in Q4 of last year. It's a product that's been in the making for about 2 years. We talked about our excitement about it on the roadshow 1.5 years ago. It's been through extensive early access testing with customers and beta testing. Lumin does a couple of things differently than any other products on the market today. So when we're evaluating a system, we discover an asset, we evaluate it from a security perspective. We're also evaluating the criticality of the asset. So what kind of system is it, what's loaded on it, tell me about the user population, the services, its offering, the volume. And so we give a customer a best guess, hey, we think this asset is pretty critical, or we think it's less interesting. And of course, they can change the rating, and then we can pull data from ServiceNow or other platforms. So when you have an understanding of the asset and how exposed it is, but you also understand how critical the asset is, you can start approximating risk. And then when you benchmark the cyber hygiene of the enterprise, right, how quickly are you identifying problems, how quickly are remediating problems in the environment, you can start answering questions not only about how at risk the enterprise is and how that's trending over time, but how the enterprise is benchmarking from a cyber hygiene perspective relative to its peer group. And when you think about standards of care and negligence and the things that drive CEOs and audit and risk committees, having that type of insight is absolutely compelling. So the initial launch with Lumin has been, I think, from our perspective, an unqualified success, feel terrific about the Q4 sales and the pipeline that we're building with the product. We had investor meeting actually earlier today. One of the investors said, why -- it seems like a no-brainer, why wouldn't somebody buy this, and that's how we feel. So in terms of attach rates to new sales and selling into the existing customer base, we're pleased with the early results and have a lot of confidence in the product going forward. And there's existing precedent that companies are willing to pay for these types of analytics separate and beyond what they pay for VM -- a traditional VM solution.

And then we're attached, we're seeing anywhere from a 30% to 50% uplift in our ASPs. So we're pretty excited about, a, the attach rate, even though it's early and it's still modest. We expect it to grow over time. And directionally successful SaaS products over the course of 3, 4 years plus you could see attach rates that are well above 50% and even approaching rates that are higher than that. So we're excited about the opportunity that Lumin brings. And it's a very -- it's been very successful out of the gate. We'll keep you posted on the progress.

Right. Well, given it's early, what's embedded in your guidance for 2020 in terms of the Lumin contribution?

Yes. Well, we mentioned a number of new products that we mentioned, an enterprise OT capability that we acquired in December. We also talked about Lumin, which out of the gate has seen very good demand. What's contemplated in our guidance is that we expect modest -- is modest contribution from those new products. Because they are new products and given the enterprise sales cycles, there is contribution, albeit modest. It doesn't temper our enthusiasm in any way about the opportunity for these products. And it's really in the year, and there's a lot of selling left. And we look forward to updating investors throughout the course of the year.

Okay. Shifting to the sales force and sales productivity. Last year, one of the points of discussion was the extent to which you are going into bigger enterprise deals, and that was creating a little bit of a longer sales cycle because naturally, you're selling a enterprise deployment versus maybe departmental. Is that dynamic still the case for 2020? And -- or is it perhaps even worsening as you're becoming more strategic for the enterprise?

I think that trend does continue, just to have more strategic sales, VM's gone -- Vulnerability Management's gone from a low-level engagement to, this is something that has Chief Information Security Officer, CIO, CEO, levels of visibility. And along with that, we're seeing more enterprise, RFPs, larger LANs, as Steve said, larger expands within the customer base. And so the procurement is more typical of what you'd see in enterprise sales motion. So you get a procurement office involved, which didn't used to be the case with the smaller, higher-volume transactions. You're seeing privacy offices getting engaged, a different level of scrutiny and buy off, more bake-offs and the like. That said, we did see an acceleration of the business in the second half of the year. We feel really good about the sales processes that we've implemented and continue to improve and refine upon and some of the sales leadership adds that we've made. So we remain confident that as these opportunities get larger, we as a company are better equipped to go after them and deliver results.

Okay. Great. Why don't I just take a pause for a second and see if there's any questions in the audience. Otherwise, I'll keep going. Okay. One right there?

Can you talk a bit about the road to operating margin profitability and operating leverage in the business? You have quite high gross margins. What sort of spending do you need? And if you think out the next 3 years, what opportunities do you see for operating leverage?

Well, first and foremost, I'll tell you, we have a lot of confidence in our ability to drive significant leverage in the business. This is a company historically that was very profitable in the past, 25% plus operating margins. They run from $0 to $250 million, which is the time of the IPO, was all self-financed. The Series A and Series B was 100% secondary shares. So no primary capital has come to the company. Over the past few years, we've traded a point of margin for points of growth and successfully. So we guided this year in terms of CCB to $0.5 billion of sales, well over $400 million in revenue. But we also talked about on the call, becoming a Rule of 40 company, that's really important to us. And that's going to be a natural consequence of the model. We have over 90% recurring revenue, 80% plus gross margins, as you mentioned, very healthy. We have very high net dollar expansion rates and high gross dollar renewal rates. And we have a lot of confidence in our ability to drive long-term leverage in 2018, when we went public, we talked about becoming cash flow-positive by the time we exit 2020. And what we said on the call for this year when we gave guidance is that we'll be free cash flow-positive for the full year. So the cash flow characteristics of the business are very strong. And we believe in balanced growth, and we believe in becoming a Rule of 40 company, and we will deliver on that.

It's a very excited CFO.

Okay. Any additional questions? One more.

As you were developing Lumin and over the course of the 2 years that you ended up spending developing Lumin, how do you think about the decision to build versus buy the additional product?

Well, it's a great question. So there are some components of the product, its initial iteration, which are available on the market. So Predictive Prioritization is a great example. There are a couple of private companies that sell a vulnerability prioritization product. Ultimately, our vision for Lumin is a lot broader. So we took that Predictive Prioritization, we said, this is really a sort of core enhancement, a core analytics feature to the VM solution that people are looking for. When you try and assess a system for the criticality of the asset and translate to risk and when you try and do things like benchmarking, there are really very few technologies on the market, even in startup, bleeding edge start-up LAN that have a sophisticated approach to that. So ultimately, we felt like building that capability was the right move, whereas with other things like the...

Like OT...

Like OT, the inclusion of operational technologies, an inorganic move was just a very natural accelerant to where we wanted to be. And there happened to be some terrific acquisition opportunity.

Okay, great. We'll have to leave it there. We're all out of time, but thank you both for being here, and thank you, everyone, for coming.

Thank you for having us.