Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

Thanks, everyone, for joining us. My name is Sterling Auty, the software technology analyst here at JPMorgan. This is day 3 of the 48th Annual TMC Conference here at JPMorgan. Very happy to have with us for our next session of the morning the management team from Tenable. We have both Amit Yoran, who is CEO; and Steve Vintz, who is CFO. Hey, guys, thanks for joining us.

Thanks for having us, Sterling.

Thanks, Sterling.

Well, listen, we really appreciate it. And actually, before we get started, just a little info for the participants. If you'd like to ask a question, please go ahead and hit the Q&A button at the bottom and type in your question. I'll go ahead and include it in our session as we go along.

With that, Amit, maybe just to get us started, for those that are not as familiar with Tenable, where does it sit in the overall cybersecurity landscape?

A lot of folks think of Tenable as in the vulnerability management spaces. It's where the company is -- which our -- started out in. And we're the largest, strongest and fastest-growing company in that space. If you're not as familiar with the security space or as you think about the evolution of the company, it's really helping enterprise answer this question, "How secure am I? How at risk am I? And how can I most efficiently manage or reduce my risk?" So helping folks identify their systems, where and how they're exposed and how they can efficiently reduce their enterprise risk.

And when you look at the market overall, we tend to think about a number of the vendors in cybersecurity that are servicing low to mid-market or enterprise. Where is your kind of sweet spot?

Yes. We have a solution set that is broadly applicable. So it's very diverse in terms of geo, in terms of industry, in terms of segment. The majority of the company at this point is squarely addressing the needs of the enterprise markets, that we've got about 3/4 of our customers on our enterprise platforms and really servicing that market segment.

So I think what's top of people's minds at the moment is COVID-19 and the overall environment. Can you give us a sense of what did you experience in your March quarter. And what kind of impacts is the business seeing?

Sure. Sterling, this is Steve. I'll talk a little bit about the demand environment and Amit, feel free to interject with the impact on VM as a whole. In Q1, we added over 300 new enterprise customers as well as a healthy number of net new 6-figure customers. So we're continuing to see good activity in both new and expansion. On the earnings call, we did say that while pipelines continue to progress very well, and we're seeing positive developments both in terms of the size and maturity of the pipe, that we do expect an impact on new logos, and to a lesser extent, renewal business. It's businesses -- well, it's difficult to gauge right now. We're pleased with the fact that we have a very broad go-to-market capability where we have offices in over 35 countries, we transact sales in 160, and we're in most major sectors of the economy. And given the health crisis right now, different countries are in different stages in the recovery. And it's why we think it's important to have a broad go-to-market effort.

How have you been able to attract the new logos in this environment? That seems to be the one area that a lot of vendors are, not complaining about, but just identifying it as being a challenge.

Yes. The -- there's some number of logos that are new to us that are converting, that are takeaways from primary competitors or legacy VM solutions and there's a certain natural gravitation to Tenable as the market leader in genuine-level investment and growth in the space. There's also, I think, a broad recognition that understanding your vulnerabilities is both critical from a risk perspective. So as boards, audit and risk committees, CEOs get more engaged in cyber issues, their first natural question is, "How big of an issue is this? How secure are we? How at risk are we?" And so there's, again, a natural gravitation toward vulnerability management. So there's some number of takeaways from primary competitors, and there's also a substantive number of greenfield accounts, which may come as a surprise to many investors. It certainly came as a surprise to me as we started measuring this more carefully over the last 2 to 3 years. And what we find is, in any given period, 1/4 to 1/3 of our new large enterprise transactions are coming to us from greenfields. So they have no organic VM program. They're relying on an audit from a big floor, some consultancy and using that to assess risk and that's simply institution in today's operating environment. So COVID or not, I think there's a natural desire and requirement for business leaders to understand cyber risk. And Tenable represents, I think, the most foundational way to do that.

Why should it be a surprise that, in vulnerability management, that you're still finding greenfield opportunities?

Yes. Sterling, this is a great question. I saw you -- you're almost laughing. That's because, I think, the statement -- because it seems so counterintuitive. And I say it seems counterintuitive because vulnerability management has been around for a long time, right, and it's about a 20-year-old market, give or take. And it seems so intuitive to anybody that's been in and around security. Of course, you would be doing that. And I think the greenfield really represents those enterprises which didn't have corporate leadership engaged in cybersecurity. So again, they're relying on an annual audit or they don't feel the need to get engaged in cybersecurity, saying, "We have a firewall, and so we're secured." And what they've learned is, no, that's absolutely not the case. Regardless of what security protective measures you're putting in place, you have to exercise good hygiene. And the way to assess that and the way to assess risk is only through these types of programs.

Is there any change in terms of the type of solution or the use case that customers are coming to you for in this environment versus prior to COVID-19?

It's early in the changes in work environments to see definitively this is the trend. I think there are some intuitive motions that make sense in increased adoption of cloud-based infrastructure, increased adoption of work-from-home populations, does mean that you want to exercise different types of approaches to understanding risk. And so that's where Tenable brings a very flexible set of technologies, whether you want to use the engine-based approach, a cloud-based approach, an on-premise-based approach. But I think it's -- what we have seen also is that there is a real -- it's a change in the operating environment. It's not like folks have abandoned their corporate networks. They no longer have data centers. They no longer have on-premise applications and servers that they have to maintain security for. Maybe I'll have this new extended attack surface that they weren't anticipating. And so our -- the flexibility of our technology to allow people to assess all the different aspects of their attack surface is critical as well as helping them prioritize what to address, like, IT teams have never been busier, right? They've got to keep -- you've got to not only maintain their infrastructure, they've got to make this new working-from-home remote workforce efficient and give them the access they need and try and secure them. So security teams really need to prioritize what am I going to go talk to the IT -- to IT operations about? What's most critical? What really matters from a risk perspective? And that's where our analytics really become compelling.

What did you see in terms of close rates in this COVID environment as you hit the end of the March quarter? And what's happening thus far? I imagine, listen, we know the linearity is back-end loaded for all software companies. But what can you comment to in terms of the close rates thus far in June?

Well, we said in Q1 that we added -- despite adding a healthy number of new enterprise platform customers and a good number of net new 6-figure customers that we would like to close a few more deals. So we did see some impact on close rates. We're dealing with 3 weeks of pandemic in the first quarter, and now we're dealing the full 3 months of it. The good news is that activity levels, as we commented before, are good, and the pipeline, in terms of size and maturity, it's healthy. But like most software companies, we're back-end loaded. And it's not unusual for software companies to close 50%, even 60% of their total new sales in the June quarter. So we understand that closing new deals now is going to be more important now than ever. We are -- we think we're reasonably well positioned, but we do expect some impact. With the crisis comes a greater degree of uncertainty. But we also know, too, that -- and I think this is according to a recent Fortune survey that, what, 60% of large companies expect to accelerate their digital transformation efforts. So one of the secular tailwinds for us was companies undergoing digital transformation. With that, more connected devices, the attack surface expands. It brings -- this is going to bring a new set of challenges for organizations and a new set of security challenges, in particular, that we're hoping to solve and address along the way.

What did you say in terms of -- one of the other comments is customers asking for flexible payment terms, maybe changes in contract duration. What have you experienced thus far?

Well, with regard to payment terms, our expectation is we had -- that we will see more customers, and we have seen more customers ask for some payment terms. But there are some verticals that are more challenged than others if you look at transportation, health care and hospitality. In aggregate, it's less than 10% of our total revenues, but those sectors have been impacted more than others. So we are starting to see some of it. However, what mitigates the risk a little bit for us is that we do 2-tier disty. So every deal that we transact goes through the distributor, it goes through the reseller and it significantly mitigates the risk. We don't have to track collections and shift 100 -- in 120 different countries. And so in that regard, we feel pretty good. What was your second question, Sterling?

Just contract duration and payment terms.

I'm glad you brought up contract duration. We disclose CCB, calculated current billings, which is the change in short-term deferred revenue over revenue, and it's a close proxy, not a perfect proxy of bookings. We run the company in ACV bookings. Quarters are based on ACV bookings, compensation's tied to it. CCB in an environment like this is probably less meaningful as a leading indicator to revenue. Not only is it predicated on you closing deals, close 1 business, but it's also influenced by early renewals and also multiyear prepay deals. And our expectation is that we will see probably less customers inclined to pay 3 years upfront, and we've seen it in maybe otherwise stronger markets. And so CCB, for that matter, becomes probably less relevant for us, and less relevant is a leading indicator to revenue growth itself.

Are you seeing -- with the increased work from home, it's a lot more devices that are outside the corporate firewall than what they've seen before ever since I -- I think companies have been concerned that they're opening up additional attack vectors there and a different attack surface. Does that pull through increased either usage or upsell opportunity?

I think it's a journey for most companies. As our customers shifted to a work-from-home environment, we opened up much greater flexibility on licensing around adopting -- Tenable.io is our cloud platform and also increased usage of agent-based technologies for those folks so they can assess the systems without chewing up additional VPN -- precious and loaded VPN bandwidth and so on and so forth. So there certainly is the opportunity for increased licenses as -- if that becomes the new norm for folks. Our anticipation is some number of those devices will come back on corporate networks. And so is it more of a shifting of this type of license versus that type of license? So I think it's early in the -- it's early in the process to see what compute will really look like post-COVID. But we aren't anticipating a sort of major tailwind of new license revenue. I think it may just be a slightly different mix than we've seen historically.

So Tenable is one of the small group of companies that actually has its founding either on or related to open-source technology. Can you kind of walk us through what the portfolio stack looks like today? And are you able to leverage some of those open-source roots?

Yes. So as you mentioned, we started off with an open-source technology to help people assess where you scan a system and assess what are the known vulnerabilities that, that system is exposed to. So you know what software needs to be patched, what fixes need to be applied and what configuration settings need to be changed to be secure. Over the years, that open-source technology was closed-sourced but maintained a free license. And that's -- I think many people call it a sort of beloved product, Nessus, where we've had 2-plus million cumulative downloads and users of that, which is actually a very close approximation to the sum total of security professionals in the world. So everybody has used or currently uses Nessus. It's the gold standard for how to assess systems to risk. And it becomes a tremendous source of intelligence for us in that people are constantly testing systems with it, providing us feedback, "Hey, this fix needs to be approved with these changes or I've got a new vulnerability I have discovered, here's how to look for it using Nessus." So there's all sorts of advantages and the cumulative effect of that over the course of decades. We do have a professional version of that product, which has a for-fee license, Nessus Professional, represents, call it, 20-plus percent of our revenue. And that is if you want to scan larger numbers of systems. I want to look at 10,000 systems. I want to audit 10,000 systems on my network. So there's a natural progression from freeware to paid on your license using Nessus Pro. And then beyond that, we have our enterprise platforms, which currently account for 70%, 75% of our sales. And in those enterprise platforms, you have enterprise types of functionality. So the ability to control multiple scanners. You may have a large enterprise, has 30 or 130 scanners on a global basis. And you may want more flexible assessment technology, not just scanning, but you may want agent technology, you may want passive asset discovery, you may want native cloud connectors to the 3 major cloud providers, the integration and understanding of the security of your OT environment as well as more complex reporting and analytics. So what do these vulnerabilities mean from a risk perspective? How is that trending over time? How am I benchmarking relative to my peers, and a much more robust set of APIs to integrate with your logging solution and your patch management, configuration management solutions and other IT operations, ticket management capabilities? And so there's a very natural progression from freeware to professional version and then professional version to our enterprise platforms. But the company's largest segment of growth over the course of several years now has been in that enterprise segment.

So I think that's a good segue into -- so how would we think about your SMB exposure? And what are you experiencing there? Because I think investors are most concerned about SMB, number one, and then those that are in those hard-hit industries like transportation.

We're an enterprise software company, so we sell to large and even midsized organizations, and that's most of our revenue. We do have some smaller customers. A lot of people think of Nessus as an SMB product given its price points. It's sold as an annual subscription. It can range from anywhere from $2,000 to $10,000 per annum. While there is an SMB concentration in Nessus, the preponderance of Nessus is really for the security of communities, specifically pen testers. And we think those dynamics are a little different than smaller companies. If you look at vertical concentrations, we talked about this earlier, our largest verticals are public sector, specifically the federal government. It's about 15% of our revenues. We also have stronger concentrations in financial services, health care, technology. Those have been areas of strength. On the retail side, I think there's a difference between the consumer good companies and ones that are selling primarily to consumer. So in aggregate, if you look at the exposure for transportations, hospitality and retail, it's about 10% of our total revenue. So we think that brings good balance. We're continuing to monitor things closely. But we take comfort in the fact that we sell primarily to mid and large organizations, and we're an enterprise software company. That's probably a better place to be than companies that are focused primarily on SMBs where it's more susceptible to the health crisis.

So how do you drive the upsell/cross-sell? So in other words, what's the tip of the spear when you get into an enterprise? Are you starting with Nessus Pro and working your way up? Or do you land with some of those enterprise platforms? And how do you drive that, like I said, upsell or even expansion?

We can land one or 2...

Go ahead, Steve.

I was going to say we can land in one or 2 ways. Increasingly, we're seeing a greater number of new enterprise platform customers. So we added over 300 in Q1, over 400 in the fourth quarter. So that's been a primary area of focus, continuing to bring new customers into the franchise as an enterprise platform customer. And Amit mentioned that 30% or more in any given quarter can be greenfield. So -- I mean that speaks to the evolving -- how the VM market has evolved from compliance-driven to one that's a foundational part of your security program. Also, we have a product in Nessus that it has -- which is a cost-effective one ramped into a larger platform sale. And it's one that is seen at the market. The free version of Nessus has been downloaded 2 million times cumulatively over the past 15 years. Most security professionals have used Nessus or are already using Nessus and -- during their lifetime. And so we also have customers that come in and use Nessus and then step up to a larger enterprise platform sale. So we can land multiple ways. You can come into Nessus and then step up and make that larger purchase or you can come directly into the enterprise platform. Regardless when you do, we see considerable expansion. Customers increasingly look to us to secure more of their assets. So as more of the assets come online, and Gartner estimates there'll be over 20 billion connected devices over the next couple of years, the compute environments are not static. They're very dynamic. As customers add more digital technology and engage in more digital transformation, increasingly look to us to secure more of those assets. So asset coverage is one vector of expansion. The other is really product. We've launched a number of new products over the years. We've talked about Lumin here and the commercial appeal that, that potentially has. We have WAAS, a WAAS product, container security, a number of other products that we're excited about. And we think the combination of assets and more product will provide a continued expansion within the base. It's one of the reasons why we have this very healthy net dollar renewal rates that we're very proud of.

So 2019, you guys crossed over and became the largest vendor in vulnerability management and continue to be the fastest-growing. What do you attribute that success to? So how are you able to gain that market share?

Yes. I think especially as you look at the enterprise market segment where we're focused, the market's spoken time and again that best-of-breed matters. Those enterprises really want to understand what their risk is, what their exposure is. They go out and they test products, they evaluate products, they compare products. And our level of investment, each of the last 3 to 4 years, has been -- we invested more in VM R&D than our next 2 public competitors combined. You just do that cumulatively -- over the course of the years, the cumulative effect is absolutely tremendous. So we simply have a better product. We cover more CVEs than our next closest competitor, like, not 2% more, 20%, 22%-plus more vulnerabilities. We test our product to do Six Sigma accuracy in terms of false negatives and false positives. And when you do that and you have that type of differentiation in the product, enterprises, they take their time to test, they take their time to understand the difference, can appreciate that and that results in the higher win rates and a greater growth rate in the VM products. And also investing in not just a better VM product but also a more modern approach to vulnerability. So looking at not just traditional assets, looking at cloud-based infrastructure, looking at cloud-based assets, looking at the operational technologies, looking at containers and DevOps environments, enhancements to web application assessments. And so it's a better, more accurate assessment of your attack surface and a bunch of new analytic approaches looking not just at level and types of vulnerabilities, but how exploitable are they, how critical are the assets, what does this mean from a risk perspective and what are the actions I can take to most efficiently reduce risk. Sometimes a single patch may supersede 3, 4 other patches and configuration changes and address dozens of vulnerabilities on more or less critical systems. So it's easy to say we can guide an automated remediation or guide remediation -- efficient remediation. But to do that in the wild really is a very complex form of analytics. So all of these types of things prove to our customers, and I think to the market, that in the enterprise segment, we bring the greatest capability, and that results in growth rate.

So Qualys has suggested that the reason why you're growing faster or -- I should say, one of the reasons that you're growing faster and one of the reasons that you're bigger is that you're not 100% subscription-based, that there's a difference in the business model. Is there that much difference in terms of business model that would cause a meaningful change in terms of either growth rate or size of revenue?

The short answer is no. And despite contrary belief, while we do sell some perpetual licenses, the revenue recognition is not upfront. It's over 5 years. So selling a perpetual license actually creates a longer revenue recognition period. And so selling a subscription, therefore, means you can recognize more of an upfront, you would recognize the subscription over the term. Look, and at the end of the day, we sell -- we're predominantly subscription. We're 90% recurring revenue. We have over 80% gross margins. And we have a product in Nessus that has been a cost-effective, more ramped into a larger platform sale. We are a -- we're completely focused on this market. We have a lot of confidence in the market. We think it makes a difference in terms of competitive differentiation, in terms of win rates. It's one of the reasons why you see the inflection in new logo add. So the data points that we provide to Wall Street, we think, provide a lot of transparency in the business in terms of how many new customers we're adding, how many large customers are we adding and just even the CCB itself at what level of sales as a result of that. So we feel really good about the tailwinds in our business. We know that the health crisis will impact our company, will have some impact on the business. But we think it's best to be focused in the enterprise, best to be focused really on the VM market itself as well -- and not adjacent or ancillary markets.

So typically, during downturns, I expect the margin profile of companies to actually get worse. But when I look at your outlook and I look at what you produced in the March quarter, not only you've generated growth, but it looks like the margin profile is getting meaningfully better. So what is -- how are you managing expenses? And how are you able to still get that top line generation while -- not contracting, but kind of reining in some of the spend?

Yes. And so we're very proud of the margin levers that we've achieved to date. If you look at the beginning of the year, I think we guided to, at the midpoint, a loss of $0.35 for the full year with a loss of $0.17 in Q1. Instead of $0.17 in Q1, I think the print on a pro forma basis was $0.08. So there's a notable upside in EPS. Some of that was due to revenue. We said $0.01 to $0.02 was COVID-related, less fuel marketing, less travel, but the preponderance was really on the expense side and greater operational efficiency. In Q2, we've guided to a loss of $0.04 to $0.06. Also, for the first time since we've been public, on a sequential quarterly basis, sales and marketing actually was lower on an absolute dollar basis in Q1 versus Q4 despite having a number of industry events and upfront costs related to SKO or worldwide sales kickoff. And one of the reasons why, Sterling, is because despite making investments in sales and adding capacity and also investing in new areas of the business to drive innovation and bring new products to market, we are demonstrating a greater level of efficiency and able to balance those investments a lot more. Now that we have critical mass in certain markets, when we add a sales rep, no longer do you need to add all of the associated overhead that goes with it, there's greater efficiencies there. So with every investment and sales rep you have, anything from a sales development rep, a channel manager, a field marketing person, a sales engineer, we're able to achieve a greater level of efficiency given the investments that we've made to date on a historical basis. And going forward, you should expect that story to continue, continuing to invest because we believe in this market. And as you mentioned, we are the largest company in our space and also continuing to balance that with a greater degree of efficiency. And overall, the cash flow characteristics of this business are very attractive.

Amit, the 2008 to 2010 Great Recession, you weren't at Tenable at the time, but you've been in cybersecurity as long or longer than I have. What were some of the things that you learned kind of being an executive and managing through that time frame that you can take away and apply to how to run Tenable during the current economic environment?

Just because I haven't shaved my beard and showing a little bit more white doesn't mean I've been in security longer than you, Sterling. Nice try there. There are -- I think, first of all, steady hand at the wheel. It's easy to overcorrect in one direction versus another direction during these times of uncertainty. And I think, especially, COVID has been a very different type of downturn than we've seen previously just affecting, not just globally, all sectors and a much greater degree of uncertainty, focusing on customers and core value proposition. And there might be some decisions that you and some modes of operating that you decide to push out. In Tenable, one of the things that we focused on, especially in the early days of the crisis, is making sure that we're very deliberate about investing in our engagement with customers, in quota capacity, in our customer interaction points, our support organization and also making sure that we're very deliberate about our road map, about our innovation, about investments in capabilities. So you see that play itself out. Listen, there's been no slowdown in the number of new vulnerabilities discovered. You've seen literally hundreds of vulnerabilities published on Microsoft platforms, on Oracle platforms, on core business platforms over the last couple of weeks. And having a company that's able to continue to innovate, continue to focus, continue to turn around the speed and accuracy of coverage for those exposures and help translate to customers, what that means to them from a risk perspective, I think, is incredibly powerful. And so this is an opportunity to really get a much deeper, closer level of engagement and relationship with your customers. And unfortunately, there's other things that you'd like to do that -- other initiatives that you'd like to invest in that you just going to sort of defer and say, look, this is not core. We're going to wait on this or we're going to look more opportunistically because other companies, other products and other pieces of innovation in the market are going to have a more difficult time getting adoption, getting funding, getting the momentum that they might see in a better market. So focus on the core, operate smartly and I think also be opportunistic because there will be some great opportunities for stronger companies like Tenable to take advantage in this market.

Okay. On the competitive landscape, one thing that I think investors are trying to better understand is you do have nontraditional companies like CrowdStrike that has modules that they call vulnerability. Is that something that's actually competitive to your core platform? Do you actually see a competitive threat from companies like CrowdStrike?

We see a competitive threat from those companies, especially in the investment community. It's a question I hear frequently from investors. And -- but we don't really hear much about some of these new entrants to the market from a customer perspective. Going back to the comments earlier about best-of-breed focus, enterprises are looking for real capability in understanding their exposure, understanding their risk. We see great differentiation between us and our pure play or more traditional VM competitors, and I think some of these new entrants have far lesser and far less mature capability. It's something that we're tracking, obviously. As of yet, they have no meaningful presence from a VM perspective. And we think our level of investment will allow us to continue to differentiate in a more strategic way, not only on the end points, but in other increasingly critical parts of the security or the increasingly critical parts of the infrastructure, the cloud-based infrastructure, the web applications, the DevOps environments, the OT environments and ultimately translating to risk. I think a lot of these new entrants are really focused on kind of vulnerability context as they evaluate attacks more than maturity of capability.

That makes a ton of sense. All right. With that, Amit, Steve, thank you so much for joining us today. Stay safe, and stay healthy. Thanks again.

You, too, Sterling. Thank you.

Thank you, Sterling.