Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

Okay. We're going to be live here in a second.

Have you been to the park?

I have. I have. I think we are live now as well. So hey, good morning, everyone. Welcome to day 2 of the Barclays TMT conference. My name is Saket Kalia. I cover software here at Barclays. Very happy to have with us the team from Tenable. We've got Amit Yoran, Chief Executive Officer; and we've got Andrea DiMarco, Head of Investor Relations. We've got about 25 minutes together. Let's maybe take the first 15 or 20 minutes to do some fireside chat with Amit and Andrea. And then let's make this interactive. Any questions that you've got on the webcast, feel free to shoot me an e-mail at [email protected]. I'd be happy to weave them in towards the end of the session. So maybe with that as a framework, Amit, Andrea, thanks so much for being with us here today.

Great. Thanks for having us.

Absolutely. Absolutely.

Amit, maybe just to help us level set a little bit. Can you spend just a couple of minutes giving us a little bit of an introduction to the business. And Andrea, maybe you could add in some things that Tenable was most proud of kind of coming out of the most recent Q3 earnings call. Does that make sense?

Absolutely. So for those of you that aren't as familiar with Tenable, obviously, a cybersecurity company. Tenable is the market leader in helping enterprises answer this question, how secure are we? How at risk are we? So if you're investing in and familiar with the cybersecurity landscape, there's lots of companies doing all sorts of different things, firewalls and end point protection and encryption and authentication and so on and so forth. A lot of those are absolutely critical technologies to keep your enterprise secure or help detect and respond to breaches when they might occur. We're focused in helping enterprises answer this question, how secure are we? How exposed are we? And we think in today's era, as you're seeing more and more business leadership, corporate executives, audit and risk committee, CEOs ask questions about cybersecurity. We think the criticality of answering that complex question has never been more important.

And I would just add, I think from the most recent quarter, we were very happy with the quarter. I think we are most proud of not only our growth but our profitability. So continued expansion of the margins and free cash flow. And I would note, I guess, on the customer side, continuing to add 335 new platform customers, but most notably, adding about 56 net new 6-figure customers, which is one of our best. And we continue to see additions over even the $500,000 mark. So we've been talking about customers getting larger and larger, and so just continuing to see that theme.

Definitely, definitely, we've heard the theme of sort of bigger deals and bigger run rates here over the last few quarters. So good to hear. Amit, maybe let's talk about sort of the traditional VM market or vulnerability management market here, if you will. I think we've all seen IDC's market estimate here in, let's call it, the several billion dollar range, let's call it, growing in the 10% to 15% range. In our years of speaking together, you've always been -- you've always believed that this TAM could be bigger and probably is bigger. And so I guess the question that I'd love to ask is, why do you think that's the case? And where do you think there's opportunity for the TAM in core VM to be bigger?

Yes. Well, I think you're absolutely right. Our belief and all of our analysis, all the data tells us that this market is significantly larger than what you might get out of IDC or other analysts. And when I say that, I look at our own customer base, right? We've got 50-plus percent of the Fortune 500. We've got 25-plus percent -- I think now over 30% of the Global 2000. When we look at our customers, we're about 25% to 30% penetrated in those accounts. Andrea talked about the several hundred accounts where we're driving 6 figures plus on an annual recurring revenue basis. And if we're only 25% to 30% penetrated in those accounts, we believe that there's tremendous growth potential in that market, in our own account base, plus we're consistently landing a lot of new logos. And those new logos, yes, we do have a healthy number of competitive takeaways. But there are also a large number of greenfield accounts. When you look at our largest transactions in any given quarter, and we're seeing about 1/3 of them coming to us from greenfield, meaning they're not using us. They're not using any of our competitors. They're really relying on an annual audit from a consultancy, to answer this question, how secure are we, how at risk are we, how vulnerable are we. And I think that in today's day and age where cybersecurity is moving so fast and absolutely critical to understanding business risk, that's really not, pardon my pun here, but that's an untenable position. That requires people building inorganic VM capabilities. When you look at all of these growth opportunities within the core VM market, including the greenfield and the expansion, we think the market is significantly larger and growing a lot faster than what the analysts might -- like how they might characterize it.

Absolutely. Love the pun, by the way. Andrea, there's a lot to talk about here beyond traditional VM, but just to kind of put a bow on this topic a little bit. I believe you've got 3 core VM tools here, specifically being Tenable.io, Tenable.sc or SecurityCenter, and of course, Nessus, right? And maybe, Amit, if you want to tag team this. Could you just remind us where each one is targeted? And perhaps just as importantly, how the rev rec models on each of those work? Broad brush, of course.

Yes, yes, and I'm happy to kick off and Amit can chime in. But -- so Nessus Professional is our subscription that is mostly targeted to the SMB market. And we've got -- we've talked back at the IPO, we had over 19,000 customers in Nessus Professional, and that acts as a funnel and upsell into the enterprise platform. So Tenable.io and Tenable.sc are platform customers for our enterprise platforms. In terms of the revenue model, Nessus and Tenable.io and sc are all subscription-based. There's a portion of sc that is perpetual, and it's a small portion. We still have some customers that prefer perpetual licenses. Some certain verticals and certain geographies that prefer that. So it's a small part of the business today, but it remains an option. But the majority of the business is subscription. So I don't know, Amit, if you have anything to add there.

No, I think that's -- I think you've covered it.

Got it. Got it. Amit, I think you mentioned this earlier in some of your comments, but I just want to double-click on it a little bit. And also something that came out, I think, pretty clearly in the last quarter, was this idea of a favorable competitive backdrop, which I think to your point earlier, drove some healthy displacement activity. I guess the question is, can you just talk about that a little in terms of why is the backdrop maybe a little bit more favorable? And where is that share coming from in your view?

Yes. The 3 primary participants in the VM market have 3 very different views of the world and 3 divergent strategies. So in our case, Tenable believes very strongly in the core VM market and the potential that exists in that core market and right alongside that core market. So unlike competitors which have invested in broadening the portfolio of products they have, Tenable has been doubling down, if you will, on this best-of-breed strategy. So we invest more in VM R&D than our primary competitors combined. We've been doing so over the course of the last 4 years. When you look at the cumulative effect of that type of investment, it leads to a dramatically different product. So if you look back 4, 5 years ago and you asked the Gartners or analysts, you say, they say, all VM products are basically equal. There's minor differentiation on the periphery. I think if you ask them today and what the data tells us today is that they're dramatically different, right? We cover 22-plus percent more vulnerabilities, more enumerated vulnerabilities than our next closest competitor. If your job is to understand vulnerability in the enterprise and you test the products, which they do, and one cover is just detecting a whole lot of stuff that the others aren't, that raises eyebrows. We also drive to Six Sigma accuracy with our products, so fewer false positives, fewer false negatives. That matters in an enterprise. And this manifests itself day in, day out. This week alone, you saw a very high-profile breach. Almost every one, all but one of those tools was already covered in Tenable's vulnerability coverage. If you look at the 33 vulnerabilities that were disclosed in a different disclosure this week, we were already covering those from a coverage model. When you look at the Microsoft patch Tuesday, again, already covered in Tenable's products. So the accuracy, the coverage just lead to a different experience as well as the enhanced analytics that we've been investing in 4 years. So at its core, if your job is to do VM, is to understand risk in the enterprise, we are the very clear solution if you test those products. And so we've been enjoying a very strong backdrop of competitive displacements. And I think as I noted earlier, there's still a tremendous amount of greenfield in this market.

Absolutely, absolutely. Andrea, maybe that's a good segue into one of the things that you brought up earlier, which was the number of enterprise deals here, I think, was the healthiest that you've seen for Q3 historically, and correct me there if I'm wrong. But maybe you can just remind us what qualifies to be an enterprise deal by Tenable's definition? And why do you think there was so much success for -- in deals over $500,000?

Yes. And so when I talked about the Nessus upsell, so an enterprise customer is using either io or sc. So they're using the full platform. And some of the reasons that customers upsell are to get access to the full suite of sensors if they want to scan and also deploy agents. If they want access to some of the other product lines like Lumin, Container Security, WAS, ot, if they want to be able to hook up APIs and connect into their ecosystem and really just bring all of the data together in one place. Some customers that use Nessus have 5 or 10 instances of Nessus throughout the organization. So the platform allows them to bring that all into one place. So an enterprise platform customer would be using io or sc. And the reason we're seeing more and more deals over -- within the 6 figure, but even over, say, $500,000, it plays in line with the story that we've been telling. We just continue to see VM become a much more strategic dialogue within our customer organizations and within larger enterprises. So we're seeing customers come in with bigger initial bytes or coming in and wanting to expand, whether it's expand across the product portfolio with some cross-sell or just expand the asset coverage that they're assessing. So we're seeing both of those trends.

Got it. Got it. Amit, I want to shift gears a little bit and actually talk about a recent announcement, which you -- which I think you sounded excited about, which is a frictionless assessment, right? I guess, open ended question, sort of what is this? And how is it different than traditional -- than a traditional VM tool for cloud workloads? Does that make sense?

Yes, absolutely. So frictionless assessment, one of the things that we pride ourselves on is the continuous level of innovation that we're delivering into the VM market, again because of that best-of-breed focus. One particularly exciting piece of innovation that we've recently announced and released is something called frictionless assessment. Frictionless assessment, in its first iteration, allows us to think and operate differently. Traditionally, when you think of vulnerability management, you think of scanning across the network or discovering assets passively. You think about potentially deploying agent-based technologies to assess those vulnerabilities if you don't want to do it over the network. What we have done with frictionless assessment, particularly in cloud environments, is go through the open APIs that are available to us, initially through AWS and eventually on other platforms as well. And without doing a scan, without installing an agent, to be able to use our 20 years of knowledge on vulnerability assessment and pull data through those APIs and determine the level and location of exposures in those cloud environments and in those assets on cloud environments. And it's really -- well, it might sound like, "Okay. Well, that's a very modest twist on innovation." It is a radically different way of thinking. And when we look at our customers and their ability to assess security of their cloud environments, they're really only touching 15% to 20% of those cloud assets because they're typically critical assets. They don't want to risk assessing them and toppling something over. They don't want to introduce agents, which might impact and impede performance or availability. And so they're really very cautious in those environments. This way, without introducing additional risk, without introducing any performance degradation, we can give them an instantaneous and continuous understanding of their exposures and risk in cloud environment. So it's really a highly innovative approach. We're really excited about it, and we're getting terrific early feedback from the market.

That's great color. That's really helpful. Maybe related to that, Andrea, understanding, of course, that it's early. I mean you said it's sort of first iteration. Maybe broad brush, can we just touch on how the pricing for frictionless assessment could work? And whether this is going to be -- probably just as importantly, whether this is maybe more of a cross-selling motion to existing customers or if this could be more of a door opener to new ones?

Yes. I think the best way to think about it is expansion. So it's not going to be a separate SKU. It's not a cross-sell, but it will help our customers assess their assets in their cloud deployments. So we would anticipate expansion from existing customers and then obviously, just ways that tapping to new customers that are cloud-first or really shifting to the cloud. So it just plays into the current trends of this accelerating transition to the cloud. And from a financial impact, I would think about it as expansion.

I was actually -- just look, I was on a call on Tuesday this week with a Fortune 500 CISO and he said that as of 2016, they moved to an all-cloud strategy. They have 2 colos left, no data centers, 2 colos left, where they have 12 legacy applications still running. Everything else is 100% cloud-based infrastructure. So they've really been leaning in to these cloud environments. And so they're using a competitive VM solution. And he's warming up to Tenable based on the accuracy and the coverage. But when I started describing frictionless to him, maybe he just lit up. So I do think most of this is geared toward an expansion within the existing customer base, but it is a capability that I think can really differentiate us in cloud environments.

That's interesting. That's interesting. Maybe just double down on sort of the theme of cloud security. Just generally, Amit, I would say from the last call, I feel like there was a lot of focus on kind of cloud security capabilities, particularly in your section. And of course, we've touched on frictionless, but I feel like Tenable was probably ahead of its time as well when they started talking about -- when you started talking about container security as well. So can we just touch on container security a little bit? And perhaps what else we could see from Tenable in this area in the future, broad brushes, of course?

Yes. And you've got an elephant's memory when it comes to the road map and capabilities that we've been introducing. So I appreciate the sort of commentary. We've been in this market for a while. Because we have -- we think container security is critical when you're thinking about and talking about how enterprises operate, how they think of cloud. But it shouldn't be taken in isolation. And that's where sort of this understanding -- okay, strong capabilities around container security, how do you integrate with the Kubernetes of the world? How do you understand the exposures that are introduced as the enterprise moves to these short-lived containers? How do you think about the security of web applications, which are more than just kind of the assets that they run on top of? How do you assess security of cloud-based assets and applications? So when you talk about cloud security, our view is that you have to have a much more holistic approach than understanding, hey, just the virtual machine, the container, the web application, the cloud infrastructure. It's really sort of this broad ability to assess multiple assets and asset types which come together and say, okay, this is what the security of our cloud environment looks like. And that's, we think, a very compelling and differentiated offering than what you're seeing in other segments of the market.

Absolutely, absolutely. Andrea, I'd love to maybe pivot to profitability here because -- correct me if I'm wrong, but I think that this is the first year of profitability since the IPO, which is great to see. I imagine a part of this is around prudent expense management during the pandemic, not unlike a lot of other folks in the space. But I think a lot of this has been in the making, frankly, since IPO. And so the question is, can you just talk about this path to profitability and positive free cash flow? And how sustainable do you think it might be?

Sure. No, it's a great question. And I think short answer is it is sustainable. What you're really seeing this year is just the natural leverage in the model. We have said on our calls that there's probably $2 million or $3 million that we have saved as a result of less travel and less kind of T&E related to travel. But we've also learned a lot. We've learned what we can do. I think we've all learned what we can do over Zoom. So we've learned we can sell. We can sell 6-figure deals over Zoom. We can deploy. We can train. We can deploy professional services. So when we get back, whenever that is, we would anticipate we won't go back to the traditional sales expenditure, if you will. So there'll certainly be travel and more travel, and we want to be in person with our customers. But we'll do it efficiently where it's needed. And when it comes to marketing dollars, we have seen great return in some of our new digital efforts, digital marketing efforts. And so we'll continue to focus on high-return marketing. So just as an organization, we found a bunch of efficiencies that we anticipate continuing. So we do anticipate that we will continue to be profitable and that we'll see, on an annual basis, continue to see margin expansion.

And that's -- and part of it is in finding those efficiencies that Andrea calls out. But part of it is just the incredible strength of the financial model, the recurring revenue, the incredibly strong unit economics. And as we've said since before the IPO, this company has been incredibly profitable in years past, has basically organically funded its growth from inception through IPO without a single dollar of primary institutional capital involved. And so the unit economics and the overall financial model are extremely strong. We believe that there's natural leverage here that we'll be able to continue to deliver over time.

Absolutely, absolutely. We've got a few minutes left. I want to touch on one financial question with Andrea and then one sort of higher-level question to take advantage of all the time that you spend with customers, Amit. So Andrea, maybe the question for you. I know the team focuses a bunch on calculated current billings or CCB for short, which has been a helpful leading indicator and I think accelerated to over 20% growth this past quarter, and you correct me there if I'm wrong. But I think the team is also cautioned that it needs to be looked at in context with metrics like current RPO bookings as well. And so maybe the question is, can you just talk about what's captured in one versus the other? I'm sorry, I don't mean to make this an accounting lesson, but maybe what happened in Q2 and where CCB maybe felt like a little bit -- a little different, maybe like a little bit of an anomaly?

Yes. I would say we don't give bookings publicly. And so the closest proxy to bookings or to future revenue growth has been CCB. Last quarter, in Q2, there was a bigger gap than usual between bookings and CCB. And the biggest difference between current calculated billings and RPO is timing, deal closing, timing of deal closing because RPO has backlog. So that's the biggest difference. But CCB can fluctuate based on deal timing, based on early renewals, based on the number of multiyear deals. So there's a few factors that will impact that. And in the context of the pandemic, there's just a little less visibility in some of those things like multiyear deals, and so there was a wider gap in Q2. So in Q2, we just said, look, if you want to get a better gauge of our underlying growth, you can kind of triangulate using CCB and short-term RPO and some other metrics. So I think that's the best way to think about it.

Yes. That's really helpful. Last question here, Amit, a question that we're trying to ask all our management teams. And again, I know you spend a lot of time with customers, so we'd love to take advantage of that. Really open-ended question. And that is, as you speak to customers, what are they saying about their willingness to spend in 2021 on tools like Tenable?

Yes. I think the -- at the highest level, answering this question, the questions that Tenable answers for our enterprise customers is arguably the most important question in technology or in cybersecurity. So technology spend remains relatively healthy. Cybersecurity spend remains strong within overall technology spend. But answering this question, how exposed am I, how at risk am I, how secure am I, we think remains, in just about every CIO and CISO survey, remains a top 1, 2 or 3 priority. So we believe, and our assessment is and what we're seeing in terms of momentum with customers, in terms of continued build of robust pipeline and deal flow, we believe we'll continue to have a very strong position in '21 and beyond.

Got it. Got it. Well, I know I had plenty more questions to ask, but unfortunately, limited time here, but I think we knocked out a lot. I certainly enjoyed the webcast. I hope the folks on the webcast enjoyed it as well. Amit, Andrea, thank you so much for the time. We really appreciate it. And hopefully, we can do this in person in San Francisco next year.

Saket, great catching up with you. Thank you.

Same here. Have a good one, guys. Bye now.