Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

All right, great. Welcome, everyone, to the 49th Annual Technology Media and Communications Conference at JPMorgan. My name is Jackson Ader. I'm software research analyst on Sterling Auty's team here at JPMorgan as well. We are pleased to have the Tenable team with us this afternoon. So before we hop in to maybe any kind of Q&A or fireside chat proper, I just want to remind all the participants and investors, if you have a question, just go ahead and ask right on the portal, and we can get the team to answer it in real time. And then there's also, just a little plug here, there's also a poll that we would like some investors or any kind of feedback on the format for next year and this year and how things have gone. So any feedback that people can provide would be great. All right. Without any further ado, we have Amit Yoran and Steve Vintz with us. Erin, we'll see if we have any questions for you as well, but please, if you guys don't mind, just introduce yourselves and introduce Tenable, and then we'll get into it.

[indiscernible] This part could be better rehearsed. Amit Yoran, I'm the Chairman and CEO of Tenable.

Steve Vintz, CFO.

And Erin Karney, Senior Director, IR.

So if we could, maybe, Amit, if you just want to start with a brief overview of the company.

Yes. I guess the way to think of Tenable is a company which started out and has grown out of the vulnerability management space and foundationally focused on answering the question of how secure am I, how at risk am I for our customers. So there's -- obviously, the security space is large and broad and lots of companies doing all sorts of different things, many in the protection business, putting protections around networks and systems and hosts and data and others in the attack detection, response business, the malware, the authentication business. Tenable is in a slightly different segment of the market. And what we do is assess your compute environment and help identify where you have exposures and what you'll look like from a cyber risk perspective, as well as identify the things that you can do to most efficiently reduce risk.

And does it matter if maybe my IT deployment is in the cloud, on-premise, mix of everything, where does your particular strength lie?

Yes. It does matter as it turns out. And what we try to do is bring a holistic approach to that. So while many companies in our space have broadened into other segments of the market, what we're trying to do is broaden our holistic understanding of what your risk looks like. So certainly, in traditional compute environments, desktop service workstations and cloud-based workloads, DevOps environments, in OT environments, control systems and with respect to your directory services and trying to give you that most holistic view of cyber risk across the compute landscape.

Which -- if you had to break it down maybe into some larger trends, what are the largest trends that are driving your growth now around 20% at this point?

Yes. The single largest is, I would say, broadly, digital transformation. But the larger, the more complex, the faster moving, the IT environment, the greater the risk and the greater opportunity and the more -- the greater value that we can deliver to our clients. So where organizations have rapidly shifted to a work-from-home mode, they have fewer anchor points for trust. Directory services and identity and integrity of their accounts becomes even more critical. They've shifted workloads to the cloud. We're now seeing some users coming back into office environments in some hybrid mode. We're seeing a drive in the adoption of control system and operational technologies. I think the most visible of recent times has been the Colonial Pipeline. But all of the critical infrastructures, oil and gas, power and energy systems, manufacturing, robotics, factory lines, inventory management systems, all of those types of things have been highly automated. And so understanding risk in these highly dynamic environments is incredibly complex in these hybrid environments, and that's where Tenable can really bring tremendous value to bear.

So does that mean -- I mean, if we just think about digital transformation, and you mentioned work from home, now people coming back and things getting more complex just in terms of how people are going to work. Was the pandemic, would you say -- was it a tailwind? Was it pipeline building? Or did you see maybe some headwinds just due to people putting a pause on spending?

I think we shared reasonably well in -- without characterizing it as a tough year. So I wouldn't characterize it as a tailwind for us. We had higher expectations going into last year than we achieved. And I'd say part of that was because of the macro environment, a more cautious spend environment. We had about, plus or minus, call it, 10% exposure to travel, hospitality, retail industries. And so we certainly did have customers that were negatively impacted. And I think the more cautious approach to overall corporate and enterprise spend last year than we've seen in prior years, but we had a strong Q4. I think we reported strong results in the first quarter and believe that we're very well positioned to continue to show growth as the market rebounds and the cybersecurity plays a more important role in enterprise decision-making.

Yes. Actually, just following up on that, Steve, if you don't mind. So the I think that there was -- the fourth quarter results, strong; first quarter results, also strong, but maybe the guide for the full year 2021 was a little bit disappointing. So I just want to talk about, was there a material shift between what you had seen entering the year versus what actually ended up happening in the first quarter on the demand side? Well, looks like, Steve, I think you're still on mute.

First and foremost, we had a very good print to the quarter. I think we couldn't be more pleased with the start to the year. In Q1, we grew CCB 20%, grew revenue 20%, deliver sizable beats relative to our expectations on the top line. As well as the bottom line, where EPS came in about $0.08 better than expected, and delivered $38 million, almost $40 million of cash flow. And if you look at cash flow over the past couple of years, in 2019, we burned $30 million of cash and in 2020, we generated $40 million of cash. Then come out in Q1 and put $40 million, almost $40 million of cash, and delivered that in the quarter. It really speaks to the compelling cash flow characteristics of the business. In terms of demand, we saw strength across the board, both domestically and abroad. And you talked about the outperformance in the mid-market where we're seeing good evidence. There's pent-up demand, and customers are increasingly turning to digital transformation. And resuming them, not with a security-first mindset, where those -- the investments in innovation are going firsthand with the investments in security. In terms of the guidance, if you look at last year when the pandemic first surfaced, I think we grew CCB 13% in Q2. We talked about some timing differences of how deals get invoiced. CCB growth between the 2 quarters, Q2 and Q3, was about 17%. In Q4, we delivered 20%. So going into the year, we didn't really know what to expect. Is that just a seasonally strong fourth quarter, with the strong expansion rates and new business, will that continue. So we resumed guidance for the first time on our fourth quarter call, and it demonstrates the increasing confidence we had in the business. So to come back and follow that up in Q1 with not only the beats, but also flow through the beats for the year, deliver a raise for the year, felt really good. It gives us a really strong start to the year and it prepositions us well for even greater success throughout the year.

Anything to call out in terms of seasonality that might be a little bit different in 2021 versus 2020?

I think for now, we would expect to follow the same seasonal patterns that we saw this year than last year. Each quarter is different and unique in its own right. One thing I will say is that as the pandemic has started to abate, we're seeing good demand across the board. We weren't a primary beneficiary of COVID, right? But we also believe that we could be certainly a secondary beneficiary, given the secular tailwinds of proliferation of assets, with the expansion of the attack surfaces, more devices and different kinds of assets come online. But the one -- the final point I'll make here is that demand is still very much and can be lumpy across the board. It's not even in all theaters and all geos. The good news is we sell in 160 countries and have feet on the street in 30, so it gives us a very balanced business.

Just following up again on that first quarter, I mean, Amit, any particular products that you want to call out? I think there was talk about Lumin really gaining some traction there to start the year. But anything else to elaborate in terms of product adoption?

Yes. I think one of the notable things about the first quarter was the strength of the cross-sell of various product lines. I think we highlighted a significant OT win or 2 on the earnings call. We also saw and are seeing very strong traction, early traction with our Tenable.ep, which is the enterprise platform. So that would include the container security, the web app security product, the Tenable.io product in a more holistic approach to assessing cyber risk, especially and specifically in cloud environments. So we're seeing strong -- I think it was our strongest quarter of cross-sell products, and I think an increasing recognition in the customer base that if they're going to really understand cyber risk, they have to think about it more broadly.

So when we talk about OT, the operating -- or operational technology, it's -- something like the Colonial Pipeline, does that just bring the OT security space right into front and center, maybe even more so than some of the other high-profile breaches that, like a SolarWinds that comes to mind?

Well, it certainly does highlight the OT conversation. And there's been a number of things kind of building up to this or which have happened subsequent to the Colonial Pipeline breach as a couple of high-profile water systems, which were shut down because of OT breaches. Colonial Pipeline was actually a piece of ransomware, which attacked the IT environment of the company, compromised their active directory servers, and were impacting them from a ransomware perspective when the corporate leadership decided to shut down the pipeline proactively and as a safety precaution. It highlights the incredible level of interdependency that exists between IT and OT and also the dramatic impact when you have a cyber event or an event, which impacts the OT environment, right I mean we're all sitting around 40 cars deep waiting for gas on the eastern seaboard. We've seen an increase in awareness and demand, increased conversations around the OT product, but it also highlights, I think, Tenable's strength, the ability to assess both IT and OT and also has seen -- we've seen some very swift government action, the recent executive order around power and energy systems, assessing vulnerabilities risk and incident reporting. We saw yesterday a story in the Washington Post that DHS will be releasing some rules, mandating transparency for breach reporting and assessing risk around the oil and gas pipeline. So these things bode well for, I think, our position in the OT market and broader spend in cybersecurity.

Yes. Actually, it's funny. So Sterling and I were just talking at lunch about what the executive orders might mean for the security space. And it sounds like there could be a direct benefit, or you could drop a direct line from some of the conversations of the executive orders that are coming out and Tenable's pipeline, right? Well, no pun intended, but in demand for your products.

I think that the intent of the executive order for sure is to better protect the American people in these critical infrastructures, which are inadequately protected today. And to a large extent, the owner operators of these environments don't have a full grasp on what those environments look like and how they might be susceptible to cyber breach. So there's an important activity in that executive order to help better protect Americans, and we feel like Tenable is well positioned to provide a meaningful piece of assistance in that end.

So I want to talk a little bit about the government vertical in a second. Before we get there, I think, just laying some of the groundwork in terms of the go-to-market strategy. And we haven't touched on competition yet. So maybe we'll speak first about the go-to-market strategy and how it's evolved over time, and then we'll touch on competition before going to verticals.

Sure. Sounds good. And so we're an enterprise software company, about 55% of our revenues come from large enterprises. And so as a result, about 25% from mid-market customers. And we do have a portion of our business that comes from smaller customers. And we think about our go-to-market model and how it's evolved over the years. We've added a lot of sales capacity over the years. Years ago, we had a handful of sales reps in a small number of countries and a handful of channel partners. And so over the years, we've done 2 things. Number one, we've added a lot of sales capacity. We've gone into new markets, but we've also made the commitment to the channel. And the channel has been instrumental in helping us tackle new markets and take down share in a market that continues to grow and unfold. Years ago, 20% of our business was channel and this year, it's much, much higher, dramatically higher. We think directionally, that can be over 50%, and and even approximate 60%. Distribution matters in a market like this in security where there's tens of thousands of security companies calling on the largest enterprises. We also have made investments in the sales force. We work shoulder to shoulder with the channel, but we sell directly to the end user, and we continue to add sales capacity, and we'll continue to do so. If you look at sales and marketing spend, and Q4 ticked up sequentially in the first quarter, it was also up as well sequentially. And so we'll continue to add sales capacity. We'll continue to optimize and hone the channel, which really makes a difference in a market like this. And even things like MSSP are still new routes to market for us, made changes to the product. MSSP is one of the fastest-growing areas of our business. It's only a couple of points of revenue for us today, and we think it could represent, certainly, well over double-digit percent of the business, and it's still early for us.

Yes. I'm glad that you touched on MSSP because -- just what are the required changes that you needed to make to the product in order to enable the MSSP channel for you guys?

I think there were some very -- some of them, very basic improvements, enhancements and feature functionality and others more longer term and more enduring. Certainly, introduction of additional APIs, a lot of MSSPs, especially some of the world's largest telcos and managed security providers have portals, have data analytics and data mining tools and technologies that they use. And we want to make sure that the data sets that we're exposing are available to them to do that. Things like creating account access for their analysts to look through and across multiple customers, the data sets without logging in and logging out of the system. It's just a lot of workflow enhancements, a lot of work, a lot of data, API types of things, creating portal back end integration infrastructure to the MSSP's environment, changes in pricing and billing types of practices. So it's just a pretty broad set of enhancements and we feel like, at this point, will probably provide the leading technology or the technology that certainly is most attractive to MSSP partners. We have over 350. I think we made an announcement earlier in the year, about 350 MSSP partners and many of them large and fast growers.

So is the growth strategy there just about adding more MSSP partners? Or is it just -- is it -- now you have the marketplace covered and you have the blanket out there and now it's just time to grow within those partners?

We feel like we've got the technology base that's required to win at this point. And while we have many of those very attractive service providers, our sales team is very focused on landing additional ones, and it's really to focus our energy and efforts on the ones that are very deep in security and are looking to add the most value to their customer base because we are leading with value and not price. And those which have the deepest and most significant relationships in the large enterprise segment, where our products can differentiate themselves through accuracy, through coverage, through flexibility.

Steve, any financial impact from kind of diversifying the sales force into MSSPs and the channel partners that we should be aware of?

No. None. Go-to-market motion is fairly similar. So with the unit economics, the deals are slightly higher and sales cycles consequently, too. But this has been years in the making for us, and we're excited about the opportunity, long term, and I think we're positioned well for continued success there.

Competition, we haven't touched on it yet. Who do you got up against in the different segments that you compete?

Well, most regularly, we -- the 2 primary competitors are Qualys and Rapid7. It's been fairly consistent over an extended period of time. Probably Qualys, more frequently in the large enterprise segment. The 3 companies have very different approaches to the market, where ours is a very focused, best-of-breed approach, looking at enterprise customers and doing a tight level of integration with other market-leading pieces of enterprise infrastructure, things like SolarWinds -- I mean not SolarWinds, ServiceNow and Splunk and BigFix and things like that, whereas our competitors have chosen a broadening strategy, so building a more unified suite of technologies, which might include logging and SIM and managed security services and patch management and ticketing and things of that nature. Our view is in the enterprise segment, they've already made bets in those spaces, have already selected best-of-breed things and our customers drive more value through our openness and our integration. And having better capability as a best-of-breed provider.

So we actually got a question here from the audience, just following up on competition. Can you please discuss the Cisco Kenna security deal and how Kenna competes maybe with Lumin?

Yes. It's a great question. Kenna provides a bunch of risk analytics on top of security data as does Lumin. So there's an overlap in, I don't know if I'd call it a 40%, 50% overlap, it's something of that nature, where we're driving a bunch of very sophisticated analytics on top of the exposure data that we've identified. And based on the exploitability of vulnerabilities based on the criticality of assets, based on the availability of exploit code and what threat actors are doing, can really prioritize what issues need to be addressed to reduce risk for our customers. Kenna is not quite as deep in the analytics around vulnerability data. They certainly do it. They've broadened into and also look at application data at source code data, source code analytic tools. And so they're taking a, not as deep, but a broader approach to this challenge. We think we compete favorably with Kenna in many instances. There's other instances where Kenna certainly has attractiveness to -- in the market. I think, personally believe that Cisco's move signifies the criticality of assessing and understanding cyber risk to the enterprise, and Tenable is the leader in that space. And to the extent that they're successful selling Kenna in the market, it is -- Kenna consumes a tremendous amount of vulnerability information in order to fuel its analytics. So I think that can bode well as a potential tailwind for us as well. So I think it's -- overall, it indicates the attractiveness and health of the market opportunity.

Any thoughts on whether you think that these kind of more point solutions being acquired by bigger, broader security players might continue? And if it does, do you think that, that benefits Tenable?

Yes. It's a hard question to unpack with lots of twists and turns to it. I do think that we'll continue to see consolidation in the security space. We have a lot of startups, perhaps an unsustainable number of startups, where funding is readily available at sometimes illogical levels from venture sources. And I don't think that's sustainable. Those are sometimes features, not products, or in some cases, products, not companies or certainly not markets. So you'll continue to see, as Tenable has expanded, integrating a platform of cyber risk assessment technologies into a platform and the understanding of how these technologies can create cascading impacts from a risk perspective, from an attack path analysis perspective. You'll continue to see other security vendors making acquisitions and including capability in their portfolios. Our approach is best-of-breed in assessing, understanding cyber risk.

And you, yourselves, you've made an acquisition earlier in February, and you brought up the active directory with the Colonial Pipeline. So you made an acquisition in this active directory space. Can you just give us a little background on what you bought and why?

Yes. And this is one of the most exciting acquisitions that I've been part of in 25-plus years in cybersecurity. So we acquired a company, which is laser-focused in assessing the security of active directory environment. So when you look at an enterprise, almost all enterprises rely on Microsoft Active Directory for directory services. It's the repository of account information, user information, how those users authenticate, what they have access and privileges to, what groups they're part of and so on and so forth. And so it plays an absolutely critical role in cybersecurity. And in an environment where you have work from home, where you have a shift of workload to cloud environments, you don't have the traditional perimeter around your network. You don't have the traditional controls that you can rely on. You have fewer anchor points for trust. And one of those is absolutely user population and directory services. So it has become arguably one of the most critical foundations for cybersecurity, and woefully underappreciated or underserved. So when you talk to CISOs, you'll ask them how concerned they are about active directory. And almost every single one of them will say, "Definitely concerned, it's a top issue for me." And you're asking what they're doing about it, and they'll say, "Well, we just don't have good solutions. So we'll -- we had a consultant come look at it," or something of that nature. So the Tenable AD technology allows you to accurately assess the integrity and the configuration of your directory services and also allow you to provide ongoing monitoring of those directory services for indications of compromise, whether someone is trying to create escalated privileged accounts, backdoor accounts, move laterally within the organization. So just a key strategic opportunity for Tenable.

Any impacts on the financial profile, Steve, from this particular acquisition as we move through the rest of the year?

Yes, that's something we talked about out of the gate when we announced the deal. But we expected to add approximately 2 points of growth for the top line, both in CCB and revenue. And in terms of the OpEx, we said $15 million to $20 million for the remaining stub period of the year. Less impact from a cash flow basis because they do have an annual prepaid subscription model, we collect it upfront. But overall, we feel really good about the opportunity and also the prospect of driving growth here long term, given the heightened threat environment and some of the market pull that we're seeing, certainly a conversation starter that we're having with a lot of customers and a lot of partners. And probably that contribution, more, is back half of the year as we begin to integrate and work more closely with companies.

Sure. Makes sense. We just got a follow-up question on the acquisition from the audience. How does the product compete with sale point?

I guess there's some competitive overlap with SailPoint. SailPoint is very focused on active directory and providing the identity access management governance, the items within the environment that those accounts have access to in Tenable, our [ e-solution ] certainly provides that. We also provide a thorough assessment of how the AD infrastructure, in addition to the user accounts, how the AD environment itself is set up, with respect to trust relationships and hidden accounts and service accounts and things of that nature as well as the attack detection component.

We haven't really talked about the government vertical just yet. So where is it currently in terms of the mix of the overall business? And then it's one thing to have a positive stance from the administration, but it's another to actually have an executive order on the books. So yes, just curious where we stand now in terms of that [indiscernible].

Yes. Federal broadly accounts for, call it, 14%, 15% plus or minus of our business, and that's been fairly consistent over time. We have a position of strength in the Federal market. I think you'd be hard-pressed to identify a department or agency, which doesn't use Tenable in some form or fashion for its security assessment requirements. But still a lot of expansion opportunity in that, where we may be only helping them with certain data centers, certain applications and don't provide yet a comprehensive coverage. So the early -- in the early innings, looking at the administration's forward-leaning posture on cybersecurity, certainly, are encouraged. I think the executive order highlighting CISA as part of DHS and the CDM program, of which Tenable is a critical component, as an area for targeted for additional spend or are very positive indications, along with the attention to OT technologies that we mentioned earlier. So we believe that there's strategic opportunity for us to expand in the public market and in the federal segment. That said, a lot of these are programs that just require time. It's -- many of them are multiyear dollars. You have key leadership that is not yet in place. I think Jen Easterly, the head of CISA is, this week, going for confirmation by the Senate this week or next week. So a lot of those key leaders are -- have yet to be put in place, identified and have yet to be confirmed and put in place. They have to evaluate their programs and target the spend and the multi-year nature of the activity. So I don't think it's a this quarter type of thing, but it's certainly -- these are all very positive developments that could bode well for future growth.

Is the go-to-market motion there different from the rest of the company? And do you feel adequately staffed to kind of capture any additional demand that might come from things like from these trends?

It's the same go-to-market motion. We have a theater that's entirely devoted to public sector as well as state and local. And we feel like even though we have a sizable footprint, we serve most federal agencies, we do feel like that there's a lot of tailwinds here potentially at our back. Also, our proximity to DC doesn't hurt either as well, and we have close conversations with White House and other people at the highest levels and continue to play an active role on the hill. So all told that we've been set up for success here, and it's still very much a sales effort as well as a joint relationship with the partners and the distributors that matter in the public sector.

So only a couple of minutes left, but just briefly, can we talk a little bit about investments that you've made in your own infrastructure in the public cloud and how that might impact the company going forward?

Yes. Well, first and foremost, we have very high gross margins. They're over 80%, and they continue to track better than expected. We launched Tenable.io in 2017 and in a very short amount of time here, have quickly become one of the fastest-growing areas of our business. And it's not just IO, but it's also other cloud-based products here, which are web applications, container security, Lumin, things along those lines. So I couldn't be more pleased with the -- with how some of the cloud products are performing. On the back end, what we're doing is spending more to create more interoperability between our IO platform and SC. The fact of the matter is that most customers have a hybrid compute environment, they long-time deployments, they have worked closely moving to the cloud, and we're one of the few companies that can serve them effectively in that regard. And also we collect and adjust a massive amount of data. So we have a sizable data like here, where not just VM data across traditional assets, but also modern asset types and also investing more to continue to go deeper and provide more analytics and more insight to customers, answering the question, how secure are we in assessing risk holistically.

Got you. All right. Well, guys, we are up against the clock here. Thank you so much for doing this. This is great. Really appreciate it, and thanks to everybody in the audience for listening and participating.

Thanks for having us, Jackson.

Thank you, Jackson.