Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

Thank you for joining us today for our inaugural Investor Day. My name is Erin Karney, and I'm Head of Investor Relations at Tenable. Since our IPO 3.5 years ago, the world has changed in so many ways. We certainly do not imagine that our first Investor Day would be virtual. We have achieved several milestones, and our platform continues to evolve in many ways to serve our customers. We are excited to share our updates with you today. In addition to hearing the familiar voices from Amit and Steve, you will hear from some other Tenable leaders that have made tremendous contributions to our success. Before we get started, I want to do a quick overview of today's agenda. We will have 4 approximately 25-minute presentations: a business and strategy update provided by Amit Yoran, Chief Executive Officer; a product review by Nico Popp, Chief Product Officer; go-to-market update by Mark Thurmond, Chief Operating Officer, and Dave Feringa, Senior Vice President, Worldwide Sales; a financial overview and outlook by Steve Vintz, Chief Financial Officer. After the presentations, we will conduct a question-and-answer session. There will be 10-minute breaks between each presentation and between the last presentation and Q&A. [Operator Instructions] As some of you know, our vendor for our event experienced outages this morning related to a broader AWS outage. We have no reason to believe this will occur again, but on the off chance it does, we will continue to record this session for replay. We will subsequently follow up with the question-and-answer session at a later date. Before I turn the call over to Amit, I want to remind everyone that we will make forward-looking statements during the course of these presentations, including statements relating to Tenable's expectations regarding long-term growth and profitability, growth and drivers in Tenable's business, our competitive position in the market, growth in our customer demand for and adoption of our solutions, the potential benefits of our acquisitions and planned innovation and new products and services. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. And with that, Amit will kick us off.

All right. Excellent. Thank you. Welcome. Tenable, obviously, we're very excited to host you for our first Investor Day and share more insights into our business and strategy. Next slide. All right. Well, we're jumping through. My name is Amit Yoran, I'm the CEO of Tenable. I've been the CEO since January of 2017. Prior to Tenable, I served as the President of RSA, the Founding Director of the US-CERT program and have been in the cybersecurity space for 30 years. I want to talk a little bit about our performance and sharing some insight into what we've been up to and how we've been performing since our IPO. We've obviously expanded in scale. Our customer base is up almost 50%. We now have more than 35,000 customers at Tenable. We've expanded our partner ecosystem, including an extensive distribution network, and we've expanded sales, surpassing $600 million in CCD by year's end. So extremely excited about our expansion and how we're extending our technology leadership over the past few years. We've really secured our leadership position in the vulnerability management market. We've developed more holistic unified exposure platform, ability to solve more pain points for our customers and their use of technology. We're going to talk more about that shortly. And we continue to deliver impressive results, including strong growth with CCB and revenue at more than 25% CAGR, and achieve impressive profitability, including free cash flow, almost a year earlier than previously anticipated and discussed at the time of the IPO. Next slide. So Tenable is the industry and market leader in vulnerability management. And I don't think anybody that uses VM products, tracks the VM market, participates in the VM market would contest that by just about every single measure possible. Nessus has been the gold standard for assessing system security and vulnerabilities, and it remains so. This year alone, we've had over 1 million downloads of Nessus. So it was ubiquitous and probably one of the most beloved products in the security space. It continues to move the needle. It continues to be very aggressively adopted and embraced across the community. We continue to lead the market by a long country mile in terms of coverage of different types of vulnerabilities, the accuracy of our assessments, the time to market for developing new checks as critical new vulnerabilities emerge, and I'd say the user community recognizes and appreciates our leadership. Over the last couple of years, we've averaged over 360 new customers onto our enterprise platform per quarter, the more than 35,000 customers we have. If you think about VM as identifying, classifying, prioritizing, mitigating misconfigurations that can be exploited across an environment, Tenable is the absolute market leader by just about every stretch and dimension. If you go to the next slide, I can say definitively that it's not only users in the VM community that believe that, but pretty much every single market analyst and market analysis has us as the market leader, whether you're looking at Frost & Sullivan, Gartner, Forrester, IDC. So regardless of who you talk to, customers, partners, analysts, anyone in and around the VM space will tell you pretty much the same response, it is Tenable that has really differentiated ourselves as the market leader. So we're the best-in-class at finding assets, identifying how those assets are configured and how and where they're vulnerable, and prioritizing those vulnerabilities and exposures and guiding our customers on how to best manage risk. If that is your mission within the enterprise, then Tenable has differentiated itself as the market leader in the product to use. If you go to the next slide, we'll talk a little bit about Log4jShell, right? This is a severe risk to the entire Internet. Like we've been talking about this basically over the last 4, 5 days since it was released as the Internet Fukushima. So let me tell you a little bit about Log4jShell because I think it's a great case study and analysis on the strategic importance and value of what we deliver as a company. So Log4jShell, simply put, it's a remotely executable vulnerability which gives an attacker full access and gives them full control of the system that they attack. It's extremely easy to exploit. It can happen over a ton of different attack vectors. So 4 different characteristics that I have been highlighting for folks is that, look, Log4j is absolutely pervasive. It's all over almost every single infrastructure and environment. It's how systems, modern systems, log today. And it's not only ubiquitously used in infrastructure, it's embedded in all sorts of different applications. So on your infrastructure, you can find it and fix it, if you're diligent, if you're proactive. And if you're using applications which have developed -- been developed using Log4j, then you've got to wait for those vendors to update their software before you can -- and self-select say, "Hey, we have this issue", then you can look for that issue, you have to update their software and then you have to go about updating, patching, fixing all of these different applications which have Log4J vulnerable versions embedded into it. So this is a very serious issue. It's remotely exploitable, it can take control of systems, and it is absolutely pervasive in infrastructure and in applications. It runs -- Log4j runs in Java, right? Think about that for a minute. It means that it is the perfect payload. It is portable across heavy equipment, across network servers down to printers, to your kid's Raspberry Pi. It works on Java, which means it works everywhere. And oh, by the way, Java has been like the #1, #2 most popular development language for the last [ 20 ] years. It runs everywhere. So this exploit -- the vulnerability is pervasive, the exploit runs on basically every system you can imagine. The third point is that systems don't have to be Internet-facing or accessible to be compromised, right? Think about a web server or a mail server. They're going to log activity. And even if they aren't running Log4j, right, they're going to pump the logs to a system that is that's analyzing those logs. That's creating business intelligence from the logs that are generated or being used to troubleshoot. Our performance monitor, all sorts of different -- if data is important, infrastructure are using Log4j. So even if they're not Internet connected, maybe the system collects the logs and then it will offload them in some periodic basis or stream them to a logging server, which could be, and probably is, internal. And so boom, even though the internal system isn't accessible, that exploit will still work. And if you think about that, it's easy to imagine in a web server or mail server, think about it as a modern application, right? Modern applications are hyper-distributed with lots and lots of micro services running all over the place and logging to different places. And so this issue is a real mess. And what I can tell you is that absolutely nothing to block it, right? There were some early claims or level of excitement. We'll just throw a web application firewall or a next-generation firewall and it will block it. Unless you're going to block all Java, which is not practical because it will break just about everything that you're doing as enterprise, you can't block it. It's not going to be blocked by your WAF, by your next-gen firewall, by your XDR, and it's not going to be found by those systems either. Maybe they'll find a local version, but in a complex mesh environment of micro services, the only way to do that is using your vulnerability management solution with the remote checks. And so this issue has really highlighted the importance, the capability that Tenable has been delivering for 20 years and is the absolute market leader. So in the first 24 hours, we released checks. What I can tell you today is that only primary VM vendors are able to find Log4j on systems remotely in these complex architectures other than just the kind of very simple use case of, hey, it's running on my particular computer or not. So the distributed nature of this vulnerability is, I think I would say typical, but it highlights why this type of function is complex and critical. At this point, we're finding between 1 and 3 vulnerable systems per second, so this is a big issue. And even if you can block one aspect of it or one part of it, we know, based on decades of experience, is that this is going to morph aggressively, right? We already have more than 9 checks. We're constantly looking for new methods for expectation across various network protocols. And so this is going to be an issue, which is going to be with us for a long time. And by the way, as I said, it's not just finding the logging infrastructure, it's embedded in applications. So as we've led this market for decades, we have the relationship so that each and every piece of software, every software vendor, when they self-report that we have Log4J or we don't have Log4J, or this version of our software is vulnerable because of this version of Log4j, we auto-populate those checks and we build those profiles so that our customers don't have to go have a complete bill of material of every library, every piece of software in their environment. We're automatically building that and pumping it to their sensors, to their scanners, so that they can identify every single piece of software as it -- as those vendors release new versions or update their software and say the previous version was vulnerable. So I think this is highlighted why Tenable is an absolute primary response tool and a critical response tool in time of absolute crisis for the Internet in every single enterprise customer out there. So with that, I'd like to thank our Investor Relations team for drawing up this great example of why best-of-breed and absolutely VM matters on the weekend before our Investor Day. So thank you, Erin. Greatly appreciate it. Next slide. So I won't spend a lot of time on this. Customer use of technology has exploded, diversified in all sorts of different ways and all sorts of different capabilities. And all of these different compute types introduce vulnerabilities, risks, and they're all interconnected. Go to the next slide. Can't be a security company without a lot of headlines. But I think the thing to note here is these are not just IT breaches. There's all sorts of other stuff out there. Businesses now recognize that all of their use of technology, OT, cloud, all of these things are susceptible, are vulnerable and they need to understand and they need to apply their VM discipline to these other areas of compute. And that just becomes a very natural motion for Tenable and for our customer base. So with that, we can go to the next slide. So starting with OT. We're the only vendor that provides complete understanding of IT and OT converged environments, with that deep understanding of exposure and risk. So these -- if you're running an OT environment, an operational technology environment, a factory floor, an assembly line, an automated inventory management system, a pipeline, these systems are not stand-alone 100% OT. Their factory floor has lots of OT. And by the way, it also has lots of IT completely embedded and meshed into that environment, so this is a critical issue. We've seen lots of outages in the OT world, we're going to see lots more of them, perhaps even as a result of Log4jShell. And Gartner and the analysts are seeing it, right, 50% of enterprises are expecting to substantially increase their spending on OT security in the next calendar year. This is no longer a nascent market, which is how we characterized it a few years ago. I think there's more and more focus on OT, on prioritization and understanding cyber risk in those environments. Which, by its nature, has to complete that -- have that complete understanding of OT and IT. So we're seeing lots of momentum in our OT business. And as the -- I think the picture there highlights, we're recognized as an absolute market leader in the OT world. And what I'd say is if you look at all these examples, you can't secure OT in a silo, right. Think about the high-profile examples like Colonial, JBS, those were IT attacks which shut down OT operations. If we go to the next slide. We've extended our capabilities into Active Directory, right? This is the VM use case, as we've done for OT, into Active Directory in securing digital identity infrastructure. Active Directory is ubiquitous, 90-plus percent of enterprises rely on Active Directory as their source of ground truth for identity and directory services. It's critical -- it's even more critical when you think about work-from-home environments, when you think about cloud environments, where you don't have all those anchor points for trust. It is the #1 target. Active Directory is the #1 target for ransomware and hackers, right, think about any piece of ransomware that you've read about over the last couple of years, think about the Mandiant breach. Attackers absolutely go after AD as the first target. Why? Because they want access to the data, which means you have to have more access, which means you have to have an account that has access, and they want persistence. They want to be able to get back into an environment when you discover them. And in order to do that, they want to create additional accounts and back door accounts. The AD is woefully underserved, 86% of enterprises are expecting to increase their spending on AD security in the coming years. So a terrific market. We are -- have the absolute leading technology. And again, it is something that can't be secured in a silo, you have to understand AD security in the context of your broader IT deployment and vice versa. The IT around the Active Directory, which will dictate and contribute to your understanding of AD security. If we'll go to the next slide to talk about our cloud capabilities with Tenable cloud security, right? We've been a leader in VM, and we've been a leader in cloud-based VM for years. Cloud-based capabilities require web applications scan, deep understanding of containers. We've had cloud-native connectors. And recently, we had introduced Frictionless Assessment. A lot of momentum building in our work with customers to help them assess their client environment. Recently, we extended our investment into code, into understanding Kubernetes posture management into understanding security posture management. But when I say into code, let me give you a little bit of context for that. So people like to say cloud, but there are multiple generations of cloud at this point, right? The first generation of cloud was basically taking your hardware environment, virtualizing it and moving those virtual machines, those virtual networks and load balancers into the cloud. It was very much traditional IT virtualized and executing in the cloud. And that's where our cloud-native connector where our Frictionless Assessment and ability to assess in the cloud I think was and remains market-leading. In the second generation of cloud, right, people are defining their systems, their networks, their load balancers, their entire environment, and they're defining those in code and in script, right? They're defining infrastructure as code. That opportunity allows Tenable to get into the build process to help identify issues before they're deployed. It allows us to define as we do now with the Accurics acquisition remediation as code and check it into the build process so that we can prevent these problems from ever occurring and enforce policy and security as code. So our purview and our ability to help customers in this infrastructure as code and cloud-native world is even greater than it has been in the traditional cloud environment. So as we build out our full portfolio of cloud capabilities, it takes us all the way from the far left, from building and assessing vulnerabilities and fixing them at time of production, all the way through the far right, where we're discovering assets. We're identifying their misconfigurations. We're fixing those assets across that entire life cycle. We're identifying drift from how those assets were originally set up and where they're exposed. So we're taking that core expertise, the decades of experience that we have, the market leadership that we have and applying it to the entire life cycle of cloud capabilities. So as security teams are looking to assess risk across this full service of cloud capabilities, Tenable becomes the natural place to go to because it's not just in the code development piece, we can really help them understand risk across that entire portfolio. And by the way, that portfolio is impacted by the systems connecting to that cloud. And again, Tenable is a leader in assessing those systems as well. So if we'll go to the next slide, talk a little bit about Tenable and the evolution from VM to a full cyber exposure platform, right? Our conviction stems from being the market leader, and many folks from pre-IPO have been asking us, well, you're going to go into that market? And are you going to go into this other market? And I said, no, we believe we have very strong conviction in our vision and where and how the world is evolving to. So our conviction stems from being the market leader in assessing system risks, measuring, discovering assets, assessing their configuration, their integrity, identifying the vulnerabilities they have, taking those massive numbers of vulnerabilities and problems and prioritizing what are the things that matter most to our customers and how do we focus them on addressing and mitigating and assisting in the mitigation of those risks. And we are absolutely the leader, and that customer need to do this in the broader context, in their new operating environments, continue to drive our vision and our transformation from a bunch of siloed capabilities from VM and Active Directory and OT environments into an integrated unified workspace, right? If you want to assess cyber risk, if it's your job to assess cyber risk for the Audit and Risk Committee, for the CSO, for the CEO, for the Board of Directors, Tenable's EP platform not only leads the market, it's the only platform in the market today that can help you understand cyber risk in the broader context of your business. So it's easy to see how our vision and our capability and our market leader in vulnerability management for assessing and addressing cyber risk historically are evolving naturally with our customers into these new environments. If you go to the next slide, talk a little bit about our addressable market. It's something that we've also probably had many conversations about over the past few years. What does it mean from a TAM perspective? Yes. Since the IPO, as we said, as we committed, we're focused on the VM market. We are winning in the VM market and believe that that will remain the case, and that many people underestimate the size and the growth rate of that market. But most importantly, the strategic nature of that market. Think about the Log4J example. Time of crisis, people turn to their VM solution. Where does this exist? Are we at risk? How at risk are we? Where do we need to prioritize fixing this? And it isn't just this weekend. This is, as I said, the long tale of Log4J has one simple example, the long tale how this is going to impact enterprises with new announcements from all sorts of software vendors that their software was vulnerable or creates vulnerabilities based on them assessing their own code, and that's helping to identify where they have to fix it. So this is the strategic market for helping us and allowing us, enabling us to tap into all of these other high-profile, high-growth markets where we can help folks in their assessment of risk and identities, in their identity and digital infrastructures, in their cloud-based environments and all the critical assets that they're putting there, in their OT environments, their operational technologies in their core mission-critical activities. And the growth rates of these markets will vary from mid-teens to high 30s. But ultimately, these provide us a lot of conviction about the approach that we've taken, our leadership in VM and how that naturally allows us to tap into these additional market opportunities, some of which can even be significantly larger than the traditional VM market. We'll go to the next slide because this is probably the one thing that I really want to highlight. If I can leave you with one single thought as an investor and analyst, it's that the world of the CISO doesn't work like you think it does, like that diagram on the left. The diagram on the left with all these different neat little boxes that are elegantly stacked on top of one another, that's a view of the world that vendors have concocted, that IT vendors and security vendors have concocted, right? Because we, as vendors or software developers, are trying to solve a discrete problem. You can't fix everything, so let's solve this one problem for our customer. When you look at things under a telescope, right, whether it's IT, OT, web applications, you're looking at things through a very narrow perspective. The cyber world, right, as many people are realizing today, looks radically different. It's a complete mesh. In many ways, it's a mess. You aren't looking at those neatly stacked boxes, you're looking at all those capabilities through a kaleidoscope, right? So we have zero doubt that we're not only building and recognized as best-of-breed technologies in literally every single segment of the expanded TAMs and markets that we're operating in and recognized as leaders in those with best-of-breed capability, we're bringing through our platform, due to the fact that we operate in all these different segments, we're bringing more data together and more accurate and better data together than anyone else. And only we can deliver, only Tenable can deliver on this unique value proposition. So the one thing that -- the thought that I would leave you with is, if your question is how at risk are we, where are we at risk? How can we most efficiently reduce that risk? Then you're asking the same question that our 35,000 customers have been asking and turning to us for and that same exact use case. And we believe in the strategic nature of that question and use case, and how it is expanding in our ability in a unique and differentiated way to answer that question is both best-of-breed capability and the only unified platform that allow people to address it. So with that, I'm only slightly over, Erin. Over to you.

All good. Thank you, Amit. We will take a 10-minute break, and then you'll hear from Nico Popp, Chief Product Officer. Thank you all. [Break]

Wonderful. Hey. Welcome back, everyone, and good afternoon or good morning. Let's talk about product. So who am I? Nico Popp, I'm the Chief Product Officer. I've been on the job a little bit less than a year, so somewhat new, but not really new to cyber, right, 20 years in cybersecurity. Notably, I was running the data protection and cloud security franchise at Symantec prior to Tenable. Super excited to be here today to build on some of the ideas, some of the strategy that Amit presented before. In fact, I'm going to talk about the 3 mega opportunities ahead of us and provide maybe more detail. So opportunity number one, this idea of extending VM to the always extending attack surface, right? I call it VM everywhere, big opportunity. Number two, cloud security at a time where cloud security is shifting to the left, a big industry trend. We think we have a special role to play in cloud security, so I'll develop on that. And then the third opportunity, last, certainly not least, right, this idea of transforming Tenable into a data analytics platform. So where do we go? Let's start with the first one, VM everywhere. I want to start with the problem. If you are a CISO today, right, one of your main concern is this idea that the attack surface keeps expanding. And so the question -- the Tenable question, how secure are we, is still a very powerful question. It's just it's getting more and more difficult because it's a very -- it's a really multifaceted question. If you think about it, it used to be simpler. All you have to answer is my traditional on-prem data center, my traditional IT infrastructure, is it secure. And then COVID, some of these [ light-up ] went home, a lot of them did, now is my remote workforce secure. And then we have public cloud now. In fact, we have 2 or 3 public cloud because we want to have a multi-cloud strategy. So is that cloud secure? I think you realize quickly that digital identity is one of the biggest vulnerabilities, so you're going to worry about that. And finally, if you have critical infrastructure, right, you're going to wonder whether your OT infrastructure is secure as well. So it's very complex because the attackers, they leverage the entire attack surface, right? So you can find solution, you can find a lot of vendors. But what it means, more vendors to manage, more solution to deploy to integrate, more, more, more complexity, okay. So that's the problem statement. So to every complex problem, there is a Tenable solution, pun intended. And that's what we call VM everywhere. I decided to take our core competency and extend it across that growing attack surface. So we've been on that journey for some time, right? We are -- our root, our DNA, right, our know-how is anchored in traditional IT infrastructure, right, private infrastructure. And then we expanded, right? We did expand with Indegy where we got into OT infrastructure, and we build a muscle. We didn't stop there. I think with our seed, we did something really interesting. We realized that identity access is probably one of the most -- largest vulnerability, and I think the industry acknowledges that. You all heard about the zero trust movement. And then finally, public cloud, right, with Accurics, and I'm going to develop all that. Now the question that should come to your mind is, Tenable, why do you have permission to move across the attack surface and still be relevant and still win, right? And there's actually a very simple answer. If you think about that world, right, that entire attack surface, the reality is that there's only 3 types of vulnerabilities out there. They are all relevant. Software vulnerability, number one. Access, right, [ entertainment ] vulnerability, usually the over-provision access. And third, configuration vulnerability that are really important in the cloud. So here's the secret, right, a Vuln is a Vuln is a Vuln. So this really leverages the same core competency around vulnerability management. It leverage our DNA. It leverage all our know-how, right? So by the way, what's also interesting, it directly fit our business model, right? Think about it. As we expand the attack surface, we discover more assets. More asset under management, right, drives our bookings. So a very simple, right, flywheel, a powerful flywheel. Surface expansion means asset expansion means more growth. So it's a very natural strategy, right, for us at Tenable. I want to drill into the why do we win, give you a little bit more color. There are really 3 magic ingredients. The first one is the technology, right? The technology matters. Scanning technology, actually, is a big deal. And we have all the scan, all sons or daughters of Nessus, agent-based scanning, network-based scanning, API-based scanning, frictionless scanning, you name it, right, IaC scanning. We have all of them. And I know sometimes it sounds like words in the slide, but Log4J is a very strong remainder that tech matter, right? Most of the VM players, the new VM players out there, will only do static scanning, right? Well, we also have dynamic. With dynamic, you're going to unveil and cover way more faulty system than with static one. So the tech matters. Keep investing into that tech, right? When the growing gets tough, you go to the professionals, we are the pros. Tech alone, not enough, right? You need content, you need security content. And one of the reasons I was really excited to join Tenable is the reputation of the research team. So you could look at the richness of the content, right? That content can never get stale, you got to keep on working on it. But there's a third magic ingredient. That's the go to market, right? So many [indiscernible] would be happy with 300 customers, right? We're talking about 35,000 customers, the reach. But more importantly than the reach, it's the trust, right? The trust that these customers are placing into Tenable to deliver one of the most important aspects of cybersecurity today. Now that reach, that trust, is super valuable because when comes the time to decide who's going to secure their OT infrastructure, who is going to secure their cloud or their AD infrastructure, right? The first intuition will be to basically employ the one that you already have, the one you already trust, the one that already performed for you. So that gives us permission, right, to upsell and move across the attack surface very swiftly. And that's super important. Now having said that, yes, very strong wins, very strong positive wins because it's a solution, right? And because of this vendor consolidation trend in the industry around cybersecurity. But as Amit put it, these products, right, these individual product, they stand on their own, right, like OT. The market is strong. Everybody has noticed the Colonial Pipeline breach, right? Everybody has heard about President Biden's bill on critical infrastructure cybersecurity. So the market is very vibrant. And then you heard about the accolades that we are receiving from Forrester, basically declaring Tenable as a leader. So you could build a company around that business alone. It is the same, right? Everybody has Active Directory, all the bad guys leverage AD, right? That's the lateral movement because of Active Directory that led to the paralysis of this Israeli hospital for a month where they had to use paper and pen because their network was basically infected with ransomware. So opportunity is there. By the way, the Alsid people, you could not hire these people if you wanted. You could not find these people. And the -- the innovation they keep delivering, we're going to talk about cyber-attack pathway in a second. The point here, the makeup point is, yes, there is a -- there is an halo effect from Tenable, but its products are really, really good on their own and that's important. And that's what makes that whole thing exciting, right, that VM everywhere is really a powerful opportunity for us. And by the way, even more exciting, I think we only scratched the surface. It's not like we are opportunity bound or opportunity concentrated at this point. If I look on the left, more opportunities if we decide to do so, right? Third-party libraries, open source API security, code security, you name it, and that's on the left alone. On the right, same thing, external surface management, SaaS security posture management, third-party risk management. All these things are part of the attack surface, all these things could leverage our core competency. So we're not at the end. We're only at the beginning, at most at the end of the beginning. All right. From one exciting opportunity to another. Cloud security. I think everybody agrees, it's a large opportunity. Just read that AWS alone is probably around $50 billion. [ So takes your favorite ] percentage 8%, 12%, 15% for the spend on cyber, the IT spend on cyber, and you get to a very large number, whichever way you use. So why -- what product are we solving? And then why Tenable? I think that's an important question because it's a quadrant market. Well, we are seeing a very important disruption that gives permission to comment. Let me explain. The first wave of cloud adoption was all about legacy applications moving to the cloud, right? That's why we -- you all heard about lift and shift. We are lifting and shifting our application to AWS or Azure. And for that, traditional security work well. And so the first generation of cloud security work well. Now when we hear -- we talk about the digital transformation, these are very different applications that are being built and deployed. These are -- we call them cloud-native applications. There are 3 things you should know about this application. They are very different than their predecessors. You will hear things about like micro services, container, mesh network, right? We used to talk about 3-tier applications. Here, we're talking about like 500 micro services, from 300 to 500 totally different architecture. The deployment model is completely different. You heard about continuous integration, continuous deployment, infrastructure's code. Because of that, they change all the time. And that rate of change is actually defeating kind of the first approach to cloud security. Let me explain again, because I think this is very important to understand that it's a new game in cloud security. It's a new opportunity. The first part that you have with the traditional approach to security is that this -- the applications are changing so quickly that the whole idea you can detect security flaws in production is ludicrous. It's too late. In fact, I think Palo Alto last week published a study where they deployed some misconfigure workload, anyway, workload with vulnerabilities. Within minutes, within minutes, they were compromised. So the guy on the right, and he's CSPM consult doesn't have the time. Doesn't -- can't react in minutes, right? So that's the essence of that shift left movement. There's going to be a premium on doing security on the left closer to the developers before production. By the way, not just that it's better to detect from the left. You see that guy on the right? Remember, 500 micro services, he has no idea what that developer on the left is actually doing. So imagine, I'm in my CSPM consult and I find containers they have an open port that sounds dangerous. Should I close that port? Yes, no, maybe. I really -- I don't know, right, because I don't have the context, right? So the security guys can't make a decision, right? The blind leading the blind. And then lastly, the security [ employer ] is naked. Even if I fail powerful enough to make such decision, right, and close the port, 3 minutes later, the DevOps guys are going to redeploy and override all my changes. So think about that. It's too late for me to detect from the right. I cannot make the right decision. And by the way, I cannot fix everything. That's the essence of the shift left movement. And by the way, you'll hear it from everybody in the industry. So it's simple. The next generation of cloud application basically are defeating the first generation of cloud security. So it's a disruption. And so carpe diem, we seize the day, and we acquired Accurics, and integrated Accurics and we're going to launch a new solution, Tenable.cs, or Tenable.cloud security. We're going to launch it in February at [ SQ ], very -- sales conference is really -- is where we like to launch this new product. What will you have in there? You will have Accurics, so infrastructure as code security, CSPM, Container Security or Frictionless Assessment in one solution, in one [ SKU ]. I want to pause for a second here because you're probably asking another vendor in cloud security. But everybody, every security vendor in the industry will tell you security has to shift left, cloud security has to shift left. Think for a second what it means. What kind of security can you do on the left? Can you do EDR? No. Can you do [ foul ]? No. Can you do XDR? No. What can you do? Well, you can find software vulnerabilities. You can find configuration vulnerabilities. You can find access vulnerabilities. Yes, that's VM everywhere. That's what we do. So what I'm saying is we have birthright. We have birthright to be a leader in that market. What else can we do beyond birthright? How can we win in that market? One word: Integration, integration, integration, right? What if it's VM? Well, let's use the most powerful VM management tool, our IO console, right? One console is better than 2 console or 7 console for multiple acquisitions, right? So the simple idea to basically give you a single pane of glass, right, to see all your assets, private cloud or the public cloud, AWS, GCP, Azure in one place. Same swift, same workflow, 10 years of reporting, right? All the maturity of that tool versus the new startup, right? You get all the maturity. So that's a product guy talking. Think about the go-to-market. Hundreds, thousands of customers who already trust Tenable. They have the tool, they use the tool, they know the tool, they love the tool. You are one click away to doing cloud security. Upsell, cross-sell is much easier than new sale. So very simple sales play, right? And then finally, I think there's a long-term advantage. I think if you talk to the top Fortune 5,000 in the world, they all tell you my future is hybrid. I'm going to continue to be hybrid for a long time. So this is the perfect solution for a hybrid enterprise, for hybrid cloud. One VM program, all the cloud, private and public. Okay. So we got product leverage. We got go-to-market leverage. But there's one more thing. How about some technology leverage? If you remember last year, we introduced frictionless, right, or Frictionless Assessment. And what we had heard from customers is we don't want a Nessus agent in our workload. So what we did, we leverage an existing agent, the existing management agent, and that's what we call frictionless. Now what we learn from customers is that the DevOps guy, they actually -- they don't want any agent because they're always afraid that their precious container, their precious micro service is going to slow down if you're running a scan on that -- in production on that server. So we invented a new way that doesn't even require that agent. And the idea is to basically use this API, find new workload, snapshot them, and then we do the scan. But we're not doing the scan in the running workload, which is the beauty, so no performance impact. So we're going to launch that after cloud -- tenable.cs in the first half of next year. And by the way, I was trying to Google, how I'm going to call something that's 0 friction, right? And I found Teflon and Hyperloop, so I think we're going to stick to frictionless, it's a much better name. So here we go. That's the cloud secure opportunity, obviously significant. We get the opportunity to be a leader in one of the most exciting market of our generation. But you haven't seen nothing yet, but let's talk about the platform. So we already have a platform, right? We call it tenable.ep or exposure platform. And by the way, it's a great offering, it's working. No surprise, right. Compelling value proposition at the product level, we're covering the attack surface with one solution. Compelling pricing, ROI, you get a significant ROI with a discount. And then finally, the mega trend of security is too fragmented, I want to consolidate around a few trusted vendor, so we're checking all the boxes. So this is good. But we are not happy with good, we want great. So we thought that's a platform, but can it make it something more powerful? Can we make it a unified platform? So that's where we are today. So let me ask you the question, how are you -- so the idea here, by the way, is if you buy 1, 2 product, the platform is actually going to make these 2 products better, right? It's 1 plus 1 equal 3. How to create a network effect, a platform effect. We improve the security posture, the more product you -- from Tenable you use and you deploy, that's the network effect. That's what we're trying to create. How do we do that? How do we bring this product in a more meaningful way? How do we do that? It's the data, of course, right? So what if we bring the data together, what could we do if we brought the data together? Well, we could do very powerful analytics. In fact, we build on our Lumin experience. And we realize that with Lumin, we applied analytics on the VM data, and we made VM data, right? [indiscernible] VM. So the first inclination, and we did that, is we supply Lumin, right, to AD data, to OT data, to cloud data, so we're doing that. And then we -- the light bulb popped up. We realized what if we could collate that data and it would yield new insight that were never there before. It's kind, right, collating that data. And that's what we call attack pathway. And I'm going to give you a full example in a second, but we think it is the game changer. So hold that thought, I'm going to give you a full explanation. There's another kind of analytics that we like is the analytics that basically appeals to the buyer, the chief buyer, right, the CISO. You know that powerful question, am I secure? Or am I more secure than the last quarter? The Board keeps asking that question, and it's really hard for CISOs to answer. So we're going to give them a higher level analytics, we call it as the BI of cybersecurity. So they can basically answer a question like what's my ransomware risk? Am I doing better than last year? What's my grade overall? Maybe I'm a B plus, but actually, where should I focus? Or you're a C minus in cloud or you're a D in OT, so you have to spend more time there, you got to raise your SLA. And then who's doing well in the company? Is North America better than Europe, right? Who's trending better? How do I compare to my peer, all these very powerful cyber management question, we'll give you the analytics for that as well. Let's go back to the data. If we are really a platform, what we think is important to do is ingest more data. Look, the attack surface is huge and keep expanding. We are not going to be able to do everything and be everything to everyone. So we need to be able to ingest external data, so we're going to do that as well. So we'll ingest external data from our customer that basically drive more insight. That refines 2 types of analytics that I mentioned before. All right. I want to talk about this attack pathway because every platform needs a killer app. We think it's the killer app. So I'm going to give you an example. I'm going to bring -- let's look at something very familiar to us. We have Joe. Joe is working from home. So what we know about Joe? Well, Joe is under attack. Organized crime is going after Joe because he's basically at home alone, and they want to spread ransomware. They want to compromise Joe to spread ransomware. So let's bring our first data set, let's bring VM data, what do we know about Joe? Well, we know that Joe has a really bad hygiene. Unfortunately, Joe never patch his laptop and is vulnerable to a ransomware malware attack, right? Vulnerability that the bad guys are using to -- basically to break in. So we know that Joe is -- basically Joe is -- Joe is going to be compromised. That's the first data set. Let's now add the Active Directory data set. What else do we know about Joe? Well, we know that Joe works from home, so he's part of a group called the Remote User Group. Unfortunately, what AD also tells us is that, well, there's a slight misconfusion because we put all the users that can do remote access in one group. Which means that Joe, therefore, the bad guy, can access my very critical Windows server. Now this is really bad because other admins, domain admin access that server. So in memory, I'm going to go different techniques, I'm going to be able to steal this admin credential, elevate myself as a bad guy and I can take over the domain controller. I'm king of the castle at that time, bad guy has taken over the network. By the way, that is a traditional ransomware attack, right? So 2 data set, you can see the inside of correlating the data together. Now one data set cannot do it, you need to do this -- you needed these 2 datasets together to drive such insight. Can we do better? Oh, you bet, we can. What else do we know? Let's go back to that critical server. I'm going to check my Nessus scan, and then what do I know about it now? Well, I know that that server is a special server, it's a VPN server. Meaning, it enables remote access to something else, another domain. Now from the AD data, it's the same 2 data set. I know there is a trust relationship between the current domain and that new domain. Oh boy, that means that the bad guy who is master of the first domain is now a privileged user on that second domain. So what's in there? Oh boy, oh boy. This is my critical infrastructure. So great. Let me bring the OT data, what's in there. Now with the OT data, I know the assets. I know they can communicate with each other. So unfortunately, what I'm discovering is that Mr. Bad Guy can now put ransomware not only in the IT network, but all over the control network, right? That remote work station, the history, and he can put malware everywhere. Three data set, 2 major attack pathway. Of course, of course, it's a product guy telling a story, these kind of things would never happen, right? But it did happen. Yes, it's pretty much what happened with the Colonial Pipeline. So I want you to reflect for a second here. It is really powerful stuff. The first power here is, I don't know anybody else who can do that. It's simple, you have the data or you don't. We have the data, so we can drive this insight, right? This attack pathway is huge information. Now the more subtle [indiscernible], if you want, is like these insight of bringing the data together actually make every single product [ better ]. I promise you, there is no other OT product in the world that would be able to say, my biggest vulnerability, my OT network is actually that external server, VPN server, right? Because you don't see it, right? My AD, right, fix trust relationship please, don't go home. And then my VM data, right? If there's one thing you do tonight, right, before leaving the office for the weekend, fix that MFA vulnerability, right? You would not know that without putting the data together. So it's very powerful. So where are we? Well, we've done a lot of work already so we're almost there. In fact, we're going to launch the new EP again at our sales conference early February. And then since the data is made up together, well, there is no reason not to put all the product, all the data into EP. So we're going to add tenable.ad, tenable.cs, the new cloud security solution and tenable.ot to the AD -- to the EP platform. And then we introduce the first attack pathway based analytics based actually on Active Directory pathway. Middle of the year, we will enhance the analytics, extending them to the entire data set. We'll also introduce attack pathway for the cloud. Remember the context, we'd see the attack pathway in the context for cloud security. And then finally by the end of the year, we'll select very strategically external data feed, right, external data that can really enrich and improve our analytics. So that's the plan. Which brings me to the conclusion, right? Three amazing opportunities. I told Amit that I would join a company that only have one of those. They're all synergistic. They're all complementary. But like Amit, I would like to leave you with one thought, right? And that thought is data as a platform. See, technology ages, content, people can copy it, imitate it. But data, data is hard to come by. Data never age, right, never ages. Data is a powerful competitive advantage. And then think about that flywheel, the more we're successful, the more we grow, the more data we have. And by the way, we are successful. We are growing. The more data we have, the more differentiated, the more competitive advantage we have, a full flywheel. So maybe I'll use the kaleidoscope in another way. Take that kaleidoscope and look inside, right, that Tenable kaleidoscope. I hope that you now see something new, something really powerful, something really unique. Tenable as a cyber data platform. Thank you.

Thank you, Nico. We will take a 10-minute break, and then you'll hear from Mark Thurmond, our Chief Operating Officer; and Dave Feringa, Senior Vice President, Worldwide Sales, on our go-to-market and customer success update. [Break]

Hello. Welcome back. Mark Thurmond here, Chief Operating Officer of Tenable. It's great to be with you today. Very, very excited to give you some insight and to give you some visibility on the evolving go to market from IPO to where we are today. Just a quick little bit of my background. So I've been with Tenable coming up on 2 years in February of 2022. Before that, I was with a company called Turbonomic which is an application resource management space recently acquired by IBM. Before that, I was with a company called Qlik in the visual analytics space. And I actually spent 15 years at EMC, close to 7 of those years running field marketing and sales for RSA security, and it started my career off at Parametric Technology, PTC in Boston. So super excited to kind of give everyone some visibility here. And I think hearing what Amit and Nico said, I just want to emphasize this whole platform discussion is amazing on many different levels, right? So first and foremost, when you heard from Amit and from Nico on the technology side and all the benefits that our customers and end users are going to see from actually unifying the platforms and our technology. From a go-to-market perspective, it also simplifies and unifies the buying decisions for our customers, so we are expecting significant leverage from this. And so what I want to do is kind of walk you through in some detail on how we're actually going to market here at Tenable. The first thing that I want to start off with is really walk through the 3 very distinct specific sales plays that we drive consistently around the globe. The first one is the Nessus upgrades. And you heard Amit and Nico talk about Nessus. It is such a cool platform to jump off from in regard to the ubiquitous nature of Nessus. So if you think about it pre-IPO, there was over 10 million downloads of Nessus. Since the IPO, there's been over 3.5 million downloads of Nessus. Year-to-date, we're tracking over 1 million downloads of Nessus. So that does a couple of things for us: A, it gives us our tremendous flywheel to go upsell and be able to upgrade from Nessus Essentials to Nessus Pro, then onto the platform. But what I have found since being here is what's really exciting is the credibility and the brand recognition that we get with Nessus. I can't tell you how many customer calls I've been on where we're talking to a CISO or talking to an executive on the security side of the house, and they will say the first product they configured, that they programmed, that they used at university or maybe their first job in cyber was Nessus. And that gives us an unbelievable amount of credibility with our customer and with our installed base. So that is a very specific motion that we drive. The second one is being very, very aggressive on new logo acquisition. So we range anywhere from 350 to 400 new logos a quarter. We very much focus in on driving those new logos in very, very specific areas. When you look at how we go and attack those new logos, it then allows us -- after we get those new logos, and they start off with us, it then allows us to then go into the expansion. And when we look at new logos, it's really greenfield, so customers that haven't known any VM before. And then when you look at greenfield, it then goes into competitive displacement, some of that might already own a VM solution before. And we've got 2 very distinct selling motions going after those specific new logo motions. Once you get a customer, this is where the exciting part here at Tenable happens. So if you think about it, right, over 35,000 customers. This is one of the largest installed bases of all cyber, right? So what it allows us to do is expand into those installed base and into those customers. Two different avenues here. It allows us to expand the asset to discover more assets, right? So when we close our first new logo with a customer, typically, they don't cover all of the assets within their environment, both on-prem and in the cloud. So we have an opportunity to now go back with a bigger attack surface and be able to look for and identify incremental assets within that installed base. The second part is really exciting in regard to the net new use cases. So if you think about the acquisition strategy with Active Directory, operational technology and now cloud security, this gives us unbelievable opportunity to go back in and have new unique discussions with our customers that are absolutely resonating. And we'll talk about the buyer evolution. We'll talk about how the decisions are actually getting made around these technologies. And you will see it comes back to the platform, simplifies it on so many different levels. So then when you take a look at those selling motions, Nessus, new logos and expansion into the installed base, that is all underpinned by world-class customer retention. So 95% of our revenue was reoccurring revenue. When you take a look at our net dollar expansion rate, which Steve will cover in the finance portion, is outstanding. So this is really one of the key pillars on the success and how we drive the go to market here at Tenable. Next slide, please. So you think about it, why do we win? Why does Tenable win, right? First and foremost, having been in technology for a very long time, what I can tell you is successful sales organizations need technology. They need unique differentiated IP from the competition, and that is what we have here at Tenable. Incredible amount of innovation and incredible M&A strategy building on our portfolio. So the reason, the #1 reason we win is technology, technology, technology, right? The second one that is extremely powerful is that installed base, right? That cannot be understated. The leverage and the opportunity we have going back to our existing installed base and driving opportunities as the portfolio continues to get built out. Number three is something that myself, and you'll hear from Dave Feringa, Senior Vice President of Sales, have spent a massive amount of time on here at Tenable, right? I think we have one of the most highly trained execution-oriented sales forces on the planet in cyber, right? We have spent a huge amount of time training and enabling our core sellers, along with our specialist sales organization, which I'll give you more color on. We are extremely metric-driven, right? There's very specific productivity metrics that we are now driving with sellers. So we're looking at how do we qualify deals, right? We're looking at how we identify, what the use cases are, who is the economic buyer, how do we move deals through pipeline and through the funnel faster. Very rigorous on qualification. We look at how can we improve productivity as we hire new sellers, how can we get them to be productive faster with training and enablement. How do we improve our competitive win rates, something that we are laser focused on beating the competition and we are seeing our competitive win rates increase. Improving the average sales cycle. So how can we shrink and get our deals done faster and quicker. And all of that is centered around simplifying our marketing message and positioning, right? So we are very much focused on selling what we call value drivers and simplifying the language that we use when we talk to our customers, and that has been able to pay off in space for us as a company. Obviously, you heard recognized leader, right? The analyst recommendation that we get at this company are phenomenal. And what I want to highlight for the investors and for the analysts, when you see Gartner or you see Forrester or you see Frost & Sullivan or you see IDC ranking us #1 or as the leader in those categories, A, it's phenomenal validation. But when you go to the international markets and you're selling in EMEA or you're selling in APAC or Latin America, a lot of the decision-makers will look at those analyst reports before they bring any vendors in. So as we continue to drive that type of awareness, and we uniquely differentiate on the technology, that gives us a driver seat approach in some of those international markets. One of the things when you look at the international markets is we are 100% committed to the channel. So we have arguably one of the most incredible partner organizations on the planet, right? We have over 1,900 partners globally, allowing us to get footprint, allowing us to grow and expand into new countries, into new geographies very quickly. Also, the significance in public sector. And some of the things, obviously, that you look at the $1.2 trillion infrastructure package that was recently done, a lot of that money was going to be earmarked, right, for cyber. Cyber within the public sector and for federal government, but also for state and local government. And we have a deep history in the federal government with significant market share. Obviously now with FedRAMP cert for IO, we want to be able to go to that SC installed base and introduce IO to them now that we have FedRAMP. And now we also have all of those incremental use cases, those opportunities to talk about operational technology, Active Directory and cloud security. Now when you look at us, we are an enterprise software company. So one thing that we do here very well is look at these 4 categories as professional services. And again, think of Tenable professional services in 2 distinct areas. A, we have professional services globally that allow us to deploy, once we sell our software to deploy our software very quickly so customers can see a very quick time to value. And the second is we very much want them to get what we call positive business outcomes. So making sure that we use our professional services to drive those positive business outcomes when we're talking about our solution with our customers is critical. The second part is that ecosystem. So we do not and we will not compete with our partners in regard to professional services. So our PS team actually trains and enables a lot of our partners around the globe. We create quick start programs for them. We create skewed up services for them to go to market with, right? And that is where we're able to get a lot of loyalty within the channel because we do not compete and we do not fight with our channel. We've got tremendous global support all around the globe. You take a look at that ecosystem, which I [indiscernible] and our customer success group reaching out and having constant dialogue with our installed base are big differentiators from an enterprise perspective. Next slide. So focus areas, right? Dave and myself, we love this. We love to be able to be very direct with our selling organizations and with our partner community. And we try to simplify things at every stage of the process. So in our -- in our view and our go-to-market focus areas and growth drivers break down to 5 distinct areas. The first one is we will be adding and we have been adding sales capacity quota carriers around the globe. We're not only are adding core sellers, so core sales reps that represent all of the products, but also driving specialized sales force. So when you look at the acquired companies around OT, AD and cloud security, we are building out sales reps and SEs that are true subject matter experts around those distinct areas. So while we have phenomenal relationships with the CISO, who is still the primary economic buyer. And when I say economic buyer, he is the executive or she is the executive that has discretionary control over the security budget. We still have a very tight link into the CISO. But now with our specialist sales force, we are able to go drive a bunch of influencers, a bunch of folks that can influence a technology decision around OT, AD and cloud security. This drives overall productivity because our core sellers can continue to sell the core offerings, they can continue to build relationships, navigate purchasing, navigate procurement, work with legal and then get technical wins done by the specialist organization. You heard me talk about it, right? 86% of those customers that were polled are going to spend more money on Active Directory. So we want our Active Directory, our AD sales force, targeted to get those technical wins to identify where those opportunities are and then be able to drive those deals with the core sellers. Big productivity enhancer for us. The second one, obviously, we've hit on this, and we will continue, right? Everyone needs to know how incredible that installed base is. And now that we have new technologies to go talk about, and as Nico continues to innovate the platform, this is just going to allow us to expand within those customers at a faster pace and that is very exciting based on where we are headed for the technology side, right? Obviously, common sense, maintaining this unbelievably high renewal rate, right, and making sure that those customers stay with us for the journey, which they do, that is a big focus. We will be, along with adding quota capacity, we are hiring across the globe customer success managers to make sure that we're keeping very high touch points with our installed base. Leveraging the partner ecosystem, absolutely critical, making sure that we're getting geo expansion, which I'll touch on when I talk about the ecosystem. And the last part is maybe a little bit tactical, but it is really important, right? I'm a big believer, Tenable is a big believer that compensation drives behavior. And so we've taken a lot of effort and time to make sure that we align our compensation plan so there's no friction internally at Tenable. And then we also look at incenting and giving accelerated commission rates on areas that we want to drive into our installed base and into our net new logos. So a lot of time and effort has gone into that. All of this is centered around world-class execution from a go-to-market perspective. Next slide, please. So we talked about the global presence, right? We talked about the 35,000 customers. We have boots on the ground, right, within 35 countries. We're adding resources at the country level. So when you look at 2021, we've added employees into Austria. We've added employees into South Africa. In 2022, we're looking at adding headcount and bodies into Korea. We're going to be expanding our presence in Taiwan. We've added significant headcount in Japan and in India and in Germany, so we will continue to build out our quota capacity and headcount globally. Based on that ecosystem, we do business in over 160 countries with that amazing 1,900 partner organization. One thing that I want to highlight, too, when we talk about the partner organization. Based on our acquisition strategy and now having the most differentiated technology in regards to OT, AD and cloud security, we've been able to recruit 200 new partners into our partner organization that were specialized in those areas. So now they are part of our larger ecosystem, but focused in on those specific categories. That is allowing us to get significant leverage. One area of the business that is really growing, it's arguably from a go-to-market perspective, one of the fastest-growing areas that we are seeing and that is the MSSP business. And by the way, this is global. So we've added over 300 MSSPs, and I'll touch on this in a little more detail on another slide. But this is a super-fast route to market for us. There are certain regions of the world, say, for instance, LatAm, that want to buy and the majority of their bookings and revenue come through MSSPs. So they could be smaller in size or they might not have the number of cyber professionals within their companies and enterprise, so they go to an MSSP to cover multiple parts, right, of the security stack. We are doing extremely well within those MSSPs and we expect that to continue going into 2022. Next slide. Okay. So how do we segment the market, right? This is one of those things that might have shifted a little bit since the IPO. It's one of the things that we do. I will give a lot of credit, right, to our sales operations team. We are spending a huge amount of time doing analytics and analyzing our territories, our opportunities within the installed base and, obviously, our new logos. And so when we look at it, right, we are predominantly an enterprise software company, right? So we enterprise, we segment our enterprise, which is 3,500 employees and above, and we have direct touch. So SEs and sales reps and channel employees and specialized sellers going into that enterprise customer and working very closely with them. We then have the commercial segment, which is 500 to 3,500 employees, which is all about inside sales, gaining velocity, making sure that we're communicating with them frequently via our inside sales model. And the last part is the velocity in e-commerce. And again, this is a special part of Tenable, right? When you talk about that Nessus installed base and that brand awareness, right, we absolutely crush it in that e-commerce and velocity business, right? And these are a lot of times we're not touching these transactions, right? They're either coming through e-com or going through our partner community. All of that is underpinned with a global marketing organization, which is incredible in regards to building pipeline, doing field marketing events and driving activity. We also have sales development reps that are consistent throughout the globe. And then you can see on the side of the pyramid there, we have CSM coverage, professional services coverage and channel coverage consistently, again, throughout the globe. This is one of the reasons that we are able to deliver our message around this platform and our technology consistently around the globe. Next slide, please. So we talk a lot about ecosystem, right? And again, when you look at all the different competitors out there, they're in my opinion, in my humble opinion, right, we have the best channel in the ecosystem in cyber, right? We do a phenomenal job at working with our partner ecosystem and we think about it in 3 very distinct categories. The first one is tech alliances. So we've got tremendous relationships with Splunk and ServiceNow and IBM and Google that we have deep integrations with to help support our installed base. We're now doing a lot of work with AWS on their advanced technology partner. This is one area that's seeing triple-digit growth, and we're going to continue to drive and execute there. We've got hundreds of integrations into hardware and software platforms to make sure that we can be deployed seamlessly within our customers. And what I'd love to do is love to measure and track. And so when you look at tech alliances, how is it contributing to the bottom line. And when we look at those tech alliances, we have over 20% of our sales and pipeline being built by influence coming from the tech alliances, working with some of those big partners we talked about like Splunk or ServiceNow and allowing us to get into accounts and being able to help us influence some of that business. The middle area there, the channel, we hit on this one, right? We are 100% committed to the partners, 1,900 partners growing. And again, you've got to measure it and you want to see how you're doing. One of the biggest measurements, right, you want to look at is channel in. And what does channel in mean? Channel in means deals and opportunity that the channel is bringing to you. They're bringing into Tenable, right? And right now, when we look at year-to-date, 40% of our business is channel in, meaning 40% of our business is coming to us from our ecosystem. That is awesome, like that is world-class. We have aspirations to grow that to 50% over time, but that is incredibly high, and it is significantly up from the time of the IPO. So the investment and the money that we've done with our partners has paid off. When you look at the Assure Program, all you have to do is look to the CRN annual report card, which we were one of few cyber companies that got 5 stars, right? And those 5 stars are all centered around driving incentives and training and enabling your partners, making sure that you're able to help them drive services and making sure that they have the right benefits and incentives to be able to go grow that business. We have over 8,000 unique product certifications in our ecosystem. So again, think about that a little bit, rationalize that a little bit. We have an army, right, of partner sales reps and SEs that are certified, trained and enabled on Tenable. They lead the charge when they're comfortable and confident in being able to understand our technology and articulate to their customer base. If they have 50 different products on their data sheet, they're going to position and sell Tenable because they're comfortable, they're trained and they're certified. So we take a lot of pride in that. We've also done a lot on the Assure Program on automating and simplifying the way they use the portal and the way they engage with Tenable. Very, very powerful. The last part I hit on, right, is the MSSP business. And I do expect this business to be unbelievably fast growth. Not just for Tenable, but as an industry, I think you continue to see MSSPs doing very well. We focus in not just on the top of the pyramid, we focus on the entire pyramid with the MSSPs. So we have 8 of the top 10 MSSPs are using Tenable, 7 of the top SIs are recommending Tenable to their customers. And I talk about rapid growth areas, right? When you take a look at it, not only is it one of the fastest-growing areas from us as a category at Tenable, it is also allowing us to go into countries faster and quicker. And the one thing I will highlight here is if you think about our MSSP business to date, it has traditionally been focused on core VM because that what we have. Obviously, there's some WAS, some Container, right, some Lumin in there. But the bulk of it has been with core VM. When we start now integrating and we start putting into the MSSP community, OT, AD and cloud security again, there's an opportunity for significant leverage globally, right? So early, early innings there. Still growing unbelievably quick, but once the platform plays out, which it will, and we get that platform out on that next thing with OT, AD and cloud security, we're expecting acceleration there in that business. So super, super excited around that part of the ecosystem. So hopefully, that makes sense. What I want to do now is I want to give an opportunity to Dave Feringa, who's our Senior Vice President of Global Sales. He's going to walk you through because he's very close to it, what does that buyer evolution look like? How has it changed and morphed? And then actually give you some examples of actual customer success stories. And it has been an actual privilege and an honor working with Dave over the last couple of years, and so I'm going to pass it over to Dave. All yours, man.

Thank you, Mark. My name is Dave Feringa. And yes, I am the SVP of Worldwide Sales for Tenable. I've been here 3 years, and prior to Tenable, I ran the global sales organization for Trustwave. And then prior to Trustwave, I spent 11 years at F5. The last 4 years, I was their EVP of Global Sales as well. As Mark mentioned in my section, I'm going to discuss our approach to the buyers within our customers and how that's evolved, and then I'm going to follow up with some real-world customer examples. So one thing that's remained -- thank you, for the next slide, yes. One thing that has remained consistent is our core executive buyer is the CISO and our most influential technical buyer remains the vulnerability management team. We've successfully worked with both over many years selling our best-in-class VM solutions. From these relationships, we've been able to launch into other areas of the security business. As companies adopt digital transformation, the attack surface expands in other areas. The VM team also often introduces us and certainly works very closely with us as we go into the operational technology, the Active Directory and the cloud security spaces as companies have to assess risk across these areas as well. This has really expanded the number of use cases that we can address. One common theme we've heard from many of our customers is they want a single vendor that can assess and remediate vulnerabilities across the entire attack surface. Companies are trying to reduce the number of security vendors they deal with. They get operational efficiency and they get a better way to handle risk as well. One of the main reasons we've invested in the specialist sales organization and also a specialist engineering team as well is that within the OT, AD and CS spaces, we want to make sure that we understand their unique requirements within these spaces and then tie it back and how it ties back into the overall risk and the overall vulnerability management strategy of the customer. The CISO stays involved. They're the executive buyer, and they want to have a consistent view of risk across all areas of the business. So one other positive impact we have seen with new logo customers who currently are not with Tenable is that if we don't have a VM opportunity, they could be satisfied with another vendor or maybe their subscription doesn't run out for a couple of years. We now have other avenues to approach those customers. We can now talk to them about industrial security, talk to them about OT, Active Directory and/or cloud security. In the past, we might have been set out of these deals. Now we've got multiple doors that we can go through and multiple different approaches for those customers. Next slide. Okay. I'm now going to go through some real live customer examples. The first one is a very large manufacturing conglomerate up in Canada. Background on this is they were an existing Tenable SC customer, but they were very, very concerned about the recent attacks in manufacturing and energy, especially the Colonial Pipeline attack. Their objectives were, first of all, they wanted to make sure they secure their assets in their manufacturing facilities because, listen, if you shut down a plant, that could be massively costly for them. They also wanted to have better risk visibility across not only the manufacturing environment, but they wanted to match it with their current visibility and their IT environment as well, so they have both. And ultimately, they wanted to prevent what happened within the Colonial Pipeline situation. So who is the buyer. The buyer primarily was the CISO. We had many influencers. We talked to plant managers. We talk to the active directory team, also the vulnerability management team was involved throughout. What did they end up buying? Well, first of all, they expanded their Tenable SC relationship with us. Then, they bought Tenable OT for many of their key industrial sites. And finally, they bought Tenable AD to reduce risk laterally across all their businesses. Why do they choose vendor -- choose Tenable? Well, first of all, we're the only vendor that can provide a unique and unified visibility of both their OT and their IT environments. They love Tenable AD because Tenable AD prevents lateral movement across all their many different businesses in case there's a breach. And you know what, they've been a very happy customer for a very long time, and that's certainly played a role in us winning this business. The total ACV value of this deal was about $1 million. Next slide, please. Another example, financial institution here in the U.S. This is a very rapidly growing bank who is using multiple vendors for risk-based vulnerability management. Their objectives were they wanted to reduce risk by consolidating multiple vendors into one, and they wanted to make sure they did business moving forward with a vendor that could scale with their growth. We wanted to make sure they improved operational efficiency. We wanted to make sure they had a predictive cost model for future growth. And as we talked about a little bit earlier, as Mark mentioned, technical integrations were really important. And our integrations with Splunk and ServiceNow were critical to this opportunity. We primarily dealt with the CISO and also the VP of Security Strategy. What do they end up buying? Well, they ended up buying Tenable EP, the exposure platform that Nico talked about earlier. Why did they choose Tenable? Well, first of all, we're the only solution that can provide a complete RBVM solution for them across all of their businesses. They consolidated 3 vendors into one. They love Lumin. Not only could Lumin help them improve the way they look at and remediate vulnerabilities, they also could now look at all of their individual banks and all of their individual business units, and they can assess risk and the different risk profiles and how risky they are throughout their entire organization. If a certain bank, certain business unit was not doing as well from a risk profile, they know where they can apply resources, and that was something that was really important to them. EP provided them a predictable cost battle for assets, including future solutions. We're actually talking about WAS right now. And one final point. A partner actually brought this deal to us. The partner had both executive relationships and also technical relationships within this account. They literally were with us from the beginning of the process to the end of the sales process. We never would have gotten this deal without the help of the partner. And I think it goes back to what Mark talked about a little bit earlier, we've made a ton of investments in the partner community. Here's a great example where those investments paid off. Total annual contract value was about $200,000. Next slide, please. The last example is a very large U.S. federal agency. As Mark mentioned earlier, we've got a very large and trusted brand within the federal government. This agency was using multiple vendors for vulnerability management. They also had a very large global footprint. They were looking for a single vendor to basically look at all of their vulnerabilities across their global footprint and to be able to help them with risk across all the different advanced threats that were out there. They needed to have the flexibility of an on-prem solution, but they also needed a FedRAMP-ed cloud offering for here in the U.S. Integrations were critical here. Again, Splunk, CyberArk and ServiceNow. And because they're global, they need somebody that could support them 7 by 24 globally. So who's the buyer? The executive buyer were the branch chief and the CISO. We also worked very extensively with the vulnerability management team. What did they end up buying? Well, they bought Tenable SC for on-prem locations and they bought our FedRAMP version of Tenable IO for cloud. We're also talking to them about Active Directory in 2022. Why did they choose Tenable? Well, first of all, we're the only vendor that can give them the flexibility of having an on-prem solution as well as the FedRAMP cloud solution. They love VPR. VPR allows them to prioritize how they're going to remediate critical vulnerabilities. The integrations were really important. And finally, we've got a very long-standing, very strong, trusted brand within the federal government. And I think that played a big role in helping us win this deal. In addition, the 7 by 24 global support is critical as well. So the total annual contract value of this was $2.3 million. Next slide, please. I'd like to take a minute and just talk about the Log4J situation. As many of you know, Log4J hit us late last week, and Amit touched on it quite a bit earlier in the presentation. This is a significant security issue that affects everybody. Tenable's response to our customers has been awesome, from rapidly deploying and developing and deploying and developing plug-ins over the weekend to making a number of videos, educating our customers on the steps they need to take to reduce the effects of this, to beefing up our global support to take and answer a number of customer calls, our response to our customer has really shown the power of Tenable and the power of our solutions. We've truly differentiated ourselves from our competitors. Our competitors don't have the focus. They don't have the breadth and depth of our VM solutions to handle a crisis like this in the way that we handled it. Our customers have been thrilled with our response, and it's great to have a positive impact on their business. Finally, sales team is excited. Like I said, I've been here for 3 years. The sales team has never been more excited than they are right now. The innovations that we've made to the products have really expanded the number of places that we can go sell, the number of use cases. In short, the sales team has got a lot more stuff to sell, and they're excited about it. The net result is we're a lot stickier, we're a lot more strategic, we're a lot more valuable to our customers. Finally, as Mark mentioned, we're rapidly expanding our sales team. That creates an incredibly positive vibe throughout the sales organization. It also creates a lot of promotion and other types of opportunities for the people on our team as well. For that and other reasons, we're all really excited to be here at Tenable. We've got a tremendous opportunity in front of us. Thank you, and I'll turn it over to Erin.

Thank you, Mark and Dave. We will take a 10-minute break, and then you'll hear from Steve Vintz, Chief Financial Officer, who will cover our financial update and outlook. [Break]

Welcome back, everyone. My name is Steve Vintz, I'm the Chief Financial Officer of Tenable. I've been with the company since 2014, that's over 7 years now. And since our life as a public company, I've talked to many of you along the way. I know we have a lot of registrations and attendance for today's event, which is great to see. And I look forward to having even more conversations going forward. So I'd like to make a few comments today about the past, present and future of Tenable that I think will frame the conversation in the slides ahead. We've been a public company since 2018. And since then, we've reported 13 quarters of growth. We've accomplished a lot, and a lot has changed for us over the years. But the one thing has not, which is our unwavering commitment to the market, and helping our customers solve what we believe are their most pressing security challenges and answering the question, how secure are we? For us, all of this starts with the vulnerability management market, which we said at the time of the IPO, we wanted to become the undisputed leader. In 2018, we were not the largest player in the market, but we are today in terms of revenue. And we're the leader on many other fronts, such as total number of customers, number of new customers added in a given year, device coverage, zero-day. We've won numerous awards and distinctions and continuously received recognition from the industry analysts such as Gartner, Forrester and IDC for our leadership and innovation. But our mandate was never just about VM, it's always been about a larger opportunity in front of us that we call Cyber Exposure. I'll talk a little bit later about our progress in evolving our business and expanding beyond what is traditionally defined as VM into high-growth markets that our customers want us to address, and we are well positioned to serve. That said, VM is critically important today, and it's our ability to assess exposures across the attack surface that makes us such a value partner to our customers and allows us to expand the relationships, and Log4j is a great example of this as we highlighted earlier. In terms of financial results, we believe the secular tailwinds in this market will continue to create compelling and durable growth for us. All of this puts us on a solid path to achieve over $1 billion in revenue with very attractive operating and free cash flow margins. I'll cover this in greater detail today. If we turn to the next slide, let's first talk about some top line metrics that we provide that aid investors in understanding the health of the business. I'll start with calculated current billings, or CCB for short, which is a close but not a proxy of the underlying bookings of the business. Bookings, specifically ACV bookings is how we manage the company, how we set really quotas, how we analyze performance at the company level. Now for our business model, we believe CCB is currently the best metric to determine the future growth trajectory of the company. Alternatively, ARR and recurring revenue doesn't quite capture the full picture as it's largely on an LTM basis and does not properly reflect changes in growth rates in the current quarter. Also, we do disclose the percentage of recurring revenue in our public filings and we also disclose short-term and long-term RPO in our filings, which tends to align more closely with CCB. That said, CCB does have its limitations and can be impacted by a number of factors such as the percentage of early renewals invoiced in a quarter. But for now, CCB still makes sense even with its limitations, plus we know investors will calculate it anyway, and we want to provide meaningful context to investors around it. In terms of new enterprise customers, net new 6-figure deals and net dollar expansion rate, collectively, these metrics, 3 metrics together, not so much individually, but together, are informative and tell an important story. So let's go to the next slide and talk about our performance since the IPO. As you can see here, we have some historical performance for you, which is notable. Now this starts with a few declarations we made at the time of the IPO, which have influenced our financial results over the years. The first one we've already discussed, which is our market leadership. But in terms of product, in 2018, we said that we expect that Tenable IO, our cloud-based offering, which we launched in 2017, just one year prior to the IPO, would one day become our flagship product and represent over 50% of our new sales. And as we've discussed on our last earnings call, that has indeed become a reality. We also said market leadership from product side, we will become free cash flow positive by the time we exit 2020 and we would turn profitable in 2021, and we've done precisely that. In fact, earlier than anticipated. Today, we're going to make a few more declarations that will influence our growth in the years to come. But in terms of historical financial performance, as you can see here, we have 2.5x CCB, growing to what we expect on a full year basis to be over $600 million. [ Reform ] revenue, 30%, and have significantly improved the operating leverage of the business with more to come. In short, we've taken a very balanced approach to growth and profitability. And if we go to the next slide, you can see here over the years, we've amassed a sizable base of customers. It's one of the largest in the entire security industry for any company today, which stands over 35,000 paying customers. And this doesn't include, it's important to note, it does not include the millions of free downloads of Nessus. The huge community of Nessus creates competitive moat and is a flywheel into the paid versions of our products such as Nessus Pro or the enterprise products. In terms of new customers, though, we've added hundreds each quarter since 2019, 360 on average with many greenfield opportunities and the value of these relationships is expanding. And I'll say here, the size of our customer base is really a reflection of the investments we made to date in adding sales capacity, leveraging our massive network of resellers and distributors, and this will figure prominently in our ability to sell our unified exposure platform going forward. And it's our history, our intimacy, our credibility and our knowledge of our customers' needs that allowed us to earn their trust and expand the relationship with them over time. So speaking of the product platform, let's go to the next slide. Let's discuss how we've evolved the product capabilities over time to help customers in their digital transformation journey and help them secure new areas of the attack surface. Evolution is a big theme for us today, and Tenable has done a lot over the years. As we mentioned earlier, our roots are in traditional VM. Years ago, we sold primarily a vulnerability assessment tool in Nessus, which has become the gold standard in assessing vulnerabilities. With the backdrop of high-profile data breaches, we have invested aggressively in the business, adding sales capacity, becoming 100% committed to the channel, expanding our network of partners, marching into new countries, all of which has allowed us to successfully scale the company. This was a major evolution for us going from a $2,000 to $3,000 vulnerability assessment scanner to selling an expansive VM enterprise product with $50,000 ASPs closing 6-figure deals in the enterprise market. But innovation did not stop there. As we've highlighted for you today, and as Nico said earlier, vulnerability is everywhere, a Vuln is a Vuln is a Vuln. And over the years, we've launched Tenable IO as well as new products and new features such as Web App Security, Container Security, Lumin and Frictionless Assessment. We've also been active on the M&A front, acquiring new technology and new expansionary markets such as OT, AD and security. And while we successfully sold many of these products stand-alone as an add-on sale to address a specific use case, all these products would integrate and help us solve a bigger problem for our customers which is the ability to manage exposures holistically, which we productize in tenable.ep. And it is that commitment to innovation and the expansion of our product portfolio that has positioned us for our next major evolution, which is selling a unified exposure platform. Tenable.ep helps our customers secure more of their attack surface. With an asset-based pricing model, EP today includes Tenable IO, WAS, Container Security and Lumin and has an average selling price that is 60% higher than our standalone VM product. EP will expand next year to include AD and cloud, and we believe this is what our customers want. And just like we foreshadowed in 2018 about Tenable IO, we can say today that tenable.ep, their exposure platform, will be our primary go-to-market motion and become our flagship product in the years to come, and we feel really good about making that claim. So let's go to the next slide and take a look at our mix of business and see how it's changed over the years as we've broadened our focus beyond traditional VM. Now as you can see here, we have evolved and considerably expanded and diversified our base of business over the last 5 years as traditional VM, which we define as Nessus and Security Center, is expected to represent 60% of our CCB this year. And while we have a sizable base of customers who use traditional VM offerings and that base is growing, customers are increasingly choosing our cloud-based products, Tenable IO and Tenable.ep and related exposure products to secure more areas of their attack surface. And it's that 40% of our business that is growing 50% plus, which offers a very attractive growth opportunity for us going forward, characterized by what we believe will be higher asset counts, more 6- and 7-figure deals, even 7-figure deals, and healthy net dollar renewal rates. Now, this is important, it's not to say that Nessus and Security Center is not important because they are. These are beloved products that have been in the market for years that has created a clear attacking go-to-market advantage for us that enhances the value of our exposure solutions, with hundreds of thousands of plug-ins and warm leads from Nessus, not to mention the margins here are very attractive for these products. But perhaps more importantly, it does provide a flexible deployment option for our customers as most of our customers have hybrid compute environment. So securing traditional assets is critical for our customers, and we will continue to do so, and that will continue to be so for our customers in the years to come. That said, we have a compelling upgrade path for traditional VM customers who want to cover more areas of their attack surface. And it all starts with Tenable IO, which is the foundation of our unified exposure platform and allows our customers to either purchase other exposure products individually or purchase EP itself. So the takeaway here is securing the cloud is a massive opportunity for us and will drive higher mix of business for our exposure solutions as workloads continue to move to the cloud. So let's go to the next slide and talk about M&A. Given the size of the opportunity we are addressing, M&A has a major role to play. Not only in terms of our ability to expand into highly complementary adjacent markets and add incremental capabilities, but also with regard to timing because M&A can and has accelerated our time to market and time matters in the dynamic markets in which we operate. We firmly believe that we will continue to need and keep pursuing a combination of organic innovation and targeted M&A to achieve our strategic objectives. But close observers will have noticed a few common patterns in our M&A activity. First and foremost, we've focused on strategy. We have broadened offerings and capabilities, technologies, IP, that are focused on specific and priority pain points for our buyers and pain points for which our buyers have budget responsibility and availability. Second, we have targeted enterprise-ready IP, and we can immediately bring to market with our huge army of sellers and sell back to our base of 35,000-plus customers. Third, we've had conviction that the capabilities in which we have invested represent an important presence in a secular trend that we believe will drive demand in the years to come, such as the convergence of OT and IT, which we were the first to market with in early 2020 when we launched the OT and IT security platform or Active Directory, which is a major pain point for our customers and a challenge for them to secure at scale, or in the case of Accurics, the shift left Infrastructure as Code, security is policy and unifying that with onetime capabilities in public cloud environments with automated remediation. Fourth point I want to make here is that we recognize that Tenable strength comes in the power of its combined portfolio. So we have ensured that acquired capabilities will integrate with and enhance the value of our exposure platform. And finally, it is important to note that we have focused on earlier-stage companies with no or limited commercial capability and no significant base of business. To date, we have not acquired any meaningful revenue. And the levers that Tenable is demonstrating, the success in sales comes from the combination of strong capabilities and market-leading distribution that we have. And while these deals are modestly dilutive initially, we assume -- as we assume the incremental OpEx of the acquired company, and we work to build pipe and close deals and eventually recognize the resulting revenue over the contract term, we are very confident they will be accretive to cash and earnings over time. And as you can see here, we've provided TCB dollar thresholds for the full year. I think the big takeaway is not so much the specific amount of sales that we're doing, but rather, we are having success selling the newly acquired tech, not to mention LANs, container and other products back into our base. And some of the products such as OT, our sales force has been selling for 2 years now and others are very new for us, such as Alsid. But in terms of top line, the takeaway is we are selling these products with success with our sellers, to our customers with a clear need to address other areas of exposure, and we are just getting started. So let's spend some time looking ahead and talking about the path forward and let's go to the next slide and talk about growth strategy. Our strategy for continued growth and success is fairly easy to understand and predicated on a few basic concepts. First, expand relationships with the existing customers. We've talked about the sizable base of customers and our ability to expand those relationships over time. Invest in sales capacity, expand the sales org and drive higher levels of productivity, lead with, obviously, the exposure platform. And we talked about how our business has evolved and expanded to address in more areas of the attack surface. And of course, M&A, which we just covered more recently here, will continue to play a big role in accomplishing our strategic objectives. So now that you have a sense of as to how we plan to generate growth, let's go to the next slide and discuss how we expect that to impact the numbers and our expectations of growth going forward. In terms of revenue, it's hard to believe that only a few years ago, we did $188 million in annualized revenue. And today, we're talking about a path to $1 billion in revenue. $1.1 billion to be exact, which we believe we can achieve in 2025 based on 20% annual growth. On a CCB basis, we would expect to achieve the $1 billion mark in 2024, just 36 months from now. And in terms of how we're managing the business, we are investing to achieve 20%-plus growth. This is a floor, meaning the minimal growth we would expect not a ceiling, and I want to make this very clear. There are a number of factors that give us high confidence that we can achieve this level of scale and growth, some are secular trends such as proliferation of assets and connected devices, the expansion of the attack surface, the adoption of cloud, driving the need to unify Infrastructure as Code, with production, onetime capabilities and automated remediation. These represent major shifts in the market for our customers and Tenable has evolved to help them secure their critical digital assets wherever they may be. And evidence of this is our ability to transact more 6-figure deals, the mix of business and strong growth from our exposure solutions, which have allowed us to grow over 20% even during more challenging economic times, such as the global pandemic. This has also been a catalyst of growth for us in recent quarters as CCB has increased from 20% growth in Q1, to 23% growth in Q2, to 25% growth last quarter. And in terms of the algorithm of growth, our business model is fairly straightforward. 95% of everything we sell is return, add expansion from existing customers, which we have a long history of doing, expanding asset count, selling more back into our customer base, then add sales to new customers which is driven primarily by increases in sales capacity, higher levels of productivity, more channel and business, as Mark commented earlier, all of this should give you a very good way to frame our revenue growth going forward. And we assume the mix between expansion sales and new sales will not change meaningfully going forward, but there's clearly interplay between the 2. For example, we're moving to more of a platform sale, so we could see bigger lands than what we've done to date. And we could -- that could impact expansion rates. If EP is indeed a catalyst for capturing more of the customer opportunity upfront or EP could, in fact, be a catalyst for even more expansion as it facilitates an easier way to expand into new asset classes. But the point here is the growth algo we are seeing in '21 is the same growth algo we expect to see going forward. And again, it's worth reiterating. The 20% growth is not -- is a floor. It's not a ceiling, and we're investing in growth and focus on executing to deliver 20% plus growth. So let's go to the next slide. Now that you better understand our growth trajectory, let's spend some time on the margin profile of the business because it's very compelling. With 95% recurring revenue, 80% plus gross margins and high renewal rates, I have a lot of confidence in our ability to expand the margins both in terms of the operating margin and the unleveraged free cash flow margins well beyond current levels. Now before I make some forward-looking comments, let me address our historical performance because operating leverage to date is commendable. As you can see, in 2019, we had negative operating margins when we were burning cash, while spending 60% of our revenue in sales and marketing. And this year, the full year, we expect our operating margins to be 9%, which is up 300 basis points from last year. Our current Q4 guide reflects 5% operating margin, which how we look at is our current run rate operating margin. But as we've previously discussed, it reflects the incremental OpEx we assumed throughout the interconnection with the Alsid and the Accurics acquisitions, which we believe will positively impact revenue growth. But in terms of our '22 margins, it's worth noting -- I'm not going to go into that today, consistent with past practice, I'll cover that on our earnings call in February. Now looking ahead, we are confident in our ability to drive good growth at scale and increase operating and unlevered free cash flow margins of the business. We're not going to put a timetable to reach our target margins because when we do so and the rate in which we expand the margins each year, generally depends on a confluence of factors such as growth, opportunity for investment and the expected return, health of the broader market, et cetera. That said, investors should take note that we have delivered major operating leverage over the years. Over the last 24 months, we have increased the operating margin by over a whopping 20 points. And this has very little to do with savings in sales and marketing and due to travel from COVID. We've built density in key markets over the years, which we've been able to leverage and drive further efficiency in the business. So now we have always done a good job balancing growth and profitability, but we are focused on growth, given the confidence we have in the business and the expanded product portfolio. But at the same time, what we are providing you today are higher long-term margins than what we previously anticipated. And specifically, we have confidence in our ability long term to increase the operating margins to over 25%, and increase the unlevered free cash flow margins to over 30%. There's a lot of margin left in the business. We've demonstrated good margin today. We have confidence these margins will expand over time despite further investment in the business. So in closing, I'd just like to say here, if you go to the next slide that we have a clear line of sight to 20% plus growth on a path to $1 billion. And we have expansionary TAM due to the expanding product portfolio. And we're leveraging our huge army of sellers, extensive network of resellers and distributors to capture greater share in this market, and we're targeting a rule of 50. So overall, I feel really good about the business and our long-term outlook, and we're excited to be here today to deliver this compelling message. Thank you.

Thank you, Steve. We'll take a 10-minute break, and then I'll finish our day with Q&A. [Operator Instructions] [Break]

Welcome back, everybody. We will go ahead and jump into Q&A. Our first question is, are we correct in interpreting that if your vendors don't tell you what to stand for with Log4jShell, we still don't know and won't be able to find related vulnerabilities.

No. We're still going to be able to identify vulnerabilities on your assets, independent of vendor. What will be happening over the next several days and weeks and quarters, is that we're expecting thousands and thousands of software vendors, thousands of software products to report that their products are vulnerable based on them embedding Log4j into their product, and they're going to provide those updates. What we do is automate the process of their notification, automate the building in of those checks into our product and automate the distribution of those checks in real-time down to our customers so that when they look at their systems, they'll know, hey, this vendor just notified they've got a vulnerability. And by the way, here's where those systems are. So we can anticipate in the coming days and weeks, there will be thousands of new vulnerability disclosures from different software vendors based on Log4j. And we automate that entire process for our customers.

Next, it is clear to me that a web application firewall is not a good solution to block remote execution related to Log4j. However, why do you think CISA recommended organizations to deploy it? Why didn't they tell agencies to deploy a best-in-class VM solution to combat this?

Yes. That's great question. This issue is pervasive and just about everybody in the security community has a role to play. I don't want to say WAF is useless. It isn't useless. It has a role to play. It just has a limited capability. You can stop some soft using your WAF. You can also block some outbound traffic, but it's not going to solve this issue, especially as this issue continues to evolve. So hopefully, I think what this is saying is buy yourselves some time, deploy your WAF, deploy these updates, hopefully, you got yourselves a little bit of time. You can hustle and fix the systems that need to be fixed. So we've been working very closely with CISA on this. And if you look at their vulnerability guidance page for Log4j, you can see the Tenable is highlighted and they look to us, and we're definitely part and integral to how the government is approaching Log4j.

Given the importance of Log4j, how do you see the vulnerability impacting either near-term or medium-term growth rates? And what products would benefit most from the vulnerability? So maybe Steve can start and then Amit, you might want to jump in there? Steve, you're muted.

Well, Log4j is certainly driving higher levels of conversations and engagement with our customers and our partners. But we believe overall that there's a strong spending environment. We're excited about heading into the fourth quarter, which seems be a strong quarter for us. And I'll talk a little more about growth expectations and margins in 2022 in our February call.

Yes. I'll just add to and say, listen, we're focused on our mission to help customers understand the security and integrity in their environments. And that said, we continue to do the right thing and sometimes things work out in your favor. So we have phenomenal capabilities to identify these types of exposures as they emerge. So we've got more customers that are both using and trying our web application scan and security tech capability as an additional and alternate method for finding this in their environments and their and also EP as part of their broader protection. So each of these types of vulnerability announcements for Log4j and the thousands that will follow, we feel can be a significant catalyst for driving people to mature their VM practices, driving them to mature how they assess and understand cyber risk, expand to get the full coverage of assets that's in systems in their environment. So it's too early to tell, but I think this is a very different story than we saw from like a solar wins type of reach announcement, this is fundamental architecture that really needs assessing and addressing and we think that we are best in class at doing that.

Amit, can you expand more on the AD opportunity, the level of customer awareness as to how vulnerable they are? And what the competitive landscape looks like for other protected solutions?

Yes. I'd say with the rise in ransomware, people have started to realize how at risk and how critical their AD environments are, right? It is critical to the enterprise. It is pervasive in the enterprise, and all of your activities, work from home, cloud, all of those types of initiatives rely on that ground source of truth for identity in active directors. So we believe our approach is technically superior to anything else on the market. We conduct the deepest audit possible, the best ability to detect new attacks as they merge against Active Directory, and we do it in a very sophisticated and elegant way. You don't have to deploy agents and impede performance on your demand controllers. We don't rely on Windows logs, which have been falsified or bypassed through things like, example would be like the Mandiant breach or any sophisticated adversary. So we think we bring the right approach, the technical rigor with the product, the ease of deployment, the ease of use. I would not be surprised if you heard it here first, within the next few days, you start reading about Log4j being leveraged by ransomware attackers going after Active Directory. So this is, again, tidal wave of stuff coming, and we think we're front and center in assessing, understanding and helping protect against it.

Next is Infrastructure as Code, do solutions in this market require a different channel to market? And talk about where you fit versus the DevOps platform providers or traditional code scanning solutions and newer DevOps security focus solutions versus your broader risk management approach. Is there a difference in enterprise versus mid-market here?

Yes. Listen, I'll jump on that one, Erin. So it's actually -- one of the things that we're seeing. There's 2 things to take in account in regard to this question, right? A, we are still seeing very similar when you look at infrastructure as code and cloud security, you are seeing obviously similar buyers. And we're still starting to see obviously CECL very, very involved in making these decisions and still continuing to have oversight. Again, when we talk about the platform approach and what we're doing around the platform, it's really centered around the CECL having budget control and really making sure that they're involved in a lot of these decisions. On the DevOps side of the house, well, one thing that people need to keep in mind when we acquired Accurics. They've got a phenomenal thing when you take a look at their Terrascan technology, which over 500,000 downloads, which is an open source cloud-native application scanner. So with over 500,000 downloads already, the dev community already is familiar with this. And if you think about Tenable's DNA with Nessus, right, with over 7 million downloads, we understand how to communicate to communities, we understand how to gain leverage, and we do think, as Nico highlighted, a Vuln is a Vuln is a Vuln, with our relationships that we've got back at that CECL level, that we'll be able to continue to drive this business at a very effective rate. We also picked up a bunch of great subject matter experts with Accurics. And so they will continue to help enable our selling organization and the customer base. So we feel fairly comfortable with this one.

Thanks. Great. Does having IDC in your CNAPP platform provide substantial differentiation for you? Who do you compete with there? I believe some vendors have invested to have a complete CNAPP platform. Others have not.

Okay. Nico here. I'll jump in. So the simple answer is no. We don't think IaC is a long -- scanning is a long-term differentiator. In fact, we think it's stable stake. So for us, it's an enabler, right? Because the idea is once you can scan the IaC, you actually can understand the infrastructure that is going to be deployed. So it allows us to understand the infrastructure on the left. What we do with that? Well, we bring all our know-how, right, all our knowledge, all our tools. Now we can find configuration another way. Now we can find access to our buy. We're going to find container and workload that are going to be deployed. We're going to go tandem before the deployment. So it's really an enabler. And by the way, what's kind of interesting is a lot of people are buying IaC scanning or building IaC scanning from formidable source. I think the missing point is -- these are vendors that started on the right, and I think they can just bolt on IaC scanning and they are done. The answer is actually you need to start on the left and then build the runtime security from the left because you need -- remember that context the guy sitting at the table, you need that context. You need that baseline because otherwise, you're going to have what we have today, which is a lot fatigue. If you want to know -- you only want to focus on what changes, we only want to focus on what's risky. So you want a risk assessment that baseline to come first before you can do effective on time security. So that's the way we naturally extend into CNAPP, right? And of course, there's a lot of classic even they are big, small, unicorns and the rest. But the eruption -- the disruption is you got a start on the left, and you got -- it's your anchor to your foundation. That's what we're doing with it.

So someone along the same lines. There are a number of ships left existing cloud and Kubernetes best-of-breed stand-alone players. How do you convince the market that you had the right solution approach?

So remember, right, you start on the left, right, because then we bring everything that Tenable does so well, right? A Vuln is a Vuln is a Vuln, right? And so, this has value because there's a premium on doing security for the cloud early, right? Because in production, it's too late. So now you're bringing the best of breed to the left, right? And then you drive this integration. With this integration, you remember we talked about the strength of the go-to-market, right, we're going to our base and basically giving -- telling him, you're one click away to do cloud security. And by the way, more than future-proof cloud security. Cloud security does that on the left. So it's that whole leverage, right? That's the way you compete. It's the go-to-market. It's the customer base, it's the trust, it's the know-how but on the left.

And taking it out of the silo, right? I mean it's not just -- yes, we've done on the left. But then through the life cycle of the application, the deployment, the drift, all the things that are, I'd say, uniquely tenable capability, best-in-breed capability in uniting those is just compelling.

Does Tenable need to be integrated into the DevOps developer tools or CICD pipeline in order to reach the developer audience versus traditional security professionals? How do you solve that tension between those 2 groups?

Absolutely. And this is why we bought Accurics, right? So first of all, buyer is the same. The buyer is still the safety buyer, it's the CECL. DevOps, however, is a very strong influencer. So you need to appeal to DevOps, you need to appeal to developers, right? So what Accurics brought to us was really and why we fell in love with Accurics, they bought really 2 fundamental things. First, they brought Terrascan. Developers, they love open source. Terrascan is one of the most successful open source projects around IaC scanning, 0.5 million download, I think plus actually, 100,000 developers adopted it. So developers, you want developers to love what you're doing. So the open source is super impotent. The second thing that's important, you don't want to ask these developers to come to CSPM counsel right, to go find the issue that they have to fix them. So what Accurics brought to us are all this integrations, integration in the Karmic repository, GitHub, Gitlab, integration in the pipeline, right, in the CICD pipeline, TERA, CircleCI, all these things. So now we have this integration, we can bring all the know-how, all the scanning capabilities to the left. So these 2 things are core, and that's why we acquired Accurics. We wanted that enablement.

Can you give more color on the go-to-market strategy for the IaC service and how you plan to shift left? Are you selling to DevOps or is the buyer similar to Corbion? Do you think the popularity of Nessus gives you any strategic advantage in terms of adoption?

Yes, I'll take that. And it's very similar to the question I had before, right? I don't think there's any question about it that -- this is definitely in our DNA. We know how to deal with all these massive communities. And we were going through this process, and we're evaluating Accurics in talking to our customers. A lot of our customers, especially at that CECL level, as I highlighted on, were now having a significant amount of input and responsibility, right? This was now significantly much on their radar screen. And so I think it's actually fits very, very well. With our go-to-market, I think it fits very well with the DNA of Tenable based on what we've done in that Nessus community, being ubiquitous and being everywhere. And I do think from a debt perspective, Tenable's got a lot of credibility. So I view it as something that is natural. There is some enablement and training that we need to do, but I think it's something very natural from a Tenable perspective, and aligns very well with our buyer, which to me is one of the most important things.

Do you envision Tenable CS deployed as a stand-alone solution or will it be typically added on with a Tenable IO purchase? How is it priced relative to Tenable IO? Lastly, can customers that still run Tenable SC also deploy Tenable CS?

Yes. All of our solutions, Tenable will continue to be sold as point solutions for a very specific use case. And Tenable CS recently recognized by Gartner on the CNAPP side or OT by the slides and the things that we highlighted earlier. We're recognized as best-in-class by almost every single analyst in just about every single segment that we operate in, right? We are very aggressively going after these market opportunities. But it's really that power. It's the power of that platform, the EP, the unifying the user and the directory services data insights and exposures with the understanding of what's happening in the Kubernetes in the cloud, in the DevOps environments, in the drift and tying all these things together in a way that is uniquely empowering Tenable to deliver differentiated insights to our customers a real understanding of how cyber risk operates and how exploits operate in the real world. So we want to bring that higher level of analytics and differentiation on top of best-in-class products, and you'll see us continue to do that.

How much of the $25 billion TAM can your products addressed today? And where do you need to make acquisitions to make a larger portion of those TAMs addressable?

Yes. We're able to address all of that TAMs. So if you look at, we cut back the size of the total identity market to that percentage, which we feel is addressable using for our current set of products and capabilities. The same thing on the identity and the cloud piece. So we have broadened our TAM. We have best-in-class capability to go after each of those specific TAMs and growth rates. So we're very excited, very confident in the addressable market that's in front of us right now.

How will the revised EP be priced with all of this new capability? Are you giving away too much value?

This is Steve, I'll take that. We have an asset-based pricing model. So when we include more capability in our exposure platform, keep in mind, that means we're covering more areas of the attack surface. And so since it has an asset-based pricing model, allows us to cover more areas of the attack surface. Today, EP includes Tenable IO, WAS, Container Security and Lumin, we're getting a 60% uplift in EP relative to standalone VM. As we add more capability to EP, our expectation is that asset counts go up, and consequently, so ASPs. So long term, what we could see is even more larger deals here with EP or EP itself since customers are allowed to use license assets among different asset classes could facilitate even more expansion within the customer base. So they're big bites or more expansion or a combination of both over the course of time.

Can we also get a little more color on how the core VM capabilities allow Tenable to compete effectively expanding into these new areas where there are stand-alone competitors?

I will take that one. So let me try to give you 3 answers to that. Answer number one, remember, all these products they are winners on their own. They are standalone. They're going win without a help. Number two, integration, right? Remember, a Vuln is a Vuln is a Vuln. These 3 types of vulnerabilities exist everywhere in all environments, right? So integration comes -- is really a huge value add for customers. I'll give you a couple of examples. OT, usually in our OT environment where you do security, you deploy a network device. And that network device will discover you OT assets and will find, it will detect threats. Well, guess what, we integrated our scanner, right? So we can find all this one in the same device. So integration adds value. Cloud is another example. Think for a second, if you are the container, right, and you have gazillions of containers. You want to see all these all in one place. You don't want to go to a console to find the software vaults and other console to find the access vaults and then another one, right, to find the configuration vaults. So that integration is a huge benefit for people. So integration, number two. Number three, it is the data, remember, today, security is silo. And the bad guys are taking advantage of it. What we're doing by bringing the data across the attack surface together is we're breaking the silos. And I promise you the next cloud attack will be because of Joe, not because the cloud assets is going to. I will compromise Joe, I will use AD vulnerabilities to become Mr. Super DevOps. They want some Mr. Super DevOps, I will go after your cloud asset through vulnerability. So that view, bringing the data together, right? I think it's the third argument. Again, something that if you don't have the data, you cannot do.

On M&A, which product areas are you looking to expand upon? Also, to be clear, is incremental M&A assumed at all in your long-term outlook?

Yes. Without going I guess, into specific, you have many targets and products, I can tell you that M&A is clearly part of our strategy. We love the organic development, the work that Nico and his team are doing. We also feel like we've made some great acquisitions that tied very closely to our strategy. We didn't go way out in the field. It's very closely aligned with our view of the world and our conviction and acquisitions, which create great leverage and alignment from a technology perspective, the ability for this portfolio to really drive leverage from a technology perspective for our customers and also leveraging go-to-market, right? They're aligned with our buyer and that core use case is still the same. Help me understand my cyber, help me understand what to do, how to better manage it and how to more efficiently reduce it and help me execute on that. So M&A is going to continue to be part of our strategy. That said, we didn't assume any benefits from future acquisitions in today's discussion and outlook.

Yes. I'll just add to that, which is -- as Amit mentioned, the outlook we gave today includes the current capabilities of the company, not future M&A and also the growth rate that we gave you, the 20% minimal growth, while we're shooting for 20% plus -- it's not a CAGR. So if we over deliver in 1 year, our expectation is we wouldn't come back and lower in the following year. So we feel really good, given the spending environment, given the expanded product portfolio and given the size of the opportunity, our ability to grow 20% plus over the course of time without any future M&A capability.

How should we think about the pace of your sales and marketing investments over the next 6 to 12 months?

Well, we talked about this on earnings calls earlier. During the pandemic last year when we had less visibility, we moderated the investments in sales and marketing. But at the start of the year, but -- what we mentioned is that we plan to add sales capacity, and we plan investments in sales and marketing. As we made our way throughout the year and growth has accelerated from 20% CCB growth in Q1 to 23% in Q2 to 25%. And we said more recently is that we are planning even more aggressive investment in the second half of the year. And this goes along with the increasing confidence and visibility that we have in the business. So we don't -- certainly don't want to undershoot the opportunity here with a lot of confidence in our business, our expectation is that we're going to continue to invest and help drive incremental growth.

Yes. And I'll just piggyback on Steve's comment, right, as I highlighted in my presentation, this is something where we are expanding into different countries and new opportunities and adding not just core capacity quota carriers, but also specialists quota carriers to improve our overall productivity and be able to get more technical wins. So definitely, from an investment perspective, adding go-to-market resources is top on the list. So going out...

Current gross margin is well above the long-term target. I assume the expected decline in gross margin is due to the increased investment in cloud infrastructure? Or is there more to it than that?

I'll take this one. Yes, we're very pleased with our gross margins. It was something we foreshadowed at the time of the IPO. Our gross margins were like 85% plus. We said, look, we expect Tenable IO, our cloud-based offering to represent a higher percentage of our total sales. I think it was 20% or so of our sales at the time of the IPO, maybe high teens. Today, it's well over 50% of our new sales. But even despite dramatic increases in the mix of business towards cloud, the gross margins haven't moderated all that much. And over the years, what we've done is a really good job spending up points of presence all around the globe. Initially, these are what we call semi-fixed costs as we go into new markets, there's an incremental cost. And then as we drive additional sales in those markets, they get fully absorbed over time. So there's been a lot of efficiencies here that we've been able to deliver over the course of time despite the expansion despite the higher mix of business. And so I think our gross margins have certainly exceeded expectations, and we're very pleased with them overall.

Can you help us think of the uptake for Tenable EP in recent quarters? If this is expected to be your primary go-to-market and flagship product in the coming years, can you talk to the current penetration of your enterprise customer base? I would think the platform help streamline, simplify the upsell and cross-sell of your portfolio to customers. Do you have evidence of this you'd be willing to share?

Yes. Listen, I'll take that. So we definitely have evidence, right? If you think about it, the cool and exciting things are still early in the journey for EP, right? So if you think the way EP is today, as Steve already highlighted, right, a 60% uplift from core VM, right? So that's outstanding from a financial perspective. But when you're going to look at it really within WAS, Container, Lumin from an EP perspective that was very limited. Now as we start integrating more of it, and we start talking about AD, we started talking about cloud security, this will be definitely a big part of our selling motion as all the things that we've highlighted throughout the presentation today absolutely is the way customers want to consume and buy the technology. It allows them to break down these different silos, not just from a technology perspective to make better security decisions but also enable them to buy and procure technology in a simpler, quicker, faster pace. So this will definitely be part of the go-to-market selling motion. It's something that we talk a lot about with the platform and are very, very excited at the prospects of EP. Thank you.

Great. And our last question for today is many enterprise software companies have struggled with delivering both growth and profitability. What are the pitfalls you watch out for and what gives you confidence you can continue to do both?

I'll take that. We have a history of balancing growth with profitability. And over the course of time, we've shown major leverage in the business. If you look at a couple of years ago, we're spending over 60% of our revenue in sales and marketing. We were burning cash, and we were not profitable. And over the last 24 months, we've improved the operating leverage by over, as I mentioned earlier, a whopping 20 points. And this is despite observing the cost of the acquisition. So we feel really good about the margin leverage in the business with 95% recurring revenue, 80% plus gross margins, high expansion rates, good levels of productivity our expectation is that we're going to continue to invest. We do know where we invest, there is a clear return. We generate -- we historically have delivered good achievement rates and participation rates. And -- but that's not the only point of leverage in sales and marketing more channel in business and more maturing sales force. So we've got a lot of confidence in the margin profile of the business. Our focus and certainly running for share, capturing more of that share and investing in the business, while we continue our march towards our target margins.

Great. Thank you all for your time today, and I will turn it over to Amit for final statements.

Great. Thanks for joining us today for our Investor Day. We're absolutely thrilled to be able to give you an update on our business and insight into our strategy and financial outlook. We continue to be the absolute best-in-class in VM, and we're particularly excited as we establish our leadership position in VM everywhere, inform me about my risk everywhere world. And we think we have a unique ability to do so. We hope you found today informative, and hope you have a wonderful holiday season. Thank you.