Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

May 23, 2022

NASDAQ US Information Technology Software conference_presentation 35 min

Earnings Call Speaker Segments

Douglas Bruehl

analyst
#1

All right. Good morning again. My name is Doug Bruehl, and I'm an associate on the software research team. With us, we have the privilege of hosting CEO and President, Amit Yoran; and CFO, Steve Vintz. So we'll do about 20 minutes of Q&A up here and then open the floor for the final 15 for any questions from the audience. So if you're listening live, you can submit the questions over the app. Otherwise, if you're in the room, just raise your hand.

Douglas Bruehl

analyst
#2

So for those not familiar with the Tenable story, can you give a brief overview of both the platform and the business?

Amit Yoran

executive
#3

Sure. I guess just a short version. Tenable is a cybersecurity company, very focused on answering the question, how at risk am I? How exposed am I? How secure am I? And so the core of the company started out in the vulnerability management market, discovering where you have assets, what those assets look like, how they're configured, what -- where they're vulnerable and exposed to and then have been expanding in and outside of traditional IT desktop server workstation to cloud-native workloads, cloud infrastructure to operational technologies to web applications to Active Directory and identity stores, all of which are instrumental to answering this question, how secure am I? How exposed am I? Am I exercising a good standard of care in my cybersecurity or behaving negligently?

Douglas Bruehl

analyst
#4

Great. Thank you for that. So moving on, can you give an overview of the Active Directory industry and why this could be an area of growth? And then part 2 of that question is how do you size that total opportunity?

Amit Yoran

executive
#5

Yes. So Active Directory, which is where all the machines and user information throughout an enterprise is typically stored, so Active Directory is used in over not -- well over 90% of the enterprises out there. And it is and has become target #1 for attackers, whether it's nation-state attackers, cybercriminals. If you look at any ransomware, over 80% of ransomware targets Active Directory. If you look at high-profile nation-state breaches like the Mania breach, those very specifically target Active Directory because one of the things you're trying to do is gain access broadly to the information that's of interest to you and/or also establishing persistence in the environment, so creating backdoors, creating long-term access in case your breach is discovered. And the primary mechanisms for doing both of those things -- for accomplishing both of those goals is through compromising Active Directory. Active Directory has been around a long time. It's -- in the enterprise, it's a complete mess. If you work for a large enterprise, if you work for a bank, there are probably tens or dozens of domains out there with all sorts of complex trust relationships. So the ability to audit that, the ability to determine where the configuration of that Active Directory environment is sloppy or could be exploited is significant and providing the ongoing monitoring for that Active Directory environment. Am I doing high-risk things? Or is there an indication of compromise? So it's an incredibly lucrative target for hackers. It is -- and controls the crown jewels of access into the enterprise even into cloud environments. And there is a great shortage of capability of software out there that can help you audit and assess the integrity of your Active Directory, which is to date, most enterprises, if they secure their Active Directory at all, it's through hiring a consultant to come in and do some sort of ad hoc assessment. 
So the ability to do this, do it definitively, do it in expert and machine-readable way and secure it from an ongoing perspective, we think, is a tremendous market opportunity and aligns very well with our core buyer. The team that's managing vulnerabilities that's assessing risk for the enterprise, for them to also assess Active Directory and the accounts and accesses and privileges associated with those accounts in Active Directory, really goes hand in glove with assessing cyber risk.

Douglas Bruehl

analyst
#6

Makes sense. So shifting gears a bit. Can you talk about your go-to-market strategy and how that has evolved over time?

Amit Yoran

executive
#7

Hey, Steve. Do you want to...

Stephen Vintz

executive
#8

Sure. Sales and marketing is a big area of investment for us, and we've done a good job over the years going into new markets and then penetrating those markets and going deeper in those markets. Years ago, we had a handful of sellers selling in 4 countries. And today, we have feet on the street in approximately 35 and we transact sales in 160. We're new in major sectors of the economy. We feel like we're just getting started in many respects, such as Middle East and maybe Brazil, Japan and India. So we've done a good job really investing. And our growth, if you look at it over the past couple of quarters, has accelerated notably from 20% in Q1, 23% in Q2, 25% in Q3, 29% in Q4, now 31% CCB growth in Q1. That goes hand-in-hand with the investment in go-to-market but also our ability to drive higher levels of productivity with a broader product portfolio that we're selling now as a result, which we can talk more about. Not to be underlooked or overlooked, should I say, is Nessus. Nessus is one of the most ubiquitous products in security. There's been 2 million downloads of our free version of Nessus over the years, which represents almost the sum total of all security professionals in the world. And then there's also a paid version of Nessus. It's a cost-effective on-ramp to a larger platform [ tell ]. It creates a flywheel effect into the enterprise, and it gives us a cost-effective way to go to market.

Douglas Bruehl

analyst
#9

Great. Thank you. So there seems to be a lot of language lately about protecting OT environments. So have you seen a significant uptick in the interest for Tenable.ot?

Amit Yoran

executive
#10

We have. It is -- so Tenable.ot for operational technologies, so think of the computers which operate control systems, so oil and gas pipelines, manufacturing, automated inventory management, power, energy, production, transmission, distribution. All of these infrastructures are computer controlled at this point, and they use very specific controllers produced by Siemens, Rockwell or what have you. And these are very sensitive systems. They're typically tightly controlled. And you have to assess them, they operate very differently. You have to assess them very differently than you do general-purpose IT. So we launched an OT security cybersecurity product about 2 years ago, and we're seeing a tremendous amount of momentum there. Similar to our Active Directory technology, we think it's a very natural alignment with our core buyer and our core use case, our core go-to-market motions. We also think we have significantly differentiated capability where everyone of these environments, every factory floor, is not just control system operated. There are combinations of OT and IT, which are completely integrated in these environments and required to operate securely. So if you think of a high-profile breach like Colonial Pipeline or JBS, the meatpacking breach last year, their operations were shut down not because of an attack on the OT environment. It was the integration of OT and IT that was a compromise ultimately that affected their Active Directory and their IT environment that caused them to decide to shut -- out of an abundance of caution to shut down the pipeline. And so we are the only company with this type of significant capability to look at and assess IT and OT in a combined way, and we're seeing tremendous momentum and believe in the long-term opportunity in that OT market is tremendous.

Douglas Bruehl

analyst
#11

Got it. Then sort of high level, what differentiates you from other SaaS security platforms in this market?

Amit Yoran

executive
#12

So from a SaaS security perspective, we're -- our view is that there's a lot of companies -- so we grew out of vulnerability. We've been doing vulnerability management, security assessment using software for 20-plus years. We're the leader in that market by every dimension and every measure. There are increasingly critical areas of computer critical areas where software is used, which folks are developing assessment technologies for. So looking at containers and assessing the security of containers, looking at your cloud, your cloud infrastructure configuration, looking at the integrity of virtual machines, of OT technologies, of Active Directory and identity stores, as we talked about earlier. We're the only platform approach to assessing cyber risk. And we think it's absolutely critical to assess in this platform-based approach. It's not just -- you can't assess the cyber risk of the enterprise by simply looking at your vulnerability-scanning information. That's a good start. You can't identify exposures looking at your identity in isolation because a lot of attacks, a lot of campaigns go across these data sets. The Colonial Pipeline, again, as an example, it was identity and IT, which impacted ultimately OT and the risk to the enterprise. So having these types of holistic approaches to assessing cyber risk, we think, is critical. And we're really the only platform-based approach to assessing cyber risk.

Douglas Bruehl

analyst
#13

All right. Then turning to financials. So your enterprise platform customer count grew a little over 15% last year. Do you view this as a sustainable number? And if not, what do you think that sort of falls to?

Stephen Vintz

executive
#14

Yes. The mix between pipeline opportunities can vary between large and small deals, between new and renewal business/upsell. So overall, we're very pleased with the performance of the company. As I mentioned earlier, growth has accelerated from 20% in Q1 of last year to a 31% CCB growth this year. If you look at the most recent quarter, we added over 450 new enterprise platform customers, added 17 net new 6-figure customers. Years ago, it was only a handful of customers who had -- were spending over 6 figures with us. And today, that's well over 1,100. So over the years, we've done a good job as we've gone to market, investing in sales and distribution, transacting larger deals. And we're very pleased with our performance over the years. This most recent quarter, we saw a strong performance from customers that were spending over 600 -- over $100,000 with us where they were adding to their license counts, which doesn't necessarily show in the 6-figure deal. So we don't optimize -- no one metric is kind of the definitive metric for us. It's new customers, large deals, things like net dollar expansion rate, all that stuff tells a really important story. And we've done a great job closing larger deals. And that also corresponds with the broader product portfolio, as Amit mentioned, and also the Exposure platform, which we launched in Q1 of last year, where customers get different asset types and are allowed to look at and cover various assets. We identify various asset types and assess vulnerabilities. And when we sell EP, it comes with a 60% uplift, so EP is a great catalyst of helping us transact larger deals. And no one quarter is really definitive in its own right, so we feel good about our ability to close deals and close large deals.

Douglas Bruehl

analyst
#15

Great. And we've seen within cybersecurity a lot of companies taking a stab at public cloud security. Can you talk about your increased investment in public cloud infrastructure? And then how does this affect margins in the near term? And then what is the final longer-term opportunity?

Amit Yoran

executive
#16

I'll talk maybe just a little bit about our approach to cloud security because we think we have a compelling story to tell for our existing customers and our existing use case, which is help me understand my cyber risk. They've historically lacked the visibility into that cloud-based infrastructure that they've had in traditional environments. So we produce and deliver cloud-native connectors for existing customers, which give them through the native APIs of these infrastructures visibility into all of the virtual machines, containers, usage of storage and compute in these cloud environments and allow them to natively assess where these environments are vulnerable to known exploits where the configuration of these systems varies from their corporate standard or from best practices. And in recent periods, have expanded that to go all the way to the far right, meaning when these systems are out and operational, how do they vary from the gold image over time, which can introduce and represent significant risk. And we've also continued to shift left. So integrating into CI/CD pipelines, helping folks understand when they check in code, what is the infrastructure that will be produced to run that code, whether that complies with corporate practices, best practices, known vulnerabilities. And so we're really on the leading edge of full soup-to-nuts capability of understanding cloud security from build through run time, but also how that risk relates to other cyber risks. So a developer is coming in from a vulnerable system, they have a high degree of access and privilege, and they're accessing certain things in the cloud environment, which are more or less critical or more or less exposed. So then, having a holistic understanding of across the life cycle of cloud but also how it relates to the broader enterprise, we think, is critical, and we're seeing great momentum there.

Stephen Vintz

executive
#17

And on the investment side, we've been investing in 2 things: number one, broader asset coverage routes, as Amit mentioned, is in vulnerability management, discovering and assessing vulnerabilities, more so years ago in traditional assets. And then over the years, we've been investing in new asset types, whether it's web applications, cloud security, which includes both pre and post production, as Amit talked about, external asset management, so both organically and inorganically. So I think the best way to think about us in terms of breadth and depth, breadth in terms of discovering all these different asset types in your compute environment, whether it's on-prem, in the cloud, whether it's traditional or even modern asset types, and then going deeper in terms of analytics. And one of our active more recent acquisitions is APA. So we're going to be launching a more expansive set of analytics in the second half of the year. I believe we're very early in our journey on the analytics side, our journey in with regard to monetizing the data that we're capturing, which is very sizable, capturing all these different falls across all these different asset types. We have third-party threat data and then also taking the exposures in -- on Active Directory environments and identities and then also kind of connecting all the dots on that and providing visualization and attack path back to customers. So we're pretty excited about the analytics and the telemetry and the insight we can provide our customers with regard to risk.

Douglas Bruehl

analyst
#18

All right. So I want to shift to the threat environment for a minute. So given the rising geopolitical tensions, particularly in Ukraine, Russia, and given that many advanced persistent threats come from either nation-states or groups that are sanctioned by nation-states, how do large enterprises like a Colonial who may be the target for widespread disruption think about managing their vulnerabilities in this sort of new geopolitical reality?

Amit Yoran

executive
#19

Yes. I think you've got a number of interesting points there. The first is that despite their misnomer, despite all the high-profile bogeyman images, which come to mind around advanced persistent threats, around nation-states, the truth of the matter is a vast super majority of these attacks and exploits occur using simple techniques going against well-known vulnerabilities. Less than 10% of the APT breaches, the high-profile breaches, are occurring because of some zero-day exploit, some vulnerability, which wasn't known about. 90-plus percent of these are coming from known vulnerabilities to which patches are readily available, the system owner and operator just didn't assess for -- didn't assess, didn't determine they had this vulnerability nor bother applying the patch. So the -- and so this is so much so the case such that every single week, the Cybersecurity and Infrastructure Security Agency, CISA, within DHS, FBI, NSA, GCHQ in the U.K., week in, week out are publishing advisories to critical infrastructures in the U.S. and abroad saying, these are the known techniques. This is the known exploit set -- vulnerability exploit set that's being used by Russia, North Korea, China, Iran. So that type of marketing, from our perspective, are recognition from government and authoritative sources that vulnerability management is absolutely critical to and fundamental to cybersecurity. It's one of the reasons why vulnerability management is, in some cases, number one, but in just about every CISO, Chief Information Security Officer, survey, you're seeing vulnerability management is priority 1, 2 or 3, almost without exception. If you look outside of, hey, this is the right thing to do from a security perspective, whether you're dealing with ransomware or whether you're dealing with nation-state actors, if you look at the regulatory framework, vulnerability management is absolutely critical. There's some draft guidelines put out by SEC out for comment right now. 
I think it closes in the next couple of weeks, that would mandate public company disclosure of the processes and systems that they have in place to assess cyber risk, breach disclosures already, regulation and interpretation happening by CISA, but also requiring some level of cyber expertise or at least the disclosure of cyber expertise that might exist on their Board of Directors. So vulnerability management, we think, is absolutely critical to the regulatory legal environment. It's absolutely critical to foundational cybersecurity today. And every single measure and data point tells us that, which is why we're seeing great prioritization being put on vulnerability management by CISOs.

Douglas Bruehl

analyst
#20

Okay. Great. And then before we jump into the Q&A, is there anything we haven't covered so far that you would like investors, either current or potential, to understand about Tenable?

Amit Yoran

executive
#21

I think just at our core, we've always been a balanced grower. We've achieved Rule of 40. Steve has gone on record recently saying we're going to and drive it toward being a Rule of 50 company. We've never been a grow-at-all-cost company. The company is extremely capital efficient, went from -- literally from startup through IPO with 0 institutional venture capital invested. We've got a very compelling business model with high recurring revenue, high margin, high gross customer renewal, high expansion, net dollar renewal growth rate within customers, very cost effective in our customer acquisition costs, all of which combined to be just a very compelling business model, especially in this environment.

Stephen Vintz

executive
#22

Yes. And I'll just further illustrate, we'll do over $700 million in sales and CCB, about approximately $675 million in revenue this year, and we don't guide unlevered free cash flow. But I think analysts are -- I think JPMorgan's estimating comp at $90 million plus. We have 95% recurring revenue, 80% plus gross margins, and we have very high net dollar -- growth in net dollar renewal rates. So I feel really good about our ability to continue to walk up the cash flows of the business in a very healthy way.

Douglas Bruehl

analyst
#23

All right. Thank you both. So we have a question submitted electronically about the Log4j exploit. So is there a short-term remediation to this? Or is it going to be a prolonged exercise in ID-ing and removing the issue?

Amit Yoran

executive
#24

I think this is a great example of an exploit that's pervasive that's going to be with us for a long time. Exploit code is already available out in the wild, and we're seeing it being taken advantage of. As we look at systems, we believe that 40% of enterprises still have significant exposure to Log4j. Not only even if you fix the direct infrastructure where you've deployed Log4j, it's embedded in so many pieces of software for which updates are not yet -- have not yet been published nor yet deployed. So we think this can be an ongoing cycle. A great example of why prioritization, understanding where you have exposure, being able to either mitigate through configurations, compensating controls, is critical to op -- secure operations.

Douglas Bruehl

analyst
#25

Okay. So do we have any questions from...

Unknown Attendee

attendee
#26

What's your current mix of North American revenue versus international? And where do you think that it is going to change in the next 2 years from now?

Stephen Vintz

executive
#27

International for us represents about 30% of our total revenues, a little more. And I think long term, it can be 45%. As I mentioned, this business is very global, and we're very early in our journey, not only in the Americas, North America in particular, but also in EMEA and APAC. And we're seeing a very strong demand. And as I mentioned earlier, certain sectors of the economy, like within EMEA, I know there's concerns about a recession. But we feel really good about security budgets. We think they're defensible. And we think VM is a top spending priority, so we're going to continue to make investments, do it in a very balanced way, as Amit mentioned earlier. And that will be a big area of focus. But the growth rate internationally has always been slightly higher than North America just because the markets are less mature and still so early.

Douglas Bruehl

analyst
#28

Amit, maybe you could talk about your shift-left strategy with Accurics and how it positions you versus Palo Alto and Microsoft-GitHub combination.

Amit Yoran

executive
#29

Yes. We feel very good about our differentiation in core VM and that understanding of how to assess systems for risk, which has developed and matured over the course of 20 years across tens of thousands of organizations of all types. With Accurics, which is an acquisition that we closed in Q4 of last year, that's the -- was a market leader in assessing infrastructure as code. So that's the -- when I talk about integrating into CI/CD pipeline, looking at code as it's checked in, software developers these days instead of waiting for virtual machines to be stood up from IT are now defining what the virtual infrastructure will look like within cloud environments in the code itself. And as you might imagine, it's extremely efficient for the developer and for the enterprise for adding new capability, making sure the infrastructure can meet the requirements of the software that's running on it. But it is terrifying to the security teams and controls that used to be in place in traditional IT but also in first-generation cloud. By integrating into a CI/CD pipeline, we can see what the code will look like. We can assess it across best practices. We've got over 1,500 defined policies -- templated policies that organizations can leverage within assessing the infrastructure as good. We're also one of the only companies that produce remediation code at check-in time. So you check in a piece of code, the pipeline says, hey, this is going to violate corporate policy or security policy or best practice. And oh, by the way, here's the alternative remediation as code that you can check in instead. Use this line instead of that line. We think it's a compelling differentiator. There's really only one other company out there that we feel can do this at scale and efficiently. 
And we're integrating that understanding with our ability to assess not just the infrastructure's code but the virtual machines and the containers you have out there and their variants from their drift from gold image. So again, going soup to nuts, we feel like we're the only integrated approach. So Palo is a great example, has made several acquisitions in this space. They're still being brought to market. They're being sold under a common brand but still very separately licensed and disjointed, unintegrated capabilities. We have that only elegant sort of workflow across the entire life cycle of cloud for our customers. We think it's a key differentiator. Going forward, we think that remediation, this code understanding, will allow us to define security policy as code, enforcement as code, and just open up a lot of doors in the cloud environment because it's a blank canvas that weren't available to us in traditional enterprise on-prem IT environments.

Unknown Attendee

attendee
#30

Can you just talk about your role in remediation in production and live environments? Is there more of an opportunity to be -- for you to be more involved? I mean you talked about Log4j as very prevalent in the environment still. Can you be more active in -- whether it be patch management or somewhere else in remediation?

Amit Yoran

executive
#31

Yes. It's something that we've looked at and continue to look at very closely. And it is not a one size fits all. So in traditional IT, that window has not been open to us. There's a terrific set of partnerships through integration with things like SCCM, through things like BigFix. Many large enterprises -- most large enterprises have already made strategic decisions on their configuration management software, the controls, the processes that they have around patch management or change in configurations. And the teams which are responsible for assessing vulnerabilities and risks do not have control over desktop configuration, server configuration, application-level changes. So we've shied away from and for the foreseeable future believe we will continue to look at partnership opportunities in those spaces. In other areas, like Active Directory perhaps, like cloud-based environments, infrastructure as code, which are moving in a much more dynamic way, there are not established enterprise bets, which have been made. There are not the same series of controls and processes that exist in traditional IT. And there, we have a much broader purview willingness to engage with folks to make those changes at code time or at run time that we might not have had in traditional on-prem IT. So that's the approach that we're taking. We feel great about our ability to expand as customer use of technology changes. Ultimately, we believe that critical place where we sit in the CI/CD pipeline and in the Git repositories will enable us to expand. More things will be controlled through Git-centric operations. People will take their identities, their directory service stores, and they will control them through a Git-centric activity. New employee comes onboard, okay, great. Let me provision it. Let me do this. Let me do that. Those are all going to become Git-centric operations.
And our ability, including the on-prem -- controlling on-prem technology, so we think that is a strategic piece of real estate that we'll now sit on that will naturally allow us to expand in exciting ways.

Unknown Attendee

attendee
#32

Guys, appreciate the time today. I wanted to ask kind of a big picture question about the last few years and looking a few years forward, right? When we were -- you guys were kind of pressured out of the gate from the IPO. And there were a lot of investors, I think, who were looking at the company and saying, "Hey, this looks like you have this clear leadership position in the VM market," but it feels like it could be too narrow of a category, right? Growth was decelerating somewhat. Margins were still negative. And now we fast forward to today and the business is reaccelerating on the top line. Margins are nicely positive. You've got great cash flow. And it just feels like things are kind of moving in the right direction across the board. And I wonder if you could just kind of summarize for us how you're thinking about that kind of inflection, whether that's been driven by the broader product set that you have with the Exposure platform, whether it's kind of a change in the demand environment, if there's some things that you've done differently from a management standpoint or -- just what factors have influenced that to kind of drive especially these great results we've seen over the past few quarters?

Amit Yoran

executive
#33

It's a great question. At its core, rewinding back even to the time of the IPO, we were very certain in our strategy. VM [ mark ] was under -- estimates were far low -- far lower in terms of market size, in terms of market growth rate than our belief in our assessment based on looking at our own data and our own customer behavior. And that we weren't going to broaden outside of VM to go after managed security services and logging infrastructure and some products in EDR and other things out there. We felt like this -- answering this strategic question, how secure am I, how at risk am I, was the right approach. And we would naturally expand with our customers from core IT to some of these other asset types, whether it's identities, operational technologies, cloud-based infrastructures, environments and lots of others, which we are not yet engaged in. So I think the confidence exists or continues to grow that this is arguably the most strategic question being asked in cybersecurity today, meaning it's being asked by the Board of Directors, the Audit Risk Committee, the CEO. And that we have the leadership position and can apply our experience and knowledge of how vulnerabilities work, of how exploits work, across these different asset types. So for us, I think it's the strategic importance of the question that we're answering and the fact that our focus on answering this in a differentiated way across a broader set of concerns for our customers is leading them to decide that Tenable is the right strategic partner for me.

Douglas Bruehl

analyst
#34

Great. So unfortunately, we are out of time now. But Amit, Steve, thank you so much for being here today. And we look forward to seeing you succeed.

Amit Yoran

executive
#35

Thank you.

Stephen Vintz

executive
#36

Thank you, Doug.
