Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

[Audio Gap] TMT Conference. This morning, we have the pleasure of having the team from Tenable. We have Amit Yoran, CEO; as well as Steve Vintz, CFO of Tenable. Before I begin, just a brief programming note for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/disclosures. With that, Amit, Steve, thank you so much for being here today.

Great. Thanks for having us.

All right. So I wanted to just talk a little bit about the evolution of Tenable in the last couple of years to level up the conversation. So it started off in core vulnerability management. You've added a number of use cases, and now you've got this Tenable One platform. Walk us through that. Why is it such a different company than it was when you IPO-ed back then?

Yes. I would say the vision has been consistent. Our ability to execute on that vision has continued to evolve. So if you rewind the clock back 5, 6 years, we were one of 3 leaders in the vulnerability management space. We're the only one who thought that this is a space worth investing in, larger market opportunity, larger potential, higher growth rates than a lot of analysts had anticipated or were projecting. So we invested heavily in VM, spending more in R&D than our primary competitors combined, doing that over the course of multiple years, just leads to a quantitatively and qualitatively different experience for our customers. Our vision -- and now I think at this point, we're kind of the undisputed leader in VM by just about any metric, size, growth, customers, coverage of -- so our vision was not just to help customers determine where they have vulnerabilities and where there are regulatory drivers to have a VM program, but to really help enterprises understand what their level of cyber risk looks like. And so if you look at enterprise use of technology over the last few years, it's changed dramatically. It's not just desktop servers, workstation, there's cloud-based infrastructure. There's different types of identity environments. There are operational technologies. There are all sorts of different use cases and applications of technology, which have introduced risk to their enterprise environment, but they haven't been able to get their arms around. So through combinations of organic development and acquisitions that we've made, we've brought together market-leading capabilities in a growing number of these different asset types to help customers assess for vulnerabilities, exposures and risks in those areas. What we're most excited about is the recent launch, a quarter or 2 ago of our enterprise platform, Tenable One, which brings the data from these different products into a unified data lake. And we're now enabling all sorts of analytics on top of each product area, which make our capabilities much more compelling on the number of fronts. It's a very long-winded answer, but it's worth that I assure you. The first is we can deliver insights that other products can't. Other folks can assess cloud security. We have market-leading capability from infrastructures code, assessing assets, CSPM, cloud security posture management. Other folks can do that. We think we do it better. We think we do it best for a number of reasons. But you can't assess the integrity of your cloud environment unless you also understand the permission sets of the folks connecting to that cloud environment because the cloud might be configured securely. But my DevOps person is connecting and has escalated a privilege level that he or she doesn't need. And by the way, they're coming from a system that's totally hosed. And that combination of things is a formula for catastrophe. If you look at the last past breach over the last couple of weeks, that's exactly what happened. So even if their CSPM said you're great, unless they have this platform-based approach to understanding cyber risk, they wouldn't have been able to see things like that.

Got it. Got it. We're going to have to get you a bigger room next year. So sorry about that. I definitely want to dig into the product in the market. Maybe just shifting to you, Steve, on macro, which everyone is worried about. Tenable has fairly short sales cycles, I think, 4 months on average. You were one of the first security companies to call out, hey, this macro is getting a little bit tougher, right? There's more scrutiny. This was the June quarter. And then that sort of consisted -- or it was persistent, excuse me, throughout the back half of last year. What have you seen in the last 3 months that has perhaps encouraged you on the macro? Has it changed your view at all? Any color on that?

Sure. And if you recall in Q2, we had just come off of one of our best growth quarters as a public company. We grew CCB over 30%. And then going into Q2, we felt pipelines were healthy and other things. But in the last couple of weeks of the June quarter, we saw more levels of review, more levels of scrutiny. Obviously, interest rates are starting to creep higher. There's concerns about a long and protracted recession, et cetera. And so we saw that specifically in Europe. And I've been doing this for a long time, a CFO of a public company. So when you see -- start to see something like that, you can't assume it's isolated. You have to assume that it's going to be more pervasive. So we took what we saw in the last couple of weeks of June, and we extrapolated it out over the rest of our business and did not lower guidance, but didn't raise guidance. And going into the second half of the year, we saw things stabilize quite a bit. Yes, there were more levels of review, more scrutiny. But the big takeaway for us is that I think we've done a really good job learning where to hunt. Demand is not monolithic in the business, and we transact sales in 160 countries. We have feet on the street in 35, right? We sell not only domestically but abroad, lots of different verticals. And one of the things that we've learned is that sometimes like things like tech telecom, financial services, energy tend to have higher close rates. Larger, more established companies have more cybersecurity programs. They tend to have higher close rates. When we MEDDPIC an opportunity, which is kind of a sales framework, and spend a lot of time on our largest opportunities, close rates tend to go higher when we go to a POV. So I think our sales team has done a great job adapting to this new environment. understanding where to have success. And we're really pleased with our execution over the last couple of quarters. And obviously, this market is very dynamic. Things can change from week-to-week and month-to-month, each quarter is different. But I think we feel really good about where we are, and the guidance that we gave on our last earnings call.

The only thing I would add to that is our platform-based approach, I wouldn't say that market is a tailwind for us, but it certainly allows us to play to our strength. So for instance, if we're helping an enterprise assess 70,000 assets in their VM program, we can now expand into their cloud environment, and they're buying from asset 70,001 to asset 90,000. It's far more cost-effective and far greater leverage for them as they consider vendor consolidation versus going out and procuring a separate product to assess cloud with, again, starting at a much higher price per asset point.

Got it. Talk a little bit about the vendor consolidation. I mean Tenable has got a lot of use cases now in their Tenable One platform. What's the appetite around that?

Well, we're seeing a lot of momentum. So we -- what we've said is that we now have -- so we've got about 45,000 customers, about 7,000 of which are on our enterprise platforms. We have -- about 10% of that are customers that are already on Tenable One. So we used to sell a bundling of licenses over the last couple of years in different forms. We've now actually migrated all of those customers on to the Tenable One platform. About half of the Tenable One customers that we see are new lands. So we're able to land with this new platform message, vision and experience. And that's super exciting on a number of fronts. One is we're seeing the shortest sales cycle of all of our products with the platform sale. We're seeing the largest ASPs of all of our products on the platform sale, it's probably not surprising. And we're seeing the highest competitive win rates. So we're able to have those most -- more strategic conversations, and they're really resonating. The other half of our Tenable One sales are coming to us from existing customers that are already using us for VM or for Active Directory or for cloud security and at renewal time are flipping to the Tenable One approach because they have better analytics around their existing product. We can now do attack path analytics on top of their VM solution. We can give them asset inventory capability on Tenable One. They have to go out and procure a separate asset inventory technology or CMDB, if you will. So we're able to provide differentiated analytics and the ability to expand licenses. So I think over time, we'll see more and more of the existing customer base move to -- toward Tenable One, which, of course, has higher ASPs and price per assets.

Got it. And I think, Steve, you talked about a 70% ASP uplift when a customer moves from the standalone VM to Tenable One. Curious, just from a capability standpoint, what is the incremental services that are being offered? And how is it different from the prior iteration to the Tenable.ep? Because I think the uplift there was a little bit less. Yes.

Talk about the capability of Tenable One, and I'll chime in.

Yes. So when you buy or when we're assessing an asset through Tenable One instead of VM, we're providing additional insights on that asset, its asset criticality rating, so not just is it vulnerable, but how important is this thing, what type of thing it is, how does it fit in your environment. We also enable analytics that aren't available in a traditional VM program. So if you look at benchmarking, it is a great example. If I'm a CEO, if I'm an audit and risk committee member, if I'm a CIO, this question how at risk am I, am I exercising a good standard of care with my IT systems? Am I being negligent? Ultimately, from a legal perspective, is best answered relative to a benchmark. I'm at the top quartile of my peer group, large enterprises -- large manufacturing enterprises, global financial institutions or regional retailers. If we can give them an answer that says you're at the top quartile, you're at the bottom 17%, that becomes very compelling. If we're able to show them the paths from externally discovered what is Internet Facing to this critical internal resource, it's not just, okay, it's not externally facing, but what are the combinations of systems and vulnerabilities, which could get an adversary from the outside to my accounting systems or to my code repos. That's important, and how do they apply -- where do they apply compensating controls. So when they buy from Tenable One or when they buy the license through Tenable One, there's all sorts of enhanced analytics for them as well as the ability to combine these data sets, not only for unified reporting, but analytics that really continue to differentiate themselves.

And well, in terms of the uplift, the 70% uplift, we have an asset-based pricing model. So with Tenable One, we are covering more areas of the attack surfaces that Amit mentioned, whether it's web application, cloud security, identity via Active Directory, even external Internet Facing Assets. So it's an asset-based pricing model. We've got a higher price per asset. Now when you buy Tenable One, it's actually cheaper to buy Tenable One on a price per asset basis than it is to kind of cobble together these products individually via a bundle. So it delivers much deeper, richer insights to customers. And some of the things that Amit talked about, which is consolidation of vendor spend, building better interlock among cyber security functions. It's what's really resonating with customers in addition to more so understanding their risk.

So one of the things I used to hear from maybe investors who were less optimistic about Tenable One's growth prospects or Tenable growth prospects, excuse me, is look, fine, this is an important solution, but in the market, based on industry estimates of maybe $4 billion to $5 billion. And there are a lot of competitors, there's open-source alternative. But the penetration rate for your service is still very low, both from a customer and an asset perspective. When you look at your installed base, what percentage of assets are your customers even covering with a solution like Tenable?

Yes. Even in VM, which so many -- people are shocked when they look at the data and they see how underpenetrated the VM market is because it is -- I mean it's no-brainer. It is a no-brainer. Like how can you operate into these environment? We see about 30% of our VM sales coming to us from complete greenfield. They're not using us. They're not using any other VM solution. They're relying on an annual audit from a consultant or some other solution is their assessment of enterprise risk, which is -- I don't call it negligent, but it's just asinine to do in today's environment, knowing how dependent on IT systems modern companies are. So there's lots of greenfield. It remains consistent at about 30%. We feel like we also have the ability to do competitive takeaways. And we're very transparent about how many new logos we're landing on our enterprise platforms every single quarter, time of IPO was trying to get to and then stabilizing around 300 now over the last couple of quarters, it's been closer to 500 -- over 500 this past quarter. So there's a lot of greenfield, there's a lot of room for expansion. And the existing account base is underpenetrated, it's ballpark that 50% of their assets that they're assessing from a vulnerability perspective, when you start looking at the cloud-based environments, where developers are throwing things into cloud environments in Wild West fashion, it is far lower. When you look at the number of folks that understand their risk around Active Directory and understand that we can help them there, it is far lower. So our ability to expand in the existing account base leaves us with rate cause for optimism.

And Steve, anything you've seen from a pricing perspective, like has price per asset is stable? Has it been increasing, like-for-like without the bundling?

We haven't seen any changes in either competitive or market dynamics that includes pricing. So we've -- I think we have good pricing leverage. We passed on price increases each year with customers. So there is an incentive for customers to do longer-term deals. Our average contract term is about 15 months, really hasn't changed month-to-month much. But if customers want to do -- have a right lock, then they'll do a 3-year prepaid deal. But a lot of it's annual prepaid subscriptions, and there really hasn't been a lot of change there in that regard.

Got it. I want to ask one more question, and then I'll open up to audience Q&A. I mean you were on a TV recently, and talking about AI. And AI is not necessarily new in cybersecurity, but the mainstream adoption of these new generative AI models is certainly in the consciousness more than it ever has been. And you mentioned being clarified as a prospect from the adversary perspective. So how do you see AI changing the threat landscape in general? And how is Tenable helping to solve that problem?

Yes. So at Tenable, we use AI in a number of different ways, determining which pieces of software might have vulnerabilities, determining which of the tens of thousands of vulnerabilities discovered each and every year are actually exploitable. It's actually an amazingly small number. And so making sure that we're spending our R&D dollars and focusing our customers on the things that matter most to them. And then also a bunch of data science and modeling around what these things mean from a risk perspective [Audio Gap] great use of AI. There are a lot of horrible uses for AI in the cyber world. And in particular, if you look at phishing, everybody gets all these scam messages. There is a concept called spear phishing where someone may spend weeks or months researching an organization and an org chart and an individual and build a scam that is very specific, directed and targeted towards them. And when you see a lot of attacks against whether it's government agencies or large enterprises, you see these very sophisticated spear phishing campaigns. When you look at something like AI, which can take incredibly large data sets, which can ingest everything that's ever been published about you and your family and your business relationships and your company and ingest those things and process them in ways to develop these highly targeted campaigns with laser effectiveness and efficiency at great scale and speed, I think you can look at whether it's through spear phishing, through detecting and determining exploits in software and in gaps between different pieces of middleware and applications, I think the threat use cases for AI, we'll see those leveraged and leaking a lot more havoc before we see effective general-purpose AI helping people protect themselves.

Any questions from the audience? We've got one here.

Thanks for sharing everything, it is interesting. M&A, inorganic growth. I think you guys have a nice cash position improved last year. I know you've done a couple of smaller deals, but given macro and where the market is, do you plan to do more? And where would that be, broadly speaking?

We do. We think this tough environment will create opportunities from us -- for us from an M&A perspective that might not have been reachable in previous periods and previous market conditions. It takes some time for some of the public valuations to work their way down to the private companies. You have to wait for those private companies to realize they have to raise additional funds and test the waters and see what kind of terms those fundraisers would occur with and so that frequently warms them up to looking at alternatives and opportunities and being much more realistic about valuation. So we're definitely -- we've been active. We definitely remain and intend to remain active and look -- you're not going to see us move dramatically outside of our vision for cyber exposure. And that allows us to create great leverage from a research and development perspective when we look for exploitability and understanding how exploits work. That is -- that research can be leveraged across all of our different product lines. When you look at our platform and the analytics available, each of our individual products can leverage the analytics in our platform. So we want to make sure that we're creating leverage from a go-to-market perspective, from a technology perspective. And of course, Steve, over the last couple of calls has made some pretty strong commitments from an unlevered free cash flow perspective -- you guys might not have noticed -- to investors. And so we will make sure that we are not doing things that would distract from the commitments that we've made.

Two quick questions. One is Tenable One on the financial model. Is it accretive to net new ARR growth and margins? Or is it just sort of offsetting some other products that's falling away? And could you talk about cyber insurance and if that's the growth driver of our business?

Sure. I'll take the first one. Our gross -- our margins on Tenable One are very attractive. They are the same, if not better in some cases. So that's one thing I want to make very clear. We did talk about -- there is -- over the years, as we've talked about the evolution of this company. We have evolved the product portfolio and become much more strategically relevant to our customers and expand it from having a singular focus on VM to one that now assesses risk holistically, and we play in much larger markets with regard like cloud security, identity security, analytics. Those are the 3 top spending priorities with CSOs, and that's exactly what Tenable One addresses. So we're seeing great momentum there. . We did talk about some contraction in the gross margin. This is investment that we're making out of the gate. It's not, any way, it's not tied to gross margins of Tenable One. So the investment is we're launching a more expansive set of analytics. We just recently launched attack path analysis, which connects [ falls ] and threats, identities and all those things and graphically depicts the likely path of exploit. Those are -- I'll characterize as semi-fixed costs that we are coming ahead of the revenue that we expect to generate with APA, with a premium price version of Tenable One. So that's more temporary than anything else. And we said, long term, we expect our gross margins to be high 70%, low 80% range. We said this at the time of IPO, we continue to reiterate this, and we feel good about our gross margins. But the gross margins on Tenable One are very compelling.

On the insurance side, I think that there's been the promise of cyber insurance or insurance really influencing and enhancing how people think about cyber for a long time. We came out with a report 3 weeks ago -- 3 or 4 weeks ago -- within the last 3 or 4 weeks with our first partner that is offering differentiated insurance based on what the results of Tenable assessment and scores look like. And we think that this is an area that is ripe for growth and disruption. We, as probably, every public company has some degree of cyber insurance. Those rates have gone through the roof. You've seen underwriters saying we're getting out of this business because of the data stinks. We can tell people definitively what their hygiene looks like, how aggressively they're assessing their hygiene, how frequently, what their mean time to remediate and address issues that get discovered is. And that absolutely has impact on probability of breach and impact of breach when it does occur. So we're still in the early days. But I believe we're getting to that tipping point where we can start quantifying and helping the insurance industry really understand cyber in a way that they haven't to date. To date, it's been, well, if you deploy these firewalls or if you deploy -- if you do an external assessment, we'll give you a 10% or a 2% discount, and that's just throwing a dart in the dark. I think we can really change that.

Steve, maybe a profitability question for you. So Tenable, yes, made the commitment to double unlevered free cash flow by 2024. We did notice. Talk a little bit about what the levers are -- the major drivers of leverage there?

Yes. I think -- well, things like G&A will naturally just come down over the course of time. And -- but I think one of the big levers is sales and marketing. And a couple of things to note there. Well, first, I feel very confident in our ability to drive margin leverage. I think we've been doing this in a very balanced way. We've been very deliberate about it. And I think a couple of things that are out there. Number one, years ago, sales and marketing spend as a percent of revenue was 60%. Today, it's in the mid-40% range. Long term, we see it going down to kind of low 30%. We are the only company in our space with regard to our core market, which is VM that has made the commitment to the channel. Years ago, 4% of all of our sales were inbound from the channel -- sourced from the channel. At time of IPO, it was roughly around 20% we disclosed. And recently, at the Investor Day, we said it was 38%, almost 40%. And we think long term, it will be 60%. So the channel can open up a lot of doors for us, especially in international markets. And we're 100% channel-committed. Second thing it really goes hand-in-hand with product, which is we put more product in the hands of our sellers. Years ago, we were in a handful of countries. Today, we have feet on the street in 35, and we transact sales in 160, as I mentioned earlier. And our sales reps have done a good job with addressing like cloud use cases, things like identity, selling Tenable One. So we've made a massive investment in our go-to-market over the years going into new countries, and we're just starting to get to leverage on that. So I think sales and marketing is a big one. We have a lot of confidence in where we're going and feel really good about the margin leverage and feel very good about our commitments to the Street where we said that free cash flow midterm will go to $240 million, $250 million in 2024.

All right. I think with that, we're just about out of time. Amit, Steve, thank you so much for your time. And thank you, everybody, for joining.

Thank you.

Thank you.