Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

Well, good morning, everybody. Thank you for joining us. My name is Hamza. I'm the cybersecurity analyst here at Morgan Stanley. And with me, I have the pleasure of having the team from Tenable. We've got Steve Vintz, the CFO; and Erin Karney, Head of IR. Steve, Erin, thank you so much for joining us.

Thanks for having us.

And before I begin, just a brief programming now. For important disclosures, please see the Morgan Stanley research disclosure website at www. morganstanley.com/researchdisclosures.

With that, let's get into it. Steve, maybe before we get more into the weeds, I was wondering if you could briefly talk a little bit about how Tenable as a company, as a platform has evolved over the last few years. You started in vulnerability management, now you're this broader cyber exposure platform. What does that entail? And what are some of the use cases that you've added on?

Tenable is the cyber exposure company, which means we help organizations understand and reduce risk. Our roots are in vulnerability management, and that's a really important market, and that's foundational to an organization's overall security program. We're the unequivocal leader in this market, we believe, #1 in device coverage, 0-day research, revenue, number of new customers added per quarter, we're adding hundreds, and certainly size of customer base. But since going public, we've had a broader mandate, which is exposure management. That's an outgrowth of VM. And today, we continue to win and take share in some of the biggest markets in security, not only VM, but also cloud, identity, OT, and the intersection of all those things that we call our exposure management platform Tenable One, which is helping customers understand and reduce risk in delivering context aware prioritization with regard to risk reduction. I think in short, the right way to think about us is operationalizing preventive security, which can reduce risk and prevent attacks. And the specific use cases can vary. We can tell our products on a stand-alone basis to address a specific use case, whether it's in cloud security or even OT or, of course, VM. But increasingly, we've had success selling the platform, which is the integration of all these capabilities in helping customers really prioritize risk.

Got it. I definitely want to dig more into the platform. But maybe at this high level, what are you seeing in terms of the security demand environment? There's been some of your peers who spoke about spending fatigue, others saying different things. But I'm curious what Tenable has been seeing.

Well, there's -- lately, there's been some focus on platformization and certainly vendor fatigue. And we agree those are certainly themes that were -- that play out in customer conversations and partner conversations. But the security market historically has been very fragmented, been best of breed. And over the past couple of years, we've worked hard to integrate a lot of these data sets and a lot of these offerings. So we've had success selling a broader platform. I think it's fair to say that the selling environment can be very fluid. We're all running agile companies. And we just announced a successful Q4. We added 500-plus customers a quarter. We saw good demand, strength in Fed, which has been a major tailwind of growth for us this year, certainly a stronger selling environment in the mid-market success with larger deals. So overall, the demand environment remains healthy. Each quarter is different in its own right. But some of the things that we've talked about early in the year will continue to play out and are catalysts of growth -- potential catalysts of growth, such as Fed and cloud security and continuing to take and win share in some of these important markets.

Got it. Erin, maybe to bring you in the conversation. Obviously, a lot of focus on platform consolidation. I think Tenable has been pretty thoughtful about expanding out its platform, really starting from its core capabilities around exposure management and risk reduction. So when you think about expanding into cloud security or OT or identity, what have you? How is that different from like you trying to go from VM into an entirely different market altogether?

I think alignment is really important. So whether you're talking about buyer alignment or just understanding in general of [indiscernible] so we come at it from an area of strength coming from VM. So as we've gone into these other areas, we've kept that exposure management vision, that understanding of risk, and whether you're applying OT, identity, cloud, whatever it is that you're focused on, we can bring that understanding.

Great. So a lot of tailwinds right now in cyber, and it seems like you're seeing a pretty healthy demand environment. When you think about some of the drivers, whether it's AI, new SEC regulations, maybe for you, Steve, as a CFO, right, you're responsible for -- a lot of your responsibility is risk management. So when you're talking to CFOs about cybersecurity, especially in light of these new regulations, what are you hearing from them? What is the spending appetite looking like?

Well, I think there's several drivers of growth in security and will be over the course of a couple of years. Number one, geopolitical considerations. It's fair to say there's more malicious activity, more targeted attacks and more bad actors, and often nation states are behind those. If you think about the threat landscape and how that's played out over the course of time, years ago, a successful breach was really about taking credit card data. And today, it has the potential to disrupt our way of life and there's great civilian impact. Think about the breaches with regard to JBS meat packing company, a utility company in Florida, Colonial Pipeline, even Change Healthcare, which Amit talked about more recently, and it has the ability to impact how we bring food to civilians, how we -- impacts our drinking water, the flow of fuel, be able to get medicine in the hands of consumers. So the stakes have never been higher, and certainly, it's been an area of focus for our customers, securing critical infrastructure. I would say number two would be AI. AI certainly will quicken the pace of innovation. But it also has the ability to disrupt a lot of things, and it's going to create major reliance on tech, even more reliance in the future. Companies are embracing digital transformation. There's been a proliferation of assets, more devices and connected systems than ever before. And we're just starting that. So this reliance on the ability to -- for transportation going forward and even things like medicine and restaurants and food prep, as one said that 40% of all jobs potentially over the next 15 years will be replaced by AI. And so with AI comes opportunity, but also comes responsibility because we do think attacks will become more targeted and more sophisticated as a result. And the other thing would be certainly regulation, which you mentioned, which was a potential certainly tailwind of growth here. We have the SEC's new mandates to have greater disclosure and awareness about a company's risk posture with regard to cyber. And we think it's certainly early in terms of the kind of regulation that's still yet to come. AI presents a lot of opportunities with certainly some challenges and there will be continued focus on governance and risk frameworks and how companies are doing AI more properly. But certainly, lots of potential tailwinds of growth. In security, compute has become much more complex, the attack surface has expanded. So consequently, we believe it's certainly early innings for a lot of security companies and certainly a long tail of potential growth here.

Got it. So Tenable has been a leading share gainer in the vulnerability management for a long time as it expanded out its platform. An area that you recently expanded more significantly into was cloud security with your acquisition of Ermetic. Talk to us a little bit about how that came together. And do you think there is alignment between the buyer of vulnerability management and the cloud security buyer?

Well, we certainly do, but cloud security as a whole, it's a -- one of the largest markets in security and certainly has -- it comes with higher growth potential. If you think about the security market as a whole, cloud security market, should I say, I think whether it's IDC or some others, the estimates for TAM today range from anywhere from $7 billion for cloud security total spend. It's up to $17 billion. So let's call it $10 billion, plus or minus. I think the largest cloud security provider is, call it, $350 million, maybe $400 million. And there's a handful of others that obviously -- that do cloud security, and many other private companies as well. So certainly big market penetration relatively low. There's not going to be a zero-sum game where there's one company that's going to win here. There's going to be several share gainers. And to us, it's -- who wins here in this market is ones that have critical mass, that have addressed a very critical problem, whether it could be endpoint security, could it be vulnerability management. It could be someone coming from the network side, has a massive customer base and extensive distribution. As we look at the cloud security opportunity, where we're really strong and historically is infrastructure as code, assessing on the preproduction side. But with the acquisition of Ermetic, we now have a couple of things, and accelerates our road map. Number one, powerful CIEM, should I say, cloud identity and entitlement management. We think Ermetic hands down addresses one of those complex problems in all of cloud security, which is managing your human and your service identities across your public cloud infrastructure, across multi-cloud. And then visually detecting those identity vulnerabilities with these public-facing vulnerable cloud workloads. Number two, unified CNAPP, both a unified and agentless solution that automates asset discovery, risk analysis and automates compliance and remediation, whether it's preproduction, container run time or even looking at the configuration of those workloads, so broader CNAPP. And then the last thing, if you kind of step back, we don't -- security is not done in silos. So being able to secure these public cloud environments is really important. But at the same time, our mandate is to address kind of the broader problem, which is helping customers understand their risk. So more broadly helping customers understand their software vulnerabilities, identity vulnerabilities, the configuration vulnerabilities across on-prem environments as well as these public cloud environments. To help reduce risk and prevent attacks is really important. So it's the intersection of all these things and the ability to ingest third-party data. No security company can assess all these different systems across your attack surface. But to be able to ingest all this data that you do on the assessment side as well as ingest third-party data across other areas certainly is very compelling. And we think we're early in our journey with regard to certainly AI, the ability to drive greater insights with the -- with all the data that we aggregate and collect.

Got it. And then how does that offering fit within your broader Tenable One platform? Is that -- Ermetic now included in that? And can you remind us what the typical uplift looks like when a customer moves from your stand-alone VM product to Tenable One?

Yes. So for us, we have the ability to sell cloud security stand-alone, and that's really important to address a specific use case. And the use case is typically twofold. Number one, as we talked about kind of the broader CNAPP offering. And so market certainly very sizable, penetration still relatively low, tenant greenfield opportunity for us to continue taking when share selling a broader CNAPP offering. If a company has an offering, we have the ability to sell market-leading CIEM technology on the identity side. And so while the acquisition of Ermetic is still fairly new, we closed the acquisition in October, and in Q4, we are focused on migrating customers to this new more expansive cloud platform, we've already seen opportunities, a ton of opportunities, and have had success today selling market-leading CIEM, identity and the entitlement management solution, also having wins in the -- with the broader CNAPP offering. So being able to sell market-leading technology in a big market like cloud security and using that as either a tip of the spear to acquire customers, or having success selling back into your customer base, is really important. However, as we talked about before, we look at the market with the lens of risk, helping customers answer the question, how secure are we? And so we believe principally that cloud security has to be part of a broader offering, being able to integrate all these data sets across -- and to identify assets and threats across all these different systems, whether it's traditional compute environment, service desktops and laptops, whether it's industrial control systems via OT technology, whether it's Internet, external-facing assets via ASM, whether it's web applications, certainly, these active directory environment, being able to integrate all of these vulnerabilities, all of these identities, and integrate that in a way to help customers drive recommended remediation and reduce risk is really important. So platform is going to be a continued theme for us. We're getting great traction in larger selling prices. And we're helping assess and secure more of these asset types.

Yes. And then the other area that you spoke a little bit about was OT security or operational technology security. There's -- that's been a big area of exposure for a lot of companies, medical devices or critical infrastructure. What are you seeing there? And how are some of these recent partnerships, I believe, your partnership recently with Siemens, if I'm not mistaken, how is that driving more pipeline?

Yes. OT, we think, is a big opportunity for us. And if you kind of look at -- when we say OT, we're talking about these industrial control systems. And a lot of companies today have an OT footprint. And so whether it's -- if you're a -- if you're a FedEx and you have all these planes and the mail sorting equipment, which has a digital footprint, whether you're Starbucks and have coffee roasters and your supply chain is all very digital, being able to assess those systems and devices for vulnerabilities and [indiscernible] is really important. These companies take a very different approach in terms of how you do the assessment. They have different operating systems, different security protocols. And if you look at how the market has played out, years ago, it was analog. None of these systems were digital. To more recently, they became digital, but air gap, not connected to a network. Now they're all digital, connected, all interoperable, and certainly has created some challenges for a lot of our customers to help secure those. And more importantly, if you look at the responsibility of securing those environments in OT, and it shifted to the de facto responsibility of the plant manager, which doesn't have particular expertise in cyber, to one where we're seeing this convergence between OT and IT where increasingly the CISO has the responsibility to secure those environments. So for us to be able to sell a compelling OT technology, either stand-alone or part of the broader offering, and we've had success doing that, and being able to leverage our distribution and our massive customer base is important. And look, more recently, we announced the integration of our OT technology into Tenable One. And I can tell you with some degree of certainty, we're going to have success closing large deals in part because of the integration of OT into the Tenable One platform.

Interesting. And Erin, how can -- what are some of the metrics that investors can look at to track the broader platform traction that you're seeing? Is it large customer adds? Is it net retention rate? Just remind us what you're seeing there.

Yes. So we put both of those up there. Certainly, customer adds is notable for Tenable One and broadly. Each quarter, we typically talk about how much of the new business is Tenable One. It was over 20% this past quarter, and we talked about that. So we do try to put those numbers out there. But net retention, of course, we do look at CCB as our top line metric. Now there was a nuance in Q3, for those of you that understand, because of Fed business, but generally speaking, that is a top line metric for us. And yes, I think -- oh, large 6 figures, that's one I want to come back to. So we are landing larger customers. And so it's not just the 6-figure customer, which we put out there. We're seeing more 7-figure customers, which is a figure we don't put out there. We're talking about whether we should start putting it out there. But it is notable, and we do talk about it each quarter that we are landing these large customers and these really large deals. And that traction is just continuing to build.

That's really impressive. And then when you think about like the penetration within your installed base, you've got the enterprise customers, then you also have, I think, something like over 3 million Nessus users or Nessus downloads, and Nessus is the freemium version of the Tenable product. How do you think about the penetration rate of your solution just more broadly?

Yes. And I would say, so we're unique in the sense that we have a product in Nessus that is so ubiquitous and so loved in security. It's one of the most iconic brands in all of cyber, in Nessus, and it's the gold standard to doing vulnerability assessment to being able to do these scans on your networks. And so there's a free version of Nessus and there's a whole community of users that use Nessus to identify these vulnerabilities and they -- if it's a 0 day, then they'll write a plugin using the whole Nessus language itself. So 3 million-plus users. We have 40,000-plus customers, and we have our own data science and research efforts. So we're able to scale down from doing something that's free to a paid version, a freemium version of the product. We sell a -- Nessus is -- there's a paid version of it that's $3,000, represents about 20% of our total sales. And then consequently, 80% is what we call the -- one of the enterprise solutions, which is the expansive VM solution or one of our exposure solutions, Tenable One or cloud or identity or OT. So connecting the dots on kind of free to freemium to enterprise has been very helpful for us. It's allowed us to scale our customer base and acquire customers cost effectively. And consequently, investors -- I mean customers can land with Nessus, and then the quantum leap-up to buying a larger enterprise platform. And once they become an enterprise customer, we have success renewing and expanding that relationship anywhere from our net dollar expansion rates, which we disclosed on a quarterly basis can be anywhere from 110% plus up to 120%. So certainly being able to sell more back into our base has been -- allowed us to acquire customers and certainly drive margins higher.

But one other thing I would say about Nessus beyond the -- talking about penetration levels, is the amount of data we can get from this massive customer base, including Nessus, really helps to build that data lake. And with AI, data is -- I mean, data is really important, for many reasons. But certainly with generative AI, it's becoming increasingly more important. And we have more of that data than anybody else, I think, in part to Nessus.

Okay. Got it. Very interesting. And maybe speaking on Gen AI, how are you guys thinking about integrating LLM technology within your product suite, especially when you think about looking at vulnerabilities and trying to prioritize which one are high risk or low risk?

Yes. Certainly, it's going to create a lot of opportunities and challenges in cyber. When you think about the power of generative AI, it has the ability to consume and ingest anything that's ever been published, on you, your family, your business relationships, your company, and create more targeted, more sophisticated attacks. And we're already starting to see the use of generative AI in malicious activity. It's always, I think, broadly understood that bad actors will more quickly adopt AI, and we'll see the potential for attacks to increase. But a lot of companies who are sitting on vast amounts of data, like such as Tenable, right, leveraging the power of the community with our customer base, with our data science and research efforts and the data that we collect across all these different asset types, and being able to apply AI in a way that helps solve a bigger problem. We think we have a competitive advantage. And the right way to think about Tenable is kind of breadth in terms of the areas of the attack surface that they can -- we can discover and assess and secure, these different asset types, but going deep in terms of the analysis and the insights that we can deliver for our customers. And AI is going to play a very critical role here, something that we plan to roll out sometime during the course of the year, something called Cyber Asset Management, which takes all of these assets and devices and systems that we're able to discover. Also combining that with third-party data that we're ingesting from other providers. And through the power of AI, kind of leveraging that with the context of these vulnerabilities, these misconfigurations of these identities, to help customers prioritize remediation and reduce risk. So certainly, we're in the early innings, but certainly, companies who have vast amounts of data, sizable customer base, and are going to be certainly in a position to see higher ASPs and hopefully more pull-through rates on the platform itself.

Great. Last 1 or 2 questions, then I'd love to open up to the audience. But profitability, there's been some pretty significant improvements you've made through operating margin recently. What is the right balance for you now going forward? I mean Tenable obviously has a big opportunity ahead of itself, but your forward growth rate now is sort of in the low teens from a revenue perspective. So is it rule of 40, is it -- how do you think about that balance?

Yes. So balancing growth with profitability is really important to us, and we're not a grow at all cost company. I think over the years, if you look at kind of where we started, and the investment, as a consequence of that, years ago, we were not the leader in VM. We were not #1 or even #2 in market share. We were a distant third. So over the years, we've invested in the vulnerability management market, have become the clear, unequivocal leader, which is where I started kind of our talk track at the beginning of the session. And the outgrowth of that, certainly, we've been able to leverage to address other market opportunities. So for us, investment has been really important. However, we have a responsibility to walk up the margins. Our growth has moderated, probably like a lot of cyber companies. We've got it to kind of mid-teens growth, at the high end it was like 14% on the most recent call. I have a ton of confidence in our ability to continue to drive margin leverage. We have 95% recurring revenue, we have 80% plus gross margins. We have a massive customer base, high gross and net dollar rental rates. For us, we want to strike that right balance. I think the right way to think about us is a rule of 40 company. We're a rule of 40 company before. We will be a rule of 40 company again. If you look at the margin leverage, over the past couple of years, it was kind of mid-single digits in 2020, last year it was 15% operating margins, higher free cash flow margins. That 15% is up from 10% a year ago. We just guided to 17% to 18% operating margins at the beginning of the year, which we think is a great place to start. And certainly, we're going to continue to focus on expanding the operating margins. Our growth strategy perhaps is a little different from some of the other companies in the VM space in the sense that we're focused on some of the largest opportunities in all of cyber with cloud, identity and OT and, of course, the intersection of all those things that we call Tenable One. But for us, we certainly have the ability to drive growth higher given the investment we're making in some of these major market opportunities. We're not assuming that will play out this year, in the guide. But if our growth continues to stay at these levels, and we think this growth is certainly sustainable, expect continued margin expansion for us. And our long-term target margin is 25% operating margins. We have not updated our long-term target model and we plan to do so at our next Investor Day. But in short, I have confidence in the margins.

Okay. Great. Any questions from the audience? No?

I appreciate the time with you here today. I just wanted to ask, as you think about kind of the relative priority that customers place on their exposure management investments, right? It's -- in conversations that I have, it sort of varies on -- in terms of where it is on the list, right? But generally, there's a few things above it in terms of identity or EDR or whatever, stuff that is really kind of like bursting at the seams with attacks and board-level attention and things like that. And I just wonder if you could kind of update us on how you feel about the relative prioritization that you see from customers? How those conversations go? How you try to encourage them, I presume, to be more proactive, more preventative, instead of only working on tools that are kind of addressing attacks and things after the fact.

Sure. Well, there's a couple -- if you look at some of the top spending priorities in cloud today or even for more broadly, CIOs, it's -- certainly AI is probably top of the list. It's cloud, which includes cloud security, -- cloud and then cloud security. So those are clearly the 3 top spending priorities. We talked about our roots are in VM. And so VM is a spending priority. Clearly, if you look at the number of new customers that we add each quarter, I think last quarter was 500-plus. We're very intentional with the metrics that we give investors, as Erin talked about earlier. But this is not a switching market. And sure, we're adding and landing new customers with cloud, identity and OT. But a big part of our new customers come from vulnerability management. So certainly, lots of untapped opportunity in VM. And the penetration, even though the market continues to evolve, we're certainly having success there. So certainly, VM, we think, offers good sustainable, durable growth. If you look at cloud security in particular, and certainly that's an area of focus, and we talked about that, sizable TAM, low penetration, and we're getting more bats and certainly have a much broader offering, and we believe we'll continue to be successful there and take and win share. And then kind of all these things, which is AI, which is delivering greater insights to our customers, you have to acknowledge the buying behavior of customers today. And usually, it's like, okay, when RFPs come in, it's often not like, give me -- I need exposure management platform. So I want to compare your exposure management platform with some of the others. Exposure management is what we do is the intersection of all these things, and we think we're uniquely positioned to do it. And this is a market we believe we own. But usually, these RFPs coming in, it's like, okay, cloud security, identity or OT, or even VM. And so our ability is to sell a broader platform. It's grounded in belief that you have to have market-leading technology, have to be able to compete in your own regard, be able to take in share in some of these markets. But at the same time, you have to be able to deliver -- solve a problem that's much greater than just a siloed function than just cloud or just identity. And that's what Tenable One is helping solve. So for us, we believe that our product offering addresses some of the top priorities on all of cyber. But at the same time, it creates something that's exponentially greater in terms of the problem it solves with Tenable One.

Any other questions? Okay. Great. I think we'll leave it right there. Thank you so much, Steve, Erin, for your time, and everyone, for joining us.

Thanks for having us.

Thank you.