Tenable Holdings, Inc. (TENB) Earnings Call Transcript & Summary

December 10, 2025

US Information Technology Software Company Conference Presentations 29 min

Earnings Call Speaker Segments

Saket Kalia

Analysts
#1

Excellent. Well, good afternoon, everyone. Welcome to day 1 of the Barclays Tech Conference. My name is Saket Kalia. I cover software here. I'm honored to have with us the team here from Tenable. We've got Steve Vintz, Co-CEO; as well as Matt Brown, new CFO. Also have Erin Karney, Head of Investor Relations there in the audience. So we've got about 30 minutes together. Let's spend the first 20 or 25 minutes just going through some fireside chat with the team, which I know is going to be real fun. And then we'd love to make it interactive. If anyone's got a question, just pop up your hand, we'll get a mic out to you for the benefit of the webcast. So with that, Steve, Matt, thanks so much for being with us here today.

Stephen Vintz

Executives
#2

Happy to be here.

Matthew Brown

Executives
#3

Thank you.

Saket Kalia

Analysts
#4

Yes, absolutely. So I think that there's so much to talk about from last quarter, right? I mean, Steve, Matt, maybe just to help us level set, can you just spend a couple of minutes kind of recapping some of the points from last quarter that you were most proud of? Maybe, Steve, you talked to us about some of the strategic points in the business that we've made some really good progress and some good things. And Matt, maybe from a financial perspective, you can highlight some of the points you want us to take away.

Stephen Vintz

Executives
#5

Sure. I'll start here, and we're pleased with the results in the third quarter. Matt can get into this a little more, but we exceeded on both the top and bottom line and gave a strong outlook for the year. That's always a good thing. But kind of numbers aside, one of the things I'm particularly proud of is the momentum and the traction that we're getting with our exposure management platform. And just to level set exposure management in its most basic form is a unified business -- risk-based business contextualized view of your entire security program. So you understand your entire digital footprint. So whether it's assets and connected devices on the network or workloads in the cloud or even industrial control systems, these things that are on your factory floor to understand all of that, do that in a very unified way. So you're identifying the most important vulnerabilities and exposures on your most important devices that have the most sensitive data with lots of entitlements and access, both human and machine. So you're identifying likely path of exploit for the organization. So they can look at the company through the lens of threat actors. It's a big problem. It's one of the most important, we think, in all of security. And we had great traction this quarter with our exposure management platform. Over 300-plus new customers we added, a good number of those were new lands with the platform. We're also seeing certainly significantly higher ASPs, which is great to continue to get traction there. And one of the important attack vectors, if you look at our exposure management offering, which includes traditional -- assessing traditional network devices. It includes cloud, it includes web apps, it includes ASM and other areas of the attack surface. But moreover, more recently, we announced over 300 integrations as part of the platform. 
So we're now able to ingest data from other security companies, whether it's web app, data from security companies and web application and AppSec, cloud, endpoints, whatever the case may be, ingesting that data, combining it with our own, enriching it, scoring it to be able to drive higher levels of mobilization and remediation. So the traction there has been notable. And AI is also creating tailwinds for us, where we brought to market and announced AI exposure, where we're now able to identify as part of the platform, vulnerabilities, misconfigurations and flaws in a lot of these AI applications and the cloud environments in which they run in.

Saket Kalia

Analysts
#6

Yes, absolutely. Matt, maybe on the financial side, you could round that out.

Matthew Brown

Executives
#7

Yes, so much to be proud of. In Q3, I was very happy that we were able to come in over the high end of the guide on all of the metrics that we guide to for the quarter, which is fantastic. And that also allowed us to guide up for full year at the midpoint on our guided metrics. So I felt really good about the solid execution there. We saw 11% revenue growth. I was super happy about the incremental margin growth that we saw. So year-over-year, in the quarter, we saw a 350 basis point increase year-over-year for op margin, which is especially impressive given that at that same time, we increased our R&D spend by 18%. So we were able to generate that much incremental margin while still investing heavily in product development that made me very happy. So put us on solid footing for the rest of the year. It's encouraging to feel that momentum building. And yes, looking forward to continuing that trend.

Saket Kalia

Analysts
#8

Yes, absolutely. Steve, maybe back to you. I mean, the way that you talked about the business before just around sort of exposure management, that's so much of a broader category than what we've historically called VM vulnerability management. How do you think about that sort of expanding the TAM? Do you see that out there? I mean, do you think exposure management kind of expands that definition?

Stephen Vintz

Executives
#9

Well, it does. And we've been on this journey for some time now. We went public in 2018. We were not the market leader in VM, but one of the things we said is that our mandate was in short order to become the unequivocal leader in vulnerability management. And VM is really the ability to discover and identify exposures in network-based devices and service desktops and laptops. And then over the years following, we brought new capabilities to market to address other domains of the attack surface. But one of the things that we talked about early on at the time of the IPO was the outgrowth of VM for what we call exposure management. And exposure management is a category that we've created. It got very little recognition and fanfare by the industry analysts. And we saw it as certainly a big problem given all the vendor sprawl. When I talk to CEOs, CISOs and even CIOs, one of the things they tell me is that there's not a lack of data. In fact, there's an avalanche of it, and they're having a challenge managing all of it. So they're drowning in alerts and starved for insight. In fact, if you look at organizations today, most reasonably sophisticated organizations have over 80 different security vendors and technologies deployed across their environment. And that doesn't create clarity. It creates a lot of noise. And so given the proliferation of all these devices and systems, we need a unified way to really understand risk because cyber risk is not a technology issue, it is a business issue. And so we need to be able to quantify risk and be able to trend it in a way that -- so others can understand the impact on the organization. So we were pleased to see Gartner release an MQ for CTEM, their first one, specifically exposure assessment platforms. We were at the top right, IDC also came out with a MarketScape report in exposure management. We were at the top right. Forrester came out with their report this quarter on UVM, which is their preposition to exposure management. 
We were at the top right there. So it's nice to see a category that we created kind of a market turning to us. Gartner says -- now says one of the biggest opportunities in all of security is exposure management, is CTEM, continuous threat and exposure management, in part because a lot of the spend in the market, if you think about it over the years, has been in detect and respond technologies, actively searching for breaches and then responding to them. 96% of all spend in security today is on detect and response. Think about that. It's basically looking for fires. What we advocate at Tenable is what we call proactive security exposure management, which is the shift from firefighting to fireproofing and it's, we think, one of the biggest opportunities in the market. So we're early on it. It's a journey. We're getting great traction with customers. And certainly, it's nice to see not only the industry analysts recognize it, but we're already to see -- starting to see other companies now talk about exposure management, which I think is healthy because certainly, it's a big opportunity, one of the largest TAMs. It's the intersection of cloud and network and identity and all these other things to help customers really understand risk. But it's really the mobilization and the remediation pieces that I think are going to continue to create an inflection point for us, which is what do you do with all that data? How do I look at all this data in a way where I can proactively reduce my risk? Because there's no shortage of vulnerabilities in the world. There's 300,000 unique vulnerabilities today that's been identified. And according to our research, there's roughly over 500 billion of unique instances of those vulnerabilities. And AI is leading to more vulnerabilities, more threats and more breaches, and it's demanding a secular shift in security this shift to proactive, which is what exposure management is all about.

Saket Kalia

Analysts
#10

Interesting. I always love that analogy of firefighting versus fireproofing really brings it home. But maybe we'll use that as a stepping stone to talking about Tenable One a little bit. And Matt, maybe the question is for you. The way that I was viewing the mix shift in this business was that maybe VM was 80% of the business and exposure solutions was the remaining 20%. But that doesn't really tell the whole story because Tenable One, of course, includes VM. So I was curious, right, just as you come in with fresh eyes, how you sort of articulate the mix shift that's happening in the business right now?

Matthew Brown

Executives
#11

Yes. It really does sort of start with that difference between EM and VM. And as you mentioned, there's more value in EM for the customer than there is in traditional VM. Referencing back to that Gartner Magic Quadrant, it was very interesting. One of the -- I think one of the most interesting stats that was identified in that piece talked about how companies that adopt exposure management solutions, those companies in the not-too-distant future, just in the next couple of years, will experience 30% less downtime as a result of exploited vulnerabilities compared to companies that have VM only. That just tells you the value proposition that you get from EM instead of VM. And for us, our Tenable One platform is our exposure management platform, right? The super encouraging thing there from my point of view is there is a tremendous amount of value that customers get when they go to Tenable One. We see an uplift in price. Tenable One grows faster than the rest of our portfolio. Those customers are stickier, so retention rates are better. All of that goodness, we're seeing momentum building and moving towards that platform. And the good news is we're fairly early days still, right? There's a lot of runway ahead of us. There's roughly 1/3 of our business today of our enterprise business is in Tenable One. That means we've got 2/3 then that we still have an opportunity to go get, which is really nice.

Saket Kalia

Analysts
#12

That was going to be the next question on runway. So thank you for that. That's great context. Maybe, Steve, then this one could be for you. I think we disclosed last quarter, right? We just said, right, Tenable One is about 1/3 of the total business. And we've talked about sometimes how -- we talked about sometimes the parallels between Tenable One and Tenable.io, for example, right? And so maybe the question is, how do you compare and contrast that adoption curve of Tenable One to Tenable.io? It seems like it's steeper. It feels steeper from what I remember Tenable.io, but I'd love to hear how you compare and contrast those 2.

Stephen Vintz

Executives
#13

Yes. And so Tenable.io is our cloud-based VM offering. So historically, the roots of the company have been vulnerability assessment. We have a piece of technology called Nessus, which is one of the most ubiquitous pieces of technology in all security. It's been downloaded over 3 million times, represent -- virtually anyone who's a security professional has used it or is using it. And over the years, we've kind of built some enterprise-type capability around it and then delivered a more expansive VM capability as part of a cloud offering, which we've been in market doing for some time. But when we went public, it was somewhat of a newer offering for us, not the subscription model, but the cloud-based version. And in short order, in 3 years, I think following the IPO, it became over 50% of our total sales. So we said it would take 5. We did it in 3. If you look today, Tenable One, as Matt talked about, highest selling prices, highest close rates, highest renewal rates of any of our products. It's what customers -- certainly, it's how customers want to buy, and it's how we're going to market. It's roughly about 30% -- 40% of our total new sales. We think that will be 60% plus. Also look for new pricing and packaging for us to continue to evolve. We have an asset-based pricing model. So as customers place more assets in their environment, increasingly, they turn to us to help assess those. And even in terms of total sales, it's about 30% of our total sales, and we think that can more than double over the year. So we feel really good about where we're going. One of the reasons why is what I talked about earlier, which is the shift from detect to respond reactive to more proactive security, which AI is necessitating, right? There's no shortage of vulnerabilities. There's going to be more vulnerabilities in the world. With AI, threat actors are weaponizing it. 
So there's been more 0 days discovered this year and more incidents and mean time for vulnerability discovery to vulnerability exploitation has shrunk dramatically. You used to have 2 weeks to be able to apply a patch. Now you have days and even seconds. So it's important not to necessarily understand vulnerabilities and manage all of them and patch everything, but identify likely path of exploit. So that's what this is really about. So consequently, 4% today is spent on proactive security. Others have indicated -- a lot of the other industry analysts say that 4% will go over the next 5 to 10 years to 50%. That's a dramatic increase. So whether you think it's 4 going to 50% or 4 going to 20% or 25% or 30%, that's where this market is going. We're talking about a secular shift in security in terms of how we need to think about cyber risk as a whole. And certainly, exposure management and doing that in a continuous way is the epicenter of all that.

Saket Kalia

Analysts
#14

Yes, absolutely. Matt, maybe for you, just staying on Tenable One. I mean, you talked about kind of the ASP uplift that you get the additional value that a customer is receiving. Just walk us through some of the drivers of that. And what's kind of the uplift that you're able to see from some of the data that you've seen?

Matthew Brown

Executives
#15

Yes, it's a significant uplift. And at the same time, the customer is getting significant value, too, right? And so it's quite a significant uplift when you look at a customer that is doing VM stand-alone only today into Tenable One, it can be as much as 50% to 80% of a price uplift when they're using the full breadth of the features within Tenable One, which is important. And ultimately, that's where we want them to be and where we see just this enormous opportunity. Ideally, you're taking a stand-alone VM-only customer and helping them on their journey to a more sophisticated exposure management solution. Part of the way of getting them on that journey is to get them into that platform. So we can get them into the platform, land on the platform, expand from there. And it's a pretty significant price difference taking them from just core VM into the full breadth of our Tenable One platform.

Saket Kalia

Analysts
#16

Got it. Got it. Maybe, Matt, just to stay with you just on Tenable One because we've talked a bunch about the product and we talked about the market a little bit as well. I want to -- and this is clearly the future of the business, right? That's what's kind of coming through. But I'd love to dig into how a growing mix of Tenable One could maybe impact the model. And so one of the things that we've talked about in the last couple of calls has sort of been this growing divergence or this divergence between CRPO and CCB, right, calculated current billings. Can we just touch on that as it relates to Tenable One? If you could start us off, Matt.

Matthew Brown

Executives
#17

Yes. What we're seeing is, increasingly, we're engaging with our customers on larger, more strategic, longer-term deals, which is exactly what we want. We love that. We've got a bigger seat at the table, and it is nice to be locked in with a customer for multiple years and frees up capacity, all sorts of reasons why we want that. At the same time, though, whereas in the past, we may have required upfront billing, say, for a multiyear agreement, we're allowing our customers to pay annually. So what we're seeing is as more of these deals are happening, contract duration is going up, which is impacting RPO. And at the same time, billings duration is actually going down because we no longer have a policy of requiring upfront billing. When that happens, you start to see some distortion in the numbers. So CRPO is benefiting from having this outsized growth of long-term RPO, which is then feeding short term and increasing that number. And conversely, CCB is being negatively distorted because the long-term billing portion, it's showing up in the contract, but it's not showing up in long-term deferred revenue, right? So there is this disconnect where we know that they're both being distorted somewhat. And so that's a dynamic that we wanted to make sure that folks understood because CCB is a metric that we have historically guided to and tracked, but it's something to just be aware of.

Saket Kalia

Analysts
#18

Yes, absolutely. I think that's a really important point. I mean -- and maybe we'll come back to that. But Steve, maybe for you, just to kind of stay on the economics of Tenable One because I think they're just so much more compelling. As you build up a bigger base of Tenable One customers, what's keeping a customer on Tenable One or even expanding versus moving to another solution? And maybe relatedly, Matt, I mean, you touched on this earlier, but how different are the gross and net retention rates on Tenable One versus other Tenable products? Maybe you could start us off.

Stephen Vintz

Executives
#19

Sure. And we talked about kind of our growing mix of Tenable One, higher selling prices and close rates and certainly renewal rates. Look, one of the reasons why customers are using Tenable One, it's -- you can't do -- Tenable One includes all of the individual domains that we assess, whether it's traditional VM, network-based devices, cloud security, OT, which are the industrial control systems that are now digital and all interoperable and all susceptible to exploit. We're seeing more attack there in critical infrastructure. Think manufacturing facilities, municipal water systems, think telecommunications, all those things, right, create significant exposure. And now even AI, which is an important part of the attack surface, shadow AI that applications that are downloaded or created that employees use not maliciously, but as a means to do their job faster, but it creates real risk because they're prompting things in these public LLMs such as customer data, financial data, sensitive information around strategy. That's all part of the attack surface. We manage that. We can monitor at the prompt level and tie it back to your policy. So -- and then now more recently, ingesting data from others. So when customers use Tenable One, selling prices are higher, it's a stickier product. And we're still very early in that journey with the customer because they don't buy and assess everything within their environment. But what they want to do is they want more insight. It's really all about unified visibility, right? Right now, visibility is fragmented with all of the vendor sprawl, and we were able to bring that together in a way where customers understand their entire digital footprint, right, by ingesting third-party data, which sounds seemingly simple, but it's more than APIs. It's normalizing it, deduping it, it's doing a whole bunch of things with the data so we can drive higher levels of prioritization. 
It's about visibility, it's about insight, right, all the contextualization that goes with it. And then it's all about action, too, which is how do I reduce risk. So this has been a journey that we're on with customers. We're proud of the fact that more than 15% of our enterprise customers are now using the platform. Even within those customers, those cohort of customers, the usage there, we still think is modest in terms of our ability to grow with them over the years. So it's a journey, and we feel like it's starting to inflect higher.

Saket Kalia

Analysts
#20

Absolutely. Matt, maybe on gross or net retention rates to the extent you can comment?

Matthew Brown

Executives
#21

Yes, there -- so we don't publish the specific breakdown, right? And I won't do it here, but it is higher, and it's higher than any individual product that we have as well. It's something that we're actually thinking about is there's a lot of interesting things when you start diving into Tenable One, and we give some Tenable One specific metrics. But certainly, as we're thinking about, CCB, maybe not as meaningful as it used to be, what are some other metrics internally that we're looking at? Some Tenable One specific metrics are certainly some of the that we're thinking about.

Saket Kalia

Analysts
#22

So boy, that's a great segue into the next question that I wanted to ask you, Matt. I mean, to your point, right, like as we change -- as the billings duration here changes, that might weigh a little bit on CCB. You still grew at 11%. But then, of course, RPO might also feel that impact of longer contract duration. So I mean, how could those focus metrics change? Like does it make sense to go to talk about other metrics? A lot of our companies talk about ARR. I mean how do you sort of think about the future of the metrics here as the business evolves? Because the economics here are improving, those metrics don't necessarily reflect it properly. So what will be a good way to think about that?

Matthew Brown

Executives
#23

It's something that we're thinking a lot about. And there are a lot of different options, and there's pros and cons to many. ARR is something that we look at internally, but lots of folks have different definitions of what ARR is and so different ways of measuring it. So I'm not sure that that's the best either. It's absolutely top of mind. We know that revenue is solid, right, in terms of a metric. That gets reported all the time. We know what that is. It's a GAAP definition. Everybody knows how to calculate it. And it also -- it falls right in the middle now of what I would consider your upper and lower bounds of CCB on the one end and CRPO on the other, revenue is right in the middle. So that might be the best metric, but it's something that we're thinking about.

Saket Kalia

Analysts
#24

Yes, absolutely. I'm going to go back to some financial questions in a second. But Steve, maybe for you. Obviously, U.S. Fed and public sector have been nice, large, stable businesses for Tenable for years now. Is there any area within the large public sector that you and the team are particularly excited about as we head into 2026?

Stephen Vintz

Executives
#25

Yes. Well, I think it's notable that we're able to deliver good quarters despite the sizable market leadership we have in the Fed. We serve a wide range of 3-letter federal agencies. U.S. public sector is 15% of our total sales. So we have major market leadership there. And the good news is that we've been able to close deals despite somewhat of a selling environment where there's far less visibility. Like we've had to deal with everything from DOGE early on at the beginning of the year, where there's disruption in personnel, even to -- we lack real leadership in security within Fed right now, like there's Sean Plankey. Well, first of all, the CISA has been completely rightsized, right? It's back to their focus over the years in a prior administration, politics aside, has been on election security. The Trump administration now is refocusing kind of their center of gravity into critical infrastructure and network security, which is the original congressional mandate. We hear Plankey -- it's been some time. He has not been confirmed. We're told now he's out. And so we don't have leadership at CISA. I think new business has been tougher. I know new business has been tougher to transact within the government. But those are -- that's transitory stuff. That's all short-term stuff. Public sector, major leadership. It's created tailwinds of growth for us over the years. It will create tailwinds of growth for us in the ensuing years. Right now, there's just a little less visibility. Deals are a little tougher to get across the finish line. But despite that, we're able to deliver good results, give a good outlook. And so the best days are still ahead for us in Fed, because they want to modernize, they want to consolidate. And those are all things that we do really well. And obviously, they also want to focus on things like cloud security, where we're now FedRAMP authorized. Things like exposure management, where we're now FedRAMP authorized. 
So look for bigger deals, more traction there.

Saket Kalia

Analysts
#26

That's great. That's great. Matt, maybe back to you. I mean, just to talk about growth headwinds, tailwinds, it's obviously very early to guide for next year. But with all the different dynamics that we've talked about, what are some puts and takes that you want us to think about for the model next year from a growth and profitability perspective?

Matthew Brown

Executives
#27

Yes. I think -- so yes, definitely too early to guide. We're feeling really positive about, obviously, how Q3 went, our then renewed optimism for 2025, where we were able to take up the guide. So feeling like that's providing some nice momentum and stability. And we've had a history of being able to grow while continuing to expand margins. That's also something that we're going to continue to on. So look for more of that. We remain committed to making sure that we can grow with profitability and at the same time, making sure that we're investing in all of the areas where we're seeing growth out there on the horizon.

Saket Kalia

Analysts
#28

No, that's a really helpful framework. I mean, Steve, maybe last one as we wrap up here. I mean, to Matt's point just around still being able to invest, I think you specifically highlighted investments in R&D on the Q3 call. The team has just done a series of great tuck-in acquisitions over the years to really build that breadth of product right across exposure. Should we expect that to continue? Maybe open-ended question for you.

Stephen Vintz

Executives
#29

Well, security is a fragmented market. And the deals we've done in the past are used -- were used as a means to accelerate road map. And there's a lot of customer pull with respect to those. But they're also a journey. They've been a journey for us. Like, for example, we acquired a company called Apex Security early in the year and even Vulcan, which is more on the third-party data side. But with those acquisitions, they require time, they require investment. The products have to mature. We're also very focused, as you heard today, time and time again on selling and going to market with the unified platform. And so sometimes they necessitate rewriting of technology and code into the platform. So the short answer is, yes, we'll continue to evaluate acquisitions. But we have a full plate right now. We're hard at work in bringing if you think about the growth that we've been able to deliver to date with certainly no tailwinds from Fed and historically, there have been and there will be with, quite frankly, we only have been in market with third-party data for a very short amount of time. And next year, we'll have a full year of selling that. We now have 300-plus integrations into the platform and more to come. And more importantly, the mobilization, the remediation pieces that are now coming to the market in the fourth quarter from the Vulcan acquisition. So these are all things -- and then AI security. So these are all things that, quite frankly, we haven't gotten the benefit of this year. We've been able to transact newer business. We've been able to deliver -- get momentum with the platform. We've been able to get validation and recognition from the industry analysts as the leader in one of the most important markets or our best days are still ahead. We think we have all the capability we need to be able to drive growth to the levels that we want, and we're committed to, and that's what we're focused on for now.

Saket Kalia

Analysts
#30

I don't think I could have thought of a better way to end right there. So Steve, Matt, thanks so much. That was a really enlightening session. So thank you.

Stephen Vintz

Executives
#31

Thank you for having us. Appreciate it.
