Tenable Holdings, Inc. ($TENB)

Earnings Call Transcript · May 19, 2026

NasdaqGS US Information Technology Software Company Conference Presentations

Earnings Call Speaker Segments

Brian Essex

Analysts
#1

All right. Good afternoon, everyone. Thank you for joining us. My name is Brian Essex. I'm JPMorgan's midcap, large-cap software analyst. Very excited to have Tenable with us here today. We have Mark Thurmond, co-CEO of the company; and then to his right is Matt Brown, CFO. So Mark, Matt, thank you so much for joining us.

Matthew Brown

Executives
#2

Thanks for having us.

Mark Thurmond

Executives
#3

This is my hometown. I'm a Boston guy, so I love when the conferences work out this way.

Brian Essex

Analysts
#4

We'll talk more about that. I spend a lot of time here.

Mark Thurmond

Executives
#5

I love it.

Brian Essex

Analysts
#6

Yes. Excellent.

Brian Essex

Analysts
#7

I guess maybe to kind of start at the top, you talked a little bit on your earnings call about, I don't know if it was the word that you guys used, but a tsunami of vulnerabilities coming down the pipeline, particularly post Mythos, and you referenced the webcast you had with, I think, 1,000 people joined up in 72 hours.

Mark Thurmond

Executives
#8

Yes.

Brian Essex

Analysts
#9

Maybe help us understand what the nature of the conversations that you're having with customers are and how much visibility you have into like the resulting demand pipeline for that?

Mark Thurmond

Executives
#10

Absolutely. So a couple of things. Yes, it's a good question. So put some context to it too. We actually are having our exposure management conference this week here in Boston. So we put together what was literally the first exposure management conference, and it's actually happening tonight and tomorrow. So we've got over 650 to 700 customers that will be attending from all around the globe. And the attendance actually spiked. And when you look at who registered at the CISO level, an executive level, over the last 5.5, 6 weeks, we think a lot of it had to do with Mythos and the announcements there. In regard to some of the pipe build and what we're seeing in activity, we've had literally thousands, hundreds to thousands of different individual conversations with executives. In the beginning of the announcement with Glasswing and Mythos, it was more about what does this mean? We hear this word vulnerability. Are you guys going to be disrupted? Can you give us an explanation what's going on? And so we sat down. We have a very, very specific talk track and an educational track on what it means for cybersecurity, what it means for the exposure management category. And after folks got educated and realized, okay, this is on software code, right, where they're able to find and do an incredible job at finding those vulnerabilities, we now are using exposure management, right, things behind the firewall for all of our native sensors and all the prioritization, and all of the automated remediation, all the steps you need to take when you're going to be seeing anywhere from 5, 10, 15 to 20x increase in the amount of known vulnerabilities. And so for us, it's been an excellent event. We now have taken a lot of that pipeline activity and it's going through what we call the sales funnel, meaning it comes in as a conversation, then gets converted to a pipeline, then gets converted to a presentation/demonstration. 
That then moves to a POV, proof of value, and then you negotiate an expansion or a new deal. So great top of funnel, like super happy with what we've seen there. And now these opportunities are going through our sales process and sales funnel. So we're very optimistic. We feel very strong about what we're seeing in the conversations. The executives who we're now engaging with from a CISO perspective is excellent. Sometimes when you're doing an expansion or an upgrade from VM to a Tenable One, you wouldn't get access to the CISO. The CISO would say, "I'm going to trust my VM or exposure management team." The CISOs now want to meet with us, and we're able to have a broader discussion about bigger expansion opportunities, bigger, more strategic deals, and then educate them about the partnership we now have with Anthropic and OpenAI, which we can talk about also.

Brian Essex

Analysts
#11

Sure. And what are you finding as you assess your customers' vulnerability landscape or exposure management landscape? Because you have different -- I mean, obviously, with Mythos, everyone is focused on code vulnerability. And a lot of those are attributable to packaged software. But you also have custom software, which may be more difficult, may cause refactoring, and also hardware, you may have to replace at some point, which is longer remediation cycle. So what is the mix that you're finding within your customer base? And how does your platform help them manage exposure to each of those different segments?

Mark Thurmond

Executives
#12

Yes. So it kind of hits everything you just discussed, so kind of all of the above. But the way I'll simplify it is when you think about exposure management, right, the true value of exposure management compared to, say, traditional old-school VM, it's really built for kind of what we're dealing with today. It allows you to see all of these signals, right? We have all of these native sensors within these customers' environments looking at traditional IT assets both in the cloud and on-prem. But then we also have tremendous visibility at the asset level looking at operational technology, looking at cloud. So think of any type of SaaS-based application or cloud infrastructure, looking at web application scanning, looking at identities, third-party asset types, attack surface management. So think of Internet-facing assets. All of that allows you to put together what's called the modern, when you look at a modern cybersecurity attack surface. And so now if you're a customer, this is really what you want to know. You don't want to know about one specific portion, right, of your environment. You want to know about your entire attack surface. Then once you get all that, you can think of the thousands, and in some organizations, hundreds of thousands of vulnerabilities and CVEs they get. We then allow you to look at it, prioritize it, set up certain automated remediation paths, be able to then take that automated remediation, flow down to patch management, flow down to autonomous automation at some point and level. We can talk about Hexa, our agentic AI platform that we're rolling out. And so that has been the conversation. And so what's exciting is customers now want to look at the entire attack surface. I can give you one quick example where we're seeing some really good opportunities in the OT space. OT was traditionally one of those asset types that would get cut off at the end of an opportunity or deal. 
That's why you haven't seen great growth with the private OT vendors, because it wasn't sustainable. We're now seeing really good growth in data center build-outs as the companies are building out data centers, but also wanting to get an asset view of what the risk is in these OT environments. And now with things like Tenable One and what we're doing with Hexa, we're seeing really good growth opportunities there too.

Brian Essex

Analysts
#13

Great. And how do you find your customers, I guess, mitigating the risk that they're finding? One of the issues that we're hearing more and more frequently is your mean time to exploit is just collapsing. And it takes time to like assess your platform, remediate the platform, deploy patches, right? So what does that gap look like? And what are the -- are there other adjacent types of technology that they're deploying to kind of either sandbox those incidents or remediate or air gap from exposure? Like how are they managing that?

Mark Thurmond

Executives
#14

So to your point, right, so when you actually look at it from when you first figure out you have an issue and to the mean time to potential exploitation, just to put it into perspective, in 2025, 60% of breaches that occurred were on known vulnerabilities that a patch was available. So think about how scary that is. That means you knew there was a vulnerability, you actually know that there's a patch available, but you didn't have the remediation cycles. You didn't have the automated remediation to allow you to do the patch management, to turn the system down, to talk to the IT team, to actually put down the downtime. What you're starting to see, and we're going to talk about a lot of this tomorrow when we have our exposure management conference, is with Hexa, our AI agentic agent, we are seeing our customers that use Hexa in early access, being able to build the agents to do autonomous remediation, being able to take those manual processes around remediation and around manual tasks. Think of things like tagging an asset, right? Super painful. Think about patch management. Super painful. You're able to create these agents that can actually take those manual mundane tasks and automate them. And we'll be publishing some customer success stories where there are certain things they did from a remediation perspective that went from weeks and months down to days and seconds. So huge kind of quantum step, quantum leap forward in regards to the way folks and customers are going to start using Tenable One. Hexa is going to be, we think, is going to be a significant driver of getting people off base VM. We have a huge tens of thousands of customers that have VM that we want to get moved to T1, and allow us to expand the T1 asset count.

Brian Essex

Analysts
#15

How many of these -- one of the things that we've heard -- several things we've heard, but one is the noise-to-signal ratio accelerating. And the other one is other types of technology that might be able to be deployed. If you assume that you're going to get breached a lot faster, you can have adversaries in your network, so things like deception technology because you want to find out, or is there somebody in my network? Like where do you see the levels of opportunity as this becomes a shifting environment where it's probably likely that more networks are going to get penetrated over the next year or so?

Mark Thurmond

Executives
#16

Yes. I mean, listen, so when we take a look at it, I think right now, people are still kind of in that assessment phase of understanding and getting true visibility to all of the different assets, all of the different potential toxic combinations that they have out there. I think the market, the Wall Street community and customers are getting much more educated on what these -- the power of these frontier AI models. Let me just give you a couple of examples, right? When Mythos was launched, right, everyone saw the sell-off in cybersecurity, right, saying, "Oh my gosh, these guys are going to displace cybersecurity." I think you can see the run back up in cybersecurity where they're realizing, "Okay, there's going to be some of these cybersecurity companies," Tenable being one of them, where we'll be announcing our partnership with Anthropic tomorrow. We have the Deputy CISO of Anthropic presenting at our exposure management conference tomorrow, that are leveraging those AI frontier models to enhance and take care of that T1 installed base to automate these manual tasks and procedures. I think you're going to see the fear from our customers, and what we're seeing is when you do get one of these adversarial attacks, either a state-sponsored attack or a ransomware attack that uses one of these very capable frontier AI models, not so much from OpenAI or Anthropic, but from like DeepSeek, where you have something in China, you have something in Russia. And that is one of the big fear factors that a lot of our customers are expressing, saying, "We haven't seen it yet. You can see Google and Mandiant put out a couple of different reports." We are starting to see some groundswell of potentially some of those type of very advanced persistent threats and very sophisticated attacks. That is -- what we're talking to our customers is like if that is going to happen, and to your point, Brian, it's inevitable, you want to have full visibility. 
You want to know where the toxic combinations are, what are those attack paths, right, that the bad folks could get in, and how do you become preventative, right? And how do you become proactive in your security approach? These are all the things that we've been preaching, and we do think some of these events are going to wake customers up to say we just can't react and respond, like that is -- can't do it. The time is too precious and too quick, fast-moving right now. You need to be more preventive and you need to be more proactive. And that's some of the messages that we've been talking to customers about. Yes.

Brian Essex

Analysts
#17

Great. And how have attach rates been, particularly with Tenable One, but also newly released Hexa over the past like a month or so...

Mark Thurmond

Executives
#18

So Hexa, just to clarify, Hexa actually gets GA-ed tomorrow. So we're announcing tomorrow. But we had 30 to 40 customers that used in early access. And we'll be publishing some of their results, like they've -- we've got a bunch of good quotes and a bunch of good feedback, where you'll be hearing tomorrow and on Thursday at our Investor Day, our CTO and our Chief Product Officer, will be talking and they'll be referencing some of the benefits that these customers have already seen leveraging Hexa, which, by the way, Anthropic is one of our strategic design partners. We are using Claude in Hexa. And we'll be announcing that relationship in more detail tomorrow also.

Brian Essex

Analysts
#19

Great. And how important is it? I mean you talk about your relationship in Anthropic, and I think OpenAI's TAC initiative is a little more open. But how different has the impact of each of those models been on your platform? And how critical do you think it is to have the visibility of each of those models...

Mark Thurmond

Executives
#20

Yes. I'll give you a quick example. And Matt has been super involved in kind of negotiating and working with Anthropic on the deal that we did with them. But I'll just give you a quick anecdotal feedback. So when we saw the benefit of Opus 4.6, we shifted and upgraded literally within 24 hours to have all of our developers start coding with Claude Code and 4.6, because we actually saw the benefit. And we literally within -- I think Eric Doerr, our CPO, will be talking about it. So these models are like quantum step-ups. And so to have a design team that wants to be able to go, I think we're on Opus 4.2 or 4.3. And for him to then want to make move, that massive aggressive move that quick and that fast, it shows you the speed that these frontier AI labs are moving at. And I think Eric actually will give reference to that on the Analyst Day on Thursday.

Matthew Brown

Executives
#21

Yes, it's been really fun to see how these conversations have evolved over the past 4 or 5 months. If you think back to the beginning of the year when really the topic of conversation around AI was which companies are going to be disrupted and there was quite a bit of uncertainty, the sort of SaaS apocalypse that occurred. And then to think really the velocity in which these conversations have evolved, right? Our quarter ended on March 31. Mythos preview was announced on April 7, right? Our Q1 earnings announcement was April 29, and then here we sit today. These are conversations that are happening really, really fast, that are evolving quickly. But what I think has been super interesting to observe is how much I think people are getting it and how much things have changed from the beginning of the year to where they are now. And I think what folks are starting to realize is these very powerful models are quite capable at finding vulnerabilities, previously undiscovered vulnerabilities, in code. And that's amazing. It's an important -- and we expect there to be this explosion of vulnerabilities that exist. I think people really get that. They intuitively understand that. They are also now increasingly intuitively understanding that, that makes vulnerability management, and even more exposure management, that much more important. Because the difficult part now is not in discovering vulnerabilities, right? The truth is that's never really what Tenable has done. Tenable has done an excellent job of looking at, okay, let's place the context of those vulnerabilities in your specific environment based on your asset types, based on your configurations. Let's give you that visibility. Let's give you the insight. And now we have Hexa AI that sits on top to help with orchestrated remediation. Because that's really the trick, right? The trick is these CISOs are now overwhelmed with vulnerabilities that need to be patched. 
What Tenable One allows our customers to do is figure out which ones are most important to them, prioritize them, and then have some automated remediation to then go patch.

Brian Essex

Analysts
#22

Yes. What percentage -- like anything you can reference or quantify like the number of vulnerabilities kind of back to that noise-to-signal ratio the number of vulnerabilities that actually need to be patched versus, all right, maybe you don't use a software anymore and you remediate it by deleting, or it's one that you don't have very high exposure to, you kind of cast it aside for a little bit, I mean, how is that profile changing?

Mark Thurmond

Executives
#23

Yes. It's changing, but the numbers are massive. And you got to think through it also, it's -- the complexity of what the vulnerabilities are, let's just say, kind of at a lower level, what you now see with these AI frontier labs is they can actually chain together what used to be in the past considered very low-level, nonthreatening vulnerabilities. A vulnerability in isolation, unless it's been identified as being compromised, is low-level risk. However, with some of these frontier AI models, when they can actually look at some of these older vulnerabilities and see 3 or 4 different older vulnerabilities and chain them together, that then gets them access into a network, be able to move laterally, be able to compromise excessive permissions that are on the network live, that is where the danger comes in. That's where this visibility factor really becomes even more important, right? I mean in an old world, you typically see 2% to 3% of vulnerabilities that could be exploited. That number could go up significantly because now you can use these very sophisticated frontier AI models to be able to chain together what used to be perceived as individual, stand-alone vulnerabilities or nonthreatening vulnerabilities. So that is where, again, right, not to bring it back to why all these things are kind of a net positive for Tenable, but they are a net positive because you need to have true visibility of what your asset types are. Where are these potential vulnerabilities? How do you prioritize them based on these, what we call, attack path analysis or toxic combinations, and be able to be preemptive and proactive instead of reactive leading to a kind of a breach or a ransomware situation. So we actually view it as a net positive from what we're doing with Tenable One.

Brian Essex

Analysts
#24

Got it. And maybe, Matt, if I could ask you, about 1/3 of the business on Tenable One now and you have, look, I mean I think it's ranged from 70% to 80% pricing uplift once you get a customer migrating on a Tenable One.

Matthew Brown

Executives
#25

Yes.

Brian Essex

Analysts
#26

And what -- does that at some point become a headwind for growth? I mean, how much growth is Tenable One accounted for? And now that you have a more material portion, you're obviously lapping that lift last year, how do you think about the contribution to your platform this year from incremental Tenable One business?

Matthew Brown

Executives
#27

Yes. It's a perfect segue into some of the changes that we've made in pricing and packaging and also a preview into we're going to talk in even more depth and detail about this on Thursday in our Investor Day. But to give you a little bit of a preview, our new pricing and packaging has introduced Tenable One Foundation, which for us is really important because as you said, there's about 1/3 of our business today is not on the platform. But we need an easy on-ramp for our non-platform customers to get them into the platform. And that easy on-ramp is Tenable One Foundation. So we've created Tenable One Foundation. It's a modest price uplift to get from standalone VM into Tenable One Foundation. But then the idea is there's 2 different paths for growth from there. You can expand your asset coverage, which, of course, we think is a really compelling offer for our customers to just get better with their preemptive security. But also they can upgrade from there to Tenable One Advanced, and that price increase ranges anywhere from 6% to go into Foundation, up to 60% to go up to Advanced. And then it grows beyond that when you factor in expansion. So it's a really important part of our growth story. We continue to see favorable trends in that direction. So last quarter, 41% of new customers and new business was done in the platform. That's about an 8 percentage point growth from the prior year, and we continue to see that trend going forward.

Mark Thurmond

Executives
#28

Yes. The one thing I'll piggyback on that is when you look at -- we see that, when we look at the different selling motions, we see the 2/3 of our installed base, right, that's still on VM, right? And 1/3 is already migrated over to Tenable One. That 2/3 installed base, that is a phenomenal opportunity. That's where we see this massive migration opportunity to take those VM customers with the uplifts that Matt referenced into either Foundational or Advanced. We are not allowing customers to run Hexa on VM installation accounts. So if you're a VM customer, you can't run Hexa. We're only building Hexa into Tenable One. So when I think customers that are sitting on VM and want to be able to have a forcing function to upgrade, there's all the other capabilities of looking at all the incremental assets and all the other things we do, the advanced capability. But to now have Hexa where you can have agentic AI agent automate a bunch of these manual processes and mundane tasks and automate the remediation and tagging and things like that, we think, because there's not a lot in that VM base, they don't have a lot of cyber experts, right? One of the big issues with that lower-end VM base is they don't have a huge cybersecurity team. So if we can automate a bunch of those things, we think more customers will end up migrating to T1, and it gives us a great opportunity in the 2/3 of the installed base that are still VM.

Brian Essex

Analysts
#29

Got it. And then on the Hexa side, you've talked about consumption tiered model with tokenized access. How do you expect the uplift from Hexa will be like incremental to 101 for those customers?

Matthew Brown

Executives
#30

Yes. I think the most important uplift actually comes from upgrading into the platform. So as Mark said, Hexa is only available in Tenable One. We know that there's an immediate price uplift from non-platform customers into the platform. And so that benefit, again, it ranges anywhere from a 6% uplift to a 60% uplift. Just that upgrade ends up paying for the sort of included tokens that all of our customers get depending on the level of assets they have. From there, as customers begin to use Hexa and lean into it, and that's absolutely what we want, they start to bump up against those thresholds, then there's a per token charge that kicks in after that.

Brian Essex

Analysts
#31

Okay. Got it. And then from a, I guess, competitive standpoint, how do you view -- or how often do you run into some of the larger platform players that are elbowing their way into like the VM market, like a CrowdStrike or a Palo Alto? And how meaningful is that?

Mark Thurmond

Executives
#32

Yes. So when you take a look at it, we do extremely well against all of our competitors, right? But if I break it down, you look at the Rapid7 and Qualys' compete levels, literally coming out of the quarter have never been higher, and they continue to be at record-setting numbers in regard to our compete level there. And in regard to kind of the CrowdStrikes and Palo, we don't really ever see Palo Alto obviously in the VM space. We see them a bit in the Prisma Cloud space, competing against our CNAPP offering. So that's where we see that. CrowdStrike, obviously, we see in regard to exposure management. And our win rates are extremely high. We feel very confident about our compete level. A couple of different data points. A, when you look at just not Tenable, the co-CEO of Tenable and the CFO saying our compete level is great. But you look at the analyst community, right, third-party analysts, so look at Gartner, IDC and Forrester, right? Gartner created for the first time ever a Gartner Magic Quadrant for exposure management, and we were #1. There were, I think, 51, 52 companies that applied. They put 20 to 25 in the quadrant, and then we became #1. We're also #1 in Forrester. We're also #1 in IDC. So when we actually explain to customers the differences, the technical differences -- so you do have to do some technical selling, right? You have to explain it. Because CrowdStrike a lot of the times will go in there with their flex pricing and try to give it away for free, and say, "Hey, use this, it's free." So you always got to be careful of what free is, you get what you pay for in life, and so you got to watch out for that. But when we go in and say, well, let's actually break down the technology stack. Let's look at why vulnerability management is the cornerstone and the bedrock of how you want to evaluate exposure management and how you want to look at these multiple asset types, you want to come from it from a VM perspective. 
You don't want to come from -- exposure management from the endpoint or from a firewall or from a managed SIEM. You want to come from it from a VM. So if you look at all of the teams, right, some of the larger enterprises that are changing the name of their security organization, the vulnerability team is now being called the exposure management team. It's the VM team. It's not the endpoint team or the SIEM team or the SOC team. And so we feel extremely confident in our compete level. We do have to get into technical evaluations, and we break it down, and we have extremely high win rates. And we think when they are T1, it's unbelievably high win rates, right? So we want to -- again, another reason why we want to get that VM base on to T1.

Brian Essex

Analysts
#33

Got it. And then on the pricing side, the flex pricing, how has that been received by the channel partners? And maybe can you walk through some of the economics there? How does that actually work?

Matthew Brown

Executives
#34

Sure. So in the past, we had a fairly confusing pricing model where customers depending on the asset type would have different ratios and in effect then different pricing per asset. And so customers would have to first determine what types of assets they were going to cover and in what quantities, and then they would get their kind of total cost of ownership there. What we've done now is just drastically simplified that. What we've said instead is, look, we're going to have a single price per asset. We are going to then allow customers the flexibility to set a -- set capacity, but they can then mix and match across asset types, without having to go back through procurement and legal and get additional approvals. So not only does that reduce friction on the front end, means it's a much more understandable total cost of ownership. It also reduces friction when they're midway through their subscription, and they decide maybe they got the initial allocation wrong or they would like to try out scanning a different asset type, it makes it so much easier, which we believe then encourages expansion. So far, education with our sellers has gone very, very well. Education with the channel, gone very, very well. It's well received by customers as well. Still very early. But across the board has been net positive.

Brian Essex

Analysts
#35

Great. And then how do you think about -- when should we expect to see maybe some impact of flex pricing on your model?

Matthew Brown

Executives
#36

Yes. I think -- do you mean impact in terms of like when does it show up in the numbers?

Brian Essex

Analysts
#37

Yes.

Matthew Brown

Executives
#38

Yes. It's part of -- it's a great question. And it's part of what we're already kind of -- some of the good signs that we're already seeing, which is building momentum around our new and expansion business, for example. So what everybody wants to know is, look, when are we going to see growth in flat tire? The very first step in seeing growth in flat tire is, first of all, stopping the decel. But that starts with growing new and expansion business. And that's what we're seeing now. So we're already beginning to see the early signs, and that's showing up. And ideally, that makes its way, of course, to increased bookings numbers and then ultimately to revenue.

Brian Essex

Analysts
#39

That's a good segue into the next question, which is second half revenue guide implies about 6.5% growth. You guys delivered, what, 9.6% growth in Q1. So how do we put that in context? Are you feeling more bullish...

Matthew Brown

Executives
#40

This is like the outperformance gift that keeps on giving, which is great. So when we started the year, this is funny, we guided the year to 7% growth at the midpoint, and that was our initial full year guide. And what that meant was -- we guided Q1 at 8.1%. And so now math just dictates that you know if you're guiding to 8.1% in Q1 and your full year guide is at 7%, the rest of the year is going to be something sub-7, let's call it, 6.5%. Q1 comes along, and we have a fantastic quarter and we deliver above 9% growth for the quarter. And now -- and then the question we get is, well, why the decel? And so I have to laugh because the decel was always there, right? The takeaway from the quarter is, look, as opposed to in the years past when we've maybe had a Q1 and then had to reset guidance downward on the year, it's quite the contrary this year, this year we had a really good Q1 and we took guidance up. So yes, mathematically, there's a decel. But the way to think about it actually is that we're 1/4 of the way through the year, we're incrementally more positive for the full year, which is what allowed us to raise the full year guide. And yes, mathematically, that implies a decel, but that's no change to how we started the year. Net-net, we're better off today than we were at the beginning of the year.

Brian Essex

Analysts
#41

Got it. And then, Mark, you mentioned your cloud CNAPP business. How big is Ermetic now? And is it -- are you -- do you think that it could be a substantial contributor to the platform and...

Mark Thurmond

Executives
#42

Yes. Absolutely.

Brian Essex

Analysts
#43

Would love to see how that kind of fits in to the overall growth profile.

Mark Thurmond

Executives
#44

Yes. So it is definitely, when you look at asset types as one of the larger asset types within Tenable One, I think the shift that we've seen in the cloud business is the bulk of the business that we're now doing for CNAPP is part of Tenable One platform. So you're not seeing -- in the early days of CNAPP, you see a lot of customers do a stand-alone deal and buy CNAPP as stand-alone. You're not seeing many stand-alone deals. What we're seeing in the market is a chance, and we are seeing this with Wiz, now that they're owned by Google, you're seeing this disruptive motion where they're using Tenable One. They've been a Tenable One customer. They love Wiz. Wiz is a great product and great technology. But they now see as part of Google. And you could be a big AWS shop or a big Azure shop and you're not sure if you really trust what the road map is going to be in regard to where Wiz is going to go. And now they're going to have to take them off the AWS platform, re-platform the GCP. How does that work? How the sharing of road maps and technology work with AWS and Azure now they're a part of Google. And Wiz historically is extremely expensive, right, one of the most expensive cyber technologies in the cybersecurity stack. So where we're starting to see some momentum is part of Tenable One, not stand-alone, but as part of Tenable One, you're seeing these opportunities to go into some of these Wiz shops and say, "Hey, you're already using Tenable, you're already using the platform. You're spending an incredible amount of money with Wiz. Let's be able to move you on to the platform for cloud security and migrate you off Wiz." And so you're starting to see that selling motion. And so we view cloud and CNAPP as part of T1 to be a significant differentiator, especially when you look at our historical competitors, it really isn't even close to the capability we have compared to, say, a Wiz -- or no, sorry, compared to like Rapid7 or Qualys or even a Crowd. 
So yes, we view it as a big competitive differentiator and we view it as a space that still has lots of growth, lots of legroom, and a competitive dynamic that's being shaken up a little bit by Wiz now being part of Google.

Brian Essex

Analysts
#45

Yes. I mean on that point too, obviously, that was one of the biggest questions that came up when Google announced they're acquiring Wiz, is if they're built on AWS, so...

Mark Thurmond

Executives
#46

Billion-dollar customer, right? I mean one of the biggest. Yes.

Brian Essex

Analysts
#47

So any indication of that you're seeing on your side? Is there going to be a change there? And is it something customers are worried about?

Mark Thurmond

Executives
#48

I can't comment -- I mean, listen, anecdotal customer conversations, they're concerned about it. I can't give you any inside baseball on what discussions have happened between Amazon and Google. I have no idea. But customers are concerned, especially if you're a true blue AWS shop and you knew that Wiz had a very tight relationship, right? Roadmaps would be shared 12 months previously. There was a lot of co-design and co-development with AWS. And so if you're an AWS customer, now you have a Wiz rep show up with the Google rep to talk about GCP, along with Wiz, I think there'll be some concern there. But we stay in our lane. We focus on what we can control. And we focus on selling and positioning Tenable on the platform. And if customers see an opportunity to simplify their cybersecurity stack and are able to remove and consolidate a CNAPP product into a platform like Tenable One, we'll work with customers all day long in those opportunities.

Brian Essex

Analysts
#49

Got it. I think we've got a couple of minutes. I just want to reach out to the audience to see if there's any questions from the audience? Okay. We'll follow up on this. I wanted to ask Matt about, or you, Mark, about things on the hiring front, particularly on the sales rep side. How have hiring trends been over the past few quarters? And then what's your outlook for near-term hiring on the sales rep side?

Mark Thurmond

Executives
#50

Yes. You want me to...

Matthew Brown

Executives
#51

Yes, go ahead and I'll follow up.

Mark Thurmond

Executives
#52

Super fast. When we came into the year, we added quota capacity to the field. And we've seen that pay off, right? So we feel really good about where we are at. We've seen productivity levels increase. We have deployed a lot of automation and AI technology to improve the amount of face time our sellers get with customers, meaning we've drastically reduced the time to create quotes and configurations, drastically reduced the time they have to spend inside Salesforce.com, right? A lot of these things have been productivity enhancements. When we see certain regions, like, say, for instance, the Middle East, that's seeing a spike where we might need some resources, we will add quota capacity. But right now, we are in a really, really good spot in regard to our sales rep coverage and productivity. And I'll let Matt comment on the rest of the business.

Matthew Brown

Executives
#53

Yes. One of the things I'm probably most proud of is our ability to hire in high-impact areas, in particular, in sales capacity and in some of our engineering areas where we're really leaning into the investment -- into the growth opportunity we see. So we're investing heavily there. But at the same time, what we're able to do is, through AI implementation, automation, we're able to reduce in other areas and pull back. So what you'll end up seeing is from a net headcount perspective, you're going to end up seeing a headcount that is flat to down-ish actually for the whole company, while at the same time hiring into those high-impact areas and getting a little bit of leverage from -- in the form of margin growth on all of the OpEx lines. So we're managing it really well.

Brian Essex

Analysts
#54

How much has sales headcount growth been, though?

Matthew Brown

Executives
#55

So sales capacity growth or are you talking about sales in total?

Brian Essex

Analysts
#56

Headcount, like the total number of people.

Matthew Brown

Executives
#57

Yes, we don't disclose that. But sales capacity is up 10% from what it was a year ago.

Brian Essex

Analysts
#58

Is that -- and capacity is measured how?

Matthew Brown

Executives
#59

Quota-carrying sales reps.

Brian Essex

Analysts
#60

So productive quota-carrying sales reps or just total?

Mark Thurmond

Executives
#61

No, productive.

Matthew Brown

Executives
#62

Yes. Productive.

Brian Essex

Analysts
#63

Great. Okay. With that, I think we're out of time. So Mark, Matt, thank you so much.

Mark Thurmond

Executives
#64

Okay. See you, Brian.

Matthew Brown

Executives
#65

Thank you, Brian.

Mark Thurmond

Executives
#66

Yes. Cheers.
