Tenable Holdings, Inc. ($TENB)

[Audio Gap] I'm going to actually spend a few minutes talking about the world we're actually living in today. And a lot of what you're going to hear are the themes that we actually heard over the last 2.5 days coming out of our incredible Exposure 2026 conference. I'll talk about the trends that are impacting the attacker defended dynamic and how AI is changing that dynamic and ultimately, how this sets us up for an exceptional opportunity for exposure management and especially towards Tenable One and when Steve comes back on stage, he's really going to walk you through a bunch of detail on how we see that playing out. So for 2 decades, right, we're talking a long time for 2 decades, the cybersecurity world kind of operated in this cyclical cycle, right? We would go through and we would look and find vulnerabilities, right? We would then fix those vulnerabilities, and then it was all about reducing risk after you did those first 2 steps. During that period, however, the assumption was that the volume of critical exposures would remain within what humans could actually handle. Tenable evolved significantly through each stage of that market transition. So you think about Nessus, looking at and solving the visibility problem, you then look at VM, which solve the prioritization challenges and now exposure management. And exposure management has emerged because cyber risk became interconnected across the entire attack surface. Think of OT, cloud, right? SaaS applications, totally transformed. And now with AI that is accelerating that interconnected risk at machine speed. And it has actually changed the economics entirely, right? CDs grew from roughly 18,000 in 2020 to more than 48,000 in 2025. And keep in mind, these numbers do not include the impact that the Frontier AI labs will have on those numbers, right? The question no longer is can we find those vulnerabilities right? That's not the big strategic question. The question now becomes, can we reduce the risk at machine speed before the attackers before the bad guys. So this is why exposure management in Tenable One it literally is no longer just the best practice, and we heard it in this conference is literally becoming a nonnegotiable platform in this AI era. So let's talk a little bit about that. Okay. AI is increasing cybersecurity pressure from 2 directions simultaneously, right? First, AI is creating more exposures. Right? AI is dramatically accelerating how software is written, deployed and interconnected, right? 84% of organizations are already using or planning to use AI in their software development process. Think about how fast 84% of these organizations, how fast that has happened over the last 18 to 24 months. Most security teams, though, still lack the visibility into how and where AI is being used across the SDLC. This problem and all these issues about having insecure apps entering production faster than the security team can actually govern them. So the guardrails simply were not there yet. Most organizations still lack the visibility into where AI code, AI agents, AI apps are operating across the entire enterprise in their environments. The second big area, right, is around discovery. Frontier models now analyze massive code bases and accelerate vulnerability discovery at machine speed. When once required weeks or months, specialized effort that manual effort is no longer scalable. Recent research, and this is some crazy stats are going to start throwing at you guys in a second. But recent research from Google found early evidence that attackers are beginning to use AI to discover vulnerabilities to support these exploitation activities at scale. And we actually heard some rumblings of this week here at this conference. So the window between exposure creation, discovery and exploitation continues to compress at lightning speed. All right. So let me kind of go deep on some of these numbers to put some context to it, so you can kind of understand the ramifications and what we're going to be working with. The disclosure to exploit window has effectively collapsed, right? If we take a look at 2021, the median time from a vulnerability disclosure to a known exploit was 771 days, right? You look at it moving forward and look at where we are today, it's 1.6 days. Right? In February, entropic OPUS 4.6 found more than 500 days in open source code, which is an order of magnitude increase than anything we've seen before, right? And on April 7, when anthropic-released mythos, it discovered thousands of software vulnerabilities that went as far back as 1999. And according to Anthropic, which we had here at our conference this week, which was awesome, 99% of those disclosures still remained in patch. So the reality is the attackers can find these old vulnerabilities with the power of AI to create sophisticated attacks. That is one of the ways we have not seen yet before. So this is a consequence of everything we've been talking about at this conference and over the last 15 to 18 months, right? AI is increasing the number of exposures entering our customers' environments. The result is an explosion of findings, but more findings don't automatically make the organization safer. In fact, the customers -- our customers are actually already overwhelmed with the amount of information they're getting. Last year, this stat is significant. Last year, more than 60% of organizations, right, that had a breach or a ransomware attack, they actually had a patch available on the known vulnerability that was exploited, but they weren't able to put it into production. Right? That's an unbelievable stat because it tells you the problem isn't simply finding vulnerabilities. The problem is understanding which exposures actually matter at reducing risk before the bad guys can operationalize them. Again, this is the trend that I think a lot of governments, a lot of organizations are going to start kind of going through. More findings, more noise actually brings less clarity for our customers. Okay. So the answer is not going to be solved by AI alone, right? And it is true that front to AI models are dramatically accelerating vulnerability discovery but as we said, discovery alone does not reduce risk. Organizations still need to -- let me run through this list. They need to understand what assets exist. They need to assess their exposure and every organization is different prioritize what truly matters, coordinate remediation and validate that risk was actually reduced. That is the difference between vulnerability discovery and exposure management. So even when teams know where there's exposures, where they could be impacted, acting on it fast enough is absolutely the challenge. Remediation still requires coordination across the teams, the tools and the environment. And most of the processes remain fragmented and manual. Again, this was a huge theme we heard the last few days, right? So the customers are really demanding a shift, right? They're not asking for more tools -- that's why when Steve and I and Matt talked to the Street, we always talk about how consolidation is 1 of the biggest drivers out there, right? They're asking for systems or platforms that help understand risk and that could actually take action. That is the opportunity. And literally, that's exactly what we built Tenable One for, right? AI, when you take a look at it, AI is in a temporary disruption, right? This is a secular shift and how security operates. This is not a onetime event like Log for Shell. This is how business is going to be run moving forward. As the speed of both discovery and exploitation is accelerating a fundamental shift is absolutely required, right? And it will be defined, but what we view as 3 transitions from discovery to taking action from manual workflows to orchestrated fixes and from isolated tools to an integrated platform and 1 of a system of action that requires a platform to be capable of understanding risk across the entire attack surface and coordinating action fast enough to keep pace at machine speed. And again, that's why we focused and centered an engineered tenable 1 to do. And with that, I'm going to hand it back to Steve, right? And Steve will be able to walk you guys through more detail on how we're putting this plan into action. Thank you very much.

Okay. Hello again. What Mark just described is not a temporary disruption. It is a secular shift, a major secular shift to security and how it operates, and it's a shift towards exposure management. And speaking of the platform. Investors often ask us what makes Tenable and is platform defensible? Not just now, but over the long term. And the answer is that Tenable One is built on 3 critical layers. Each one is a moat in its own right, but together, they compound. The first is our sensor layer. It's the data collection, infrastructure inside of a customer's environment that the rest of the platform sits on. The second is our exposure data fabric. It's where raw telemetry data becomes a unified model of risk and how it forms. And the third is HEXA, our Agentic agent. It's where knowing within an environment becomes action with human oversight, built in, and that's important. Each layer is hard to build. All 3 together, we believe, are nearly impossible to replicate. And together, they're the foundation of how security gets done in the agentic era. So let's spend a little more time today going through each one. Okay. Everything starts with data because how and where you collect that data is important. How and where you collect that data, determines what you can see. And we believe we can see more inside a customer's environment than anyone. We have scanners operating in enterprise environments. We have agents on endpoint and workload. We have passive network monitoring on OT networks. We have cloud configuration and workload analysis. We have identity telemetry, both on-prem and in the cloud, by the way, and we have external attack surface discovery and now visibility into the signals around AI applications, agents and systems. In short, we're a data aggregator. We're a data compounder. We have one of the broadest sensor and telemetry networks in the industry hands down. It's infrastructure. It's sticky, and it's a hard one, and it's nearly impossible to replicate. So that's what Tenable does directly to assess exposure. And while it's comprehensive, we recognize that no 1 security company can assess exposure across the attack surface. The market is far too fragmented for that. That is why having an open architecture to ingest data from other security providers is important. We have 300-plus integrations. And today, we just announced an open connector. So organizations themselves can ingest data. from almost any source. It doesn't matter if you have an API or a connector, they have the power to do that. We connect with it, we transform it and we make it actionable because in a world where the attack surface is expanding the ability to unify data, normalize it, decorate it and deduped is critical and it's foundational. Okay. But data even great data at scale does not create clarity. In fact, it can create more noise for security practitioners and it often does. That is why our exposure data fabric is so important. It creates insights from action. And it's not separate data feeds sitting next to 1 another in silos. Instead, it's a unified model of how various domains interact with vulnerabilities and configurations and it's how risk forms around them. And that model, it's not powered by telemetry alone. It's enriched by the efforts of our Tenable research team. Yes, humans still matter. It's important because our tenable research team helped us understand emerging threats, Help us understand exploits and help us understand the exploitability of vulnerabilities and exposures. Now all of this intelligence becomes part of the reasonable layer of the platform. which our partnership with anthropic helps us accelerate. We'll talk about that momentarily. But the important takeaway here is here with our data fabric, customers understand which combinations of exposure are most important and they understand how to prioritize those exposures because prioritization in the genetic era is not optional. It's critical. So it's also the foundational layer of how customers can take action and take it deterministically with confidence, which takes us to PEXA, Agentic engine. Yesterday, we announced the general availability of Hexa, our gentic engine, which is powered by anthropics latest models. Hexa sits on top of our exposure data fabric and turns what it knows into action. It orchestrates the steps required to identify the fix and then closes it and validates that the fix has been done. Now we do this all through a series and a fleet of coordinated agents that sits on top of 1 unified model, all operating with humans in the loop. And customers can also build their own agents. So instead of handing teams and enumerated list of vulnerabilities and say, "Here you go, PEXA can identify attack pass, can make recommendations, the best recommendations about the actions to take and can orchestrate those fixes. You're going to hear directly from Eric momentarily. We'll show you some incredible things about what Hexa can do. And you're going to hear from customers today about how they're using Hexa to solve some really important problems. Okay. Now we realize that not every customer is ready for autonomous action, at least not now, okay? That's coming, but not now. environments are complex, governance models vary and trust, trust and automation happens over time. So that's why -- Am I missing a slide here. Yes, I think I am missing a slide. Okay. That's why we think about remediation as a continuum, right? It's a continuum. -- based on the size, the sophistication, the maturity and the risk tolerance of the customer. On one end of a continuum is manual remediation. That's where customers identify risk, they figure out what actions they take. And then they go out and take those actions manually. That's where the market is today. That doesn't scale in the agentic era. You need to match machine speed threats with machine speed action. The second phase in the continuum is assisted remediation -- that's where AI prioritizes the risk. That's where AI accelerates the decision-making. And that's where AI orchestrates the fix with humans in the loop. You've heard that a couple of times now. It's really important. And the third phase is really autonomous remediation, okay? And we're not talking about every workflow or every action, but we're talking about autonomous remediation where customers have guardrails where there's a repeatable process and where the action is well understood. And we're not there yet, but that's where the market is going. And Hexa is meant to address the latter 2 phases assisted remediation and autonomous remediation. But directionally, that's where the market is going, Hexa is leading the way. And now more than ever, if that is important. So let's kind of bring this home here. Our work with the Frontier AI models companies are strategically important. Before I describe how we're working with them. I want to answer another question that we also get from investors because it's an important one. And the question often goes like this. What happens if one of the frontier model companies decides to compete with tenable. It's a fair question. And the answer to that question becomes well understood, want to understand what they're trying to build and what they're not because there is a clear mandate with entropic and others. They are racing to build the most capable, the most efficient intelligence layer. In the world, and we're big fans. It's extraordinary, the reasoning engine. The Frontier model companies, though, are not in the business because I made that very clear today. of deploying scanners in a data center, a dropping sensors on an OT network running on a power grid on municipal water supply on an oil refinery. They're not in the business of auditing cloud configurations at 3:00 in the morning and then taking the support call. They're not in the business of scanning a container image before it ships. And they haven't earned the right, not yet, and I don't -- and I say this in a very loving way, but they haven't earned the right, not yet to be deployed on a domain controller at a Fortune 500 company. We have. It takes years of trust to build. That is infrastructure, and the infrastructure layer is what matters in the Agentic era. The LOMs are only as good as the data, they're reasoning over. They require a data fabric and a trusted sensor layer underneath. And all of our data is proprietary. We're running behind the firewall. And are not able to publicly train on our data. And that's why we're partnering with them. And that's why they want to partner with us, okay? Because no model is designed to do security autonomously. Instead, we're here to help deploy AI safely and operationalize it. Okay? And yesterday, we announced -- you may have noticed a strategic partnership with Enthropa to help advance the next era of agentic exposure management. Anthropic brings the resin engine, Tenables the exposure intelligence, the operational context and the infrastructure layer required to safely deploy those capabilities inside complex enterprise environments. And through this partnership, we're not only leveraging Quad to help power tenable. But instead, we're collaborating closely. Hexa and Tenable, we're collaborating closely on joint research. We have access to nonpublic models and we're advancing a Agentic workflows, and that's really important. Together, we're building the systems capable of understanding attack pass determining the smallest set of actions that have the biggest impact on risk. And together, we're helping orchestrate the right fixes. So defenders can move with confidence deterministically and ensure that risk has been reduced. This is a fundamentally different operating model than other security tolling, okay? We're moving from isolated systems, two, an integrated system of action and one system to help customers reduce risk. So in a world where the attack surface is expanding, we will see a proliferation of CVEs and caps right? We're going to see more vulnerabilities, new vulnerabilities than ever before by 10 or 20x. This is how we win. This is how we grow. And this is how we help our customers solve the most important problems in security today. So thank you. With that, I'm going to turn it over to Vlad, our CTO.

Right. Good afternoon. It's a pleasure to be here. So as Aaron mentioned, I'm fairly new to the company. So I genes 5 months ago as the CEO for Tenable, I also lead Tenable research and managed Tenables R&D center in Israel. . Before that, I spent 11 years at Microsoft working on security as their corporate VP for cloud and AI products Working alongside Eric, actually, that was the previous time, we did a bunch of things together, building products like Defender Cloud, Defender, the micro security graph, MicroSet and a bunch of others. So we're here today to talk about exposure management, but I also want to start by showing what drives the pressing need. And why, as an example, a month ago, the U.S. Federal Reserve Chair and the U.S. Treasury Secretary have convened an emergency meeting in Washington, D.C. with the CEOs of the U.S. major banks. Bank of America, Citigroup, Morgan Stanley and a few others. They were there to discuss a single AI model that was [indiscernible] Metros preview and the significant risks it might create. Now Mythos was, of course, designed for defense, for software engineering, for security. But it also had capabilities that could flatten the stability of financial systems if it was to fall into the wrong hands. The CEOs were directed to treat that as a top threat to their institutions. Allow me to zoom out into a slightly global point of view. Now 2 weeks ago, I have attended the World Economic Forum's Annual Meeting on cybersecurity in Geneva. The goals of the cybersecurity center of the forum is to coordinate the global several defense across the ecosystem to partner in the fight against cyber crime and ransomware and overall to strengthen the cybersecurity and several resilience of critical infrastructures and businesses worldwide. The event was attended by about 150 of the top CISOs, CTOs and CEOs across the private sector, government ministries heads of national cyber defense agencies and many others. At the closing session of that 3-day event, the participants were presented with this question. what will define cyber risk in 2027? The answer was clear, with 46% of the votes going to AI as a threat multiplier. Now a slightly distant second place went to the response of geopolitical escalations that could target critical infrastructures. Now I think it is quite clear that AI in the hands of attackers is both a bad idea, but it is also a global concern in 2027, but for sure, it is also our current reality today. There's almost like a shift of mindset came up across every panel and every workshop at the forum. And that is traditional patching cycle is no longer relevant. AI in the genetic economy is the next greatest vector of global risk. And that also needs a new operating model. And I think that's the model we are also building our platform around. Let's take another look from the eyes of the overture this time. Now [indiscernible] have been tracking attacker speed for about 15 years. Looking at this chart that shows time to exploit. In fact, it presents the average number of days between patch availability and the first time we have observed exploitation of that vulnerability in the wild. Now you can see on the left-hand side, the slide starts at about 2018, you see 63 days, then goes down to 44 days, 32 days in 2022, it's kind of a linear reduction. Something happened in 2023. It broke the trend. The time to exploit collapsed from 32 days to just 5 days. In 2024, it went negative 1. And Google [ Mandiant's ] report from last month puts that number at a negative 7%. Now the moment that line has crossed 0, that's a yellow dotted line. That's the moment patch the patch cycle basically stopped working. It means that adversaries today are exploiting vulnerabilities on average, a full week before a patch is even available. Now this also shows that it's not a snapshot of a point-in-time situation. It's a curve, it's a trend, and it's quite clear where this is going. Now I've been doing cybersecurity for about 25 years, and the rhythm was roughly the same. And Mark and Steve touched upon this as well. Somebody usually human security researcher finds an issue in code, find the security vulnerability. They then traditionally use responsible disclosure to disclose it to the vendor who then goes and tries to fix the software. Eventually issuing a patch or a new version. Adversaries have operated on a similar cycle, although they're not in the habit of disclosing that to the vendors, but they also look for issues and code. Sometimes they get the patch and the dereverse engineering to recognize it and use it in the wild. That window between discovery, patch availability and active exploitation used to be measured in months. Now traditional patching takes days. The last data point we have from Verizon report released earlier this week was that on average, security teams take about 43 days to patch. It was actually better last year -- but it was largely fine because you had the time. The best teams today, by the way, can probably pull it off in anywhere between 5 to 8 days. It's a big improvement, but it is still fairly off mark. Now that compression of time is driven by 1 thing. And that is that AI today can do in hours, minutes, sometimes seconds, what it takes humans weeks and months. Now we've heard it here, we saw it in the news, we were living it with [indiscernible] 6 in February, finding vulnerabilities that have survived decades of one review. Later methods came along, it found a bunch of vulnerabilities as well. But more so, it has changed logical flows. It has found lower severity issues and chain them together in a way that previously only humans could do into critical vulnerabilities. It has also built autonomously working exploits of those security issues. Now about 11 years ago, we actually saw a similar watershed moment with AI. That was when Google deep mined AI, AlphaGo has successfully defeated the human master go player. Now for a very long time, GOL was considered the ultimate challenge for AI. It's a gain that was played for over 2,500 years and experts believe that computers were still decades away from being successful at that game. The thing is the game of Go has more possible board configurations than ATMs in the observable universe. -- that stand to the power of 170. And to that point, AI used basically bot force to beat games like chest, which is a simple game and brute force was basically enumerating all the possible moves, all the possible possibilities with Go that was unfeasible. So Google's deep mind at the time has proved that neural networks can master human intuition. They can manage extremely complex domains without relying on human knowledge without using brute-force methods, and also to self-improve exponentially basically by playing millions of games against itself. Now that was a huge moment about 11 years ago. Now if you go back to 2026. The frankly, mind blowing realization that the frontier LMs today can run a 32-step-reasoning chain to complete end-to-end simulated breach of a corporate network is astonishing. It also means the reactive security cycles, we all have seen for the last 2 or 3 decades are absolute. Now to be clear, this is not a single AI company story. I think this is actually a new rhythm of our industry. All the labs are racing on the same capability curve. Every model becomes better at finding vulnerabilities, doing so faster than ever in more sophisticated ways. We are seeing today that the volume of non-vulnerabilities is having a step change. And I think that's going to keep happening at least in the foreseeable future. The speed of exploitation is compressing. And the unpatentability is, the misconfigurations, the over privileged identities, the shadow, AI agents, the AI infrastructure all of those are already running in every enterprise environment in the world. And that's actually fuel that's going to ignite faster then the current operating model can probably handle of the model that the security teams have today. Now I'm a strong believer that security is a team sport and AI labs are definitely not the adversary. In fact, AI and frontier LMs are the best new tools the defenders ever had. We just have to start using them much more in the right ways. Now let's connect all of this back to Tenable. What I wanted to do is to go one level deeper, a bit more technical on 3 things. The first one is why our architecture is a structural moat and why it's also the right platform for exposure management with AI. The second, where AI and cybersecurity goes next and why I believe that every step in that direction actually expands our opportunity. And last, what we're doing in Tenable as an AI native company to become an AI native company and what that actually means for our ability to deliver. Now if I had to summarize in 1 sentence, what I've heard in Geneva 2 weeks ago, what I'm hearing from the industry, what we heard from Antropic being on stage at exposure conference earlier today. I think I would say and compress it into this kind of 1 sentence that basically represents the core of our moat. That the defenders edge in the AI era is not the model. It's the data, it's the context the harness and the guardrails that you need to build around it. Now let me break it down layer by layer. The layer surfaces and signals that Steve has mentioned, is the basic data collection on which everything is built. Now I'll add just one example to build on Steve's point. So a model, we've all seen that through OPUS and others model can successfully find vulnerability in the Linux [indiscernible] source code, for example. But it can't really go and figure out which 1 of 50,000 or so Linux oats running in the corporate network, which one of those is actually running the affected version, whether it's, in fact, effectively network which will or maybe it has a compensating control in place. rendering that vulnerability, irrelevant for the moment. Now answering those questions can only be done through sensors that are deployed within the live customer environment. We have those sensors. That's basically a huge part of that layer. In fact, we have over 300,000 of the sensors. We call them plug-ins. And they are deployed across more than 40,000 of our customer base. Now the way to think about that, they basically represent the qualified knowledge and the deep expertise of our research teams, and they've been doing that for 2 decades. And this is a way for us to understand and see the real world enterprise environment across the full surface, everything we need to protect. Data centers, IoT devices, OT infrastructure, cloud identities, AI apps, everything a company has. Of these pains actually operate using nonintrusive techniques because you don't want to bring down production simply by checking if something is up or down or what's the version. As we generate today about 100 new plugins every week to keep pace with the evolving threat landscape. Now our platform basically checks if an asset in the customer environment, whatever it may be, is vulnerable to whatever the latest thing is -- it checks the configuration, it checks all those things and delivers a [indiscernible] answer with high precision. Now that precision effectively underpins the downstream actions and decisions that go all the way up to Hexa AI. Before that, what our executive team had to do is things like open a ticket, calling your IT team to take a system of flying. Filed a report or got format schedule a patch window. Now with Hexa, you'll hear more from Eric who goes right after me. Today, these actions can be done with AI agents part of the Hexa harness working for defenders. The second layer is the exposure data fabric. It is essentially taking 1.7 trillion security findings from all these sources across all the customer base we have, these are deterministic measurements of real configurations, real environments, real assets, including historical data, for sure. And that serves as the base for the Agentic workflows we have with Hexa. Now HEXA is using that data to orchestrate action, providing it the right harness the right guardrails for trusted and safe action what's allowed and what's not. Things like role-based access, permission management, it has to have an audit trail and other enterprise requirements. Now we know this and AI labs have been saying this as well that AI agents without the right harness won't be able to complete the more complex security workflows. Actually, things might get even worse because AI agents have the tendency to go off rails, doing things they shouldn't be doing. -- and this is happening as well. Now across the 3 layers, every action Hexa takes is grounded in observable and measurable data. It has an audit trail, it gives defenders the levels of autonomy they need to protect their enterprise, both at machine speed, but with human control. Now as Steve mentioned, these layers, they compound and they create the structural boundary that we're talking about. The second thing going to leave you with is what Tenable is doing to become a native company. Now, during my time with Microsoft and specifically for the last 3 or 4 years, I've been part of the company's had transformation at scale. And in a sentence, that's basically the playbook we are running here. Now today, 100% of our global R&D team is using AI tools day-to-day. We have built the right scaffolding, the checks and balances. We have usage, -- we have token economy, and we've even added AI fluency, if you will, as a performance criteria. We have also established new AI native operational structures. We call them accelerations quads. These are essentially small cross-functional teams operating on a startup like cadence cutting across the company. And we're using that model to aggressively close the gap between experimenting with AI to actually running the company on AI. We are treating the agents as a new type of an internal software developer persona. We are adapting our product interfaces to be used by agents as well as humans, what's called a headless design, which is essentially decoupling the back end, the data, the logic, the APIs from the front end, the user experience and the presentation layer. When the consumer of the client becomes an agent rather than a human, the product, in fact, needs to be consumable by both humans and the AI agents. Now we are not voting on the eye on to legacy stack. What we're doing, we're evolving ourselves, our product stack, our architecture our team and our platform with AI. Last but shortly not the least, thanks to our partnership on topic as well as being part of open AI's trusted access for cyber program. We gain access to their early models that we're using both internally as part of our research teams as well as within our product through things like Hexa. We also have the privilege of working with the AI labs engineers and their technical staff to really fine-tune the LLMs to what we need within our product and our research team. Now the AI transformation we've driven internally is basically it's a program that's structured across 4 themes, 14 work streams -- it goes across the work we're doing with our teams and talent, the tools we're using and how we have them grounded on the data in our specific company, in our enterprise. We've also built metrics and ways to measure value -- this is an ongoing process. And of course, we have the governance for responsible and safe AI adoption and security in our CECO team. We are seeing some early productivity gains that I can share. We are seeing actually great improvements across velocity of delivery. Throughput per single human engineer went more than 2x. And the overall efficiency of every single person in the R&D organization has improved significantly. Now to small step back. I think probably every product or manufacturing company in existence roughly does these 4 things. They build something, they sell it for a profit. They support it with their customers and they support their enterprise functions, things like finance, legal, HR and other departments. To break it down even further, product creation goes usually across this process of creation and distribution. You find the problem you want to solve, you write requirements, you architect a system, you design an interface, you develop it, you test it, you document it, release it, and then you work with our marketing and sales and operation teams. To get it in the hands of customers and make a profit. Now these steps essentially remain the same, almost the same with or without AI. However, there are a few things that do change. And I believe that, that's something is speed, efficiency or productivity, if you will, and the division of work. Now we're seeing that paradigm shift. We're seeing that across the industry, but also from our own personal experience at tenable and what I have seen happen at Microsoft a few years ago as well. The first change is that our workforce, in fact, now is hybrid. It has both humans and AI agents. Humans take the role of defining directing or supervising with AI taking more and more of the execution cycle at machine speed. Now you can't only focus on cold -- so we're also working to streamline the process end-to-end left to right. Some of these steps also need to evolve, such as the headers design I've talked about where the consumer is no longer only biological. We know the product will be used more and more by agents along with humans, and we need to adjust the design and the interface to that. We need to have the right guardrails in the release cycle. We need to run the AI models within the right harness and invest in adopting the tooling to our specific needs. The last thing, and this is, I think, the holy grail that we're on track to achieve is when this process, this cycle becomes autonomous and fully agentive. What that means is that we have successfully orchestrated agent to agent communication and agent to agent workflows. They can then go and iterate through these steps while preserved in the context the shared memory, if you will, which is not a simple challenge, the human intuition and the intent of the creator with humans in the loop for direction, control and supervision. The last thing I want to touch on is where I think we are going next. Now for me, there were a couple of sessions that really were eye opening at the [indiscernible] form. One of them was securing the Agentic economy. I think it also provides a glimpse into where the market is going. And I kind of broken it down across 5 trajectories. And I think every 1 of those talks to the expanded opportunity we have. First, we're all seeing that the LLM capability floor keeps dropping. So we are already seeing autonomous packages going mainstream, OPUS cyber, they show the trend, but others follow closely. So what that means is that the Frontier will become baseline quite fast. And that means there's a major shift that's happening. When [ Mitas ] came along and topic predicted that others will catch up within 6 to 12 months. The reality was that it kind of happened in 30 days. So with GPT 55 being almost as good on many of the existing cybersecurity benchmarks. The second thing that's happening is that Agentic AI becomes table stakes for both sides, both the adversaries that are way ahead, actually. They're early adopters, these guys. They're moving super fast, but also for defenders. If you go to something like a hacker 1 leader board today, you'll see a bunch of names, some of them, maybe most of them will be AI agents or humans heavily augmented by AI. This is sort of our line of sight into that capability curve. There's also an interesting implication on regulation. Now 1 example I've heard was the European Union's AI Act next enforcement phase takes a tax effect on August 2, 2026, in about 2 months. And there's a discussion of what it actually means where things like audit, compliance, insurance, they all require reproducible, auditable [indiscernible] output. What I see that means is that LLM have to be part of a workflow in a way that ensures determinism as well. So it needs a harness, it means that wrapper. The agenetic economy is definitely the new attack surface. Our own cloud on a security report we've released a few months ago, shows things like 70% of enterprises today have AI artifacts, such as NCP servers or applications without proper security oversight. Eric is going to share some data points that are even carrier of what we're seeing from customers today. And last, the contextual value, for tenable, that context is realized through our exposure to data fabric. And I strongly believe that becomes the most valuable real estate in the stack in this new world. I don't think success will be to the 1 who has the smartest LLM. All of us will have access to LOMs. Depends on the price, but that gets cheaper and cheaper as well. I think success will be for those who can ground those AI agents in the right data in the right context, orchestrate them with the right harness and build and run them with the right guardrails. And I personally believe that every one of these trajectories are a tailwind for exposure management, that's actually what brought to tenable. And that's what we're building here at Tenable. With that, thank you for your time. I'll pass it on to my friend and colleague, [indiscernible]

I'm Eric, Chief Product Officer. Been here for a little over a year. Before this, I was at Google for a couple of years, I led the [indiscernible] integration, Chronicle, Google Threat Intelligence. And before that, I was at Microsoft Security for quite a number of years with the lag. I had a funny job there. I was in addition to building security products responsible for the Azure sock and incident response for all of Microsoft. Spoiler, I wouldn't recommend doing both of those jobs at the same time to anybody. But it did give me a unique insight into how one of the world's biggest targets is attacked every day, and that's been super helpful in my career since and what I bring to Tenable. There's a ton of innovation that has happened in the post-breach world even before AI, but not as much in preemptive security. And that's a big part of what brought me to Tenable. I watched this pattern over and over. The reach happens, we clean it up. That was before AI. AI changes the math. If the attackers are operating at machine speed, as Mark talked about, you can't respond your way out of that with spreadsheets. The Defenders edge has to move forward to preemption. You have to fix it now before they exploit it. And this is me, the little help from Claude, my version was longer. So what's happening? We talked a little bit about this earlier. This is a hard problem before AI, NAI is making the attack surface way worse. You see productivity rising, of course, visibility is falling. But we've kind of seen this movie before in security. We saw with cloud, where cloud adoption outpaced security. We saw it with SaaS, where things remember when Box and Dropbox came on the scene, all of a sudden, there's documents being shared everywhere and security teams are saying, I have no idea how to keep my hands on this. Same kind of trend, but AI is running this tape at 10x feet. And these are 2 curves moving in opposite directions. The business is sprinting. Every business unit is shipping AI models, training data, agents, MCP. The workloads are going live faster than security can spell them. The CISO is effectively flying the plane blind. But every platform shift creates a new security category. Cloud give us Snap, the dissolving perimeter gave us 0 trust. We believe Shadow AI accelerates the trend towards exposure management. The average enterprise has 50-plus security tools. You can't solve this problem in a siloed way. The answer isn't the 51st security tool. We think it's tenable. So how do we do it? Three steps. I'm going to go a little deeper than Stephen and Vlad here. Step one, you have to have continuous discovery you have to see everything. You can think of this like the census. You not only just have to see, you have to see, you have to hear, you have to taste, you have to smell. You need to pull in all of that context because the enterprise is alive. It's not a static thing. It says cloud, it has devices, they have web apps. It has identity. And of course, now it has AI, AI infrastructure as a critical piece of the new attack surface. And that whole attack surface is constantly changing, and the threat landscape is constantly changing continuously, not monthly, certainly not quarterly. And it's hard to do that at scale. This sensor fabric creates a network effect, 1.7 trillion real-world findings, $113 billion on average a month, new findings per month. That's deep scanning inside the operational environment. You've got a -- but as Steve mentioned, no one can scan every interesting piece of data in the enterprise. So the 300 data integrations we have and growing more every day, allow us to bring in context from other security tools, but just as important from the infrastructure and business systems that help create the context that allows you to know what matters. Zooming into AI in the last 30 days alone, in our customer base, we found 457 million AI security findings, finding as a problem or a potential problem. That's across 7,000 customers in 57 countries. So this is a globally growing shadow AI problem. We're built. And if you could think about it, we've been training for 20 years to outscale the attackers. Last year alone, we shipped 70,000 plug-ins. Vlad mentioned this, you think of this as detections for different kinds of issues that our customers have. We have hundreds of shadow AI detections to. They're live today and more shipping every day. We cover about 25% more than CESA with the known exploited vulnerabilities program. You may have read the news that CISO is sadly scaling back some of their activities because they can't handle the increase in volume, we're scaling up. The enterprise is alive, 11 helps you discover it in near real time. Step 2. Yes, the priority is what matters because every enterprise is different. We had about 48,000 CDs. This is the funny unique number for every unique vulnerability. Maybe we'll have 100,000 this year, maybe more. The last thing security teams need is another firehouse. You got to bring that data in, you have to deduplicate it, you have to correlate it enrich it. decorate it. You have to make it useful because the raw data is not useful. And you have to do that synthesis at the center rather than inference at the edge because the data needs to be a graph. With this, this exposure data fabric. We can tell you, on average, the 3.3% of those unique vulnerabilities that matter to you. And we do it faster. Again, looking at CESA, we discover exploitation about -- we overlap in about 64% of the times that CESA discovers vulnerabilities. But the median time we discover that exploitation is 7 days earlier. The average is 37%. But you have to move beyond CDs. Because as we see from those recent Verizon data breach report, which we contributed to, about 1/3 of findings are not CDs. These are identity misconfigurations, infrastructure hygiene, exposed secrets and 2/3 of the breaches come from those non-CD issues. So 1/3 of your risk, but 2/3 or 1/3 of your findings, 2/3 of your risk. So with our exposure data fabric, this all becomes context. In context, as Vlad mentioned, is extremely necessary for the orchestration of both humans and agents. So if the sensors are the sensors, you can think of the data fabric like the brain. But let's talk about number three. The third step is obviously fix the problems. But unfortunately, this is where historically the industry has broken down and moved at the speed of spreadsheet, just not machine speed. Grade visibility and prioritization is obviously critical. It is necessary, but it is nowhere near sufficient to solve the problems of today. You can see in 2025, about 26% of the worst vulnerabilities, the commonly exploited vulnerabilities or known exploited 1 real disease, we're fully remediated. 26%. You see the patch cycles, 43 days on average, flat showed that the trend line, but they're actually going in the wrong direction. The year before, the industry average was 32%. That's terrifying. Spreadsheets can't keep up, only machine can fight the machine, and this is why we built Hexa, which went generally available yesterday. So if the sensor fabric or senses and if the exposure data fabric is the brain, ex is the body. Hexa is our genic engine. It's intenable one. We announced it at RSA a few months ago. We've been in early access with a few dozen customers, including some in this room, for the last few months, and we went generally available yesterday. It is built on the exposure data fabric. It enables automatic patching and remediation. You need the brain to coordinate those actions. It moves security teams for manual security to a genetic security at the speed they want to go, the speed of trust. And it orchestrates this mix, this messy mix that is security. Why do I say it's a messy mix? Well we know humans are falable, we've always known that. You sometimes you ask them to do something. Sometimes they do it, sometimes they don't. Sometimes they close a ticket and say they fix something, sometimes they didn't. We also know agents have problems. Agents [indiscernible] sometimes they act like bratty teenagers. You need the context in the guardrails and where you choose the explicit human in the loop interaction, to make sure that you're getting to that outcome that you want. Skynet isn't showing up tomorrow. The real enterprise is messy. We must go 10x faster, but we have to do it deterministically. So this is the layer of Tenable One. The layers of Tenable One, continuous discovery across all of the domains in your enterprise including the business context that makes it real, the world's smartest exposure data fabric, the brain tells you what matters, avoid solution nations in real time and Hexa, the body. The Agentic engine that gets humans and agents working at machine speed. But enough slides, I get to show you a product. And so I'm going to take you through for demos in the next 6 minutes, I think. So let's get into it. This is demo 1. How do you get from 10,000 findings to an attack path? Remember, attack path analysis is the only way you can get from 10,000 findings to a few things that matter. This is looking at the sequence of events that get you from an exposure to something that matters. Frontier models can't do this. They don't have the asset graph, they don't have the identity context. They don't have the brain. So here's the demo set up because it's going to go fast once I get going, okay? Customer environment, simulated customer environment. We've got cloud identity, VM scanning applications and, of course, a bunch of AI infrastructure, just like every organization on the planet. So let's go and play the video. So here in Tenable One, I open Hexa. I'm going to search for top attack pets. Looking across everything, thanks for a second. You can see the top 5. I could go drill into this, but I actually want to zoom into AI infrastructure. And so -- in a second, I'm going to zoom into AI infrastructure -- are we paused -- can we play -- you think a recording wouldn't have the demo gods like you. Why don't I tell you what's going to happen while we try to get the video going. We'll put it on the website. Yes, we'll put it on the website. So what would happen if the video played is you'd see a 4-step attack path, okay? On the far right, is a fine-tuned model. This is something the organization is using for an app in their environment, and they're training that with proprietary data. On the far left is a user. But if you look, that user doesn't have access to the model, you're probably fine, right? Not really. In the middle is some training data. It's just in a storage location. In this example, it's in an AWS S3 bucket, the average customer has thousands or tens of thousands of these. There's no real way unless you connect all these pieces together to see that the data that's in that S3 bucket is actually the data that's used to fine-tune that model. And this exposes you to something that we call data poisoning or model poisoning. But let's go one step deeper. You might, if you're a good security team, say, let's look at who has access to that training data. And you would find that the user in this attack path does not have access. So you're safe, right? Not so fast. What the user has is the ability to create a policy that gives access to that bucket. So if you get a hold of that user, you can start print and access all day long, get into that training bucket and poising the model. That's the kind of thing that adversaries love, and it's the kind of thing that siloed security. Here, now it's going. It's the kind of thing that silo security just can't help you figure out because you really have to look at the intersection of identity, you have to look at how that identity is related to the storage assets in your environment and how those storage assets are being used with the AI infrastructure that you have. So you really need all the data plus you need the brain to find an exposure like that. But we can do more than just find stuff. So the second demo is showing you how Hexa AI helps make humans superhuman. So analysts spend a ton of time doing manual tasks in every aspect of security. We all know this. Hexa handles the operational busy work so that analysts can focus on decisions, not clicks. So same environment or similar environment. What I'm going to use HEXA to do I'm going to set up a scheduled scan. I'm going to create a dynamic system to organize the results, also something people spend in a rangeous amount of time doing manually historically. And then I'm going to create a summary from my management team because I want to look good. So let's go. Here I am, open up HEXA, Zoom in. So I'm going to create a scan targeting a couple of assets, Teleca, these are our finance servers. So I want this to happen regularly, please do it for me. And also we went pretty quickly, but you should have seen it said that I'm going to tag these things as they go. Here, we ask for human in the loop because you're doing a right operation in the environment. We're going ahead and creating the scan. By the way, also you should notice, this is setting up multiple subagents in parallel. -- because Hexa is a harness that orchestrates multiple agents. Now it's doing the work. Now it may have paused again. What I'm about to -- there it goes. All right. So we set up the weekly scan. That's great -- it is moving. I can see the -- yes, there we go. And now I'm going to say, hey, generate that executive report. And this is pretty cool. Because it does a nice job as you'll see in a second of showing what I did, what happened, but it also flagged something. It flags that there was a patch regression. This means you previously took an action to patch something, and it doesn't look patched anymore. Maybe the patch failed maybe something else happened. This is what the industry talks about as validation. And it's really an essential element. It's one of those guardrails that helps make sure that when humans or agents go do things that we make sure that they get done correctly, super important part, especially in the world of AI. Demo 3. So what about when I want Hexa to just do stuff for me. exit doesn't just tell you what's wrong. It takes action. We have in Tenable One, a number of inbox agents, and we also allow custom agents, why custom. Because a lot of our customers, especially our biggest customers have very complex workflows. They have complicated approval flows, internal tooling, tons of custom data. In the past, the only option to do something here was to create an expensive internal development team or to bring in an expensive outside consulting firm to build custom automation that was fragile and meat and maintenance and all that kind of stuff. Since Hexa comes with MCP, which is a fancy way of saying that it's built to interact with other tools and agents. We can enable security teams to do a lot more in a really cool way. So here's the task I'm going to set up here, and it's going to go even faster than the previous demos. So give me a second to set it up. What I want to do here is I want to automate some patching because I'm worried about an incoming vulnerability. I have the patch, but I can't wait for a normal patch cycle. It is critical to me that we have the right human approvals because my organization requires that. And it's also critical to me that in addition to the normal auditing that every Hexa operation always has, but we use Jira for workflow tracking. That's going to work with any tool. In this case, we wired it up to Jira. I'm using cloud for the demo and for optics Cloud, it could be codecs or any other AI harness. So let's do it zoom in, you can see the prompt. We go ahead and do the scan. I found a few assets that have high vulnerability scores. So these are risky assets. Great. Now I'm going to go and check, do have patches for them with tenable patch manager, turns out have patches for most of them. Great. A couple of notes. They don't need a patch. They need a registry fix, okay? That's easier. That's good. Now we've found 6 findings across a few assets. We're going to get to a place where I have human in the loop, by the way. You don't have to have human in the loop, if you want to be fully autonomous, you can do that. That's part of the power of custom agents. Now you can see the patches were applied. It does flag there's 1 manual action you need to do. We went ahead and updated the Jira ticket for my workflow, I signed it to the right owner so that you can get that done. It also tells me, hey, you should probably do a rescan, do you want me to do that, just to make sure that this stuff actually happened, that validation loop again. It's pretty cool. Last demo. Patching even at machine speed isn't enough, as we talked about, 1/3 of the findings aren't CDs and won have patches ever. 2/3 of the breaches don't involve a CV at all. and AI scanning tools like Mythos and GPD55, wire is going to make this harder. So what I'm doing in this last demo is I'm looking for high severity findings that have no owner. And if they're risky, if those identities look risky, I'm going to automatically quarantine them. I'm going to update the identity system, which in this case is Okta and just take them out of it so that there is no risk until I can go figure out what's up there and make it right. Let's do it. Okay. Simple prompt again, it's thinking, looking for critical AES. That's the attack score effectively, the tenable users, find some assets, digs in a little bit. works around a problem, finds the owner finds 4 matches in Okta. Of course, I'm going to update Jira because that's my workflow. It's important. Have a little bit of human in the loop there. You can see the success. I've got 4 accounts quarantined. Now I'm going to move to the final step, which is verifying the membership, updating the JIRA ticket. And I'm just quarantine those assets in under 60 seconds. There's no risk of an attack without attack vector, pretty cool stuff. So this is a brand-new tool set for security teams. Stuff like Hexa did not exist yesterday, certainly not a year ago. If you zoom out to the Tenable One platform, we walked through how continuous discovery is essential, the senses of Tenable One, help prioritization that matters to you has to be there, that exposure data fabric the brain of Tenable 1; and Alexa, our agent engine, the body that makes the security team superhuman and automates the messy mix of humans and agents. And I want to leave you with my favorite marketing tagline, as we were working on Hexa, I don't get to decide the marketing tag lines, I get to propose some. My favorite marketing tagline that we didn't pick, Is at Hexa, [indiscernible] one. AI is making the attack surface, harder, the job harder. Shadow AI is everywhere, sideload security can't solve this problem. A platform that only sees some of the attack surface can't solve this problem. You need complete visibility, cross cloud, OT on-prem, IoT, Identity business context in more. Our customers have 50-plus security tools. They don't need a 51st in [indiscernible] one.

Thank you. All right. I know we're running a little behind. So I'm going to move relatively swiftly through talking about the marketing piece and then invite our customers up on stage so you could actually hear how they're using Tenable and Hexa. By way of introduction, I am Meg O'Leary. I'm the Chief Marketing Officer here at Tenable, I can't believe it, but I'm here almost 3 years. They've let me say. And I love this company. I love this team, and I think we are building something really amazing. So let me talk just -- as you came in, you -- I'm sure, I hope saw the new tenable brand. And so this is not about marketing for marketing's sake. This is about taking the foundation of tenable and what we've built in signaling to the market that we are here and ready for the AI era. So the future we are building required a new expression of Tenable. And so we really want the market to see us in a new way. We are very proud of our vulnerability management heritage. As companies are looking for VM, they are going to come to Tenable. They're going to come to Tenable because we are the undisputed leader in vulnerability management. But as you've heard over and over GaN. We are ready for the next generation of what's happening around exposures. But there's so much goodness in this brand. When we spoke to when we built this brand, we spoke to over 1,000 customers. And the #1 thing they said about why they like Tenable is because we are trusted. That is the #1 attribute that they associate with the Tenable brand. So we want to hang on to that brand, but we also want to express it in a new way. And when we all spoke to those customers, what we realize is we have something that is very, very powerful. We take chaos and we turn it into control. So you heard from Eric and Steve and Mark, 50-something -- 50-plus tools inside their environments. 12 to 15 teams. Now the AI attack surface is coming, Agents are proliferating. It is a lot of chaos to harness. And what we learned is that, that's what customers count on us to do. So this idea of chaos to control of giving them simple answers in black and white, that is what this brand is all about. So it's a scalable system. We think it's opinionated. We think it's sharp. And we think it stands out in the marketplace because we have something to say and we have something to show. And I hope that you saw that in the demos and what we're telling you about 11. So you're going to see this roll out more and more, if you come to RSA, when you come to conferences, but also the first real expression that we're doing of this -- of the brand is actually a new brand campaign. So when I say brand campaign, I'm not talking about Super Bowl ads. I'm not talking about huge billboards, we are surgical in the way that we do brand marketing. We started investing in about a year ago. Our website traffic has more than doubled since we've started targeting customers and prospects in this way. and we just want to make sure they hear our message. So I'm just going to give you a little preview of the brand campaign that's rolling out this week. [Presentation]

All right. Thank you. Thanks. So what we're trying to do for our customers is contrast the intenable circumstances of their jobs and what they're trying to do with the control that Tenable is bringing. And we're really leaning into the AI message because we think we're doing something very exceptional here. And you can see it scales when the opportunity is the right to scale to the physical spaces to scale to digital spaces around trade shows and our own events and showing up in the market in a really bold way because as we are saying more and more when the world is untenable, we are tenable. So with that, I'm going to invite our customers up so we can actually talk about what they're doing to control their chaos. So if you guys would join me on the stage here. Come on up.

All right, we'll get started without him. Don't turn on this -- and let's turn the offer comes back in the room. All right. Actually, I'm going to want to hear from Eric because he actually is doing some incredibly exciting things with Hexa and agenetic security. So let's just get started with some introductions here. No, you're okay. You're okay. Why don't we go ahead and get started? Rick, do you want to introduce yourself?

Sure. My name is Rick Vagama. I am the CECL like GEICO, Be sure to bundle your home, auto, boat. -- and motorcycle and give us 15 minutes and we'll save you 15%.

John Schram, I'm the Global Head of IT Risk and Security for Unit Re. The largest company you may not have heard of before, and I run a team of 400 security professionals across 10 countries for the world's largest reinsurer.

Hi, everybody. My name is Tarek, I hope my mic was internal, what I was -- it would have been great as you, I think you can hear, I am French. I've come from Zika, which is a cement company, which I'm telling in the very [indiscernible] I'm sure, basically, they build concrete and sell it across multiple countries around the world. them super I don't have a coal like selling you .

All right. Well, we're super happy to have you here. And let's sort of talk about the jury that you are taking to exposure management, right? So I know you all sort of started your journey with us around vulnerability management. I know there's a lot of expansion that you've done. But can you just talk a little bit what was the breaking point or the turning point for VM that made you decide, okay, we need to move on to exposure management. And maybe, Rick, you could start for us.

Sure. So I'm proud to say that I've been working with Tenable now for 12 years. I'm a 3-time customer, though, according to Mark and Steve, I will not get Tom Brady go status until I buy them 7 times. But anyways, so for us, it wasn't necessarily a breaking point, right? I mean Tenable has really been helping me over the number of years that I've been working with them to pivot my journey. Certainly, from a vulnerability management perspective, there's no lack of CVEs, and part of the reason why I'm a big fan of Tenable One is, is that it's my single VM platform. So regardless of where all these various sensors are, right? My ability to ingest all that information and then have a single brain provided by overall exposure management and oh, by the way, to take it to the next level, understand my attack exposure score is really important. And what that really means is this, right? From a tech perspective, there's certainly no lack of vulnerabilities that we need to address. But when I go to tech leadership or when I talk about risk reduction with ELT members. I'm really talking about risk. So when I go and say, these are the 5 things that we need to focus on because they're exploitable. All of a sudden, it changes that narrative, then instead of me going with 1,000 things and saying address that, I'm basically saying these are the 5 things you need to focus on.

Awesome. Derek, I know for Vicat. It started with VM, then it was OT and then it was [indiscernible] all the different domains an 101. But can you kind of talk about drove you to sort of bring it all together under an exposure management.

Pleasure. So Vika operates in cement and plan. So we started with OT because the sensor solution is actually the best that was on the market. Nobody else was offering that. then we went to agent with narrative management. We basically followed the product roadmap of Tenable. And then we moved into the cloud. So we invested into the tunable Synap. And at this moment, we move to Tenable One actually we went into exposure management and the fast actually made sense because what is exposure management, like Rick said, vulnerability is. That's also what Eric said earlier, actually, 2/3 of the bridges don't come from CVs, they come from misconfiguration. They come from stuff that are really dangerous -- also since we are among a lot of countries, we have -- it's important for us to share the same language. So talking like in Brazil or in India, we do need to make sure that we all understand where the risk is and what needs to be fixed and exposure management give us that through the unified view, the unified Dageboards and the attack asset bases. Like Rick said, instead of think you have 1,000 stuff to fixed, you have this one and this one to fix. It will secure the solution. And the various owners of all of the platforms to go back to their boards with something that's simple, actionable and educate measure in.

And so I'd like to add to that, like that's a great point, right, because we all have a lot of security reactive systems, right? And when I think about Tenable, it's by proactive system where I have all the information and telemetry and oh, by the way, right, we all have various EDRs. And the EDR companies are also talking about VM the last time you were able to install the EDR on a firewall. No, right? So which is why Tenable is the right solution because regardless of what the sensor is, you can pull it all in. And now we're having a proactive conversation to go and look for things that matter where I am misconfigurations around my crown jewels.

Yes. I don't disagree with that shift has happened with the active environment and EDR and actually enable is bringing this kind of mindset that actually security teams know about, like you need to fix this right away. And [indiscernible] everybody actually to bring that mindset to the proactive movement such we can fix at the speed of machines, every vulnerability is the risk, every exposure is a big risk. It needs to be fixed right away. So you're absolutely great point.

No, I think it's really important this capability to understand the entire attack surface of a company. Again, we have 20-plus applications. We have hundreds of thousands of devices on our networks, sprawls the globe. We have 149 legal entities that we're governing in my central security services team. And sometimes we can't actually shut something off. We don't have a patch for it, but it's making a lot of money, so we can't turn it off. So we need to push a fix, maybe it's a web application firewall rule. Maybe it's a rule. Maybe it's a network structure and being able to see everything that I have and where those problems are the things that I can fix to be able to fix them and the things that I can't fix to be able to do something different is very, very critical to our business.

Can you talk a little bit more about specifically why Tenable one, right? There's lots of companies, lots of platforms coming out around exposure management. What is it about Tenable One specifically that you chose that as the solution? I'll go to any of you who want to jump in.

So first of all, props to Tenable leadership, okay? They have made Tenable One incredibly easy to buy. They've simplified the SKU process made it really easy for the channels in order to be able to sell it to meet the customer. And by the way, right, in terms of how they package all the capabilities, it's really meaningful. But for me, right, the openness of the platform and the simplicity and the real power and really, right, with Hexa, it really comes down to how creative my teams can really be. And as all of you are out there and read constantly in the Wall Street Journal about how lots of companies are reducing head count by 5% to 15%. What does that really mean, right? Also, our budgets aren't increasing either. So one of the things that we'll be taking a look at is how we can automate a lot of the lower-level types of work by using agents in order to take those things. So such as in the supernerd thing specifically is tagging an asset with the right sort of metadata so that we can make sure that the right scans are being approached. Previously would have taken one of our analysts a lot of time and a lot of collaboration with a bunch of team members. Well, essentially, right, we'll be able to automate that through Hexa.

That's such a good point. First, I just want to make sure everyone in the room saw we announced new pricing and packaging a couple of weeks ago around flex pricing so that our customers can use the assets they need to use in a fluid way to match the needs of their environment. So if you haven't seen that news, I'm sure Aaron has shared it, but just so we all have some of the context there. But then as we're talking about Hexa and what we're able to do with this genetic engine within Tenable 1, there's everything from sort of the [indiscernible], right, of the work that just takes time, tagging, what have you. And then there are things that we're doing that are next level that we really couldn't even think about doing a year ago with such speed. Yesterday, Tarek did a breakout here at exposure to talk about what he's doing with Hexa and with a genetic security. 200 people came -- it was a dire, I think it was this room but literally a standing ovation at the end. So Tarek, I would love for you to sort of share with this group how you're using hexene of the spectrum, just helping with manual work all the way up to how it's upping your game and risk in the...

Just to go on what [indiscernible] very true. Why do we trust actually trust is the right word. Out of the big players that we've been using for quite a didn't have any kind of major issue that some others might have. So this layer of trust that has built over all the years makes, the right decision to like bring your data into it, we do feel safe with the solution. Also, the vision is very good. And I guess you know French people are very nosy, so I've also exchanged a lot with the technical teams. They're very good. It makes sense where they go. So there's like a keen ship of engineers that's been created. This is something that personally like. About Hexa. So yes, I also had the pleasure to access to Hexa before the others. So I played with it for maybe the last 4 months. And what Eric was describing, like the TDS task that used to take analyst or even more senior people like me 2 or 3 days every month can be automated and actually, it then takes 20 minutes on the Monday, I can do it whenever I want, change my tags, change my scanning. And you need to know that when you do that, this is the basis of discovery without those kinds of not very sexy task, actually, the tool doesn't work as well. So somebody has to do it, and now take a and do it so I can put value my time and reflection actually risk management, which is my job, actually where it matters, and that's for our Board, that's the labs will spend. So this -- just for that already excise fantastic. Eric showed it to you. This one is great also, like you said, since headcount are going to be bigger. We're having less and less people. So being able to do more with the same kind of people or even less -- it's a great asset. Now on the capability of excess, did the demonstration yesterday, that kind of look like what Eric did, but it wasn't only intenable because in my company, like he said, we do have 50 products, I think, I won't say the name, but all of the EDA over the firewalls, all of the SIM that you might imagine, we do have debt and having tunable as our source of truth and actually using the capabilities of [indiscernible] actually give an model, a new which 1 you want, actually. Access to these kind of normalized information gives you a very good source of truth, which means that your agent can work very well. And then you can orchestrate many things quite simply. What you said about yesterday was true. I think it worked pretty well. I think the nice thing is that everybody was able to see what you could do. It's not in the future, like elegant. It's actually you can do it right now. It's fun to do. It gives you back control over your assets, control over what you have. And I think the underlying thing is that make that possible because it is so easy to integrate with the rest. And I think I've been tried with lots of other solutions. That's where the [indiscernible] that the forefront. The vision has been clear and they are capitalizing on years and years of sensors and data and become at the right moment, right time with the right product. And I think that's pretty rare in the landscape of cyber security.

I think also where we are with Mythos and the acceleration, the tsunami of vulnerabilities, we're going to see this an enabler for us to be able to go fast and also to enable our business to use AI processes to build out business functions. We have a huge number of units doing things in reinsurance and underwriting and in client service on AI right now, and we want to do more of that. So I think Tenable is one of the reasons we'll be able to manage the risk as we go down that path.

And also I wanted to add, like the work that I had an opportunity to see you do is so inspiring, okay. And so why this really batters, right? Imagine a new 0-day exploit comes out, right? And so then I can go to Hexa and be where am I vulnerable and where don't I have an EDR in place. So Hexa will go through search. And then from there, I can say, all right, can you go quarantine those systems? Or can you go ahead and patch them, right? And historically, that would have taken hours or I might have had to run a COE process, a correction of error process, right? We're now I got to disrupt a whole bunch of engineers this they cause a lot of drama. Right, through Hexa, I can do that. But the other cool thing about Hexa, right? I'm only eliminated by the my imagination. So picture a world that once we get this fully deployed and when I come in, in the morning, Hexa will have already found all the 0-day exploits, giving me a readout of where I'm vulnerable. And if I elect to tell it let [indiscernible] take over, then it can either quarantine or patch them or so on and so forth, right? And it's basically saves a lot of minutia a lot of extra effort that my teams have to go through today.

Like Rick said, which is very interesting, since I had access to or the others earlier during the week, it made cybersecurity fun again. We started asking questions. Act was finding solutions so the job wasn't a dread anymore, so the noise of the disaster, we can fund again to interact with versus that's 1 part, which is great. Another thing also that I wanted to sit so the great presentation, knowing that Tenable is going in native also actually makes sense with what our companies are doing. So there is a convergence that's happening. And tunable offering us eMCP using AI. We are also strongly encouraged to go AI-native also. So we do have the access, GMCP not go into the technical although the technical lot. But actually, the way to plug in the AI nativeness, it's nothing I'm sorry table with our own relativeness. I think that's great.

I know we're up against time, but I -- just one question I'd love to all to give an answer to. One of the things you know this better than I, but we hear over and over again about 1 of the value that comes from exposure management is the business level reporting. Going to the Board, going to the leadership team and sort of giving a -- letting them know how at risk you really are. So could you just talk about the value of Tenable 1 in terms of executive communications in terms of communicating at the Board level.

Yes. So historically, right, from a CECL perspective in the olden days, we would go to the Board and say, these are all our CV vulnerabilities and whether or not we're meeting SLA and the glass and they would kind of glaze over, right? Basically not been able to change the narrative. Now I talk about exposure. Now I talk about risk reduction. So now when I go up and present a pictorial representation, I basically show what are the top 5 risks what are the level of effort. And by the way, what's the revenue impact that if we lost that system due to an exploit, right? That then that really resonates with them because at the end of the day, right, the general managers are the ones that dictate the product on what capabilities engineering needs to work on. And historically, it's always been a tough fight from cyber working with the death or the technical teams to try and convince them. Essentially, I'm skipping them. I'm going right to ELT, and I'm saying here -- these are your 5 top risks -- you can choose to accept it. But by the way, this is what's going to be the loss of revenue due to an outage.

John, how about you?

Yes. I mean, it's core to my program, as I said, 149 legal entities, all requiring reports. I run the security services company for the group. I have to report to all of them. So that's a huge task. We have a team of people who do that. Tenable is one of the primary feeders into that reporting system for all those entities to comply with the regulations and to demonstrate their oversight of the servicing that we provide.

And Tarek, I know you talked about not actually talking about one realities, but actually you measure attack back, right? So they talk a little bit about that?

So like I said earlier, so [indiscernible] is basically France, but actually we have subsidiaries all around the world. So it's different kind of regulations, different kinds of lows and also different kinds of cyber insurance topics. For example, a 6.2% in France -- if you give us a good price with ice, we can start the business, we can talk about the business. But yes, so there's all kinds of various steps. So in Brazil, it's not the same as in India or it's in Kazakhstan anyway. Having similar vocabulary, a similar game was 1 of the big issues that we're moving around. So having to #1, but this for more than a year, has been a game changer because we do talk about the tax at -- so they managed to put that into their insurance contract. And so all of the countries, so it's also in 13 countries, it's 13 boards, reporting to the board. French, let's say, that I won't get into that. But all of them share the same vocabulary, they can improve on the same spot. And since we also had a wearer, I used to have to explain all of those reports everybody has its own card into exposure management. And treaty can actually ask questions on what to do and what would be the best way to actually improve that. So I almost made myself out of the [indiscernible]

Your Rick's reporting to the Board level through Hexa, those reports they were being mines of our own engineering and product team. So super excited to sort of see that kind of use. I know we're running a little lot. Thank you so much. Thank you, Rick. John, Eric. And with that, I'll hand it over to my friend and colleague, Dino, to talk about our GTM.

Awesome. Got you. It's always nice when your customers do you're selling 4 years. So thank you, guys. That was awesome. My name is Dino [indiscernible] I'm the new Chief Revenue Officer here at Tenable and spent about 17 years, not as many as Latin Cyber. At various companies from RSA Mimecast. Most recently, I was the CEO of a mission entity company called APX. And the reason I joined Tenable is pretty simple. First of all, it's the team. So I've been welcomed extremely quickly and deeply by the executive team, the operating team I get to work with from my theater leaders, channel leaders across my entire org, customer success through to the cross-functional teams that work with every day. So it's been an amazing 70 days so far. The second thing is the platform. When Mark and I and Steve first started talking, they walked me through sort of what momentum they had around the platform. This was re-met I didn't predict mythos, but I knew that in a world of AI, this would be the only way that you'd be able to fight machine speed attacks with a machine speed platform like Tenable One and then lastly is the timing. Again, somewhat of the category exposure management is becoming a real category. It's becoming preemptive security, proactive security is a real thing now. And again, I think the shift in dynamics of how CISOs, like the 3 gentlemen we have on stage, think of preemptive security is changing from a decade's long sort of focus on detection and response to more of a balanced focus on preemptive security, detection and response, which I think is the only way that we're going to are against the adversaries against AI, machine attacks, machine speed attacks. So let me jump into a few quick updates on how we see the opportunity ahead for Tenable and 101, a little bit better structure, how we go after the market and then I'll get into a little bit of the pricing packaging and positioning around the platform itself. So first of all, you guys know you cover our stock or you invested in Tenable. We have over 40,000 customers. We're very proud of that. Mix of some high-volume business from Anesa's perspective through to some of our on-prem VM technologies like Tenable SC thought Tenable IO all the way through to Tenable. And 1/3 of our enterprise customers already have some footprint of 101. And that tells me 2 big things: a, exposure management is real. So you're talking thousands of customers have already made this investment in our platform, and there's still a lot of cross-selling and upselling opportunities across what we've already landed with from a team perspective. And two, we have a ton of runway just within our existing base of customers, let alone the net new acquisition that I'll touch on in a few minutes, and that opportunity to land and expand with Tenable One. We have a lot of partners. There's a lot of work that Jeff, who runs this organization for us is doing around not only mobilizing our channel partners, but enabling them to not just sell our technologies, including Tenable One but to successfully design, implement and in certain cases, manage the platform for some of our maybe less sophisticated customers or customers, like Rick mentioned, who are going through some type of headcount reduction, but still need services wrapped around this key preemptive platform. And then lastly, similar to our footprint in Tenable one, we have a lot of big customers and no surprise. A lot of our big customers drive our biggest expansion. And we have a lot of midsized customers in the $100,000, $200,000, $300,000 range that we were starting to see a lot of engagement around driving more upsell expansion. Again, as we land more net new, providing that fuel to drive a double-digit growth engine in ARR over the next several years. So we think about how we're organized. This probably looks quite typical. So I'm not going to spend too much time on it as it relates to an enterprise SaaS go-to-market structure. But we've got enterprise, commercial and what we call a high velocity team as well sort of co-mingled with an e-commerce team that's supported by our world-class marketing team, again, shuttled to bag of the branding. When our sales team is screaming from the hilltops that are brand is amazing. You've nailed something because salespeople are unfortunately, almost a skeptical to [indiscernible] no offense. So I was super impressed with how the team responded because actually, black and yellow is not purple, not red, which is sort of how A lot of the world is branding themselves in cyber. So anyway, we've got an amazing marketing team that's helping, obviously, from a demand gen perspective, and supplementing again, a world-class channel organization and channel partners that are helping to drive demand, both for net new as well as existing customers and supported by field teams in the enterprise as well as hybrid teams in commercial and a high velocity team in what we call SMB. And I think the key thing here is we think of AI, which we're going to touch on speed and efficiency, actually glad said it multiple times, and I say it a lot within our teams now as I'm getting my hands around the business, is a massive opportunity across all segments, but obviously, within more of our high-velocity business. do not reduce headcount but to make the headcount we have significantly more productive and efficient. So our world-class partner ecosystem, again, pretty typical for an enterprise SaaS business. We sort of have 3 pillars. I think the one thing to call out is you shouldn't be thinking of a partner, let's say, like GuidePoint as living in one of these buckets. Many of our partners live in 2 of these sort of capabilities. And that's pretty -- again, pretty normal. I think as those businesses modernize and they look to provide more, what I'll call, round the box around the solution capabilities. They're not only going to resell technologies, but that they're going to implement and in certain cases, manage them. And then you've got sort of more pure-play players like an IBM and Accenture, who are less, I'd say, concerned or interested in the product resale side and much more around the broader business consulting and program design or redesign for CISOs who need assistance to really start to modernize their VM programs to an exposure management program. And lastly, you've got tech alliances. Obviously, Steve hit on the OpenAI announcements. I mean these I think are going to be table stakes for any cybersecurity vendor. It's going to allow us to move faster and stay ahead of the curve as it relates to AI-related threats, be in the know and co-partnering with them. As well as learning from them and leveraging their technology to actually move our platform faster and stay again ahead of the adversaries that we are all concerned about as we now sort of live in this new agent world. And then we've underpinned that with very typical Tech Alliance partnerships. One of the things I'll touch on in a few minutes is the fact that our exposure management platform is open. We have competitors that tend to want to platformatize the entire state and do everything they can to make [indiscernible] lives painful by forcing them to buy 1 size fits all. When the reality is the journey of both CISOs are on is a heterogeneous journey. So us having partnerships with the likes of AWS, Cisco and Splunk to name another 160 or key technology partners is critical. And underpinning that, when you think about the partnerships we have across Tech alliances, we have 300 integrations. Eric mentioned a few. So if you think of Jira, that's an integration. But Jira is a company. But they give to ServiceNow, we have multiple integrations to ServiceNow, 1 company multigenerations. So hence, why we have more integrations than partners expect that to grow significantly. And with the advent of the MCP protocol, which is an open -- or sorry, an AI networking protocol, you're going to see more ad hoc integrations at scale, which is super exciting as it relates to the fixing side of what we're delivering on the platform. So a little pivot. We talk a lot about machine speed attacks. We talked a little bit about AI and cyber what are we doing inside of the company as it relates to AI incentive go-to-market? We're doing a lot. So I'm going to hit just a few highlights here for you. So when you think about sort of the customer journey, we map our sales cycles against that. And we also map our enablement, how we drive demand gen through to post-sales experience. And so I'm going to hit a few highlights that we've already started. And Vlad hit this earlier, what we're doing inside of Tenable around trying to drive AI in our SDLC, yes, that's core to the product, but AI can drive efficiency everywhere in our business. And so we are in early innings, but we're already seeing really good gains as it relates to that in go to market. So genetic deal coaching seeing inside of Clari, which is a platform to use maybe the questions, the trap setting questions that the seller should use versus having to think of that on the fly. You think about click-to-chat sort of table stakes capability, but how can we use agents behind our click-to-chat platform to now streamline how our sales development reps get back to customers within machine speed where appropriate. And here's one that you hopefully will be interested in. So we talk a lot about Hexa and you might be thinking, well, you gate it yesterday, but we've got Terra talking about these use cases he's deployed, but we had an early access program. And I was one of the early access people as well, and I will try to Trump Eric's [indiscernible] Chief Revenue Officer can use it. So I've actually started to use Hexa in our demo environment just to become really, I'd say, astute understanding of what technical operators will leverage in this technology. And I do think it's going to free up the customers that we have and the prospects that we're working with around the drudgery and the complexity of working through even their head list or a traditional UX front end, but we're going to provide all 3 choices to the customers. But our solution engineers getting to the punchline are already starting demos based on the customers' top 3 top 5 pain points, either within Tenable One today, pre-ex or within other technology solutions that we're looking to augment and replace. So it's been a game changer for us already, and it's not even GA. Well, it's GA, sorry, 2 days ago. And then in post sales, again, pretty table stakes things, how do we give people in the customer success organization, real-time telemetry and call to action plans where we've got opportunity to cross-sell and upsell or if we see account risk within our customers. And this is all underpinned by a go-to-market operations team, again, world-class function within the business. that's helping us get insights to drive our sales leaders, SC leaders, channel leaders to the right spots to either double down or potentially invest in other areas as well as making sure our forecasts are done accurately weekly. We understand exactly what's happening moment to moment within the business. So now let me touch on our pricing and packaging. So I think for people that have been tenable for a while, probably the simplest way to think of what we're delivering was already said by Rick from GEICO. We're trying to drive simplicity and ubiquity with the new pricing that we've launched just earlier in late in April, so just less than a month ago. And so why we're doing that is we're trying to drive adoption of exposure management. And rather than counting multiple line items, which we become, again, fatiguing and super complex for customers, we were saying how can we simplify that buying journey and also the coverage journey for our customers. So many of our customers and Mark hit on this are maybe not quite ready for a full loan exposure management journey. So it's important to understand that while 1011 unlocks that capability, we do have a lot of customers that say, look, I'm not quite ready for this yet, but I want to take my existing VM environment, Tenable and start at least to experiment with the capabilities in my [indiscernible] layer and then over time, start adding other capabilities that are maybe adjacent to VM, like OT, identity, et cetera. And so when we think about the sales motion that we have, which I'll touch on the next slide, it's really trying to get siloed DM security tools. And if it's tenable, it's, let's say, [indiscernible] or SC or I/O or if it's one of our competitors, their legacy VM technology and get them to exposure management. It doesn't mean that VM goes away. Just think of it now as a use case, a vertical use case under a horizontal capability for Eric's slide that is exposure management. And the packages, we're not getting rid of VM. We still have customers that use it needed, but the packages now our traditional security products from a VM standpoint with 2 exposure management packages, foundation and advanced and in the case of foundation, just think of all the sort of basic or standard capability of an exposure management platform and advance, we get into more sophisticated use cases. And in the case of Hexa, both packages include Hexa -- but in the case of advanced, you get significantly more usage in that package. So the price per asset is higher. I think Matt is going to touch on sort of the economics that we're trying to deliver with the pricing and packaging. But ultimately, the advanced package is our more advanced, most advanced package and everything Eric has touched on would be included in the advanced package. So we're trying to make it very, very civil for our customers as it relates to their journey with Tenable. And we do see that we will have customers that sort of start where they are today, move to foundation and then over time, upgrade to our advanced package. So when you think about the on-ramps into the platform, there's really 3 simple ways that I'd like to talk to our sellers about it as we've kicked off me joining the company, being a few months in. And the first focus area, Mark and Steve hit this hard at sales kickoff. I was unfortunately not there. It was amazing, but still, it was good to sort of ride their coattails off a key focus area for the company, which was getting our existing VM base to Tenable on as fast as possible. And we're doing that because Tenable, as Vlad mentioned, provides multiple moats so it's a bit of a protective tissue against competitors, et cetera. So there's the decentive side of why it's strategic. But also it unlocks ridiculously valuable capability that siloed tools simply don't have. So like I said, we've already transitioned thousands of customers to Tenable One. We still have a lot of runway, over 60-some-odd percent to go. So that's a massive focus area for the sales organization and the channel organization. displacing competitors, whether it's a sophisticated Fortune 10 or 100, one of whom I spoke to yesterday that has a niche exposure management platform, a competitive VM technology, a competitive cloud technology they likely might start with 2 of those 3 use cases? Or is it straight modernization with the future proofing of our exposure management platform, we have the flexibility, especially with the new packages to land in either fashion. And while we still have DM technology to land more and more, especially with the capabilities of the likes of Hexa and the demands we're going to see from the market on things like MCP, I expect that we will see more and more lands with our Tenable One platform, either Foundation or advanced. And then obviously, once we land, we have a litany of use cases and asset coverage to drive. And I think it's very important to understand the simplicity of the asset coverage gives sophisticated organizations the ability to do things like double scanning. So I think we know there's a lot of endpoint detection and response vendors that have some basic VM capability. And we have some Fortune 100 CISOs to say, you know what, we trust your scan better than anybody else, but we already have an agent on their endpoint. We're going to double scan. And the good news for that customer, they pay once. If they want to drop the competitive agent, they don't have to pay, they get to save that money off that competitive, what we call displacement. But in the case of Tenable, they've got the coverage and they have the optionality and I think as some of the panelists said, they have the flexibility to move asset types to different use cases over time. And so that flexibility is critical as we go forward, I think, in this type of agentic world, and that's what Tenable One's platform and pricing provides. So this is an example of a very large major telecommunications company. The good news is, I think all 3 that we use on our phones today are tenable customers. So you have a 33% chance or 33.3% chance of getting it right. And this is a customer that's been with us sitting until -- since 2017, and they started like a lot of our enterprise Tenable customers, probably back even prior to 2017, they might have been doing some very basic Nessie scanning. In 2017, they made a big investment in Tenable SC along with our web app scanning technology. And this was, at the time, sort of modern core VM and like I mentioned earlier, you've got customers at different stages of their journey. This particular customer, like many Fortune 500, I would argue that their credit was already doing exposure management and I call it, version negative 1.0 in that they had various sensors like ours and others, they had a single database in the back end and a power BI front end with a lot of bubble gum and tape to drive workflow to do remediation that matter days and weeks because we know that has to be collapsed now into minutes and hours. And that's why they made sort of this journey, an accelerated journey over the last several years from what I'll call sort of very core VM use cases to a more broad-based sort of foundational almost exposure management use case, although we wouldn't have called it that in Phase II to then about a year ago, making a huge investment in Tenable to now become the brains as we like to call it, of their preemptive security posture, including everything from VM scanning Web App Scanning, cloud, identity, WAS, and we are now becoming the orchestrator of remediation for this very large Fortune 10 organization. So just to wrap up before I hand it over to Matt, 3 focus areas that we've got our go-to-market team lined up on over the next 8 months as we finish the year, but I anticipate these are going to be similar themes, the tactics may change over time, number one, land with Tenable One; number two, migrate and expand our VM values as fast as we can from VM to Tenable One. And then lastly, how do we deliver speed, scale and efficiency in go-to-market with AI and automation. And that's going to be, I think, a big factor as to how we continue to leverage on the income statement, still invest in sales capacity, but become smarter and smarter with how we have supporting capabilities in the business. Allow sellers to do what they do best, which is be in front of customers a position and sell Tenable One. So with that, we'll hand it over to Mr. Brown, who's going to call on stage and take us home.

All right. Thank you, Dino. Really appreciate it. our newest executive, been here only a couple of months. And as you can see, hit the ground running. So super happy to have Dino on board. You've heard a lot today. You heard a lot about how this market is changing. It's an absolutely shifting landscape. We wanted to go deep on the technical side. And so hopefully, you got that, you're able to hear from Vlad and from Eric. And then you heard from Meg on the new brand, you heard from our customers, what I want to try to do is pull this together for you and let you know how I expect that to impact our financial results over the next few years. First, I think it's worth taking you back to 2021 and which is the last time that we had Investor Day. Back in 2021, really exposure management was a collection of a whole bunch of different sets of tools, right? We had VM, we had web API, cloud identity. But these were all operating somewhat independently. It's pretty different today. Today, we have a unified platform, which you've heard a lot about, that platform is looking across all of the different asset types that customers have. It's focusing on what matters most, and then it's tying it together with a agentic capabilities that help orchestrate remediation. That's a big change from 2021. We've come pretty far. We've also come far from a financial perspective, so back in 2021, I'll go a little deeper. Steve touched on this already, but I want to drill into each of these areas a little bit. Our revenue back in 2021, $541 million. Today, at the midpoint of our guide for 2026, we've now smashed through the $1 billion threshold, growing at 15% CAGR over that period of time. Pretty impressive growth. How about from a profitability perspective? Even better. Profitability has grown from our op income back in 2021, $51 million, 9.4% of revenue. Fast forward, 2026, midpoint of the guide, we're now expecting $257 million in operating income. That's a 24% of revenue. It's an impressive 15 percentage point growth over those 5 years, so averaging 3 percentage points per year. With that increase in profitability comes an increase in cash. Unlevered free cash flow grew from $95 million back in 2021 to now more than triple that. We're expecting $290 million of unlevered free cash flow in 2026. That's a 25% CAGR over that period of time, more than 9 percentage points of growth. So really impressive. We've come pretty far. Today, as you heard, we've got over 40,000 customers that span 160 countries. We've got an incredible distribution network, 8,000 channel partners, many strategic partnerships, over 300 third-party connectors within our platform. So we've come a long way since 2021. But we also believe that this is really just the beginning. So we -- like I said, we drilled deep on some of these technical aspects over the last 1.5 hours. You've heard about where we've been, where we're going, where we are going and most importantly, what we're doing to help our customers stay safe. So these are exciting times for us at Tenable. Also really exciting and challenging times for our customers. You've heard about how AI is changing the attack surface. There's a proliferation of vulnerabilities, but these can be addressed with our Tenable One platform. As Eric laid out really nicely, Step 1 is this first layer. It's the surfaces and signals. It's continuous discovery. Step 2, it's making sense of this noise with the exposure data fabric. Step 3 is orchestrative remediation with Hexa. This is our key differentiator. Remember, the challenge for our customers is not discovering new vulnerabilities. The challenge instead is figuring out which of those vulnerabilities pose a risk to them in their specific environments on their assets, with their configurations, it's those specific risks, then the challenge is prioritizing them and fixing them. That's what Tenable One solves, and it's never been more important. To really lean into the opportunity, Dino touched on this with our new pricing and packaging. We knew that we needed to drastically simplify the pricing. And he talked about and actually a customer panel did a really fantastic job as well. Discussing not just the benefits of Tenable One and Hexa, which is, by the way, only available on the platform, but also this new simplicity of the pricing. This has been a pretty significant change. It reduces friction. Very important to reduce friction, not only for new opportunities but also for expansion. In the past, customers wanted to switch and mix and match assets in the middle of a contract term. I have to go through new approvals in the PO and procurement process. We don't want that friction. We've eliminated that. Now with it comes an uplift in price. Tenable One foundation is new. From going stand-alone VM to Tenable One foundation, it's a 6 percentage point price uplift. Going from stand-alone VM into Ten advanced, it's a 60% price uplift. But the price uplift, a little bit like Dino touched on is really just the beginning. What we're expecting is that expansion becomes far easier once those VM customers are into Tenable One foundation, they can much more easily expand within that platform and also much more easily upgrade to Tenable One advance. That's the goal. And importantly, Hexa AI is only available in these platforms. So while it's still pretty early, you've already heard positive feedback from some customers -- we're getting positive feedback from our customers and from our sellers. Okay. So why does it matter if a customer migrates to Tenable One platform? Well, first and foremost, and importantly, we know that it's a better customer experience. So clearly, better for the customer, but it's also better for Tenable. And here's why. We know that our Tenable One platform customers are our more strategic customers. They have longer contract durations with us, on average, 10% longer than non-platform customers. We know that our Tenable One platform customers spend more with us. We have a higher ACV. Tenable One customers spend 2x to 3x the annual contract value compared to non-platform customers. We know that our platform customers have a much greater opportunity for expansion. Our Tenable One platform customers expand at double the amount of expansion compared to non-platform customers. We know that it helps from a competitive differentiation standpoint. When we're in head-to-head bake off competitive situations, whether it's in a new situation or in a renewal deal, we have consistently higher win rates when we lead with the platform. Finally, we know, as I mentioned a minute ago, there's an attractive price uplift anywhere from 6% to go from VM to Tenable One Foundation, all the way up to 60%, again, and that's just on price alone. So what does that mean for growth within Tenable One. Well, what that means is our Tenable -- on revenue growth is growing in the mid-teens. And this is after normalizing for platform change. What do I mean for normalizing? What I mean is, if last year, a customer was outside of the platform, spent $100,000 with us. This year, they've migrated into the platform, and they're spending 115,000 with us. That's a 15% growth after normalizing for the platform, not 115%. But what it means is Tenable One has very strong growth. It's growing in the mid-teens. Now based on better pricing and packaging, exciting developments within the platform like Hexa AI, we believe that this growth is sustainable. Importantly, how does that then translate to the overall revenue growth algorithm for the company? Well, today, 2026, we know that the Tenable One platform represents a little more than 1/3 of our business. And again, growing in mid-teens. Nonplatform, roughly 2/3 of our business, and that's showing mid-single-digit growth. Now what we expect to have happen over the next several years and by 2029 is that our Tenable One platform revenue will continue to represent a greater share of the total business. This is what we believe 2029 looks like. 2029 Tenable One platform revenue will represent more than half of our business while growing in the mid-teens, non-Tenable One, the remaining portion continuing to grow mid-single digit. What that translates to is stabilizing growth from in 2026, where we're in high single-digit revenue growth to stabilizing growth into 2029, accelerating to high single-digit to low double-digit growth. Okay. That's the revenue side. The other side is profitability. That's been another really impressive part of our story. First and foremost, we know that we're investing for growth. We have an enormous opportunity in front of us. heard a lot about it today. So we're investing in sales capacity. We're investing in developing features and functionalities, particularly into the platform. But we also know that we can get some efficiencies and Dino talked about some of these on the go-to-market side. Others have touched on them. A lot of them are being driven by AI capabilities. We think we're going to be able to continue to have cloud optimization in our cost of sales. which means we'll be able to maintain gross margins of about 82%. But also some of those AI-powered efficiencies are going to allow us to rotate into high-impact areas for hiring such as in sales capacity, such as in specialty product development, while also continuing to get a little bit of leverage in the margin. Some of these AI-driven capabilities include automatic RFPs and quoting. It includes AI-powered SEs to help our sellers be more effective. in areas like general and administrative areas, it's things like AI-powered data clearing and aggregation. It's the type of normal things that you would expect to get efficiencies from using these new AI tools, but it's allowing us to rotate in and spend money where we think it's most effective. What this ends up translating to is about 1.5 points of operating margin growth each year. Okay. Moving on to capital allocation. So you can see all of that increase in profitability especially over the past several years has come with an increase in cash and a lot of it. I mentioned a few minutes ago that we'd seen our annual unlevered free cash flow more than triple from 2021 over to 2026. In fact, since 2021, we generated more than $1 billion in cash, and it's going to continue to go up from there. What this does is it gives us a ton of flexibility. We've had a history of using cash and inorganic investments in the form of M&A. And we've also leaned into our share repurchases especially lately. Share repurchases is represented here by the yellow bar have increased significantly over the past couple of years. The Board authorized an incremental $150 million of share repurchases at the start of the year that we've continued to lean into. And in the first quarter, we bought 6.1 million shares for $130 million leaving a little over $200 million left on the share repurchase authorization, which is represented by the dotted line here on the screen. We continue to believe that our stock is trading at prices that don't represent the fair value. And as a result, we've leaned heavily into share repurchases. And as you can see, the diluted share count is coming down. The weighted average shares outstanding has dropped. And in fact, at the end of Q1, it was down 5% year-over-year, and it was at the lowest level that it had been at in over 3 years. Finally, I'm going to pull it all together and share midterm targets. First, with 2026. This is consistent with the high -- with the midpoint of the guide, that we had given several weeks ago on our earnings call. High single-digit revenue growth, gross margin at 82%. We've got sales and marketing, R&D, G&A, at approximately 32.5%, 17% and 8.5%, respectively, operating margin at 24%, unlevered free cash flow at 27%. But as I mentioned, as Tenable One continues to make up a greater portion of our business and is growing in the mid-teens. We expect our revenue growth rate exiting 2029 to stabilize and then inflect tire, showing revenue growth of high single to low double-digit growth. We expect gross margins will be able to be maintained at approximately 82%. And within OpEx, we expect to get about 4 percentage points of leverage, spread out across sales and marketing, a little tiny bit in the R&D and then some in G&A as well, resulting in operating income, operating margin of about 28%, unlevered free cash flow of 31%. And that means we hit Rule of 40 exiting 2029. This translates to about 1.5 points of margin growth, as I mentioned before, from 2025 and to exiting 2029 . Okay. I think I made up some time. So I know that we are going to open it up for questions now. We're going to have to get set up with some chairs. So we'll go take a quick, quick 30-second pause and then we'll get Q&A invite everybody else back up here. Thank you.

We've got a lot of questions here.

Great. Rudy Kessinger, D.A. Davidson. Thank you guys for hosting. Matt, one metric you didn't touch on that I wanted to ask about was gross retention and how that's trended over the last several quarters, particularly as it relates to large platform vendors, we hear intersects all the time, CrowdStrike, et cetera, showing up in deals. And I'm curious, as you think about going forward, what is the risk on the stand-alone VM side growing slower than that mid-single digits. Because I think on the Tenable One side, I think with everything you guys have talked about, I could actually see upside to that mid-teens growth, but I think where I see the risk and where a lot of investors would see the risk is on that standalone VM side.

Yes, great question. So gross retention has been remarkably stable. That's something that we've seen quarter after quarter. As you know, we disclosed our net expansion rate and gross retention is a component of that. . Of course, the rest of that component is expansion. And even that rate, we are beginning to see signs of stabilization, right? Over time, that rate has been coming down. Underneath that, gross retention remarkably stable. And our expectation, as we make our way through the year is that, that rate in total, the total net expansion rate stabilizes as well. So that's kind of first piece. Second piece, the mid-single-digit growth on non-platform has also been quite stable. So being able to understand the dynamics and the opportunity as we see it, is we feel there's a solid floor and the opportunity for us now is to really lean into that growth, particularly in the platform. And then you're essentially shifting 20 percentage points of mix from platform in 2026 to exit in 2029, growing in that mid-teens rate to get that incremental 2 to 3 percentage points of revenue growth in that period of time.

And one last point. VM and exposure management especially is more important in the agenda era. There's more applications, more infrastructure, more identities, more agents, consequently more risk and more threats and more exploits. The number of vulnerabilities is increasing dramatically. There's 300,000, I think, since 1999. And 50,000 new CVEs added last year. This is no longer enriching CVE data. They can't keep up with the proliferation of new vulnerabilities. We're Entering an era unlike any other. So exposure management is going to be more important. VM is absolutely foundational to that, and it will provide tailwinds to growth, and we're confident of that.

Mike Cikos from Needham. I guess the question comes to the growth versus margin debate. We'll go back to Matt for a second, but great to see the margin expansion that you guys continue to execute on. What was the thought process? And I know that you guys have been putting this together on a multi-month, multiyear journey, right? But as far as the decision to continue to expand those margins versus potentially let's deliver stabilization of those margins and try to accelerate growth faster, right? And then the second piece, maybe more of a strategic question here, but you guys are definitively using the carrot approach to get people to adopt Tenable. Given the seamlessness of expansion and the dollar opportunity, why not use potentially more of a stick to help that penetration and expand at a faster clip?

Yes. Great question. So when we think about margin versus growth, we've always taken a pretty balanced approach but our expectation is around 1.5 percentage points of margin growth -- we know that, that is an amount that will allow us to continue to lean into and invest in that growth, right? . In the past, since 2021, we've grown margin 3 percentage points. This is actually a bit of a step down. The reason for that, again, is because we do see an enormous opportunity in front of us. And so we know that we can invest heavily in that area while still continuing to get 1.5 points of margin. The carrot and stick approach is also a really good question and I'll dish it .

Yes. Let me cover this one. That's an awesome question. trust me. It's something we talk about we debate all the time. But our thought process here, and this was even before Dino joined, we are laser-focused in regard to our selling and our channel organization, upgrading that VM installed base. We pay accelerated rates to our sellers for Tenable One. We have very aggressive incentive programs to touch all of those VM customers and migrate them to Tenable One. So those motions are taking place. And the other attribute is you can obviously see the margin improvement, right, by going to advance and going to foundation. But it's also one of those things where you've got to take the customer on the journey -- if you just automatically upgrade them instantaneously, they won't understand the benefit of the multiple assets that they could expand with. So there's some education. So when we go in, there's a huge sense of urgency to get them on to T1, but we also have to take them through the journey, so they actually get the value and the benefits through the process. And when they do, you see some of those examples like Dino has shown where they come in and then they start spending 7x. But I can just tell you, and it's even been more aggressive since Dino's joined, we are all over that VM installed base, moving them to T1, and we also are ultra aggressive in regard to competitive displacements. Going after our traditional competitors and nontraditional competitors. So that's another thing we spent a massive amount of time on also with T1.

Joe from Jefferies. And congrats on Hexa GA. I think you made it extremely clear why the lab vendors are friends, not foes. And I know you're embedding anthropic -- but I imagine you also have your own AI. Can you just talk when we think through Hexa, how much is embedded Anthropic versus your own AI? And I asked that more because I imagine a lot of your exposure management competitors will also be embedding the lab vendors I'm just curious on the differentiation and the secret sauce on that side?

Yes, I can take this. So the first thing I'd say is that it'll get a little nerdy in the answer. But Hexa is a model agnostic agentic harness. So we built it to run multi-model. In fact, today, we're running on a couple of different Anthropic models in production with customers and in our labs, we're doing things with other models as well. And so the -- of course, the models themselves are quite capable, but there's quite a lot of, I'll say, IP in the tools exposed to the models, how the data is fed to the models, the context created, when you use one model versus another model, ensuring that the outcome that the customer wanted when they said, go do a thing is actually the deterministic outcome that was created. And of course, it's early days still. So our expectation is that the foundational models will continue to get better and better and better, and the faster, the better from our perspective. But at the same time, you've got an acceleration of the complexity of tasks that customers are wanting to entrust to things like this. And so I expect that the gap of value that harness brings stays robust as far as they can see.

And some AI exposure, too. The stuff we're doing with AI exposure is pretty powerful also.

Yes, for sure. Yes, the AI security side in helping see the AI infrastructure and all the different attack paths that are there as well.

All right. Meta Marshall from Morgan Stanley. I guess a lot of your -- the conversation focused on kind of allowing customers to move at the pace that they're comfortable with. But how much of their -- is an acknowledgment by your customers that there's just going to have to be kind of more reliant on kind of automation of these systems in order to kind of protect themselves. And as you've been doing data with customers, how quickly do they kind of rely more on the automation?

I'll start and then others can kind of jump in here. We talked about certainly in the agentic era, we'll see a proliferation of vulnerabilities. And the one thing that's clear, I think Mark shared the stat is that mean time from vulnerability discovery to exploit is 1.6 days, talking to a lot of customers here today, CISO security executives. Look at the SLA time, it's not 48 hours. It's not 7 days, not 10 days, not 30 days. I think Eric mentioned, according to the Verizon breach data report is now 40-plus days. [ When it falls ] it's going like this, mean time to exploit is going like this, it's down dramatically. And this is really all about survival. I think what was considered possibly taboo years ago, which is get tickets in the hands of humans and let them do the fix, let them identify the risk doesn't scale the agentic era. So I think customers are now, I want to say, forced to move at machine speed are willing to accept a little more risk. They don't want to blow up things downstream we're seeing the transition to assisted remediation, but we know autonomous remediation orchestration is coming, and it's where you have a repeatable process, where there's clear governance and guardrails and where you think the risk downstream is minimal. But we are on this journey, and AI is taking us there, and we're leading our customers in that direction.

Maybe just to build on that slightly. This is actually the exact reason why we have levels of autonomy within Hexa and customers can choose the right level of autonomy or automation they'd like for specific tasks and according to their kind of -- where they are in the maturity curve. And another kind of thing to keep in mind, but right now, we're kind of talking about what's going on with vulnerabilities are coming and all that, we can actually decouple right, customers once they get going with this too remediation. We don't have to wait for yet another way of vulnerabilities. The job to be done does not change. Like the exposure -- the job to be done is exposure management spending exactly the same with customers as they keep going, I can mention a flywheel that just keeps going faster and faster and faster as things become more autonomous in the right context in the customer environment, right? And with time, customers will actually be able to get ahead of the breach fixed security hygiene regardless of whatever threat or vulnerability is going to be released next.

This is Jonathan Ho from William Blair. Just given the clearly growing importance of your platform, the significant capability gains that Hexa adds to that platform and the broad proliferation of assets that we expect. I'm just trying to understand why we can't see even faster growth than what you're talking about today. Is this just broadly conservatism? Are you looking for more visibility? I'm just trying to understand why it wouldn't be faster than sort of these growth levels. Steve is smiling.

Sure. Okay. I'll take the easy one. Look, I mean, that's absolutely our goal. I mean we're extremely optimistic in, not only where I think the market is, but where Tenable is specifically positioned in it. So clearly, a huge opportunity but also somewhat early days, right? This got the pace at which things are changing and happening really, really fast. So Hexa GA 2 days ago. Methos, preview was released on April 7, right? And so here we are in near end of May, things are happening quickly. Clearly, though, we think we've got the right strategy. We think we have the right approach. We think we have the right products. We think we have the right team. And so I'm extremely optimistic. I think the future is very bright. I also -- I don't think we need to get ahead of ourselves on where we think it's going.

Roger Boyd with UBS. I wanted to come back to the automated response question we just talked about a second ago. How much of that toolkit do you want to own yourself? And I know you launched patch management last year, but a lot of the conversation today was around keeping up with patches becomes increasingly difficult. So how are you thinking about the broader kind of realm of remediation that includes things like configuration management, asset isolation as far as enabling that automated response?

We're definitely leaning into that pretty hard with Hexa and Hexa enables that in a bunch of new ways that would have been really hard to do a year or 2 ago. And so, I mean, again, a couple of demos we showed if you're walking -- or you have the opportunity to walk for, I guess, the course closed now. But there were a bunch of our partners showing some of those kind of those capabilities as well. You'll see more from us pushing in that direction.

It's Saket at Barclays. I want to zoom out a little bit and Steve maybe touch on what you were talking about with more vulnerabilities and whatnot, right? So one of the earlier slides kind of has you scan, you find vulnerabilities and then you patch. I want to dig into each of those from just a value perspective, right? Scanning is something that I don't think Frontier models want to do nor do enterprises sort of trust any old model inside. So that's good, right? I think there's clear value there. But just to push a little bit to make sure the question is asked. For finding vulnerabilities is more of the value shift to the Frontier models since they're finding vulnerability faster, right? But on the other side, does more -- do you capture more value from patching, which now needs to be done at machine speed? So like there are a couple of kind of shifting values here. It feels like in the in those 3 processes that makes sense. Maybe I'm thinking about it wrong, but I'm curious how you think about that?

Yes, I'll start and others can kind of chime in here. But there is a clear distinction here. Number one, so first of all, I want to be very clear. What we do is more valuable and more important in the agentic era. And scanning becomes more important, but just to make that distinction, the Frontier AI model companies, they operate at the code layer. We find vulnerabilities in code. By the way, a vulnerability is not just a bug in a piece of software, a vulnerability/exposure is a misconfiguration, is an overprivileged identity, is the absence of a compensating control. So we're not in a vulnerability discovery business. We never have been, yes, we've discovered 500 0 days since 2018. It's not what we do. We can tell you if those exposures exist in the environment. We can tell you if those exposures can be connected and chained together to create a lethal attack path. That's really important. So what we do, we solve even more important. So scanning and the data collection infrastructure becomes more important. Prioritization is not optional. It's not severity scores, and it's not CDEs. It is survival in the agentic era, and we do that better than anyone. And the Frontier AI model companies will help us do better raising, better explainability of risk and enhances what we do. And then the final thing is really the ability to take action, which is what Hexa is all about today, and that's really our north star.

And if I can just pressurize the -- if you drill a level deeper, when you talk about finding a vulnerability, I think, it's important to be really precise. You basically say there's closed source. I worked at Microsoft for a long time. Microsoft last year found what? Roughly 1,100 CDEs. I don't know how many they found last year because I wasn't there last year. In the era I was there, we usually found about 2 to 3x what we actually patched. So better capabilities to find vulnerabilities, great, that's good for the world. That will turn into more things patched from closed source, great. Tenable doesn't play in that game, never have, don't want it, right? Then you got open source, right? Different game. There, while some open source libraries, I don't know if people read the Kearl article via a week or so ago, Kearl's one of the popular open source packages, has a particularly conscientious set of maintainers who've been actually pretty aggressive at using Frontier models over the last few years. And of course, the many cool tools that existed before they were Frontier models. They ran Methos on top of curl and found one, additional vulnerability. And that's not to say Methos isn't awesome. It's just to put in perspective kind of the difference of a really well studied code base, a really well-secured code base and then Methos is great. The victory is a sound one, right? The challenge on the open source side is the really good maintainers and well-funded maintainers might be able to keep up, maybe with this, but a lot of the open source used in the world is not. And so they are the challenges will the patches exist at all? Or certainly, will they exist in time? No, I think it's pretty clear. And so there, you've got to really look at how you're been compensating controls, how you have layered security, how you're reducing your exposure risk when there isn't a patch. But again, in that area, the finding of the vulnerability never part of our job, now what we want to be our job. As that explodes, you have an already hard job that as a defender, but you're trying to figure out of all those things out in the ecosystem, how many are you vulnerable to. That is the heart of what we do. And that's, as Steve mentioned, what we think will continue to have significant value and in fact, more value in the world with the tailwinds from AI.

Brian Essex from JPMorgan. I'd like to ask you a question actually. So historically, vulnerability management hasn't been at the top of the list of a lot of enterprises. But I'd love to hear your observations with those that have adopted Tenable One. What has your practice been for the percentage of assets that they scan throughout their networks? And then our view of that question is, do they share that -- do you share that exposure with maybe some of the EDR vendors that are moving into the space?

Yes. So there are a couple of points here. I think the vision of exposure management is exactly that is connecting all the dots. And one of the reasons we have 300-plus integrations is want to pull signals from tools like EDR, your cloud security products, whatever this you have across your enterprise stack, you don't have to replay and replace and only use a tenable solution, even if it's better in some cases. you can keep it. We just need the signal, right, exactly to collect those dots. And the reason for that, right, for customers because adversaries really go as a they -- they don't attack based on your own structure. They don't go only on your on-prem databases and data share cloud. They move laterally. They start with whatever is easiest, the weakest link, might be even the human [ pros ] phishing. And you have, I think, the latest number from Gartner, 70-plus security tools in an average enterprise and to make things slightly worse. You have different teams under the CISO running those tools, right? So it's a largely fragmented defense. So connecting those dots is super important to build things like attack path to understand, right? To go across all these signals. And out of these connect the dots to understand what's more important to me specifically right now. Tenable One or Hexa give them a better sense of urgency that they need to increase the penetration of the asset -- percentage of assets they need to scan in their networks?

Absolutely. It's both that, that comes from kind of creating that broad content, if you will. And also vulnerability management historically is a very kind of limited to specifically only do this on endpoints and the traditional cycle that used to work kind of -- there's some patch, I figure out if it's relevant for my specific server. I open up a patching window or in the process it takes like 2 months or so. I get it done, hopefully, right? But again, this is still relevant, but it's like one piece of a much bigger puzzle.

Any quantification of the lift you might see on the VM side?

Not today.

I appreciate it. Yes, I was just going to add to it, on that point that I think -- it depends on what vertical, what segment of the market we're speaking to as far as the comfort level, the speed at which their organizations are getting more broadly, deeply. So probably your organization is pretty mature. And I think what you're seeing with the Frontier AI models is people are saying like, okay, we do have to kick into gear authenticated scans, scanning everything. And I think we're going to ask similar questions like how frequently we should be looking at the speed of this. I think some of those will be driven by policy regulation and our own findings through capabilities like Hexa. So then you're going to see this moving quite rapidly over the coming weeks and months.

One last thing to add, the thing we're seeing with Hexa is kind of super cool to see. We talked earlier about the spill of trust, and this is many times of organizational processes inside the large enterprise. So if people see what Hexa can do for them, right, it allows our practitioners to actually show that thing to their management chain. And it literally opens the doors, build up more and more cycles, more and more levels of the funding. And again, that cycle is something that just keeps going.

Two more. And I know we are running late. So I appreciate everybody asking around.

Shrenik Kothari from Baird. So Steve, you started the presentation citing there's incremental TAM beyond exposure management from -- so added almost 100% over and about exposure management to AI attack. So for my first question is, are you already seeing the funding urgency and timing show up in terms of unlocking these budgets from that AI governance bucket. And part 2 is some of the broader platform players are starting to play in by leveraging their exposure workflows and aggressively leveraging Flex models to broaden [ peak ] over dollars also across modules. I know you touched upon Hexa from perspective of premium attach and up-tiering motion. Can you talk a little bit about how potentially Flex can accelerate that expansion as well?

I'll start off, and then I want to hand it over to Mark because I think you can add a lot of color here. The one thing I'll say is, if you look at -- yes, TAM has expanded significantly. First, I think the last time we updated our TAM was several years ago. So a $30 billion TAM per annum for exposure management, we said today, AI securing the threat vector of AI is an incremental $35 billion. If you look at -- there was a Wall Street Journal article earlier this week, but the average Fortune 500 company over the next 12-plus months, will each have 150,000 agents deployed, multiply that by 500, that's 75 million agents. There's arguably 100 million, tens of millions of companies in the world, 100 million plus. We are going to see a proliferation of agents unlike anything other. It's going to be ubiquitous. It's going to be autonomous. And it's one of the most important challenges in all of security. So I think it connects it back to go to market is, yes, customers are still wrestling with this issue. It's a very complex and challenging one. They're getting their arms around it, and it's absolutely driving more engagement. You heard that from Mark and you heard that from Meg.

Yes. A couple of things I'll add. And Matt and I and Aaron hit on this a couple of days ago in one of the investor conferences. So first and foremost, kind of anecdotally, right, since Methos and the Frontier AI models kind of explode on the scene, we have seen a dramatic increase in customer engagement. I think Steve and I mentioned on the call report in Q1, we said 100, we are literally at thousands of customer outreaches to us at very senior levels, CISO level engagement, talking to us about what and how we're dealing with it, what would be our remediation steps, what should they be doing in their environment from an exposure management perspective, right? So you're looking at some of the pipeline build that Gino and his team are all over, very, very happy and feel really strong with the signs that we're seeing. When you look at the competitive dynamic, and I think Vlad and Eric and even our customer panel hit on it, right, Tenable is the leader, the #1 player in the exposure management category and Tenable One is the #1 platform. And it's not just our customers, and Tenable is saying it. Gartner put us as #1. Forrester put us as #1, right? IDC put us as #1. When you were looking at building out this now mission-critical exposure management platform, it started and the genesis was it was world-class vulnerability management. And then you added those other components to get visibility on the entire tax surface with all of the native centers we now have, and now you're able to get the whole visualization, you're now able to tie in Hexa from an agentic AI perspective. We feel unbelievably confident. I can't say it strongly enough on our compete level right now. When you talk to our sellers, you talk to our team, our compete level against our traditional competitors and any new competitors, we feel unbelievably confident going against them.

Richard Poland from Wells Fargo. So mine is on Hexa in particular. I'm curious, we talked a little bit about the 6% uplift for Tenable One foundations, 60% for the advanced. How does the Hexa monetization work? Is that usage base? Like how should we think about that as part of the monetization?

So we chose to make Hexa's functionality tied to the platform. So what that means is we have to think the 2 layers of the platform. You've got the new packaging Tenable One foundation, Tenable Advance. Hexa, there's not good Hexa and bad Hexa. It's just Hexa. Now in advance, you have things like attack path analysis, which does not exist in foundation. So Hexa is smarter, in Advance because it has a smarter exposure graph that can do more and have more context. The way we're approaching this is we have -- you buy your license, and this is graduated based on how many assets you license, you get a certain amount of included Hexa with that, and then it's consumptive above that. So if you -- if you're particularly active, you might go a little bit over, and that's how we've approached it.

Yes. And I think it builds an opportunity again as I think originally, pre-Hexa prebidding here. We were probably thinking the Advance capabilities to Eric's point, attack path analysis is one thing you'd unlock. Well, now Hexa in a way becomes sort of an indirect upsell engine for us because they'll want to unlock some of those capabilities. So again, it's very early days, 2 days after GA, but you can tell the excitement we have. Again, we have customers that have leverage it that are validating the capabilities. But it's interesting that we have sort of this like what I call horizontal use case expansion opportunity, which is pretty easy to understand, VM infra cloud, AI exposure, et cetera, et cetera. But then Hexa, people wanting to unblock that to say, okay, actually in full blown capabilities for remediation attack path analysis is going to be pretty interesting to track over the next couple of months.

And last thing I'll hit it from a margin perspective. So as we model this out, which we've obviously worked very closely together on this, we have a negotiated agreement with Anthropic that's in place that includes spend across our entire company. It includes what we're doing operationally. It includes what we're doing in development, also includes cost of sales from Hexa. In building in the model we understood what would be included as part of the tiers, sort of free of charge, if you will. And the way that we've modeled it out is the incremental uplift that we will get from customers converting over more than pays for what it costs and what's included in the model. On top of that, there's, as I mentioned, an enormous expansion opportunity as customers begin to see the utility of Hexa. We think that's great. It will continue to expand and potentially then move up even to Advance that pays for it again. And then finally, as they bump against those limits, which we would love to see, frankly, we want usage, there is a pay per token that kicks in after that.

You guys want to close it up?

Yes. I think Mark and I are going to bring it home here. First and foremost, I want to thank you for attending our first Investor Day in many years. The change in this company has been extraordinary. We're in the midst of 3 major market transitions from visibility to action, from manual workflows to orchestrate it and automated remediation, and from siloed tools to an integrated platform, and one platform for taking action and reducing risk. The mandate has never been more important. The opportunity has never been bigger. And this team here on the stage has never been more excited. And so we're confident in what we're doing and our ability to execute.

I echo every single thing Steve just said. Hopefully, you guys can feel it. I know, Steve, myself, Matt, Erin, we spend a lot of time with you, folks. You can see this confidence level of this team right now, and especially even with new members being here at Tenable, I don't think -- I've been here for 6.5, coming up on 7 years. I don't think the confidence level as a company has never been higher, right? The tailwinds that are coming our way in our view are built for this exposure management platform. We're getting the validation from the customers. We're getting validation from the Frontier AI lab. I mean, Anthropic and OpenAI are saying the same things to us that we're saying to you guys about how these partnerships are going to be strategic for them. And the momentum you feel when you talk to customers, you talk to our partner community and you talk to our sellers is phenomenal. So we just now are all about execution, all about driving growth, all of the metrics that Matt has laid out is what we are laser-focused on. And we appreciate you guys coming, and look forward to talking to you guys in the future. Thank you very much.