Tenable at Cantor Fitzgerald: Navigating Strategic Shifts

On Tuesday, 11 March 2025, Tenable Holdings Inc. (NASDAQ: TENB) presented at the Cantor Fitzgerald Global Technology Conference, outlining its strategic evolution from vulnerability management to exposure management. While showcasing strong growth in exposure solutions and significant large deal activity, Tenable also expressed caution regarding federal spending in early 2025 due to ongoing fiscal constraints.

Key Takeaways

• Tenable’s shift from vulnerability management to exposure management has driven approximately 30% growth in exposure solutions.
• The company recently acquired Vulcan Cyber for $150 million to enhance its exposure management platform.
• Tenable reported over $900 million in calculated contract bookings (CCB) and revenue in the latter half of the year, with 11% CCB growth in Q4.
• The company plans to increase its research and development investment by over 20% this year.
• Despite a cautious outlook for federal spending, Tenable remains optimistic about long-term opportunities in the public sector.

Financial Results

• Tenable reported over $900 million in CCB and revenue in the second half of the year.
• The company achieved 11% CCB growth in Q4 and added more than 400 new enterprise platform customers.
• Exposure solutions saw over 30% growth, with cloud sales within this segment growing 100%.
• Tenable generated nearly $290 million in unlevered free cash flow and maintained high gross dollar renewal rates.

Operational Updates

• Tenable’s acquisition of Vulcan Cyber for $150 million aims to bolster its exposure management capabilities.
• A $250 million cloud acquisition in 2023 further supports its strategic expansion into cloud and operational technology environments.
• The company increased its sales and marketing expenditure to 43% of revenue in 2023 to support growth initiatives.

Future Outlook

• Tenable anticipates lower federal contributions in early 2025 due to a continuing resolution but remains positive about long-term prospects, particularly with the new CISA director nominee.
• The company is focused on becoming a "system of action" by driving remediation and risk reduction for its customers.
• Tenable plans to continue its strategy of organic development, strategic acquisitions, and partnerships to fuel growth.

Q&A Highlights

• Federal spending remains dynamic, with expectations of another continuing resolution until September.
• Tenable highlighted a significant seven-figure deal with a public sector agency in Europe.
• The company maintains a strong customer retention rate, averaging 15 to 20 years.

For more details, please refer to the full transcript below.

Full transcript - Cantor Fitzgerald Global Technology Conference:

Jonathan Recaver, Analyst, Kantor: So we’re gonna get started on Jonathan Recaver. I cover the cybersecurity names at Kantor. And with us, we have Steve Vince, who is a long time CFO, but also co CEO currently. So I think, you know, first off, I just want to mention, it’s really tragic what happened to to Amit. Really, you know, people who owed him to the industry, it’s a huge loss.

To that point, just just talk briefly about the the search, you know, the type of individual that the company is looking to hire or the type of experience. Does the person have to come from the the cyber world? We’ve seen some CEOs like Nikesh Apollo pulled from, not necessarily cyber, but he’s doing extremely well. Just what are the requirements that the company is looking for?

Steve Vince, Co-CEO & CFO, Tenable: Sure. Well, thank you for your condolences. Amit was our longtime CEO. He’s certainly an icon in the industry. And he was, he and I worked very closely together.

He was here for eight years. I’ve been here for ten, and we spent a a lot of time together. And the board is doing a search right now. Mark and I, Mark Thurman is our Chief Operating Officer. I’m the Chief Financial Officer together.

We’re co CEOs and we still carry our current titles as COO and CFO respectively. And the board’s retained the firm. They’re doing a search. They’re considering a number of external candidates, as well as internal candidates, including, you know, Mark and myself. And I think they have a lot of confidence in Mark and I.

But at the same time, look, we’re a company that has a vision. We have confidence in that vision and that mandate, which has not changed since 2038, which we can talk a little more about. And certainly, the board wants someone with a strategic mindset, someone who can continue to execute on that vision, continue to focus on growth and certainly, be able to take and win share in this major market opportunity that we call exposure management. So, thank you for your condolences.

Jonathan Recaver, Analyst, Kantor: We appreciate it. Yeah. No problem. So I just want to start off with a discussion on the, you know, the vulnerability management marketplace, the two other public companies that compete in the space. You know, it it’s well known that VM is kind of a foundational layer to understanding risk on premise.

But, you know, the three public companies seem to be going in, you know, three different directions. It seems that Rapid7 is focused more on security operations, which is a big problem, but not maybe as synergistic, intuitively to to be, excuse me, Qualit seems to be building up this kind of broad risk analytics and risk assessment platform. And, you know, they’re trying to do that internally for the most part, but it seems like real innovation has been lacking to some extent. And and Tenable is is moving from VM to this this exposure management category. So just just talk about that that strategic shift, why it makes sense for for your

Steve Vince, Co-CEO & CFO, Tenable: company? Sure. Well, Tenable, first and foremost, is the exposure management company. We help organizations understand and reduce their cyber risk. Our roots are in vulnerability management, which is assessing discovering and assessing network based devices for vulnerabilities and exploits.

But ever since 2018, when we went public, we said our mandate was really on the outgrowth of vulnerability management that we call exposure management. Gartner now calls it continuous threat and exposure management, which we can talk a little more about because Gartner, a little later this year, is coming out with an MQ for exposure management. It’s a category that we’ve created. So, you you know, years ago, our goal was not just to become the unequivocal leader in VM, which we are today. You know, we were not the market leader years ago.

We are now. We’ve invested in this market. It’s a strategically foundational market, but the outgrowth of that is what we call exposure management. And that’s a simple way to think about Tenable is in terms of breadth and depth, breadth in terms of the other asset systems and devices that we can assess across the attack surface. So taking that core exposure use case on the network and then applying that into web applications.

So over the years, we’ve brought new products to market, such as web apps. Think about Equifax, and we have a dynamic scanner that allows organizations and companies to scan web applications. We also apply that to public cloud environments, looking at the configuration of those public cloud environments, looking at vulnerable code in a publicly facing EC two environment and combining that with identity. So securing workloads in the cloud, it’s really important. Then also apply that to OT, operational technology, industrial control systems that were analoged and then more recently became digital and then more air gap and now we’re all interconnected.

Think critical infrastructure like manufacturing facilities, you know, wind turbines, power plants, the flow of water and oil across, you know, The US and outside. Those are all things that we assess. So we’re able to, expand across the assert the attack surface to assess vulnerabilities and exposures for different asset types, breadth, and when we’ve done so organically and inorganically, and then we’ve gone deeper in terms of the insights that we can deliver. So all along, our, this this mandate was not just to be able to do assessments across various asset types. It was to integrate all that data across all those different, systems and devices into a single platform to help customers understand risk holistically.

And, more recently, we’ve brought to brought to market our exposure management platform, which is seeing great traction, higher selling prices. And we believe that cyber is a big data problem, and we’re helping companies operationalize preventive security.

Jonathan Recaver, Analyst, Kantor: Yeah. Yeah. No. It makes sense, you know, from a strategic standpoint. I’m curious when you look at, you know, how the, you know, the competitive set will, will develop over the next couple of years.

You have, you know, Zscaler who announced the capability just recently, but that will take some time to to get off the ground. I would assume, follow-up those talking about exposure management. Talk about the importance of on premise vulnerability management to that broader capability. Do those companies need to also understand risks on prem? Can they compete with just the cloud portion?

And how do you position relative to them with that broader footprint you have?

Steve Vince, Co-CEO & CFO, Tenable: Yeah. We think we certainly position very well. We certainly have if you look at kind of the core VM market, it has evolved from something that was largely compliance driven to today. It’s something foundational. It’s a foundation part of your security program, and it’s one of those things that customers have to do.

And that’s not changing. Right? Yes. Workloads are moving to the cloud, and we can help customers assess, facing vulnerable workloads. But we live in a hybrid world.

Right? Most large companies, any company of consequence is going to have, you know, connected devices and assets that hang off their network or they’re going to have assets in public cloud environments or have web applications. So if you talked about the traditional VM incumbents, we all start roughly in a similar place, but have very different strategies. Rapid has a bit of a downward focus in the market, so they’re going broader in terms of the things they can do more on the managed service side, whether it’s, you know, on the, on the MDR piece or in the instant response side of it. Qualys is a little bit of a different profile just given the higher margin, certainly less investment on the R and D side and maybe from the go to market pieces.

Pieces. But, you know, this is a market, quite frankly, that we haven’t seen a lot of new entrants in the market. So we get questions often about CrowdStrike. We we got them, you know, year we’ve been getting them for years and even, years ago about Tanium. Right?

We just don’t see CrowdStrike in our win loss studies. CrowdStrike, what we see more is, they have the ability to impact deal sizes, because we’re focused on selling to mid and large sized customers. And, if a customer is looking to license, say, 300,000 assets from us, they may have an agent on their endpoint that’s a tier two or tier three asset that’s outside of their compliance policy that doesn’t have sensitive data. So maybe they’ll use CrowdStrike to do VM contacts for attack detection and response, not necessarily full blown vulnerability management. But our win rates are very high.

Whenever there’s a VM opportunity, there’s 68. We talked about the 65% to 70% win rates. When there is a VM opportunity, it’s our deal to win. And we have, and and we’re continuing to

Jonathan Recaver, Analyst, Kantor: Yeah. I think George Kurtz, his first company was Poundstone, right, which was a VM company, which he sold to McAfee. So people who don’t have history always think that he’s gonna

Steve Vince, Co-CEO & CFO, Tenable: be more And that’s why we’ve been getting questions about about CrowdStrike, but they they play in a

Jonathan Recaver, Analyst, Kantor: lot of different spaces, CrowdStrike. And and have you disclosed, if you look at exposure management, what that represents as a as a percent of of current calculated billings? How that’s changed over the last couple years?

Steve Vince, Co-CEO & CFO, Tenable: Yeah. In our q three earnings call, we’ve talked about, like, we provided a new growth outgo for investors. And keep in mind, this journey that we’ve been on over the years, right, roots and vulnerability management, but over the years have brought new products to market to be able to assess vulnerabilities and exposures across different systems, and then going deeper in terms of the insights that we can deliver. All that culminated in the launch of our exposure management platform. So over the years, more recently, over the last eighteen to twenty four months, we began selling and assessing, other devices, pub cloud, web applications outside of traditional VM.

So about 20% of our business today on an asset basis, because we have an asset based licensing model, is kind of the non traditional VM. We call that exposure solutions. That’s seen outsized growth, roughly 30% growth. Cloud is within that growing 100. So a lot of traction selling the platform, a lot of traction, certainly helping customers assess their public cloud environments.

And then consequently, we have certainly a good percentage of our business that’s seen high single digit growth in VM. And, and, you know, that growth that we’re generating today in vulnerability management, is growing slightly faster than market, certainly faster than our VM competitors. But the VM market certainly is foundational. It gives us the right to be able to assess these other assets and systems and gives us the right to be able to sell this broader exposure management platform.

Jonathan Recaver, Analyst, Kantor: Yeah. I mean, it’s it you know, platform is the, you know, word du jour Yeah. Across the public companies. But it does seem like what you’re trying to address is is really a data problem and having the data to be able to provide the insights to to act Yes. Effectively and quickly.

Yeah. So maybe we could just talk about fiscal ’twenty four, 4Q that you ended on a positive note. I think large deal activity was strong. Tenable One, was strong. Just, you know, talk about the overall execution through the year, the demand trends you saw and, you know, how that is playing out as we move into 2025.

Steve Vince, Co-CEO & CFO, Tenable: Yeah. We saw good stable growth the second half of the year. We did a little over 900,000,000 in CCB and revenue, and we can deliver the prints were clean both in the third quarter and the fourth quarter. In the fourth quarter, more recently, we added over 400 new enterprise platform customers, right, that speaks to green shoots and certainly lots of strong demand for customers that we’ve never had a relationship with. We have one of our best quarters ever for large deals, transacted a number of 6 and 7 figure deals.

So the size of the opportunities are getting bigger for us. That corresponds with the breadth in the product portfolio, the ability to play in adjacent larger TAMs, right, such as cloud and sell the exposure management platform. And then we also had a considerable beat certainly in the bottom line, both in terms of operating income and cash flow. So overall, we’ve been a balanced grower. We’ve seen good stable demand if you want to peel the layers back on the top line.

We had 11% CCB growth in the fourth quarter. Same thing in the third quarter. That’s high single digit growth in VM, and we’re talking about 30% plus growth in what we call the exposure solutions, next gen solutions. So as we look out into 2025, we see a lot of continuation of a lot of those trends. We’d, our guidance did imply a high single digit growth.

We were one of the first cyber companies to announce results, so sometimes we’re the canary in the coal mine. And one of the things that we said on the call was, you know, we’re very pleased with the print itself in the fourth quarter, you know, following strong results in the third quarter. But, we’re remaining certainly cautious about our outlook in Fed. So roughly 15% of our sales is US public sector, about half of that is federal government, the other portion of that state. Within Fed, we serve a lot of three letter federal agencies, both on the defense and the civilian and the intel communities.

And we think spend we’re expecting lower levels of contribution from Fed the first half of the year, as, you know, that situation continues to remain very dynamic. We think it’s the right approach to take. We are certainly hands down one of the clear leaders in Fed when it comes to security. We have a great relationship with the Fed. We know this administration is committed to strengthening our defenses.

We are very bullish on Fed long term, but short term, certainly a little less visibility. By the way, some of that may abate because today, the Trump administration announced a new director nominee for the CISA agency, the cybersecurity infrastructure security agency, which was an agency that the Trump administration created in 2018 many years ago. So certainly long term, big opportunity for us and will continue to be so.

Jonathan Recaver, Analyst, Kantor: And so it’s the highest single digit growth you forecasted for 2025 relative to the double digits you did in 4Q, does that really reflect that conservatism around Fed for The

Steve Vince, Co-CEO & CFO, Tenable: US part?

Jonathan Recaver, Analyst, Kantor: Yes. Correct. Okay. And it so specifically, are you seeing constraints in terms of these funding vehicles currently or you’re you’re you’re not sure how it’s gonna play out and hence the the conservatism? Or are you seeing some tightness, maybe some reflash or reshuffling people, that’s, you know, adding to concerns on whether deals can close?

Steve Vince, Co-CEO & CFO, Tenable: Yeah. Fair to do so. Well, first, I’ll say, just more broadly speaking, we’re in a CR continuing resolution, which means, you know, we’re not you’re not going to have a new federal spending budget, until the CR is resolved. Continuing resolution, which expires this week, by the way, that means, mission critical applications and projects can continue to renew under the CR, but certainly there’s less likelihood of new spending for new projects unless there’s puts and takes within budgets. CR is likely this week.

I doubt that a new spending bill will get passed by Congress. We’re likely to see another CR either in April or possibly more likely until September. I think that’ll just give the administration a little more time to work on kind of a new spending bill. So there, you know, certainly, we’ve under operated under CRs before. Tenable has done exceptionally well under CRs.

I think you’re just having some of the, you know, some of the pieces, you know, move around a little bit on spending priorities. No leadership really in CISA. Right? And CISA itself is, you know, certainly major projects, not only as a part of CISA, but outside of CISA for us. We’re not seeing deals, get canceled.

We’re not seeing deal sizes shrink. Question is really on the timing and the execution of those opportunities that we’re more cautious about. And I think we’re likely to see some of that. A lot of the quarter comes together in the back half, right, the last two weeks of the quarter. But it certainly does have the potential whether it’s on the defense side, on civilian side, certainly for that to happen.

But we’re certainly remain very bullish about Fed long term. Yeah. Okay. Just

Jonathan Recaver, Analyst, Kantor: going back to the core VM opportunity, you know, excluding what’s going on in Fed. I think you’ve talked about, you know, the possibility over time of returning to double digit growth. And I think you’ve made comments more near term that there are some compliance requirements that that could drive that and also repatriation of workloads from cloud to on premise. Just just talk about that. What specifically you’re hearing or seeing as it relates to those two dynamics?

Steve Vince, Co-CEO & CFO, Tenable: Yeah. I think there are certainly a number of potential tailwinds to inflect growth higher in vulnerability management. That’s not the expectations we’re setting, certainly with investors, just given the the outlook, which I think is certainly the right approach to take, but certainly within vulnerability management. Certainly, we’ll continue to see growth there in VM. Right?

The environments are very dynamic. There’s been a proliferation of devices and systems, and as customers place more of those, servers, desktops, laptops, peripherals into their environment, they increasingly look to us to help secure more of those. And we, consequently, you know, have a very healthy net dollar expansion rate. With regard certainly to, you know, more specifically on on on VM, you know, there’s a number of things that certainly can help drive growth higher. Number one, I would say, repatriation of public workloads, which is something that you mentioned.

According to a recent CIO survey, 80% of all CIOs are planning to repatriate some form of workload. So what does that mean? First of all, that means that as workloads move to the cloud, certainly, you know, that secular dynamic will continue, but what we’re seeing and this resulted in two sizable opportunities us in the fourth quarter, pure play VM opportunities, you know, we’re seeing a lot of companies, especially larger, more sophisticated companies say, hey, look, I live in a hybrid world, certainly workloads are continuing the move to the cloud, but there’s some workloads here that are not really critical. And you know what? I have less visibility in the cloud.

It’s perhaps a little more expensive. So I want to move them from public cloud back to network or private cloud where I have greater control. And so, again, we live in this hybrid world. We’re one of the few companies that can secure both your public cloud environments as well as your network and those hybrid compute environments. So certainly, that is one dynamic that we’re seeing that certainly can drive growth in VM.

The other thing is greater compliance requirements. Last year, we saw what went into effect is greater PCI compliance requirements. So historically, if you were a company that was collecting personal identifiable information, you were required to scan that server or that at that that asset, that system, certainly, periodically throughout the year. Now what we’re seeing is as a result of those compliance requirements for PCI is more frequent scans and more pervasive scans, not just on the system itself, but around the infrastructure that’s related, certainly to that that system. So we’re certainly seeing a lot of that, and that gives us the confidence.

And we’re investing. We’re the market leader. Any new opportunity in VM, we think is ours to lose, and we have high win rates. And so certainly, this market is here to stay.

Jonathan Recaver, Analyst, Kantor: Right. I mean, despite, you know, if if this repatriation didn’t happen, you have an opportunity to sell into those workloads that are in the cloud with your EM strategy, I would assume. Is that a similar dollar amount or is there a trade off? Is it more lucrative for you to, you know, secure those workloads that are on premise versus cloud? How does that look?

Steve Vince, Co-CEO & CFO, Tenable: Yes. You start looking kind of beyond kind of our core leadership in the vulnerability management market. As we’ve talked about before, this evolution from VM to exposure management, which includes the ability to ingest all this data from all these systems that we’re assessing. We’ll talk a little more about the Vulcan acquisition, but now with the ability to ingest third party data, including the the findings and the metadata. No security company can possibly assess everything.

Right? We’re not a firewall company. We’re not an EDR. We’re not a lot of things. But we do assessments really well on this on, for for the, for the things that we do assess.

But it’s this realization that security is a fragmented market. We want to be able to ingest data from other security providers, right, across all these different categories and then be able to enrich it and drive exposure management platform, and over 60% of our cloud sales are in the platform itself, the exposure management platform, which is an over used term I get, but it’s the integration of all these datasets into a single unified place that allows customers to understand risk. So it’s the integration of traditional VM, web apps, cloud security, OT, ASM, which is external Internet facing assets, all these different things that we assess as well as now third party assets to be able to help customers drive greater mobilization, greater remediation. And that’s where we think the securities market is going, evolving from what we’ve talked about over the years, which is this system of record to helping customers assess risk to, and understand risk, to the system of action, which is driving remediation, mobilization to helping customers reduce risk. So, this is where the market’s going, and Gardner would agree with us.

If you talk if you look at their MQ that they’re coming out with later this year, one of the things that they’ve defined about exposure management is the ability not only to discover, and ingest third party data, discover assets and ingest third party data to drive the prioritization. They also want you to be able to drive the remediation ops and the mobilization. That’s a big part of the value prop for exposure management.

Jonathan Recaver, Analyst, Kantor: Yeah. Yeah. Makes sense. So, you know, I don’t cover Tenable. And as I’m reading a lot of your material, I get confused sometimes around Tenable One and exposure management.

Can you just talk specifically about what is in Tenable One and how it might facilitate the the the success with your exposure management strategy?

Steve Vince, Co-CEO & CFO, Tenable: Yeah. We use them sometimes interchangeably, but, you know, platform Tenable one, the exposure management

Jonathan Recaver, Analyst, Kantor: One and the same.

Steve Vince, Co-CEO & CFO, Tenable: Almost one and the same. And so what it is is the integration of all these things that we assess now more recently with the acquisition of Vulcan, the ability to ingest data from other security providers, enrich it, drive the mobilization, and some of the, and automate a lot of these key workflows on the back end to help reduce risk. And Vulcan acquisition, by the way, is a preposition to going deeper and wider in AI, which I’ll be happy to discuss.

Jonathan Recaver, Analyst, Kantor: Yeah. We’ll get to that. I just wanted to get a sense. You have a base of, I think, approximately 45,000 customers. Can you just talk about the adoption of Tenable One?

Steve Vince, Co-CEO & CFO, Tenable: Yes.

Jonathan Recaver, Analyst, Kantor: Within that base?

Steve Vince, Co-CEO & CFO, Tenable: So if you talk about we have 45,000 customers, one of the largest customer bases of any security company, public or private. About 15% of our sales comes from a paid version of a product called Nessus, right. That’s roughly about 30,000 customers, if you will. And it’s a $3,000 to $6,000 annual recurring subscription. It is one of the most ubiquitous brands and products in all of cybersecurity.

It’s been there’s a free version of Nessus that’s been downloaded over 3,000,000 times cumulatively. It’s a paid version that’s 15% of our sales. It’s a cost effective on ramp into a larger enterprise platform sale. So you’re talking about consequently over 15,000 enterprise customers that we have using one of our enterprise solutions, whether it’s the VM solution or the exposure management platform or the ability to sell cloud and some of the other products standalone. And within those 15,000 plus enterprise customers, about 10%, a little more than 10% is using the platform.

And why do I mention that? Because we have, you know, this great relationship with our customers in VM, right? And customers in VM increasingly have this desire to assess other asset types, understand the risk in web apps and cloud as we’ve talked about. And so, right now about 10% of our enterprise customers are using the platform. And when they move from standalone VM into the exposure management platform, should I say, the ASP, increases anywhere from 50 to a % higher.

Yeah. Because the catalyst there is to assess other systems and so which we do a really good job of. So consequently 90%, it’s greenfield within the, within our own enterprise customer base. And let us not forget the ubiquity of Nessus, the 30,000 roughly customers who make the leap from a paid the paid version of Nessus into one of our enterprise solutions. It’s a cost effective on ramp to a larger platform sale.

So selling back into our base is certainly a big part of the growth strategy. Yes, we’re landing 400 plus new customers a quarter that we’ve never had a relationship with, green shoots there. But the success that we’ve had certainly to date, a lot of the opportunities within our own customer base. Yeah.

Jonathan Recaver, Analyst, Kantor: Yeah. It seems like a big opportunity. So Vulcan Cyber, I

Steve Vince, Co-CEO & CFO, Tenable: think, was a deal you announced this this quarter. Just just talk about why that makes sense, that strategic rationale and, the the financial impact. Sure. And it’s really back to this notion that, we believe that cyber principally is a big data problem, and we’re focused on helping customers operationalize preventative security. And if you look at spend historically in the cyber market, it’s really been on detect and respond type technology, certainly Megatam, a lot of large cap companies in that space, whether it’s, you know, EDR, firewall, whatever the case may be, so putting a wrap around something.

But over the years, what we said, we’ve talked about is really the opportunity to help customers, think more proactively about security. So yes, the term platform can get can be overused quite a bit, not only within prioritization. And, what Vulcan helps us solve, it helps us accelerate a lot of our roadmap. It’s very customer driven for us. And it’s this notion that, look, we want to be able to ingest data from all these different security providers.

If someone uses Wiz for cloud, that’s great. We can assess these public cloud environments or we can stand shoulder to shoulder with Wiz and that and ingest the data from, that the customer has in a using Wiz. Or we can ingest data from CrowdStrike. Or someone wants to use VM such as Qualys, we can ingest that data, combine that with our own assessment data. And it gives us hands down one of the largest exposure data sets of of any company in the market.

And we think going, you know, in the future, the real competitive mode will not be just features and functionality. It’s the ability to train data, to be able to train data in a way that delivers greater insights to customers. So again, back to this notion that cyber is really a big data problem. So Vulcan accelerates our roadmap, allows us to ingest data. There’s a lot of technology here that normalizes the data, unique assets, duplicate assets to be able to drive license counts higher for us.

And then on the back end, there’s a ton of enrichment mobilization, that automates some critical workflow. So for example, we can the combination of Vulcan and Tenable, we can, we can the combination of Vulcan and Tenable, we can discover an external unmanaged domain as part of your attack surface. We can then, it can launch automatically launch a scan using our web application product. We can discover vulnerability and then integrate by directionally with Jira, assign responsibility for remediating that that exposure to a specific individual, and then they can close loop it and comes back into the platform. So this is really important workflow.

These are really important pain points for our customer, evolving from just understanding risk to reducing it, reducing risk to this notion about the system of action in cyber.

Jonathan Recaver, Analyst, Kantor: Yep. Yep. Before I proceed, any questions from the audience?

Unidentified speaker: I mean, you talked a fair amount, Steve, about the the CR effect right now with the federal part of your business.

Jonathan Recaver, Analyst, Kantor: Just speak a little

Unidentified speaker: bit more about the sales motion of the private citizen world as well. Just how that difference

Steve Vince, Co-CEO & CFO, Tenable: Yeah. I would say certainly fed new and then upsell from existing. They’re very different. And look, with regard to the latter, we have high gross dollar renewal rates. They’re exceptional.

So when we land the customer, we keep our customer on average for fifteen to twenty years. Our expansion rates are anywhere from 10% to 20% depending on which macro because we sell more. They’re assessing more assets using Tenable. And so certainly high gross dollar rental rates, the upsell, the sales cycles tend to be much shorter. We have a trusted relationship with that customer.

And so we certainly have higher visibility into those sales just given the history with the customer. Then you have new opportunities, new opportunities depending really on, you know, which where you sit and where you’re playing. On the VM side, there are certainly in a market like this, there are fewer in number, but when those opportunities do come to market, we have high win rates, roughly 70%. And then for cloud and other areas, we’re seeing a lot of exit velocity there, a lot of market pull with cloud, OT and other asset types. When it comes to public sector, it’s a little different.

Certainly, much longer sales cycles, there’s usually programs from which that gets funded, certainly multiple stakeholders. We can be part of a broader solution or we could be, certainly, they could look to us to sole source something. And certainly, we spend a lot of time qualifying those, working to close those. And some of these opportunities are across agencies, across lots of agencies with on the defense side, across multiple maybe civilian. And we’re seeing also where a lot of traction too, which is a similar dynamic to US Federalists on the state side, local side.

We’re seeing, whole of state opportunities where there’s a number of agencies within a state, a number of municipalities where they’re increasingly looking to us to standardize across all these different agencies and municipalities. And so we’ve gotten some major traction there, and we continue to get traction here. And so that’s why the selling motions can be a little different, but hands down, we have the best tech in that market. It’s one of the reasons why we do a sizable percentage of our sales in federal and the state level, just because they’re arguably one of the most sophisticated cyber consumers in the world. They’re very demanding and expect a lot there, and we have we have delivered for them over the years.

Steve, are you guys looking at any non US governments, US funded governments? Good point. So when we say 15 per

Jonathan Recaver, Analyst, Kantor: None left.

Steve Vince, Co-CEO & CFO, Tenable: Yeah. None left. Yeah. I’ll say our well, first of all, when we say 15%, that’s US public sector, state and and and federal. That does not include the public sector agencies that we serve outside The US.

So we serve many. Our largest deal in the fourth quarter was a 7 figure deal, a sizable 7 figure deal, cloud standalone with, in a public sector agency in Europe. So yes, this is, you know, exposure platform, management platform, cloud in particular, is a global problem, and certainly, we got great traction there.

Jonathan Recaver, Analyst, Kantor: When you go ahead.

Steve Vince, Co-CEO & CFO, Tenable: Yes. We have been acquisitive more recently. We just announced the Vulcan acquisition, roughly $150,000,000 in purchase price. One of the other acquisitions that we announced in 2023 was cloud, certainly going deeper and wider in cloud. We have a very broad CNAP offering, and it was roughly $250,000,000 in purchase price.

So we look at the market and say, okay, certainly securities fragmented, lots of opportunities on the private side for us to be able to accelerate roadmap. It has to offer or provide a unique secular trend like growth in cloud or the convergence of IT and OT in the case of these industrial control systems that we’re trying to secure. But more importantly, we want strong go to market alignment. We know our swim lane. We know our buyer.

We want the same buyer, roughly has to expand the utility of the exposure management platform. So we’ll continue to be able to pull on all these levers both organically and where we’re continuing to innovate, obviously, inorganically with some of the acquisitions, and then also partnership, all three will be important to us. And we have, we’ve done a good job walking the margins up, which generate nearly, what, over $200,000,000 2 90 million dollars of unlevered free cash flow this year. We’re in a strong net cash position. And we’re doing a good job balancing growth and profitability.

Jonathan Recaver, Analyst, Kantor: That was my final question, just growth versus profitability. I mean, that operating margin non GAAP has really materially increased this this last twelve months. Did you feel that, you know, you’re leaving some on the table, especially when you look at CNAB and some of these hypercompetitive categories where the market is so nascent. I mean, why wouldn’t you be better served spending more for those opportunities?

Steve Vince, Co-CEO & CFO, Tenable: Yeah. Well, first of all, we don’t think we’re doing unnatural to drive that kind of leverage in in the business. 96% recurring revenue, exceptionally high gross dollar renewal rates, really good expansion rates within our own customer base. So some of that is really a natural evolution and a continuation of what we’ve been doing over the past couple of years. But if you look at how we’re managing the company, you know, we are certainly leaning in on growth.

So over the years, we’ve added a lot in terms of go to market. In 2023, we spent 43% of our revenue in sales and marketing. Last year, it was 36%. We’ve added a lot of this year, we’re adding quota capacity for the first time in probably eighteen months. We have confidence to be able to lean in at more capacity here there.

Yet, we’re becoming more efficient, and sales and marketing spend as a percent of revenue will continue to tick down even this year. And we’re taking a lot of that efficiency there, and we’re investing it back into R and D. We grew R and D 25% last year. This year, we’ll grow at 20% plus. We’re innovating.

We’re walking the margins up. We’re doing it in a very balanced way. So that feels really natural to us. Then M and A will certainly will offer or provide a means to, you know, provide even enhance the growth profile as well.

Jonathan Recaver, Analyst, Kantor: Yeah. Okay. Well, we’ve hit our time limit. So Steve, thank you very much.

Steve Vince, Co-CEO & CFO, Tenable: Thank you, Jonathan, for having us.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.