Tenable at D.A. Davidson Conference: Strategic Moves in Exposure Management

On Tuesday, 10 June 2025, Tenable Holdings Inc (NASDAQ:TENB) participated in the D.A. Davidson 1st Annual Consumer & Technology Conference. The company showcased its strategic transition from vulnerability management to a broader exposure management platform. While Tenable highlighted its growth initiatives and competitive strengths, it also addressed challenges such as federal sector uncertainties affecting its financial outlook.

Key Takeaways

• Tenable is transitioning from vulnerability management to exposure management with Tenable One.
• The company reduced its 2025 revenue outlook due to federal sector uncertainties.
• Acquisitions like Vulcan and Apex enhance Tenable’s competitive edge and product offerings.
• Tenable maintains a moderate growth outlook in the federal sector, accounting for 15% of its business.
• M&A remains a priority for Tenable, alongside share buybacks.

Financial Results

• Revenue Growth: Initially guided at 7%-9%, now adjusted to 6%-8% due to market conditions.
• Federal Sector Impact: Two-thirds of the growth reduction is due to federal sector uncertainties, which represent 15% of Tenable’s business.
• Customer Acquisition: The company acquires 350-450 new customers per quarter, with 40%-50% being new to vulnerability management.
• Free Cash Flow: Expected to be in the mid-20s percentage range, with $60 million spent on buybacks in Q1.

Operational Updates

• Exposure Management Platform: Transition to Tenable One aims to consolidate asset types, including OT and cloud security.
• Vulcan Acquisition: Enhances capability to ingest third-party assets, with 40 integrations by mid-Q4 and nearly 100 by 2026.
• FedRAMP Certification: Achieved FedRAMP Moderate, facilitating discussions with federal customers.
• AI Security: Apex acquisition addresses AI security concerns, with over 6,500 customers using AI Aware.
• Cloud Security: Ormedic acquisition strengthens CNAP offerings, competing with Wizz and Palo Alto.

Future Outlook

• Revenue Growth: Vulnerability management, 80% of the business, is growing mid to high single digits; exposure solutions are growing around 30%.
• Federal Sector Growth: Moderate growth expected, driven by consolidation and modernization efforts.
• M&A Strategy: Continues to prioritize mergers and acquisitions to enhance growth and capabilities.

Q&A Highlights

• Competitive Landscape: Tenable competes with CrowdStrike and Microsoft but maintains a competitive edge in VM capabilities.
• Pricing Strategy: Third-party asset ingestion via Vulcan will be priced lower than tier-one assets.
• Customer Interest: Strong pipeline for party asset ingestion, with over 150 customers requesting demos.

Readers are encouraged to refer to the full transcript for more detailed insights into Tenable’s strategic directions and financial performance.

Full transcript - D.A. Davidson 1st Annual Consumer & Technology Conference:

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Okay. Thank you for joining us. My name is Rudy Kessinger, security and infrastructure software here at D. A. Davidson.

With us from Tenable, have co CEO, Mark Thurman Mhmm. SVP of FP and A, Chris Fritz. You guys for joining us.

Mark Thurman, Co-CEO, Tenable: Our pleasure. For sure. Great. Thanks for having

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: us. Mark, I think if you could start off by giving just quick overview of Tenable and maybe what I don’t know if you guys call it this, maybe kind of Tenable two point o, if you will Sure. And really how you’ve expanded from the core vulnerability management market into the broader exposure management platform that you are today.

Mark Thurman, Co-CEO, Tenable: You bet. Absolutely. And we do. We talk a lot about exposure management. So if you just go back and look at the history of Tenable, mean, Tenable really was started from what was called the Nessus scanner, which was one of the most widely deployed cybersecurity tools on the planet.

Literally, we still do over 1,000 downloads of the Nessus scanner every single day. There’s over 4,000,000 copies out there in the marketplace, so one of the most widely deployed cyber tools out there. And then from Nessus, we then moved into kind of what we called on prem vulnerability management with security center. Then we migrated to cloud based vulnerability management with IO. And then from there, we really started pivoting to what was called risk based security and looking at all of the different risk scorings that you could do from a vulnerability perspective.

From there, we’ve truly migrated over the last two and a half years to be an exposure management company. So based on a bunch of internal innovation and acquisitions, we have expanded our total available market from just core based VM. We now assess assets in the OT space, in the identity space, in the cloud security space, attack surface management, the web application security space, and most recently, we acquired a company called Vulcan. So for the time ever, Tenable is gonna be able to ingest party asset types. So think about if a customer has CrowdStrike, Wiz, Palo Alto, Qualys, or Rapid, we’ll now be able to ingest those party assets into our Tenable One platform.

So, you know, the what we talk about with our customers every single day is really this category of exposure management and being able to migrate and move multiple asset types to one platform, which is Tenable. One. And that’s the big market dynamic. That’s the big shift that we’ve done. On top of that, moving our install base and our new customers to exposure management into Tenable One, we now are getting very, very involved and have been for the last four or five years in the AI security space.

So we just acquired a company called Apex, that allows us to look at and evaluate how you’re using AI from a generative AI perspective. So what are employees, and what are, partners doing with, say, you know, Enterprise Chat GPT or Gemini or Gronk, being able to not only assess within five minutes who and how they’re using it, but what data sets, what LLMs is it sitting on, how are they, you know, using it, and other data sets. So as we make this journey to an exposure management platform, the two big themes that I think is really important for people to understand is it’s going to be all about consolidating multiple asset types onto Tenable One and then being able to leverage AI not only for the software that you’re using from a generative AI perspective, but also the software that you develop internally within your code. And we’ll be able to assess that also.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: That’s a very helpful overview. You guys are coming off what was generally a strong Q1 start of the year. If you look at the numbers, you beat on all metrics and guidance. But you did lower the 2025 outlook, specifically on current calculated billings growth by a couple of points at the midpoint. Can you talk about just what drove that reduction and what you’re seeing in the market that had you take things down a bit?

Chris Fritz, SVP of FP&A, Tenable: Yes, I can tackle the numbers piece of that question, Rudy. So we had guided at the beginning of the year to 7% to 9% top line growth. And we, at the April on our call, took that down to 6% to 8%. It was a reflection really of two things that we saw in the market. and foremost was the federal sector, some uncertainty around the Doge activities.

That was really the height of the budget negotiations at the April when we did our call. And about twothree of that reduction was related to The U. S. Public sector. And so around 15% of our total business is related to the federal sector.

We have our DNA comes partially from the NEA, NSA, and we’re headquartered in Columbia, Maryland in the D. C. Area. So we have a leadership position there. To us, that’s really a question of timing.

Like these roadmaps and programs that were embedded in with our federal government customers remain a priority, and they’re going to happen. But we were facing some less visibility than normal in light of all of those activities. And that was the main reason for the reduction on the top line was to set ourselves up to succeed and that it wasn’t necessarily that we’d seen anything canceled, but just to ensure that the timing could match the guide. And then to a lesser extent, around the global trade and the tariffs, we as a bottoms up analysis as we prepared for the call, we saw instances where customers were putting more scrutiny. It might be European auto manufacturer who’s uncertain of what their top line looks like and so evaluating investments in cybersecurity a little more carefully.

And so those are really the two aspects that went into it.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: As we started to hear, I guess we were kind of done hearing from the April end companies, a lot of them talked about things kind of accretion to a halt post Liberation Day. And then to a certain degree, getting back to normal, I don’t know fully back to normal, but things improving in May relative to April. Have you guys seen that, any material shift as some of the tariffs have been rescinded and since then? Or is it still the same general dynamics that you were seeing?

Mark Thurman, Co-CEO, Tenable: Still the same general dynamics. We definitely have had a good two couple of months, and also our linearity has been very strong. You know, we are a back end loaded software company, so we do a lot of our business here in the last three to four weeks of the quarter. So, you know, we we felt good about what we saw in the two months. But I would still say the themes and the overarching, you know, a, the federal business still kind of coming together and understanding when some of the leaderships will actually be in place, so some of the leaders of these big organizations.

Because that was another big factor of the federal government. They lost a lot of cybersecurity leadership, so that means a lot of the projects were put on hold. But now that’s starting to get played out. And then from a macro perspective, you know, we still see, countries that have negotiated and countries that have a set plan with tariffs with, The United States. We’re seeing relatively good strength there.

But for a lot of the countries that are still up in the air in regard to how the tariffs are gonna play out, like the example Chris brought up, if you’re over in Europe and you’re a big, country, say Germany, and you’re trying to figure out from an automotive perspective how and when and how many cars you’re going to ship to The U. S. Based on tariffs, until all those things get negotiated, there’s still going to be a little bit of gray area. So our outlook hasn’t changed. We do see in the federal government, though, every week things are getting a little bit clearer.

So we’re getting some better visibility there. But the outlook still hasn’t changed.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Could you maybe just on federal, maybe a finer point on what did the guide assume in federal for the half? Did it assume any down sell? Did it assume just minimal up sell? Was it dependent on certain people getting into seats at at the various agencies? Like, what did it assume on on federal?

Chris Fritz, SVP of FP&A, Tenable: Yeah. For the year, we’re continuing to assume a moderate pace of growth within federal. So not grounding to a halt by any means. I think the proof point in Q1 was we had a record number of million dollar deals across the company. One of those was in federal.

And I think the key there was helping our champion position the consolidation effects that Mark mentioned under a modernization heading. So bringing cyber in a very large organization centrally and doing it more efficiently, we bring to the table a lot of prioritization and analytics that helps our federal customer do more with the same resources or potentially less resources. So I think part of the constructive nature of the Fed that Mark mentioned that we’ve been seeing more recently is our ability to help position Tenable One into that efficiency mandate, and it really does deliver. And so those are some of the proof points.

Mark Thurman, Co-CEO, Tenable: Yeah. The the thing I’ll add to that, which I think is very important, it might sound like a small detail, but it’s not. So, a, the leadership getting into place in the federal government is super important. So NSA having a leader, CISA putting in a leader, really critical because those two organizations really drive a lot of the themes around what the federal government’s gonna do from a cyber perspective. The other great benefit for Tenable is we do feel very optimistic about our business in federal government.

Right? We have a huge amount of market share there. One thing that we do now have is we have FedRAMP Moderate. So we did not have FedRAMP Moderate coming into this year. So we just got that done here in Q1.

So what that allows us to do is with all of the installed base that’s sitting on core based VM with us, we now have the opportunity to go do the consolidation discussions that we’ve had with public and private companies over the last eighteen months to two years. We haven’t been able to do that in Fed because we didn’t have FedRAMP moderate. So with that, we now can go to the install base. We can talk about consolidation. The one thing that you will see during this administration and what Trump is really pushing down to all of the different agencies is cost cutting and efficiency.

And so by now having this consolidation story that truly resonates, meaning you can literally go into an organization and say, hey, if you have four or five different tools from independent software companies, you can get rid of those renewals, migrate that asset type onto Tenable One, the platform, get better visibility to your attack surface, get better visibility to what your risk profile looks like. We feel like that story will resonate. We’re seeing pipeline build increase. So we feel optimistic about what is going to happen in federal and state and local, but we just want to get better visibility and get some of these leaders in place and then get some of these procurement and contracting positions cleaned up. We don’t think those positions will be backfilled.

We think Doge kind of took a hammer to them. So figuring out how you actually move deals forward, how you negotiate contracts, how you get purchase orders out, just want to get a little more clarity from that perspective. So obviously, federal relatively higher federal exposure obviously weighed on you guys, I think, more than other companies in cyber. But I do think investors clearly have some concerns around the VM market.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: And I want, Mark, if you could maybe just address some of those head on. So firstly, I think it was a year or two ago when Steve said VM had been deprioritized a bit. And then if we look at Q1, you guys cut your outlook again, twothree from Fed, understanding that Rapid cut their numbers, Qualys implying lower growth in the half. As a group, you can see how investors get some concerns about the health of the market. So what are you seeing in the core VM market?

Is there still greenfield opportunity? Is it still a priority for customers? Just what does that demand look like?

Mark Thurman, Co-CEO, Tenable: Yeah. No, I think there is still definitely opportunity. And there’s no question it has definitely moderated in regard to growth rate for VM. You know, a lot of the positions in the larger deals that we did in q one and even q four, VM played a central role, but it was really more about the exposure management tenable one platform. Where VM still plays a huge percentage of those deals that we do.

It’s literally securing and making sure you have world class VM and then picking up those incremental asset types. So the guide that we built, it calls for just the basic growth rate, that single digit, mid single digit that Steve referred to. If there is any upside to it, we feel we’re going to be in a really good spot. If you look at Tenable, what’s interesting comparing us to, say, a Rapid or Qualys, we average anywhere from three fifty to four fifty brand new customers every single quarter. You look at us with 44,000 customers, and then you look at Qualys, which is whatever, ten, eleven, 13,000, Rapid, eleven, twelve thousand.

We’re 44,000. And we attract new customers every single quarter. Roughly on average, when you break out those three fifty to four fifty, roughly 40 to 50% is what we call greenfield, meaning they’ve never owned or bought VM before. And they’re coming to us, they’re becoming a Tenable customer. Now they could join Tenable from just a base VM perspective, so Tenable VM, or they could go full on with exposure management and come on board with Tenable One.

The other 40 to 50% is rip and replacing a Qualys and a Rapid7. So we’ve gotten a very efficient, effective motion going after those two competitors. And we referenced in Q1, you know, we did $6.07 figure deals, and a couple of those deals were replacements of Qualys and Rapid7. And I think some of the reasons you’re seeing Rapid especially struggle is they’re having a very difficult time hanging on to that install base. And we’re able to go in there and be able to move them onto Tenable One or onto our VM and be able to keep them.

So our compete level, like, we have some of the highest win rates we’ve ever had against our competitors, and we think that there’s still greenfield opportunity. But our hitting of our our guide for 2025 is not dependent on VM having this massive big rebound. It’s about continuing to execute

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: It’s very helpful, and I appreciate the granularity on some of those The other investor concern, I think, VM is or maybe exposure management, if you will, is just some of the competitive dynamics. So obviously CrowdStrike, some other larger platforms in the space have come out with some products. They’ve talked about displacing legacy VM tools. Investors ask about that all the time. So how often do you see them?

Have they become a relevant competitor or not? Are the concerns way overdone or about right?

Mark Thurman, Co-CEO, Tenable: And so I think when you look at it, so you put that kind of the number one competitors would be like the Rapid and the Qualys, kind of from our historical perspective. We do see CrowdStrike. We do see Microsoft. We see Palo Alto more on the cloud side, the CNAP Prisma Cloud offering against our CNAP technology. Don’t see really anything, obviously, from a VM perspective from Palo Alto.

But with CrowdStrike and Microsoft, a, we’ve been seeing them for a couple years. We do not see a lot of them. To be fully transparent, when you look at our win loss ratios, we’re not seeing a significant amount of losses to CrowdStrike and Microsoft. Where they are able to go in and compete is if they’re a large CrowdStrike customer or Microsoft, and they can say, Listen, based on the big spend you have with us, we can look at your tier two, tier three. Very rarely, like very rarely, do they ever try to go in and rip and replace all of Tenable because they know where they’re going to get leverage is on pricing, and it’s really for those tier two, tier three assets.

So what we then do is we come in and we feel like when you look at exposure management, right, exposure management, this big trend that you’re seeing in this category, it’s driven off world class VM. And at the end of the day, Microsoft and CrowdStrike don’t have world class VM. We do. We’ve been in this space forever. And when you look at organizations that are changing the name of their VM practice or VM program office to exposure management, it’s happening with the VM team.

So we then technically explain to the customers exactly the differences in our tech compared to Microsoft Defender and CrowdStrike. I’ll give you as an example. When CrowdStrike rolled out their new networking vulnerability technology, we obviously have it in a lab. We work with it. And we literally were able to find 40% more vulnerabilities than CrowdStrike could find in this environment.

So when we explained to customers that 97% of all breaches and ransomware attacks happen on known vulnerabilities so think about that. Right? Ninety seven percent are known vulnerabilities that haven’t been patched, haven’t been remediated yet. If you’re willing to save a little bit of money but then not find 30% to 40% more vulnerabilities, as a CISO, you’re exposing your company and exposing your enterprise. So we go in there, we do that technical selling, and we’ve got very, very good win rates.

So we do see them, but we do not see them at fractionally. As much as they talk about that they’re going after legacy VM and they’re winning all these hundreds of millions of dollars, we do not see that at

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: all. Yeah. So it’s very helpful. We’ve seen and this plays into maybe some of investor concerns, of course is just over the last few years, this shift away from best of breed vendors to more platform approach. And I’ve spoken to Palo, CrowdStrike customers, many investors have, who will purchase some products that they know are not the best out there.

And they’re Okay with that for whatever reason. Talk about the 20 ish percent of your business that’s non VM. What are the components? What’s the fastest growing? And kind of assess Tenable today and your ability to compete with some of those larger

In in the areas you’ve asked?

Mark Thurman, Co-CEO, Tenable: So we we feel extremely confident on our compete level. And, really, the strength of it, it comes down to Tenable One. Right? Because we aren’t seeing as much competition or individual bake offs, demos and POVs on independent, you know, cloud security or independent operational technology, independent WAAS, attack surface management, you’re really starting to see this discussion with CSOs about consolidating. And, again, I think the the value that Tenable has as a company, which is extremely differentiated, is being the biggest and the fastest growing from a historical VM perspective.

VM is really hard. It’s been around for a long time. And it’s really difficult to do at a world class level and have the accuracy, the scalability that we have. So when you look at our business, it is really about transforming that install base of 44,000 customers onto exposure management, consolidating those multiple other asset types that we refer to, like OT, like cloud, like web application scanning identity, onto one platform. And then the other big part that we’re doing is we acquired a company called Vulcan that now, the time, Tenable in the history of Tenable, we will be able to monetize, charge for party assets.

So as this integration with Vulcan into the Tenable One platform continues to mature, we launched integration on May 15. We’re starting to work white glove a bunch of customers. We’ll be able to go to customers, to your point that you brought up. And I know this is long winded, but I think it’s important. When you’re looking at a CrowdStrike or a Microsoft or a Palo Alto, obviously, no company is going to rip and replace those big players.

It’s just not going to happen. We view Tenable, though, where we can be very strong and really start being able to grow from an exposure management perspective, is we can consolidate asset types that are natural from an exposure management perspective. Things like OT, web application scanning, cloud, those are natural fits. And now with party, we can say to customers, you don’t need to replace CrowdStrike or Palo Alto or Wizz or Prisma Cloud. We can now ingest those party assets.

We can look at what type of vulnerabilities, misconfigurations, and exposures those assets have, be able to charge for them, which we’ve never been able to do before. And so we’re not forcing customers to rip and replace. We can say we can give you better visibility and be able to judge and look at your risk profile at a much deeper level now and be able to monetize it. So that’s going I think, be something that’s pretty exciting for us. We’ve been talking about it as a company for over eighteen months.

And now with the Vulcan acquisition, we’ll be able to deliver on that vision of ingesting party assets and automated remediation.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Just to follow-up on that, the ingestion of party assets, obviously, it doesn’t require you to displace those other competitors in areas where they’re strong. But what kind of pricing can you charge for that? If I take a typical VM customer who adopts Tenable One and is doing that party ingestion for Wizzling Cloud or these other vendors, what kind of upsell could that be?

Mark Thurman, Co-CEO, Tenable: Yep. So the way they upsell, it definitely would not be for the same price point, the same margin, the same price point that you would be for a tier one vulnerability or exposure management tenable one asset. So it will be definitely at a cheaper price. But the beautiful thing is we’re not getting anything for that asset type today. Right?

So this is something we’ll be able to monetize it, we’ll be able to ingest it in, and be able to charge for something we’ve never charged to before. But we definitely will not be charging for that asset type at the same premium that we do for a Tenable One asset that we do today.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: What’s the willingness of the just talk to me about the customer conversations, the pipeline build around that, and the customer willingness to spend more. What’s the improvement in the risk reduction

Mark Thurman, Co-CEO, Tenable: standpoint? So when you take a look at it from internally, our pipeline build ever since we acquired Vulcan has been unbelievably strong. The key thing to keep in mind is we just literally announced the full, not even the full, we announced the integration on May 15. So we’re just literally rolling out. Like, we’re white gloving a bunch of customers right now.

Pipeline’s building. I think we’ve got over one hundred and fifty, one hundred and sixty customers that want demos and POVs. So there is absolutely demand. It’s now about integrating. So we’re we’re doing the initial integration now with certain certain companies that we already have the integrations done.

So Wizz, CrowdStrike, all of those asset types are integrated at an API level to be ingested, those party integrations are done. There’ll be roughly 40 integrations that will be done mid q of this year. And going into 2026, we’ll have close to 100 different apps and infrastructure that we’ll be able to ingest into Tenable. One. So this is, I think, going to be a big mover for us.

We also, in Q4, will be announcing mobilization and automated remediation and workflow, which is another big area that customers are looking to. So we’re excited. We want to get success. We want to get a bunch of victories. We want to get a bunch of customer examples that we’ll be able to share with the street.

But there is definitely demand and very strong pipeline built.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: I want to come back to cloud security. Obviously, that’s a component of that 20% that’s not in VM. And I know you said you don’t have a ton of deals that are coming in that are standalone cloud security. Maybe you have a bit more in OT, I’d imagine. But just talk about your cloud security portfolio.

Where are you strongest? Where are you adding? Do you have a full CNAP suite? And then as a follow-up on that, the Google acquisition whiz. How has that been a tailwind or not in the competitive So

Mark Thurman, Co-CEO, Tenable: a couple of things. So you look at it, we have a full blown CNAP solution. So we acquired that company, Ormedic, roughly two years ago. And so we have a full blown CNAP. We’ve got WPP.

We’ve got JIT. We’ve got DSPM, all of those capabilities. So when you look at it from a competitive standpoint versus like a Wizz or a Palo Alto Prisma Cloud, very, very similar solutions. So we’re very confident there. Where we win the majority of deals is in our install base.

So where we differentiate versus a Wizz, which is really good tech, right? So there’s no question about it. Wizz has a really good product, and they’ve built a great company. And they had a really good run for the last four and a half, five years. And our install base, though, when you tie in our CNAP capability, which is very similar to Wizz’s, but then you’re able to have it in one platform, meaning you can have it in a hybrid environment.

If you’re a whiz, you can’t look at any and assess any on prem assets. It’s just strictly cloud based, you know, CNAP capability. The majority of customers in the world are hybrid. So we have a very strong story when customers are with Tenable today. We migrated them over to Tenable One, and now we can assess all of their different cloud assets.

That is where we get the majority of wins. To your point, we don’t really look for, and we don’t have our our selling organization and our channel focused on independent, stand alone, cloud only deals. Now, we did that consciously because Wizz was doing very well. We said, let’s focus on that install base of 44,000 customers, that trust Tenable, that know Tenable. With the Wizz Google acquisition, it has definitely created a different dynamic that was not there before, common sense.

But we’re getting invited now to RFPs. We’re getting invited now to bake offs where they might be very happy Wizz customers. And I want to be very clear. It’s not like customers are just ripping out Wizz because that’s not happening. But you’re seeing big customers that have been with Wizz for three or four or five years that have two things: A, they’re spending a huge amount of money.

So if you talk to any customer that has been using Wizz, it is one of the most expensive cyber products they have in their stack. Some CSOs have told me they’re spending more on Wizz now than they are on CrowdStrike and Zscaler. So that is a customers, CSOs don’t want to do that just to protect their cloud environment. Like if you think about how broad and how wide reaching CrowdStrike and Palo and Zscaler are, price is a big issue. So we’re getting invited.

And then also, there are environments where the majority of Global 5,000 customers have multiple cloud hyperscalers. No one not no one. A lot of companies. Very, very when you look at the biggest customers, the majority of customers have Azure. They have AWS.

OCI is doing extremely well. We’re starting to see a ton of OCI out there in the market, by the way. They’re really, I think, doing a nice job. You see Alibaba. You see all these other players that are there.

So customers are saying, if Google owns this CNAP cloud security technology that we rely on solely, and if Google now owns it and we’re an AWS shop, are they going to prioritize AWS features? Are they going to be able to support, the AWS roadmap? Is AWS really going to want to share their six month, twelve month roadmap with Wizz that’s now part of Google in regard to collaboration and building new capability. That’s all to be determined. But customers are inviting us to the dance more often.

We’re getting involved in more RFPs. And so this is a net positive. How much of a net positive will be determined over the next two or three or four quarters and how much business we’re able to win. But we are getting openings that we didn’t have before. And maybe just and look, I hear that too

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: about the whiz pricing. But even at your guys’ pricing on your cloud security deals, what what is the average deal size of a cloud security deal versus a typical VM deal?

Chris Fritz, SVP of FP&A, Tenable: Yeah. I would say it’s on par. There’s an advantage of volume. So if you’re consuming a lot of different asset types within Tenable. One, then you get a volume discount based on all those asset types.

And so that kind of can give us some pricing advantage. But the cloud security asset part of Tenable. One is substantial.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Yes. Okay. I want to shift gears a little. So at RSA the other month, all we heard about was AI security across the board. You guys just made an acquisition.

Well, firstly, came out with a product, AIAware AIAware, yeah. I think not too long ago. And then you also made the acquisition of Apex You bet. So tell us a bit about your guys’ AI security product roadmap. And specifically, I guess, how is it different from every other company that says they’re gonna secure and solve the AI security problem?

Mark Thurman, Co-CEO, Tenable: So when you when you take a look at it so a couple things when you think of Tenable. Tenable has actually been in the AI game for seven or eight years. When you look at when we created our VPR scoring, when we created our ACR, capability, we were heavily involved in using machine learning and using AI. We then came out and launched what was called AI Exposure that sat across all of the Tenable One platform to leverage AI across all the different asset types. And then to your point, we announced, AI Aware, which had one of the fastest pickups in adoption, looking after and looking for shadow AI.

Where are people using AI? How are they using it? Are there any misconfigurations, any vulnerabilities that are going on from an AI perspective? I think we have over 64, 6,500 customers that are leveraging that capability today. When we then took a look at what was happening in the market because what you really want to get is specific use cases.

AI is being talked about at a high level across the board. I was just in The Middle East and over in Europe a couple weeks ago, and every government and end user discussion at the executive level started off with an AI discussion. And what they’re all struggling with is what is that specific use case? Like, how can we bring AI into our environment, into our cyber stack, but get and solve problems? And so when we were looking, and we looked at a bunch of different technologies, we continue to look at numerous technologies and companies.

So we will continue to be acquisitive and and innovate on an AI, journey that Tenable’s on. But we found APEX and some of the most intelligent founders, world class investors with Sequoia, unbelievably bright engineers. So when we found them and then the product and technology they were building, we felt like it was the best asset that was out there. And it’s going to be very specific to be able to go to our install base. It will be built into Tenable One, so we’re not going to sell it as a standalone.

It will be a capability feature set that we will monetize and charge for. And at the highest, simplest level, think of going to customers and saying, we’re going to look at AI, a generative AI that you use. So think about Enterprise Chat GPT, Gemini, Gronk, all those other different type of generative AI tools. We will, within five minutes, can come in, and we can assess and look at your entire environment. We can tell you what generative AI tools are being used.

We can tell you who’s actually using them. So out of your employee base, who’s using what. We can then say, what data set is being used with AI? Meaning, if you have an enterprise GPT license, you might not know that one of your employees is using it on a specific data set that might not have been authorized, that might not be governance. And that’s happening a ton.

And so with this technology, we’re able to go in, leverage it. They can get all of the different visibility of who’s using what. They can audit the environment. And then they can put in specific governance and remediation to stop the users to be able to look for vulnerabilities from an AI perspective. So we think it’s a very succinct, clean use case that maps in very well with what we’re doing with AI aware, and so we’re we’re excited.

And then we’re also gonna be able to leverage it to get better AI capability throughout all of Tenable. We’re going use them as a center of excellence from an AI perspective for

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: the entire Got it. Shifting gears a little, you guys have done a great job expanding margins and free cash flow margins. You’ll have mid-20s free cash flow margins, high 20s, I think, unlevered free cash flow margins this year. Investors, I think, obviously, would like to see higher growth, right? And so what’s the strategy?

What gets you to a stabilizing or reaccelerating growth rate over the next few quarters or next year? What needs to go right for that to happen for Tenable?

Chris Fritz, SVP of FP&A, Tenable: Yes. So the growth algorithm, which you alluded to in your questions, about 80% of our business is vulnerability management, and that’s going mid to high single digits depending on the quarter. And then the 20%, it’s exposure solutions is growing around 30%. And so it’s putting all the right investments in place like Vulcan that we closed in February. We took our free cash flow for the year down to reflect that investment.

And so that’s a proof point of where we feel like we’re not capital constrained or margin constrained from putting all the right pieces in place. And if you run that growth algorithm at those growth rates, you get to double digit growth in the medium term. What we’re doing is trying to execute on putting all those pieces together within Tenable One to make that exposure management piece of the business grow even faster.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Yes. Got it. On the free cash flow, you’re generating a lot. I think you spent $60,000,000 ish on buybacks in Q1. I know M and A remains a priority, but I guess in the interim with the stock where it’s at, should we expect that pace of buybacks to continue?

Is M and A a higher priority? How should we think about capital allocation?

Chris Fritz, SVP of FP&A, Tenable: Sure. I would say that M and A is opportunity dependent but always ranks above EPS and share buybacks. We have authorization to continue at the pace that we did in Q1. And I would think of history as being the best predictor of our outlook for the future. But we have plenty of capital to deploy within our M and A opportunity set.

And so it’s not a constraint.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Yeah. Mark, back to you.

Mark Thurman, Co-CEO, Tenable: Yeah.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: You and Steve are co CEOs couple months into that role. I I know operating in that that kind of dynamic for a bit longer, of course. Investors, sometimes you see a start up with a founder and then more of a business oriented mind comes in, co CEOs. You don’t typically see co CEOs with a business of this scale and maturity. So how should we think about the split of duties here?

And then also on the CFO search, just any update on where you guys

Mark Thurman, Co-CEO, Tenable: are at You bet. So just, yeah, totally. And it is like when you look at it from the outside, having co CEOs for a publicly traded company is somewhat unique. The situation, though, for Tenable was unique also. So with the meat going through two different pretty significant rounds of chemo, Steve and I were really running the company in this way for quite a bit

So we were very used to building out and working collaboratively, communicating on exactly how we were gonna run the company. So we were very used to it. And the employee base and our customers were very comfortable with Steve and I leading the organization. And then, with the passing of Amit, we felt like when we looked at it strategically, it’s a huge benefit when you have two leaders that literally we use this term at Tenable all the time can check their ego at the door. Meaning Steve and I do not have egos in regard to making and having final decisions.

We make them together. And what you have is very unique. You have two very detail oriented subject matter experts. So my function as co CEO is to run all of the different customer facing go to market functions of Tenable. So I’ve got the sales org, I’ve got the marketing team, I’ve got the customer success team, the professional services, the tech support.

All of that aligns into me, which I’ve been doing for almost thirty years. Steve is obviously was CFO, still is CFO as we continue the search. So very astute in regards to the finances, obviously very detail oriented on the product side of the house, on the M and A side of the house, and the office of the cybersecurity team rolling into Steve. So it allows us to divide and conquer. This is a great example, where I am here today at this conference, and Steve is at the Gartner conference presenting to four or five different customer forums, meeting with a bunch of executives.

So you’re able to have the co CEO model, where you can divide and conquer. We talk four or five times every day. We always make our decisions together collaboratively. And it’s something that has been very effective and efficient. The other two points is we can execute in this way in regard to strategic initiatives.

We’ve acquired two companies as we’ve been co CEOs, Vulcan and Apex. We are able to recruit. We recruited a brand new chief product officer, Eric Dorr, who is a highly respected Google Cloud executive and at Microsoft for eighteen years, one of the predominant, most foremost thinkers, and execution machines in regard to building out cloud based cybersecurity tools. He has now joined Tenable. Right?

And so I think it’s going to be a model that’s extremely effective. It is unique, but it happened under a unique situation. And you get two leaders, in my view, that know how to run it and be able to effectively manage the team this way.

Rudy Kessinger, Security and Infrastructure Software, D. A. Davidson: Got it. That’s helpful. That’s good clarification. Mark, Chris, that’s all the time we have today, but appreciate the conversation. You bet.

And best of luck going forward.

Mark Thurman, Co-CEO, Tenable: Thanks, Rudy. Good seeing you, man. Appreciate it very Yeah. Thanks, Rudy.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.