Tenable Holdings, Inc.
Q1 2019 Earnings Call Transcript

Published:

  • Operator:
    Greetings, and welcome to Tenable First Quarter Earnings Call. . Please note, this conference is being recorded. I will now turn the conference over to Andrea DiMarco, Vice President Investor Relations and Strategy. Thank you. You may begin.
  • Andrea DiMarco:
    Thank you, operator, and thank you all for joining us on today's conference call to discuss Tenable's First Quarter Financial Results. With me on the call today are Amit Yoran, Tenable's Chief Executive Officer; and Steve Vintz, Chief Financial Officer. Prior to this call, we issued our earnings release for the first quarter and financial results. It's available on our Investor Relations section of our website. Let me remind you that we'll make forward-looking statements during the course of this call, including statements relating to Tenable's guidance and expectations for the second quarter and full year 2019, growth and drivers in Tenable's business, changes in the threat landscape in the security industry and our competitive position in the market, growth in our customer demand for, and adoption of, our solutions, and planned innovation in new products and services. These forward looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's belief and assumptions only as of today and should not be considered representative of our views as of any subsequent date. We disclaim any obligation to update any forward-looking statements or outlook.
  • Amit Yoran:
    Thank you, Andrea, and thank you for joining us on the call today. I'm pleased to share that Tenable delivered another strong performance for Q1. Revenue grew 36% year-over-year to $80.3 million and calculated current billings grew 25% year-over-year to $81.2 million. Our performance reflects the growing opportunity for Cyber Exposure, which we believe will become the industry standard for managing and measuring cyber risk in the digital era. Cyber Exposure provides broad visibility into exposures across all connected assets and deep analytics that translates this data into actionable intelligence. The evolution of vulnerability management and the compliance to a risk-driven, higher-value added process, includes deeper analytics that combine vulnerability data with the other indicators of risk, including threat intelligence and asset criticality. This provides a more comprehensive review of cyber risk that enables CISOs and executives to take appropriate action to reduce their risk and exposure. Responsible vulnerability management is the foundation of reducing cyber risk. According to Gartner's A Guide to Choosing a Vulnerability Assessment Solution report published in April of 2019, by 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches. Over the past few years, the vulnerability management market has become a much more strategic and important focus for the enterprise due to growing recognition that many breaches can be prevented through a focus on the fundamentals of good cyber hygiene. Historically, VM was largely compliance driven. Security teams focused on a limited number of traditional assets to secure PCs, laptops and servers. And they conducted periodic scans, they were checking the box and moving on. Most enterprises assessed a small sample of their environment and conducted ad hoc scans in the spreadsheets to try to centralize and prioritize data. Today, as enterprises continue their path to digital transformation, there are new assets coming online all the time. Enterprises must first identify all assets on their networks ranging from desktop computers to connected printers and cameras to cloud deployments and operational technologies. Then they must assess every single device to identify, prioritize and result thousands of known vulnerabilities that hackers can exploit. The path of entry for hackers has multiplied, and the number of breaches - preventable breaches has increased exponentially. Because of the complexity of today's digital environment, vulnerability management has also become much more complex. It can no longer be responsibly managed in silos, on spreadsheets and with manual processes. It can no longer be a cobbled together type of approach with multiple tools or outsource of the annual audit. Enterprises today are looking for a continuous and comprehensive visibility and assessment of exposures across their entire compute environments with an enterprise-wide VM solutions, such as Tenable.sc or Tenable.io or with the combination of both.
  • Stephen Vintz:
    Thank you, Amit. As mentioned earlier, we are very pleased with the results for the quarter and excited about our outlook ahead. In particular, the investments we've made over the last several quarters in product and distribution are taking hold, and are reflected in the more optimistic outlook we are providing for the remainder of the year. I will discuss our Q2 and full year guidance momentarily, but will start with a review of our Q1 results. I'll begin by reminding you, except for revenue, all financial results we will discuss today are non-GAAP financial measures unless otherwise stated. As Andrea mentioned at the start of this call, GAAP to non-GAAP reconciliations may be found in our earnings release issued earlier today and on our website.
  • Amit Yoran:
    In summary, we continue to be excited about the opportunity in vulnerability management and pioneering cyber exposure. We believe that the combination of our differentiated technology, even stronger now with Predictive Prioritization, our data integration capabilities and our strategic approach to VM, position Tenable to successfully aid our customers in their journey to secure their digital transformation. We'd now like to open the call up for any questions.
  • Operator:
    . Our first question is from Melissa Franchi with Morgan Stanley.
  • Melissa Franchi:
    Congrats on the quarter. Amit, maybe we can just start with a very high-level question on the health of the vulnerability management market. Based on what you saw in Q1 and then just looking forward into the pipeline for 2019, how would you characterize the level of customer activity around VM relative to what you saw last year?
  • Amit Yoran:
    Yes. All indications and engagement with our customers and prospects indicates that the market continues to heat up. There is continued recognition that VM is an absolutely foundational part of a security program. And as you see Boards, audit risk committees and corporate directors, CEOs get more engaged in cyber issues, the foundational questions that they're asking are about what the state of their security program looks like. How exposed are they? How at risk are they? And those are foundationally questions that are answered from VM program. So we continue to see adoption and growth in account penetration in our existing accounts and we continue to see a pretty aggressive pace of new customer acquisition as well.
  • Melissa Franchi:
    Okay. That's helpful. And then a follow up for Steve. Just digging into the guidance for billings for - or current billings for FY '19, you posted 25% growth in Q1, and I think the midpoint is implying 27% growth for the full year, so a modest acceleration. Can you just walk us through what gives you confidence in that acceleration? And maybe discuss that in light of what you're assuming for the kind of deals coming back into the pipe in the second half?
  • Stephen Vintz:
    Sure. Well, we do see increasing momentum as we look out in the year, specifically the second half of the year, as our guidance will contemplate. Our investments continue to take hold both in terms of the product and sales. And product, we continue to see improved competitive positioning and differentiation both in terms of broad asset coverage as well as our analytic capabilities, such as predictive prioritization. And in terms of sales, we continue to have sales capacity and a large number of new logos and six figure customers and we're expanding into new geos and major economies throughout the world. So what all this means is that we're off to a good start for the year, and we're well positioned for a successful 2019 and what we believe is a very large and growing market.
  • Operator:
    Our next question is from Sterling Auty with JPMorgan.
  • Unidentified Analyst:
    This is Ned on for Sterling tonight. I have two questions. So I know you guys touched on little bit on the federal space, but I wanted to get a sense how was the men with Federal space given the shutdown and what that could mean for Q2? And in addition, if you guys could describe a bit the competitive landscape in the quarter and there are any changes to win rates?
  • Stephen Vintz:
    In terms of Fed, we did comment earlier but there were some modest impacts from Fed in Q1. But Fed came in better than expected in the quarter but more notably, the better than expected results was due to overall better performance across the board globally as well as across product portfolios. So Fed really has no impact on our outlook for the year. What we're really talking about is just timings in terms of quarterly flow. So the basis for the revised guidance is strictly on the basis of improved overall performance for the company.
  • Amit Yoran:
    Yes. I think maybe I'll just touch on the - competitive win rates remained very strong. We win far more frequently than we lose whenever we get into a competitive situation and feel like our product sets deliver superior functionality and capability. So frequently, when we're in competitive engagements, if the customers are doing diligence, if they're hands on testing the products with an exceptionally high win rate from a technical standpoint. So we feel very good about our win rates and have not seen any significant change or any deterioration of that during the course of the quarter.
  • Operator:
    Our next question is from Jonathan Ho with William Blair.
  • Jonathan Ho:
    Congrats on the strong quarter. I just wanted to start out with maybe some updated thinking around the Lumin timing. And maybe can you give us an updated thought on - in terms of how that will factor into 2019?
  • Amit Yoran:
    Yes I'll talk maybe a little bit about the Lumin update. As you know, over the last couple of months, about two months ago, we released Predictive Prioritization into our Tenable.sc product. And over the last week or two, we released Predictive Prioritization into the Tenable.io platform. The market reception for that capability has been very strong and as customers get into the deployment cycle, they're - we're already getting feedback from the field that it's radically changing how customers are thinking about their own vulnerability management programs and their enterprise risks. So we feel like we've got a great stepping stone for Lumin in getting customers conditioned to thinking about us, not only to gain insight into their vulnerabilities but also in how they analyze and think about those vulnerabilities and translate those vulnerabilities into enterprise risk. We continue to move forward with Lumin. Lumin will build on Predictive Prioritization by adding in an understanding of asset criticality and also performing key benchmarking capabilities and functions. We said previously that we anticipate a 2019 GA release for Lumin and that remains our commitment.
  • Jonathan Ho:
    Got it. Got it. And then can you talk a little bit like - I think you give an example of a customer that was buying both sc and io. Can you talk about maybe the - what the use case is for buying both of those products? And potentially what types of pain points you can solve by having both sc and io?
  • Amit Yoran:
    Yes. At this point, we have about 1,000 customers that are now using both Tenable.sc and Tenable.io where they have a majority of their VM capabilities in-house, on-premise they prefer to integrate with their on-premise platforms and leverage Tenable.sc. They also have some specific requirements if they want to leverage a cloud-based platform and infrastructure for us. So one common use case is mobile workforces, mobile agent technologies, where they want those systems to report back to their cloud infrastructures instead of having to punch holes through the firewall and tunnel those external data sets into an on-premise product or application. Other great examples include assessing cloud-based infrastructures through native connectors to the three major cloud providers, and the elasticity required in a lot of DevOps and container-based environments. So those are probably the three use cases that are most frequently driving a hybrid-type approach to the enterprise market.
  • Operator:
    Our next question is from Gur Talpaz with Stifel.
  • Gur Talpaz:
    Congrats on the quarter. Amit, first question for you. I wanted to talk about new asset coverage, specifically in both ICS, OT and then containers. And the question there is twofold
  • Amit Yoran:
    Yes. We're definitely seeing growing interest, and I part of it is - and I don't know if's is the cart of the horse and which one comes first in this case, but there's certainly more funding going into the market but there's also, I think, much more customer demand, greater awareness from the OT, from the operational side of the house in leveraging expertise, cyber security expertise that exist on the IT side of the house. And what we've seen over the last 18 months or so is that a lot of CISOs are now being given responsibility or at least invited over the fence and into the OT environments to help determine what the exposures and risks look like. From our perspective, we certainly focus or try and drive the point home that we can provide them a sort of unified view of their OT infrastructure along with their IT infrastructure. But it's not so much a unified view as much as it is nearly impossible today to assess an OT environment without also understanding the IT components that are part of that operational architecture. So you've got in these OT environments, a lot of common compute platforms and operating systems, and if you're only looking at the OT components, you're not really understanding the risk of the broader control system and the broader environment. So - and we think having that hybrid approach is critical, and we're seeing it in when we have competitive wins against pure-play OT vendors. And I think you're seeing some other IT vendors also provide this sort of converged approach to OT/IT.
  • Gur Talpaz:
    That's helpful. And maybe just another product-centric question around Predictive Privatization. It's something you chose to include in both sc and now io. Are you starting to see that create a differentiation and space between you and the competitive subset out there? And how has customer response been towards the inclusion of that into the products suite?
  • Amit Yoran:
    Yes. I'd say the market and the customer response has been extremely positive. When we tell them the story, they get really excited about the new capabilities, the fact that we've done a lot of sophisticated work around determining which vulnerabilities are exploitable, which ones have exploit code available on the wild, which ones are being leveraged by threat actors. And so the combination of these different perspectives helping them prioritize which vulnerabilities to go after. So we've heard a lot of positive feedback. And just - these are fairly recent releases and they're early in the adoption cycle. I literally was in Denver yesterday talking to an enterprise customer. And he opened up the meeting by saying, "thank you for Predictive Prioritization, it's literally changed how our security team thinks about vulnerability management." So the feedback is early but it's positive, and we remain very optimistic about it being a key differentiator for us.
  • Operator:
    Our next question is from Gray Powell with Deutsche Bank.
  • Gray Powell:
    Just a couple, if I may. So can you talk about how your enterprise sales motion has evolved over the last couple of years? And then are there any insights you can give on the growth of your direct sales reps this year?
  • Stephen Vintz:
    Yes. The one thing that we've made very clear is that we see a very sizable opportunity with VM and the broader mandate Cyber Exposure. As a result, given the confidence to continue to invest. So we continue to add self-capacity on a year-over-year basis, continue go into new markets, which we have planned for this year, and in particular, major - still major sectors of the economy that we're not addressing that we'll now have coverage on. But in particular, we also are adding named account reps, which we talked a little bit about last year. Those investments are taking hold. You can see the momentum that we're clearly demonstrating. In the enterprise market, we're adding a steady and healthy rate of new logos, over 300 a quarter. Increasing larger number of land and expands. And so we think - we're starting to see some early returns in the investments that we're making, not just in terms of coverage and capacity but also, in particular, the ability to transact larger deals with sales reps that are focused on the largest of accounts. So I think as we look out to the rest of the year, it's one of the reasons why we continue to have confidence, the one gives us the outlook that we're providing today.
  • Gray Powell:
    That's helpful. Then just a quick follow up. Any update on the mix of sort of revenue from new customers versus existing or the growth?
  • Stephen Vintz:
    No. Nothing notable in that regard.
  • Operator:
    Our next question is from Daniel Ives with Wedbush Securities.
  • Daniel Ives:
    Great quarter. So does it feel like conversations are becoming more strategic with customers relative to maybe where we were a year ago, even six months ago, just given what we're seeing in the field as well as your product suite?
  • Amit Yoran:
    I think that's fair to say. Over the last year or two that the VM market and understanding of what you have in your environment and where and how it's exposed has become one of the most important cybersecurity risk topics for corporate executives. So I'd say it's a fair characterization.
  • Daniel Ives:
    Okay. And then how much of your success now, even building of the pipeline, is relative to your execution in the product suite and the pipeline versus maybe even competitive peeking and sort of maybe a movement of share that's happened in the market? I mean maybe just anecdotally talk about that.
  • Amit Yoran:
    Yes. It's a great question. I think we compete effectively. I think we win more frequently than we lose. We certainly do displace competitors on occasion. There is also, I think, as you said, growing importance and understanding of the importance of VM. So there's a natural progression in growth within each account. We also look and do some fairly careful analysis of our large customer wins in any given quarter. We see consistently that about 30% of our new enterprise wins are coming to us from what we characterize as greenfield accounts. So enterprises that previously had no meaningful VM program. So they were relying on maybe an annual audit from some consultancy or a big four or something like that, and they're now realizing that they have to have this much more mature capability to an in-house vulnerability management and Cyber Exposure. So yes, I think there's a combination. I think, look, we're laser focused, we're a best-of-breed provider. I think we've increased our lead from our competitors. I think our enterprise accounts are recognizing that need more pervasive coverage in and across their environments. And also a lot of greenfield accounts waking up to the importance of VM.
  • Operator:
    Our next question is from Joshua Tilton with Berenberg Capital Markets.
  • Joshua Tilton:
    Just back to competition. And speaking with competitors, they have cited good win rates when competing for Nessus customers. Also, I've seen an increase in advertisements from some of your competition outright saying they have better scanners than Nessus and Tenable. Has it become more difficult to convert Nessus customers to more expensive offerings? Just maybe talk about the competitive landscape there possibly.
  • Amit Yoran:
    No. I think we consistently see very strong conversion rates from Nessus to our enterprise platforms. And I would suggest to anybody that does any meaningful testing, there's a qualitative and a quantitative delta of significance between us and any of our competitors. So I don't know if they're looking - what specifically they're talking about, but in head-to-head technical competition, it is exceptionally rare that we'll lose on technical testing.
  • Joshua Tilton:
    Okay. That's helpful. And then just a follow up really quick. Has there been any news of the Sea Turtle campaign or maybe Russian attackers using malware to specifically target operational tech? Does that drive incremental conversations around the industrial security SKU?
  • Amit Yoran:
    I think there has been a steady - yes, the short answer is yes, I think there has been a study, war drum of increased awareness in the OT world, and that's been probably driving a lot of the conversations between CISO and operational environments. And it's certainly the campaigns but it's also stories continuing to come out of - and case studies and analysis of actual losses being incurred. Some of the high-profile ones that you've seen in news, all - going back to not pitch in and before, where you're talking about hundreds of millions of dollars of tangible loss being incurred.
  • Operator:
    This concludes our conference for today. Thank you for your participation. You may disconnect your lines at this time.

Other Tenable Holdings, Inc. earnings call transcripts: