Reviewing Tenable: a leader in ‘Cyber Exposure’ technology
Cyber-Exposure is perhaps not the best-sounding tag line I have ever seen in the IT space. The company uses that phrase as shorthand for what it does. It is better described as the leader in the Vulnerability Management space and that is a decent position to enjoy. Tenable (NASDAQ:TENB) is one of the rare software companies I haven’t reviewed on the pages of SA. Too many software companies and too little bandwidth. To a certain extent, the omission has been simply one of prioritization. The company has grown rapidly – but not by some incredible percentage. Its non-GAAP profitability metrics are just now becoming impressive. Somehow vulnerability management, in which the company is the leader, has never seemed that exciting compared to other segments in the cyber-security world.
Vulnerability management is about preventing rather than fighting the attacks of cyber criminals. How exciting can it be to process security scans? But vulnerability management is really a key component of the security posture of any enterprise, and the saying about an ounce of prevention being worth a pound of cure is even more true in cyber security than in most other fields of endeavor, given the enormous potential costs of hacks and breaches. Vulnerability management is unlikely to produce headlines in the same way the companies focused on cloud security and end points can, but most enterprises realize the absolute need for both technologies as part of a holistic strategy to combat cyber crime.
After reviewing the company’s products, competitive positioning and its outlook, I found a review and recommendation to be well warranted. Why consider Tenable as an investment at this point? In comparison with some other cyber security companies that are better known such as Palo Alto (PANW), Zscaler (ZS), Cloudflare (NET) and Crowdstrike (CRWD), Tenable’s valuation, despite its recent share price spike, is more earthbound: its current EV/S based on my 4 quarter forward revenue projection is about 6.5X as of 8/2/23. And again, compared to the larger companies in this space, its year-to-date appreciation of around 24% is comparatively modest. Its share price has just recently made back the substantial loss that it had endured in the wake of reporting a difficult Q1, and guiding below the prior consensus.
Tenable recently reported the results for its Q2 operations. As opposed to last quarter which was a significant disappointment in terms of guidance, this time around, the company did achieve a noticeable beat in terms of revenues and non-GAAP earnings, but it also increased its estimates, both for the current quarter and for 2023. The increases weren’t huge, and were meant to be prudent, but they were nonetheless a positive indication, that the dire message from earlier in the year was no longer valid on the sales front.
Specifically, the company had forecast revenue of $190 million; actual revenues for Q2 were $195 million. The company had forecast non-GAAP EPS of $.13 for the period; it actually achieved non-GAAP EPS of $0.22. The company’s guidance, while still conservative, was above prior expectations. Revenue estimates for Q3 have gone from $196 million to $198 million, while non-GAAP EPS is now forecast to be $0.19 compared to the prior consensus estimate of $.16. For the full year, the company is now estimating that revenues will reach $790 million, compared to prior expectations of $781 million, while non-GAAP EPS is now forecast to be about $.68 compared to the prior consensus estimate of $.59.
The company had forecast free cash flow of about $178 million for 2023; it is now forecasting that free cash flow will reach $185 million, or a free cash flow margin of about 23%; the free cash flow margin in 2022 had been 19%.
Despite the spike in share price in the wake of the beat and raise quarter (about a 10% share price spike on the day after the release), Tenable shares remain at levels of valuation that I believe to be reasonable, particularly in comparison to other cyber-security vendors. My EV/S estimate based on 4 quarter forward revenue projection of about $855 million is 6.5X. Not perhaps at bargain levels, but lower than other investment alternatives in the cyber security space. Of course Tenable has not historically seen growth that has come anywhere close to the levels of many other cyber-security vendors. The focus of this article is essentially to investigate the probability of the company’s growth returning to significantly greater levels than either forecast or achieved in the recent past.
The cyber security space is full of niches and competitors. Many, if not most readers, are familiar with endpoint security, the technology to protect the physical endpoints in a network, or edge security, or cloud security. Vulnerability management, often abbreviated as VM, which is where Tenable lives, may not be as familiar for some. During the past year or so, Tenable has faced the same kinds of headwinds that most other enterprise IT companies have dealt with; its percentage growth went from 29% in Q1 2022 to 18% in Q1 of 2023. Actually, that is a better record than some of the more prominent companies in the space who have seen their percentage growth sliced by more than 50%. Vulnerability management has some level of customer concentration in the finance industry. At the end of Q1, in the midst of the mini-banking crisis brought on by the failures of First Republic, Silicon Valley and Signature, Tenable experienced an unusual check to its selling motion with many deals delayed. That set of issues did not recur in Q2, with the result that the selling environment returned to a more normal level, but it certainly did not return to the levels experienced earlier in 2022.
That said, Tenable is a far more profitable company these days than when it was growing more rapidly. Last quarter, the company’s non-GAAP operating margin was 15% compared to 7% in the year earlier period. The company’s free cash flow margin for the first half of the year has been 18% and should continue to grow from that point based on the company’s conference call commentary.
Will Tenable return to growth in the mid-20% range and above? I would be less than responsible in writing this if I said that the company had a clear line of sight to return to hyper growth. Last quarter the selling environment stabilized and deal metrics and close ratios showed an improvement from a Q1 that was challenged by a banking crisis at the end of the quarter. The company’s guidance is deliberately prudent; that said, if macro conditions improve, the opportunities certainly exist for Tenable’s growth to reaccelerate to 20% and potentially greater.
Currently published consensus expectations for Tenable revenue growth are for 15% this year and next year. To an extent, the published growth metrics are an effort to fit an analyst’s forecast into the company’s own projections. I don’t think that anyone really believes that the company’s revenue growth will slow down to 11.8% in its Q4, although that is the published 1st Call consensus. Most investors buying Tenable shares these days are self-evidently expecting stronger growth than is embedded in consensus expectations. I think that is a very reasonable expectation given the growth in the market, the company’s market share gains, and its upgrade potential in a less negative macro environment. If the soft landing scenario proves to be the right one, then it is reasonable to expect a return to 20%+ growth next year. According to the company spokesperson with whom I recently spoke, the opportunity for that to happen is there; it needs a better macro environment to be realized.
The Vulnerability Management space: What is it, and how has Tenable been doing
Vulnerability management is a specific niche in the overall market for cyber security software. Tenable is both a technology leader and a market share leader in the space. Here is a definition of what is meant by the term when used in the cybersecurity world, coming from Crowdstrike.
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside with other security tactics, is vital for organizations to prioritize possible threats and minimizing their “attack surface.”
There are numerous competitors in the space. Some of the vendors such as Tenable specialize in just vulnerability management and associated solutions; other companies such as Crowdstrike (CRWD) offer vulnerability management as part of an overall cyber-security solution. There is actually a standard definition as to what is a vulnerability compared to a risk or a threat. There are scores for vulnerability. The Crowdstrike blog linked above is probably the best and most succinct statement of vulnerability I have ever seen.
One of the more noteworthy trends in the enterprise IT space over the past several quarters in which demand has been constrained by macro headwinds is that many users wanted to focus on buying solutions from one or two vendors who offered a multiplicity of offerings on a single platform. I don’t want to say that trend is entirely past, but one reason I believe that Tenable was able to beat its forecast is that users are starting to regard Tenable as a platform vendor who can consolidate other point solutions in VM.
The company introduced Tenable One, its platform solution, in Oct. 2022. Tenable One has taken off and last quarter was more than 20% of the company’s total business. It is the platform that allows users to acquire a holistic set of vulnerability solutions and associated technologies from a single vendor. As such, the ASP of Tenable One is 70% above the price of the company’s legacy Security Center product. One of the more significant growth opportunities for Tenable is to migrate its 13,000 enterprise customers to the Tenable One platform. Tenable One’s functionality has been tweaked and extended since its introduction, and the migration process is starting to happen; part of the upside last quarter was driven by early renewals and I imagine that upselling at the time of renewals will be a significant source of growth both in the next couple of quarters and over an extended period.
Tenable’s investor presentation calculates a TAM of $25 billion for its set of solutions. Interestingly, while vulnerability management is the heart of what the company does, its TAM in the investor deck is supposedly but $5 billion. The TAM estimates however are very siloed because of the way 3rd party analysts look at the space and chop it up into pieces in their articles. Regardless of how the space is siloed and dissected, there is plenty of growth runway available for Tenable and its rivals to achieve strong growth for years to come. The issues in terms of growth are going to be those related to the macro environment, to the company’s competitive positioning and its specific product offerings, and to its sales execution.
The current consensus view with regards to revenue growth for Tenable is for 15% for this current quarter followed by a decline to 12% in Q4 and a rebound to just 15% next year. The guidance implies $3 million sequential growth this quarter and $9 million sequential growth in Q4. The company spoke to early renewals driving the upside this past quarter as a reason for its modest guidance for sequential revenue growth.
I think the details of the company’s guidance are more than a little improbable. Fact is, sequential revenue growth last year was $10 mil. Q2 to Q3 and then a further $9 mil. Q3 to Q4. Given the commentary on the call, that is about the least that might reasonably be expected if macro headwinds are indeed abating, the company is seeing traction for its OT offerings, and if SC customers are migrating to Tenable One. I think the company’s guidance is more than typically conservative based on my conversations; the number one priority is to prevent a miss or to have to lower expectations.
One of the things I noted the last time software companies dealt with an inflection from growth problems is that they were well behind the curve in making their forecasts. Of course that was during the recovery from the Great Financial Crisis and CFOs had reasons for ultra-conservatism. But the concept is the same. Given the many disappointments and upsets in terms of how forecasts for sales have not been achieved by this company and its peers over the past year, such a policy is only reasonably prudent. But while the forecast Tenable has made has been well received, the specifics shouldn’t be taken as gospel if indeed macro headwinds start to abate.
Tenable offers a variety of solutions to manage risk including offerings aimed at identifying vulnerabilities in terms of web applications, cloud/container, operational technology and active directory/identities. All of these solutions are part of a Tenable One subscription. Typically the company has used a land/expand go to market motion. That strategy has been under pressure during the last year as users deferred upgrades and expansions. That apparently changed last quarter, although because the dollar-based expansion metric is based on a trailing 12 month average, the number as reported actually fell from 113% to 111%. The metric should start to improve significantly as based on conference call commentary renewals are being done earlier and at higher values than in the recent past.
Tenable’s Product Strategy – How is it resonating?
Tenable started its life before the widespread move of applications to the cloud. So, it has solutions that address on-prem., and solutions that address cloud based and hybrid deployments. Tenable SC is a suite of vulnerability management tools that are available for analyzing the vulnerability of on-prem software. Tenable’s technology is based on Nessus. Nessus is a remote scanning tool which scans a computer and raises an alert if it discovers vulnerabilities. There are many plug-ins to Nessus. The product is offered in freemium mode. Nessus has a strong reputation in the industry; it has been voted the #1 useful security tool by the Insecure survey. I have linked here to an article from that organization regarding Nessus and its advantages. The survey suggests several significant advantages that Nessus offers compared to other security scanning tools. To an extent, Nessus is considered to be the standard in vulnerability scanning tools. Nessus is the bottom tier of what Tenable offers. That said, even some current Nessus customers appear to have interest in migrating to Tenable One.
As mentioned, one of the principal growth opportunities for Tenable is to migrate its Security Center customers to Tenable One. There is some thought that there is pent-up demand for Security Center customers to migrate to Tenable One, which has advanced analytics and other features not available in the Security Center offering.
Tenable has a solution offering called OT (Operational Technology). The company’s solution is based on an evolution of technology acquired when Tenable bought Indegy at the end of 2019. It has been gestating for a long period of time, and apparently started to achieve substantive growth in the last quarter. These days many physical devices are connected to the web; that is basically the concept behind the IoT. Something like 50% of a typical company’s operational technology infrastructure contains IT assets. The Tenable OT Security technology provides visibility in terms of threats and vulnerability management. I have linked here to a more complete description of the service. I am not sure about the precise size of OT as a percentage of Tenable bookings; the solution certainly has the potential to become a notable source of growth for the company. The company plans to add OT functionality to its Tenable One platform later this year.
As mentioned, in terms of product strategy the future of this company is its Tenable One offering. Last quarter, as mentioned, Tenable One represented more than 20% of new bookings, up noticeably from the results of the prior quarter when it had been in the teens percent. The company trebled the number of 6 figure deals to 63 last quarter; most of the increase was a function of the success of the Tenable One platform. Tenable One ASPs are something more than 70% greater than the ASP for SC. Migrating SC users to Tenable One, with the concomitant revenue uplift, is likely to be a key component in the return of the company to 20%+ revenue growth.
All of the major companies in the cyber-security world use and have used AI as the technology to identify anomalies and threats. Tenable makes the claim that its data lake is the largest repository of contextual data in the world. Of course there is no way I can possibly validate that, but there is no reason to believe it isn’t the case. The more data being ingested, the better results will be in terms of analyzing threats and vulnerabilities. The company is planning to announce additional capabilities leveraging AI at the Black Hat information security event which is to be held on 8/9-8/10. Given the fixation of investors with all things AI, it is possible that the company’s planned announcements at that event might prove to be market moving. That said, its use of AI is more evolutionary than anything else.
The company recently extended its use of AI as a tool in its identity risk offering. It is also using AI to make its offering “smarter” in the sense that it can more accurately identify risks. The company is starting to use generative AI to make its tools easier for customers to use. The CEO talked about, but was not specific about, monetization opportunities as the company infuses its solutions with more AI and with generative AI. The company provided the guidance it did despite its discussion of record pipelines and a more normalized selling environment. If it is able to monetize additional AI and generative AI capabilities, that would be an addition to what to me seems a highly de-risked forecast. That said, Tenable is not an AI stock, and no one should be buying the shares based on some expectation that generative AI technology will soon lead to a growth spike.
Competition in the vulnerability management space
Tenable has many competitors in its space of which the best known are probably Rapid 7 (RPD) and Qualys (QLYS). In addition, both Crowdstrike and Microsoft (MSFT) offer products in the space. The Gartner survey linked here suggests that Tenable is rated by Gartner’s reviewers as having advantages compared to the company’s major competitors.
It is a bit more difficult to identify the differences between Crowdstrike Falcon, Microsoft Defender and Tenable One, mainly because Tenable One is an extensive offering unlike both Falcon and Defender. Some users will choose Crowdstrike and Microsoft because their alternatives are part of a platform. The Microsoft and Crowdstrike offerings probably do not provide all of the functionality across a variety of threats and vulnerabilities when compared to Tenable. When it comes to smaller potential users, what is offered by Microsoft Defender is often judged to be adequate even if it lacks some of the more advanced features that are part of Tenable One.
As best as I can determine, Tenable has been gaining share in the space, and continues to do so. It is certainly growing more rapidly than both Rapid 7 and Qualys. Rapid 7 tried to sell itself earlier this year and was unsuccessful due to valuation issues. The sale attempt probably has resulted in some enterprise customers reconsidering Rapid 7 expansions. Qualys has never been a rapid grower, even when there were no macro headwinds. With the advent of Tenable One, the company has most likely been seeing some success in consolidating vulnerability deployments of its customers. This is particularly the case as Tenable One can now ingest vulnerability and misconfiguration data from non-Tenable security tools.
Crowdstrike does use its Falcon Spotlight offering as a vulnerability management tool. That said, Falcon is focused mostly on endpoints, whereas Tenable One is a much more holistic offering that includes end-points and much besides. There isn’t a great deal of actual competitive activity between the two companies. If a user is looking for a holistic, best of breed VM solution, Tenable is going to win most of the time.
Microsoft Defender is a significant offering and competes strongly against Crowdstrike. It does have vulnerability management components as part of its offering but that has never been its focus. According to SIs, it rarely competes as a best of breed offering in the enterprise. At this point, Tenable has 43,000 total customers and 13,000 enterprise customers so it does compete against Microsoft, but that has not been a major factor in the company’s go-to-market paradigm. Overall, there is plenty of low hanging fruit amongst smaller competitors, as well as Rapid and Qualys, against which Tenable has been and continues to be successful. The CEO talked about increasing win rates during the latest conference call and the data seems to indicate that the company is gaining share in the vulnerability management space.
The vulnerability management space itself continues to achieve a CAGR of around 10% according to most of the market research reports I have seen. Tenable’s TAM as discussed above, includes several adjacencies not included in the standard definition of vulnerability management. Thus its CAGR can readily reach 20%-25% in a less difficult macro environment, and potentially more if its migration strategy shows significant success.
Tenable’s Operational Technology offering has a different set of competitors. I have linked here to a Gartner listing of competitors in the space. While many cyber-security companies are listed, the reality is that most competition to Tenable comes from a few private companies including Nozomi, Darktrace and Claroty. I confess to having very little familiarity with those vendors. There are many different definitions of what is meant by Operational Technology security. I have linked to one study here; others show a much larger market with a lower CAGR.
Tenable has been rated as one of the market leaders in vulnerability management by 3rd party consultants for some time now. It is next to impossible to determine which competitors have the best or most comprehensive scans, and whose technology produces the best results in the shortest time. The company’s platform offering, soon to include its OT solution, seems to be generating noticeably faster growth and market share gains, and I saw nothing in my review of competitors to suggest that the environment is anything other than at least stable, and probably improving, for the company.
Tenable’s Business Model
Tenable’s business model has been making a sustained improvement for the last year. In fact, this last quarter showed an 800 bps improvement in operating margins year on year. The transition to non-GAAP profitability was particularly visible last quarter. It should be noted that the company uses a significant level of stock based comp. and it will almost surely continue to do so for the foreseeable future. Overall, stock based comp came to about 19% of revenues last quarter compared to 25% of revenues in the same quarter a year earlier. Stock based comp. grew by about 9% sequentially.
I account for SBC by using dilution in my calculation of valuation ratios. Tenable’s dilution was around 1% last quarter, and around 3.7% for the year as a whole, so I projected a 4% growth in weighted average shares for the next 4 quarters in calculating various valuation metrics.
Last quarter, the company’s non-GAAP gross margin was 79% essentially comparable to year earlier results. The sales and marketing expense ratio remained at an elevated level of 41.5%, compared to a bit over 46% the prior year. Non-GAAP sales and marketing expense declined about 3% sequentially. The company, in the wake of its Q1 difficulties, was more prudent in hiring sales people this last quarter.
Research and development spending was 15% of revenues, non-GAAP, last quarter, compared to 17% of revenues in the year earlier period. Research and development spending also showed a modest sequential decline.
The general and administrative expense ratio was down to around 9% of revenue last quarter compared to 11% of revenues in the year earlier quarter. General and administrative costs, like the other opex metrics showed a sequential decline in dollars going from Q1 to Q2.
Overall, non-GAAP operating income was $30 million or a non-GAAP operating margin of 15% compared to 7% a year earlier and to 10% in Q1. For the full year, the company is forecasting operating margin of about 12.6%. It is forecasting opex to grow from about $125 million in Q2, to about $130 million sequentially and to grow an additional 6%-7% sequentially between Q3 and Q4. I expect the company will continue to constrain expenses until macro headwinds consistently abate. Thus, there would appear to be some upside potential to the margin forecast.
The company had a strong free cash flow quarter with the free cash flow margin reaching more than 20%. The company had an increase in deferred revenue balance last quarter, a significant improvement when compared to Q1. Collections were also quite strong in the quarter. The company’s free cash flow margin will, for the most part, track pretty closely to its non-GAAP operating margin, although if the success of Tenable One continues, and large deals escalate, the company’s Q4 could see very strong growth in deferred revenue, and a corresponding spike in the free cash flow margin.
Wrapping Up: Tenable’s valuation and summarizing the case to buy the shares
Tenable was able to beat expectations and raise its full year forecast in the recently reported quarter, reversing the negative trends seen in Q1. Business is still tough – just not as tough as in Q1 when the mini-banking crisis pushed a significant level of deals out of the quarter. Revenue growth was 19%. Growth in calculated billing was 15% and both EPS and free cash flow significantly exceeded expectations. While the company did raise guidance, there certainly was no exuberance in its forecast, although there certainly were positive demand signals that were discussed during the conference call.
If I had to describe Tenable’s valuation in a single word, it would be “reasonable.” Not cheap, but reasonable enough, particularly when considering the strong trend of free cash flow. The company is the category leader when it comes to vulnerability management, a key niche in the cyber-security world. It is gaining market share, and last quarter its OS initiative achieved some significant traction.
The company’s guidance is conservative by design. The selling environment has not returned to the strong conditions of 2021 and early 2022. But it has inflected from what appears to be a trough brought on in part by the banking crisis in March 2023.
My estimate for Tenable’s EV/S ratio is a bit greater than 6.4X. That is more or less average if the company achieves a 3 year CAGR in the low-mid 20% range. I rate that level of growth as a probability if indeed IT growth starts to recover from the growth recession experienced over the past year. The company’s relative valuation has become quite attractive as it continues to achieve higher profit margins, most of which are converted to free cash flow. The company has projected a free cash flow margin of 23% for the current calendar year, and I have projected a free cash flow margin of 25% over the next 4 quarters. It is actually cheaper when considering the combination of growth and free cash flow margin than its rival Rapid 7, and it appears to be growing more rapidly.
The company is making appropriate investments to offer products infused with AI. Of course, the technology used to calculate vulnerability has been based on AI for some time. 3 months ago the company announced the availability of 4 new tools that can be used to build AI applications. The company will be demonstrating sophisticated generative AI tools at the upcoming Black Hat conference. It is possible that the company will announce a specific generative AI SKU and discuss a monetization strategy. At this point, that is as much speculation as anything specific.
Many investors want to invest in the cyber security space without paying the valuations that have been achieved by companies such as Cloudflare, Crowdstrike and Zscaler. Even Palo Alto’s valuation has ascended noticeably. Vulnerability management hasn’t and probably won’t make headlines the way cyber security vendors can, when they stop breaches. A statistical analysis of scans isn’t all that sexy. But it is just as necessary, and in some cases, deploying vulnerability management has been a specific government mandate.
Tenable shares have not exactly traded in sync with the more prominent cyber security companies. The company’s high was set in April 2022, and its percentage decline was never of the magnitude of the higher fliers in the space. Including a less volatile cyber security company in a high growth portfolio will make sense for some investors. I think Tenable shares offer reasonable positive alpha with a little less volatility than many other cyber security alternatives.