This conference call transcript was computer generated and almost certianly contains errors. This transcript is provided for information purposes only.EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.
Tenable Holdings, Inc.
2/1/2022
Greetings. Welcome to the Tenable Q4 2021 Earnings Conference Call. At this time, all participants are in a listen-only mode. A question and answer session will follow the formal presentation. If anyone should require operator assistance during the conference, please press star zero on your telephone keypad. Please note this conference is being recorded. I will now turn the conference over to your host, Erin Carney, Head of Investor Relations. Thank you. You may begin.
Thank you, Operator, and thank you all for joining us on today's conference call to discuss Tenable's fourth quarter and full year 2021 financial results. With me on the call today are Amit Yaran, Tenable's Chief Executive Officer, and Steve Vince, Chief Financial Officer. Prior to this call, we issued a press release announcing our financial results for the quarter. You can find the press release on the IR website at tenable.com. Before we begin, let me remind you that we will make forward-looking statements during the course of this call, including statements relating to Tenable's guidance and expectations for the first quarter and full year 2022, growth in drivers in Tenable's business, changes in the threat landscape in the security industry and our competitive position in the market, growth in our customer demand for and adoption of our solutions, the potential benefits of our acquisitions, planned innovation, and new products and services. Tenable's expectations regarding long-term profitability and the impact of COVID-19 on our business and on the global economy. These forward-looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. We disclaim any obligation to update any forward-looking statements or outlook. For a further discussion of the material risks and other important factors that could affect our actual results, please refer to those contained in our most recent quarterly report on Form 10-Q and subsequent reports that we file at the SEC. which are available on the SEC website at SEC.gov. In addition, during today's call, we will discuss non-GAAP financial measures. These non-GAAP financial measures are in addition to and not a substitute for or superior to measures of financial performance prepared in accordance with GAAP. There are a number of limitations related to the use of these non-GAAP financial measures versus their closest GAAP equivalents. Our earnings release that we issued today includes GAAP to non-GAAP reconciliations for these measures and is also available on the investor relations section of our website. I'll now turn the call over to Amit.
Thank you, Erin, and thank you for joining us today. Today I'll discuss our financial performance in Q4, strengthened core VM, attraction with our individual exposure solutions, and the expansion and differentiation of our unified platform. With that, Let me first touch on our Q4 results. We saw tremendous strength in the fourth quarter, driven by contributions from all products and theaters. Our CCB growth for the quarter was 29%, capping the year where we saw accelerated growth at scale, balanced with profitability, including strong unlevered free cash flow. During Q4, we added 562 new enterprise platform customers and added 100 net new six-figure customers. Both are record ads for us in a single quarter. As the leader in VM, our expertise is finding assets, identifying how those assets are configured and how and where they're vulnerable, and prioritizing those vulnerabilities and exposures, guiding our customers on how best to manage risk. Nessus has been and continues to be the standard for assessing system security and vulnerabilities. Over the last few years, we've seen an acceleration of downloads of Nessus, and in Q4, we saw continued strength with Nessus customers on-ramping to our enterprise platforms. Our drive to lead the market in terms of vulnerability coverage, accuracy of our assessments, time to market for developing new checks as critical new vulnerabilities emerge, are highly appreciated and recognized by our customers. In Q4, Log4j highlighted and continues to highlight the strategic importance of discovering and managing vulnerabilities. Regardless of marketing claims, no WAF, no next-gen firewall, no EDR, no XDR, or any other product is able to assess, identify, and prevent the growing breadth of Log4j. Tenable already covers over 100 Log4j vulnerability detections, including direct checks and checks over HTTP, HTTPS, SNTP, POP3, IMAP, Telnet, SSH, SNMP, NTP, FTP, NetBIOS, and other protocols. And we've only begun to pull on the long tail of Log4j-related issues. If it's your mission within the enterprise to answer the question, how secure am I, How at risk am I? Then Tenable has differentiated itself as the market leader and platform to use. Enterprise attack surfaces keep expanding, creating opportunities for Tenable's exposure solutions. We saw another quarter of tremendous traction in our solutions for operational technology and Active Directory as we bring our expertise to these underserved markets. We believe we're the only vendor that provides complete understanding of IT and OT converged environments, coupled with a deep understanding of exposure and risk. This unique understanding of both of these environments enables us to provide a differentiated and compelling solution in the market. We also see strong traction in Tenable AD, our Active Directory security product, and expect that to continue to be a very attractive market for us. 86% of enterprises are expecting to increase their spending on Active Directory security in 2022. We believe we're solving a great pain point in this largely greenfield market where we have the leading technology. In addition to our traction in these markets, we're seeing strength in our cloud products and excitement around cloud expansion. We've long focused on helping our customers secure their cloud environments. Cloud-based capabilities require assessing the security of web applications and a deep understanding of containers. We've had cloud-native connectors for years, and more recently, we've introduced frictionless assessment. With continued demand from our customers to help them secure their cloud environments, we've extended our investment into infrastructure as code, into Kubernetes, and into cloud security posture management with the acquisition of Acurex. As we continue to build out and integrate our full portfolio of cloud capabilities, our reach expands all the way from the far left, from building and assessing vulnerabilities in code and fixing them pre-production, all the way through the far right, where we're discovering assets, evaluating drift and exposures in runtime. We identify misconfigurations and fix assets across their entire lifecycle. Tenable becomes the definitive place to go to for assessing and understanding risk across the entire cloud deployment, not just the development piece and not just the cloud and Kubernetes infrastructure configuration and not just the containers or the virtual machines themselves. If it's your job to assess cyber risk for the audit and risk committee, for the CSO, for the CEO, for the boards of directors, Tenable EP, our exposure platform, can help you understand cyber risk in the broader context of your business. Our market leadership in VM in assessing and addressing cyber risk put us in position of strength to evolve naturally with our customers into new environments. Security teams cannot properly assess risk in their IT environment without understanding and integrating risk from their AD environment, their cloud environment and others. They demand this unified integrated approach. And we're seeing this play out in the market. Tenable EP had another strong quarter and we expect that traction to continue as we're now expanding Tenable EP to incorporate more of our exposure solution, including Tenable AD and Tenable CS, which includes Infrastructure as Code, Kubernetes, CSPM, Container, and other cloud security capabilities. With these integrations, Tenable CS, as part of EP, will deliver a cloud-native application security platform as an integrated end-to-end security solution and a complete picture of cyber risk across the modern attack surface with unified visibility into code, configurations, assets, and workloads. Earlier today, we announced that we've reached an agreement on a tuck-in acquisition of an attack path analysis company in Israel called Symptom, which we expect to close this quarter. Symptoms technology maps vulnerabilities and exposures across asset types into attack paths and prioritizes how to address likely paths of exploitation. After the closing, this technology, when integrated into EP, will run alongside enhancements to Lumen and other market-leading analytics, enabling security teams to preemptively focus response efforts ahead of and during breaches. Serving our customers' needs to understand their cyber risk is what drives our vision and our expansion across VM, Active Directory, public clouds, and OT environments into an integrated, unified workspace. We believe augmenting EP's unified data sets and analytics with attack path analysis will enable Tenable to continue to extend our leadership in cyber risk management. The world of the CISO is managing many risks across many interconnected and interdependent systems. Assessing risk means understanding discrete elements of exposure, but also their interdependency. Weaknesses in identity and IT can affect OT and shut down a pipeline. Ransomware and nation state breaches breach IT and target Active Directory. At Tenable, we're not only focused on delivering best-of-breed technologies in exciting markets, We're pursuing a platform vision for understanding and managing cyber risk that we believe is unlike anything else available. And this brings me to the key conclusion I want to leave you with. Yes, we see strong performance in VM. Yes, we see strong growth and potential in our individual exposure solutions across Active Directory and operational technologies and cloud security. But if there's one single thought, one sole conclusion, it's this. that it's nearly impossible to accurately assess the risk associated with any one piece of technology in isolation. Our unified platform not only brings together market-recognized leading exposure solutions, we're bringing more of these data sets together in a unique cyber exposure platform with differentiated and compelling analytics. I'd like to turn the call over to Steve now.
Thanks, Amit. As Amit mentioned earlier, we are delighted with the results for the fourth quarter, highlighted by significant acceleration in CCB growth, a notable beat in earnings per share, and attractive levels of unlevered pre-cash flow. I will provide more commentary on each of these points momentarily, but first, please note that all financial results we discussed today are non-GAP financial measures, with the exception of revenues. As Aaron mentioned at the start of this call, gap to non-gap reconciliations may be found in our earnings release issued earlier today, which is posted on our website. Now on to our results for the quarter. Revenue for the quarter was $149 million, which represents 26% year-over-year growth. Revenue in the quarter exceeded the midpoint of our guided range by $5 million. Visibility remains high, as our percentage of recurring revenue was 95%. which is primarily a result of our annual prepaid subscription model. Revenue for the full year was $541.1 million, which represents 23% growth year over year. The outperformance in revenue is a result of accelerating growth in calculated current billings. CCB, defined as the change in current deferred revenue plus revenue recognized in the quarter, grew 29% year over year to $194 million. Q4 caps a very successful year for us in which we saw CCB growth accelerate throughout the year from 20% in Q1 to 23% in Q2 to 25% in Q3 and now to 29% in Q4. We attribute this inflection and growth to our differentiated VM capabilities, expanding product portfolio, and increased investment in sales capacity and go-to-market activities. During Q4, we saw strength across the board in both new and renewal business and in all geographies. It's important to note that we experienced very good linearity entering December and we're on our way to one of our best growth quarters of the year. However, after the discovery of Log4j in December, we saw a significant uptick in our expansion rates as customers increased coverage of both assets and applications. Our expansion rates also benefited from exceptional renewals, including win-backs and limited customer churn, all of which lifted our net dollar expansion rate. Likewise, we also saw outperformance in new logos, particularly in the mid-market through our inside sales efforts and from no-touch Nessa sales channels given the relatively short sales cycles. New logo sales from large market customers with longer sales cycles also saw strong close rates for opportunities that were already advanced in the Q4 pipeline. New pipeline build in the quarter for the large market was also very healthy. Now, in terms of metrics underpinning our strong financial performance, we added 562 new enterprise platform customers in the quarter, which is a record for us. And up from the 460 we added, in Q4 last year. We also had success with large deals as we added 100 net new six-figure customers in the quarter, which is up from 66 in the same period last year. Similar to new enterprise platform customers, the number of net new six-figure customers we added in Q4 is our largest ever in a single quarter and brings the total number of new enterprise platform customers, spending over 100,000 per atom to almost 1,100. From a product mix perspective, our exposure solutions, which includes Tenable IO, Tenable EP, NS Modules, Active Directory Security, and Operational Technology Security, continue to gain traction and saw outsized growth. We attribute this strong demand to our customers' need to assess risk holistically across IT assets, identities, and OT assets. While we saw strength in cloud use cases, it should be noted that Acurex contribution to CCB in the quarter was nominal since the acquisition closed in Q4 and Acurex infrastructure as code capabilities were not integrated into our go-to-market motion in the quarter. We believe Acurex's ability to assess and secure critical cloud infrastructure prior to deployment will significantly enhance our existing cloud capabilities and augment our strength in one-time environments. Accordingly, we plan to soon announce the availability of our more expansive cloud security offering and the integration of these capabilities with EP shortly. And given sales cycles, we expect CCB to begin to benefit in the second half of the year. In summary, we are delighted with the trend in the top line this year. Now, I'll turn to expenses, which include incremental investments and growth, and the operating expenses related to Acurex. I'll start with gross margin, which was 82% this quarter, down 70 basis points from last quarter. Gross margin for the full year was also 82%. Cost of sales increased sequentially due to higher public cloud and related costs associated with the increased customer usage of our products and costs related to scaling the Acura's infrastructure in support of a more expansive cloud security offering. We are also investing in a broader set of advanced analytics across the ATT&CK surface to help customers better predict ATT&CK paths and assess risk holistically. Looking ahead, we expect these investments to continue into 2022, which could modestly impact gross margin. Long term, we still expect gross margins to be in the high 70 to low 80% range. Sales and marketing expense for the quarter was $69.5 million, which is up from $60.7 million last quarter. Sales and marketing expense reflects higher wages and benefits related to hiring more sales reps, and other headcount as well as accrued payroll taxes. Further, it reflects higher commissions and variable compensation attributed to our strong sales performance in the quarter and increased investment in marketing for demand gen and brand building activities for our exposure solutions. Adding sales capacity and investing in our go-to-market efforts will continue to be an area of focus for us given the acceleration and growth in 2021. Our expanded product portfolio and the high level of sales productivity as well as our ability to generate an attractive ROI on new dollars invested. Sales and marketing expense as a percentage of revenue was 47% in Q4 compared to 44% last quarter. For the full year, sales and marketing expense as a percent of revenue was 44% and is expected to remain at or near this percentage in 2022. which will give us ample investment dollars to keep pace with the strong demand. R&D expense for the quarter was $24.9 million, which was consistent with $25.1 million last quarter. Although there was little change in R&D expense during the quarter, it should be noted that we added a sizable team of engineers in cloud security, attributed to our Kurex, and made other hires, which was more than offset by the amount of capitalized software development costs related to expanding our exposure platform, and an R&D tax credit we received. R&D expense as a percentage of revenue was 17% in Q4 compared to 18% last quarter. For the full year, R&D expense as a percentage of revenue was 18% and is expected to increase modestly in 2022 given the increased investment in cloud security, attack path analysis attributed to the symptom acquisition, and a broader set of predictive analytics and platform capabilities. G&A expense was $15.8 million compared to $15 million last quarter. As a percentage of revenue, G&A expense was 11% this quarter and last quarter, as well as for the full year. We continue to make investments in G&A to support the growth and scale of our business. We expect G&A expense as a percentage of revenue to remain flat in 2022. Income from operations was $11.9 million compared to $13.7 million last quarter. which reflects the items I just highlighted. For the full year, non-GAAP income from operations was $51 million compared to $25.8 million in 2020, which was a $25 million improvement despite the additional operating expenses attributed to the ALSAD and Acurex acquisitions. Operating margin was 8% for Q4 compared to 10% last quarter. Operating margin was 9% for the full year compared to 6% for the full year 2020. EPS in the fourth quarter was $0.05, which was $0.02 better than the high end of our guided range. For the full year, we generated $0.34 of earnings per share versus $0.19 last year. Now, let's turn to the balance sheet. We finished the quarter with $512 million in cash and short-term investments. Given our strong Q4 results, we saw a notable sequential increase in both accounts receivable and total deferred revenue. At year end, accounts receivable was $137 million and total deferred revenue was $531 million, including $407 million of current deferred revenue, which gives us a lot of visibility headed into 2022. Now, I would like to discuss cash flow. We used $160 million of cash to acquire Acurex and paid $3.2 million of interest on our credit facility in October. In Q4, we generated $22.4 million of unleveraged free cash flow. And for the year, we generated $95.2 million, which is a $50.9 million increase over 2020 levels. With 95% recurring revenue, high gross margins, and high renewal rates, we feel confident that we can continue to generate attractive levels of cash flow while continuing to invest in the business. Striking the right balance between growth and profitability has always been an area of focus for us. A good indication of this is our achievement of Rule of 40 for the fourth quarter and full year. Achieving this was years in the making and a long-term goal since our IPO in 2018, so we're very pleased to have achieved this important milestone. As a reminder, we define Rule of 40 as revenue growth plus unlevered free cash flow margins. With the results of the quarter behind us, I'd like to discuss our outlook for the first quarter and full year 2022. For the first quarter, we currently expect revenue to be in the range of 152 to 154 million. Non-GAAP income from operations to be in the range of 10 to 11 million. Non-GAAP net income to be in the range of 5.2 to 6.2 million, assuming interest expense of 3.5 million, and a provision for income tax of 1.3 million. Non-GAAP diluted earnings per share to be in the range of 4 to 5 cents, assuming 117.5 million fully diluted weighted average shares outstanding. And for the full year, we currently expect calculated current billing to be in the range of 750 to 760 million, Revenue to be in the range of $662 to $670 million. Non-GAAP income from operations to be in the range of $40 to $45 million. Non-GAAP net income to be in the range of $18.2 to $23.2 million, assuming interest expense of $14 million and a provision for income taxes of $8 million. Non-GAAP diluted earnings per share to be in the range of 15 to 19 cents, assuming 119.5 million fully diluted weighted average shares outstanding. Our strong performance in Q4 and the full year 2021 give us a lot of confidence in the business and our outlook for 2022. In that regard, there are a few comments I want to make that will provide important context to our guidance today. Our CCB guidance for the full year reflects 22 to 23% growth, which includes some continued tailwinds from log4j in Q1, with more modest contributions expected throughout the remainder of the year. Overall, we're very pleased to be providing CCB and revenue guidance today that is notably above the 20% bar we discussed during our investor day in December. In terms of profitability, we exit the year with an 8% operating margin in Q4. Our guidance is 6% to 7% from the full year 2022. which includes four to five million per quarter of operating expenses related to Acurex and to a lesser degree, Symptom. The incremental investments in R&D attributed to recent acquisitions expand our product suite strategically in port markets and strengthen our ability to deliver our cyber exposure vision. In terms of the quarterly flow of these investments, we expect to follow our historical seasonal patterns with higher weighting in the first half of the year, resulting in higher operating margins the second half of the year. As discussed earlier, we achieved Rule of 40 in Q4 and the full year 2021. So we believe making investments in the face of strong demand will position us well for continued growth and success. Long term, we are confident in our ability to continue to balance growth with profitability and become a Rule of 50 company. In summary, we're delighted with the results of the quarter I feel really good about the outlook we are providing today. I'll now turn the call back to Amit for some closing comments. Thanks, Steve.
We continue to see increasing levels of differentiation in our core VM capabilities. This is particularly exciting given the strategic role that many organizations are increasingly placing on VM. Our exposure solutions in OT and AD are seeing great traction. We're thrilled about the momentum we have in our cloud business, augmented by Accurix, forming an integrated, comprehensive cloud offering. And we believe that bringing these solutions and data sets into a unified cyber risk management platform with differentiated analytics, such as Lumen and attack path analysis, and others, positions us incredibly well for the long term. We delivered strong results in Q4, and are excited about the road ahead.
We'd now like to open the call up for questions.
Thank you. At this time, we will be conducting a question and answer session. If you would like to ask a question, please press star 1 on your telephone keypad. A confirmation tone will indicate your line is in the question queue. You may press star 2 if you would like to remove your question from the queue. For participants using speaker equipment, it may be necessary to pick up your handset before pressing the star keys. One moment, please, while we poll for questions. Our first question is from Hamza Fadarwala of Morgan Stanley. Please proceed with your question.
Hey, guys. Thank you for taking my question and a strong finish to the year here. Steve, maybe just first question for you. You mentioned the tailwind from Log4J. I was wondering if you could help us quantify what that actual tailwind was in Q4 and what the expectation is for 2022 from, you know, a growth contribution standpoint. You mentioned NRR was up. So, what was the net retention rate in Q4 relative to, you know, what you saw in the quarter prior?
Hi. Thanks for your question, and good question. As we've commented earlier, we saw some upside in the quarter related to Log4J. I think it's You know, the timing's important to note here. Log4j didn't surface until December, and we were well on our way to having our best growth quarter of the year, which is notable given the acceleration in the business we've demonstrated throughout the year. So as a result, the impact of Log4j in the quarter was more apparent in areas that had shorter sales cycles, such as renewals, expansion sales, and in terms of new business, more specifically in the mid-market and our no-touch necessary sales channels. But we're also very pleased to see pipeline and activity levels for larger deals inflect higher in the quarter. So we don't just see this as a pull forward of demand. I think the important point to note here is that Q4 caps a very successful year for us in which we saw accelerating CCB growth that benefited from our expanded product portfolio and the investments really were making and go to market that we started making the first half of the year. And as Amit commented earlier, what's really different about Log4J versus perhaps other vulnerabilities or even high-profile data breaches is the pervasiveness and the complexity of it, which is really a testament to our leadership in the market and the strategic nature of our products. And with regard to 2022, our CCB guidance for the full year does, which is 22% to 23% growth, does reflect some continued tailwinds from Log4J in Q1. given our level of visibility, as well as some contributions, more modest contributions throughout the year. But overall, we feel really good about the momentum in our business and our outlook for the year. We talked about the net dollar expansion rates. It was strong in quarter, and it lifted our net dollar expansion rate on an LTM basis back to close to pre-pandemic levels. So overall, really solid quarter for us, caps a very successful year and gives us a lot of confidence heading into 2022.
Steve, if I could just follow up on that, just on the net retention. So like you mentioned, it was back to pre-pandemic levels. I think over the last few quarters, the net retention, if I'm not mistaken, was trending between like 112, 113. Is it fair to say in Q4, it was back to that, let's say 115 to like, you know, 118 level even?
Yeah, so the distinction I'll make is LTM. What we talk about is on an LTM basis last 12 months. So if you have a really strong in-quarter renewal rate and expansion rates, it's going to drive a meaningful uplift on our LTM number. And we saw a meaningful uplift in our LTM number because of the strength in the quarter. So absolutely delighted with the result in the quarter. Obviously, expansion rate did benefit from log4j. But notwithstanding that, as I commented earlier, you know, we were on our way to having a good quarter. Linearity was really strong in the last few weeks of the quarter because a lot for Jay was particularly strong. And renewals and expansions benefited.
Okay. Got it. I'll let the others go.
Thank you.
Our next question is from Sterling Oddy of J.P. Morgan. Please proceed with your question.
Yeah, thanks. Hi, guys. So, first one is, you gave us the impact in operating expenses from Acurex and from Symptom, but can you give us a sense of what impact that had on the revenue line for guidance for 22?
For Acurex, Acurex closed in the fourth quarter, and as I commented, we have a full year expenses. Obviously, we're flowing through the guidance. It also reflects some additional operating expenses related to the Symptom acquisition, which we just announced. And I think it's important to note that Symptom is not going to be a separate SKU. It's going to be integrated with EP and in other areas of our product to provide a deeper and richer insight on our analytics. Amit can speak more directly to that. And with regard to Acurex, we are, you know, we've announced the expansion of our cloud security offering today. And, you know, that's a more expansive product that will begin to be selling. And given sales cycles, we would expect greater contribution in the second half of the year on CCB. And that is reflected in our guidance today as well.
And then maybe just one follow-up on the gross margin side, just to clarify a comment that you made. You mentioned the continued investments could have a modest impact on gross margins. Is that relative to the gross margin level in the fourth quarter, so we could see some additional pressure from that level or from the level for full year 2021?
It would be from Q4, based off of what we experienced in the fourth quarter.
Okay. And just modest impact and kind of stable through the year, or is there kind of a pattern where it kind of bottoms and starts to improve at some point?
I think for now what we commented earlier was directionally, obviously we expect strong sales in cloud. We're really pleased with the expansion of the product. And cloud will continue to represent a larger percentage of our sales. So as a result, what we're expecting is gross margins to track in line or trend modestly lower to the tune of about 100 bps. I think the safe assumption is That's something that we'll experience earlier in the year, and you should assume that going forward for the full year. And to the extent we do better than what our top-line guide calls for today, then obviously margins could continue to benefit from that because some of these costs are semi-fixed and not for a cost that we're making at least this year and will potentially drive margin leverage going forward.
Helpful. Thank you. Appreciate it.
Our next question is from Saket Kalia of Barclays. Please proceed with your question.
OK, great. Hey, guys. Thanks for taking my questions here. I mean, maybe first for you, you know, a lot of talk about EP in the call. I was just wondering, can you just expand a little bit on the success of the overall bundling strategy and how you're kind of thinking about that strategy in 2022 with bundling?
Yeah, when we first launched EP toward the middle of last year, we saw a lot of both the sales team and customers immediately gravitating toward it. Just the inclusion of web app scanning capabilities and the container security products and other things just make a lot of sense. And obviously the inclusion of Lumen sort of driving analytics on top of it. So we saw a very rapid increase adoption by both the sales team and customer base and gravitating toward EP. There are two, I think, key points to make here. One is there's a very natural progression for EP to include Active Directory capability, the full suite of cloud capability in it so that, again, when customers want to assess their risk, They're not going to one place. There's just a very natural unified reporting, dashboarding, a more holistic assessment of risk. And then the second point is that it's not just a bundling exercise the way kind of the EP packaging started out. It's not just a packaging or bundling exercise. There's real analytics that are now able to move across asset types, driving multiple asset types into Lumen and And again, the inclusion of new analytic methods like attack top analysis, we can make it an absolutely compelling platform.
Got it. Got it. That makes a lot of sense. Steve, maybe for you, for my follow-up, you know, nice start to the year with the CCB guide. I know the question was just asked just on inorganic contribution to revenue. But just to make sure it's asked, you know, is there any sense that you could give us on CCB guide for 2022? You know, I think you've got AllSid, you've got Acurex, and you've got Symptom in there. Any just rough sense for kind of how that 22% to 23% growth kind of looks from an organic perspective?
Sure. Well, as a reminder, the companies we've acquired are all very early-stage companies with minimal sales or go-to-market capability. So our sales to date primarily reflect the success of our go-to-market efforts and our ability to create and close pipeline opportunities post-sales. Um, you know, the timing's also worth noting on some of the acquisitions. Uh, we suppose all said, uh, in 2019, so we've had an OT offering now in the market for, for two years. Um, so we don't consider that inorganic growth. And then a character just recently closed in the fourth quarter. And, uh, that's, uh, you know, that's resulting in a more expansive, uh, cloud offering for us. It's going to be a newer motion. And we said earlier that we do expect contribution and it's reflected in our graph and our guide. to some degree, but we would expect it more the second half of the year. You know, that really leaves Acurex, which closed, or should I say that really leaves AltEd, our Active Directory product, which closed in April. And, you know, both AD and even OT did very well for us for the quarter and for the full year. We discussed the contribution to these products on a full year basis in our investor day. And I think it's fair to say we did even a little better than the 20 million we referenced in December. And we would expect continued growth in contributions from those products as well as more broadly our exposure solutions. But the one thing that I want to note here that's really important is really with regard to our go-to-market strategy, which is to increasingly integrate new capabilities and features into EP, our Unified Exposure Platform. Amit commented earlier, but it's worth repeating, it's nearly impossible to accurately assess risk associated with any one piece of technology or asset type in isolation. Our products really reinforce each other in the broader value prop of helping customers assess risk holistically, and that is across the attack surface. So breaking out sales of individual products going forward whose capabilities are included in EP or will be included in EP will become less meaningful given how we price and package our solutions and really helping our customers focus on the bigger problem.
Got it. Makes sense. Thanks, guys.
Our next question is from Andrew Nowinski of Wells Fargo. Please proceed with your question.
Great. Thank you. Congrats on that great quarter. I just want to start with a question on EP again. You've added a lot of components, as you mentioned, AD, and now it sounds like CS will be added to it as well. Can you just give us any color in terms of how much that would be increasing the price, and should we expect maybe accelerating growth in your $100,000 customers in 2022 because of that?
Yeah, and I'll turn that question over to Steve in just a minute. The way EP is designed is it's a premium – solution. It's a premium capability. It's a platform offering that delivers enhanced analytics on top of individual solutions. So if you use VM, you might want to purchase through EP because it would give you all the capabilities, the Lumen, LAS, all the other functionality. The same is true if you're using the cloud security product, and the same is true if you're using Active Directory. So The way we will monetize the new capabilities and these new products as they're added to EP is that it's a premium pricing, but you still have to pay the asset price for AD or for your cloud workloads and your assets in the cloud. So it's monetized both through an increased asset count as well as a higher price per asset because we're delivering some compelling value analytics on top of those assets.
Got it. That makes sense. And then I just want to do a question on maybe a clarification on your log4j expectations. I think you said you'll be certainly impacting Q1, but then it moderates after that. You know, if you kind of go back to some commentary, you know, from the CISA and, you know, the White House, they're claiming that this is going to create problems and potential issues for the next two plus years. So I'm wondering why, why do you, why do you think it's going to taper off, you know, after Q1 and not really be a driver, a strong driver, maybe even getting worse throughout the year?
Well, I think it's really, what's reflected in our guide, as I mentioned earlier, is certainly more Cal wins in Q1. To what degree we, Benefit beyond that, above and beyond the guidance we're providing today, really remains to be determined. So the guidance we're offering today respects continued contribution in the first quarter, reflects the strengths really of the overall business, not just for the quarter, but for the full year. So we think we're set up for success in 2022. It gives us confidence to provide the guide that we're providing today. We certainly have more visibility headed into the Q1. And we do really, you know, the remainder of the year. But to what extent it continues to benefit us, you know, to the level which we expect in the first quarter really remains to be seen. So we'll look forward to providing an update on our call in April.
That makes sense. Thanks, guys. Keep up the good work.
Our next question is from Gray Powell of VTIG. Please proceed with your question.
All right, thanks for taking my questions, and congratulations on a great quarter. Thank you. Yeah, absolutely. So, yeah, you highlighted that Billings growth accelerated in each of the last four quarters. You just exited the year at 29% growth. And, Steve, I know you want to keep people conservative, but do you see a scenario where things could further improve and maybe start growing in excess of 30% And then if so, I'd just be curious, like, what do you think are the most likely levers or things that could go right to get you there?
Well, look, the guidance we're providing today is 22 to 23%.
But, you know, that aside, we're chasing a massive market opportunity. We've expanded the product portfolio and we've gone into new markets and markets that are, that are, that are large and growing, uh, growing rapidly. We're making investments, too. I think that's one of the important things to note is that we started making investments more aggressively really the first half of the year, and it's making a difference really on the top line. Adding sales capacity, we're also achieving higher levels of productivity. We're continuing to evolve the product suite. And I think all that really makes a difference with the backdrop of not just high-profile data breaches, but threats that are very relevant to the problems that we're solving today. So I think it gives us a lot of confidence in our outlook in 2022. We're certainly not going to cap our growth rate, not by any means. This is a big opportunity. We're pleased to see the acceleration, and obviously we'll learn more as we work our way throughout the year.
Okay, that's really helpful. And then just one more quick one. So you all mentioned that a number of customers came back and expanded their coverage of assets in December following Log4j. Could you maybe just talk about what that looked like? Specifically, what percentage of assets were those customers covering before Log4j? And then what did coverage look like afterwards? Are we talking a doubling in coverage? I'm just trying to get a sense as to how that looks.
Yeah, I would say each customer situation is obviously different. I think in many instances, especially on the enterprise side, they would have some substantive coverage of their environment, but they would also recognize, hey, we haven't been covering these other assets. I mean, don't forget Log4J is a great example of an exploit which is completely portable over any system that runs Java. So they were even if you had pervasive coverage of your desktop servers and workstations, there's still lots of other compute devices in the environments that might be able to run Java and might be susceptible or cause problems with respect to log4j. So I think it's really customer-by-customer dependent, but I would not you know, sort of assume it's a natural doubling or anything of that nature.
Got it. Yeah, I was just making that up. I was just trying to figure out a rough, you know, ballpark increase.
Thanks, Greg. Cool. Thank you very much.
Our next question is from Brian Essex of Goldman Sachs. Please proceed with your question.
Yeah, great. Uh, thank you for taking the question and congrats on a nice set of results for the quarter. Um, yeah, just, I guess maybe a meet, um, you know, I think over the past few quarters or last quarter, we talked about, you know, penetration of MSSP channel. Um, how has contribution from the managed service providers in the quarter and, and how, particularly given the, the landscape and, and in the threat environment, um, you know, how is that, how is that traction progressing into 2022?
Yeah, I think the – I'll start with the second question. The progression of the fund environment, I think, becomes a sort of natural tailwind for us in that it increases visibility, it increases sort of executive awareness, and it increases concern among people making the – in the business leadership or in the leadership of the business to say, hey, Are we exercising a good standard of care with the data, the systems and the data that are entrusted to us? And so the very natural progression when you read about a high-profile breach, a threat actor, or a vulnerability is, are we susceptible to this? Are we vulnerable? How secure are we? How at risk are we? And that naturally gravitates people toward you know, the VM program, which is really the center for ground truth around answering those questions. You know, in terms of NSSP, it's an area where we, you know, we've made some investment. We continue to see, you know, very strong traction. We've got a, I think we put out a momentum kind of press release around our NSSP partners maybe six months or longer ago, and there's 300-plus MSSP partners that we operate with, but more specifically seeing very meaningful traction in sort of the 20 largest MSSP providers where we believe our capability can really differentiate itself and marries up with enterprise expectations and requirements. So we think it's an area where the investment is beginning to bear fruit, and I think more opportunity exists.
Got it. That's helpful.
And then maybe if I could touch on competitively how you're seeing the current environment for Tenable relative to either greenfield opportunities or competitive displacement, is that shifting at all on the back of the elevated threat environment, particularly with Log4J, where you know, your kind of best-of-breed status is causing a shift over to Tenable, or is it still, you know, or is kind of the, you know, enterprises without a formal vulnerability management platform being driven there because of the vulnerability environment? Maybe we can get, you know, any kind of shift in color that would be helpful.
Yeah, you know, Steve, I'll let you comment if there's any notable change on the greenfield. But, you know, typically we go out of our way to call this out on a quarter-and-quarter basis. It's been very consistently, you know, about a third of our new enterprise, larger new enterprise lands. I will say that, you know, there's notable differentiation, especially in high-profile, you know, vulnerabilities and breaches like Block4J where, Immediately, it's a known issue, the CISO or the CSO, or in many cases you can fill her up in the food chain, are asking questions about it. We're first to market in terms of detections for these capabilities, in terms of accurate detection for these capabilities, in terms of the flexibility and breadth of coverage that we have for these issues. So we had CISOs coming back or VM program managers coming back and saying, by this technology or that technology is telling me fine, and they found 12 instances of this thing, and we've got over 100 different checks. At this point, we're adding multiple new checks per day because there's an incredibly long tail on this. We're able to identify it over dozens of protocols and multiple applications where it's embedded. So this is, again, one of those issues where the breadth and complexity really allow enterprises to see the differentiation that we bring to the table in terms of coverage and accuracy. And I think that bodes well, at least in the early periods for us, you know, competitively. We've always enjoyed a strong competitive differentiation and competitive win rates. Awareness and the high-profile nature of, you know, newer breaches and Y4J will continue to highlight that for us.
Got it. That's helpful. And Steve, is it still the same split?
It is in terms of greenfield opportunities. Percent of greenfield opportunities, it did not change meaningfully in the quarter. So, yes, sizable greenfield opportunity and obviously our best-of-breed status in VM certainly is helping.
Got it. Very helpful. Thank you.
Our next question is from Rob Owens of Piper Sandler. Please proceed with your question.
Hey guys, this is Justin Roach on for Rob. Just was wondering if you could give some more color on the demand environment in the federal vertical and 4Q, given the strength you saw last quarter and how we should think about it as we move into 22. Should we see any differences in seasonality, just given the spending intentions here seem to be pretty high?
Yeah, we're very pleased with the approach the federal government's taking to cyber. It's much more aggressive. you know, lean in and, uh, uh, you know, previous administrations have shown, um, we see continued strength and health in our overall federal business. Um, we see a lot of both, you know, large funded and unfunded, uh, opportunities. And, and, and I think, you know, we'll continue to focus on that market. And, uh, uh, we don't, I will also say, you know, we don't see any, um, unanticipated change in seasonality from previous years and previous behaviors. Steve, I don't know if you have additional color to add on that.
No, well said. Got it. That's it for me. Thanks, guys. Thank you.
Our next question is from Jonathan Ho of William Blair. Please proceed with your question.
Hi, good afternoon. I just wanted to start out with some of your commentary around the Active Directory security opportunity. Can you maybe give us a sense of whether or not this could be another tip of the spear to maybe go with new customers that are maybe using an alternative platform? And does that maybe open up the opportunity to dislodge those competitors, I guess, longer term?
Absolutely it is, and I think especially in large enterprises where competitors have been entrenched for years or they've been locked in with multi-year contract engagement and they've integrated the VM product into other processes that they have and displacing them has been more challenging. In those instances, As soon as we mentioned VM or some of the cloud security capabilities that we're now bringing to market, there's definitely a very strong openness to engaging with us. And so we find that in those types of entrenched accounts, Active Directory becomes a clear differentiator and a door opener. And then once we're engaged, the natural move would be to try and broaden the relationships.
Got it. And then just a quick housekeeping question. Can you give us a sense of the percentage of customers that are maybe starting with EP at this point or maybe some color on those that are trading up to EP as well? Thank you.
Hi, Jonathan. This is Steve.
It's notable. I think one of the things we called out was we added 562 net new customers Our new platform customers in the quarter, which is a record for us, our best ever as a public company. That's up from 460 last year. And we're also seeing larger deals. So keep in mind, EP was a product that we launched in Q1. And it's gaining major traction here for us. And our mandate was always really about cyber exposure, really holistic risk assessments, more so than VM. So we're absolutely pleased with the results in EP and the early response. Just be mindful of sales cycles. That 562 new enterprise platform customers, a good portion of those or some sizable portion of those is attributed to EP. This is a product that we plan to lead with really in the mid-market and the enterprise market. You're seeing the impact first really in areas where we have shorter sales cycles, such with mid-market type deals. And the pipeline to be able to associate with that is also very significant, which I commented on earlier. So, you know, I think it's going to pave the way for, you know, teams acceleration and new business, more larger deals as we cover more areas of the attack surface.
Great. Thank you.
Ladies and gentlemen, due to time constraints, we ask that everyone limit themselves to one question per person going forward. Our next question is from Brad Reback of CIFL. Please proceed with your question.
Lucky I only have one. Quick question, Steve. As you think about headcount growth for calendar 22, should that be in line with revenue growth?
You know, we don't guide the headcount growth, but I think it's fair to say that, you know, given the investments that we're making, that we're going to see certainly acceleration in the headcount growth. And I think, you know, more so than what we saw in 2021. And the two big areas are going to be R&D and sales and marketing. So R&D, especially just given, you know, the product roadmap and, you know, the innovation that's planned for the upcoming year, as well as the acquisitions, specifically related to Acurex, and more recently sent them here. So certainly continue investments in R&D. And then on the sales and marketing side, we know when we make investments in sales and marketing in that quota capacity that there's a clear return. You know, we have a lot of momentum in the business. I think our execution and performance this year certainly demonstrates that. So we're certainly putting more wood behind both sales and marketing and R&D. We ended up with a backdrop of a really strong threat environment on the heels of a good quarter and a strong year. It gives us a lot of confidence to do so. So there's certainly more growth in total headcount the upcoming year than what we experienced last year and specifically in those areas.
And what was 21 growth? Can you remind us?
Again, we don't disclose growth in headcount, but it was probably more directly in line with overall growth in revenue.
Great, thanks.
Our next question is from Dan Ives of Wedbush. Please proceed with your question.
Yeah, just one question. So with EP, I mean, how much of a door opener is that even to larger enterprises? And is there potential that that accelerates almost some of the sales cycles? Thanks.
I think it's absolutely a door opener in two forms. One is it forces a more strategic conversation with large enterprises, right? And the large enterprises are struggling with, okay, I'm going to use this technology from a cloud-native infrastructure perspective. I've got nothing really helping me with AD. I'm going to use that technology for VM. You know, this other thing for, you know, my building automation and my, you know, my OT infrastructure. And it just becomes very complex when you're looking for whether it's a log4j or whether you're trying to assess overall cyber risk. You're trying to figure out, okay, well, what's my state and how do I reduce that risk? So it helps in two key areas. One is a more strategic conversation with those large enterprises and opening doors that way. And the second is when you're talking about EP, you're also having a conversation about all of those asset types, which can be problematic, which the CISOs are very concerned about, and helping them understand, okay, well, how big of an issue is this versus other things I have in my environment. And how do I compare the state of readiness from one business unit to another and from one asset type to another? And what should I prioritize fixing? So helping them with a higher order analytic. And so we think it's a great engagement at a more strategic level.
Thanks.
Our next question is from Mike Sikos of Needham & Company. Please proceed with your question.
Hi, team. Thanks for getting me on here, and good to see that 22% to 23% growth bogey out there to start the year. My question really circles back to some of the commentary on the quota-carrying reps. Tenable's discussed its ramping investments in these reps, and I think the average rep takes about 10 months to ramp. So for 4Q, The hires that we saw that quarter, was that the highest carrying reps of any quarter in calendar year 21? And then on that go-to-market, is there the need for a separate overlay for specific products or the sales reps selling the entire portfolio?
Hi, Mike. This is Steve.
So I think your first question was go-to-carrying reps and just directly with Q4 higher than at any other point in the year? The answer to that is yes. We invested the first half of the year, but given the acceleration of the business that we saw throughout the year, it gave us more confidence to do more investment in sales and marketing. I think looking back on the year and then looking out in 2022, we expect to get more quota capacity in 2022 than in 2021. yes is the answer to your first question. I guess with regard to your second question, I want to make sure I understand that. Could you repeat it, please?
Absolutely. So the question is really around the new products that you're bringing on. We think about, I know Symptom is going to be integrated into EP, and you're talking about expanding EP with AD, CS, but is there a need to have a separate overlay for the sales team to sell any of these products or is the overall sales team is able to go out there and sell the portfolio in its entirety at this point?
There's definitely the ability for our core sales reps to sell the portfolio. We're not acquiring and launching a series of very disparate, very distinct technologies, which are kind of loosely coupled as the core team goes out and talks about EP and the fact that EP does not only include IO and VM, but also includes AD and cloud security, which includes container and Kubernetes and CSPM and infrastructure as code and all of these things. So it's a more strategic message Now, obviously, as you start unpacking that, conversations can very quickly get to a level of depth where a core rep or a core engineer might not yet have the requisite expertise. And so for some period of time, we'll continue to have specialists which can really do an incredibly deep dive with the team that manages domain controllers in the enterprise or that want to talk – about specific control systems and other parts of the cloud environment.
Terrific. Thank you for the insights, guys. Appreciate it.
Our next question is from Andrew Smith of Barenberg Capital Markets. Please proceed with your question.
Hi, guys. Thanks for taking my question. Could you just compare demand across the different solutions of core VM, AD, and OT? I know there have been several high-profile attacks in the last 12 to 18 months that have been linked to operational technology and the company's Active Directory, which I believe is driving awareness for those products. But just curious if you could compare demand across the different solutions of Core VM, AD, and OT. That would be great. Thanks.
Super high, super high risk, and super high risk. We're operating in a high-threat environment, I think, as you called out, There have been some, you know, very high-profile breaches, specifically, you know, calling a pipeline JVS and into those operational technologies. You saw CISA calling out, you know, some concerns about attacks against U.S. critical infrastructure and operational technology environments. So that's – it's incredibly high-profile. A lot of 4J profiling, obviously, you know, sort of core VM at, you know, just the beginning, but obviously with web app scanning and other capabilities, you know, closely on the heels, as well as some of the cloud security capabilities that we bring to the table. But the exciting part, you know, this sort of very natural observation is that, you know, when you look at something like Colonial Pipeline, it wasn't just an OT system's went out or was shut down, at the root of it was a compromise of IT systems and Active Directory. And so all of these things are completely intertwined. You cannot assess OT security today without also being able to assess IT and Active Directory and these other aspects which are completely meshed in in operating environment. And the same is true of identity and cloud and IT. So we think all of these things, whether it's the high-profile OT breach, the log4j vulnerability, which, oh, by the way, exists and manifests itself in OT environments as well, all of these things provide the type of visibility for in our individual solutions, but also for the strength of our platform.
Perfect. Thank you.
We have reached the end of the question and answer session. I will now turn the call back over to Amit Yoran for closing remarks.
Great.
I'd like to just thank everybody for joining us for the call. We're Super excited about the results we're able to deliver in the fourth quarter in 2021. And I'm very excited, obviously, about the acquisition that we announced today and very excited about the opportunity in front of us. Look forward to future engagement.
This concludes today's conference. You may disconnect your lines at this time. Thank you for your participation and have a great evening.