Tenable Holdings, Inc.

Greetings and welcome to Q3 2025 earnings conference call. At this time, all participants are in a listen-only mode. A brief question and answer session will follow the formal presentation. Should anyone require operator assistance during the conference, please press star zero on your telephone keypad. As a reminder, this conference is being recorded. It is now my pleasure to introduce your host, Erin Carney, Vice President, Investor Relations. Thank you. You may begin.

Thank you, Operator, and thank you all for joining us on today's conference call to discuss Tenable's third quarter 2025 financial results. With me on the call today are Co-Chief Executive Officers Steve Vince and Mark Thurman and Chief Financial Officer Matt Brown. Prior to this call, we issued a press release announcing our financial results for the quarter. You can find the press release on our IR website at tenable.com. We will make forward-looking statements during the course of this call, including statements relating to our guidance and expectations for the fourth quarter and full year of 2025, growth and drivers in our business, changes in the threat landscape in the security industry and anticipated shifts towards preemptive security approaches, our competitive position in the market, growth in customer demand for and adoption of our solution, including Tenable One, our exposure management platform, Our ability to expand integration with third-party tools and data sources and grow our ecosystem, planned innovation, research and development investments, and new products, services, and initiatives, and our expectations regarding long-term profitability and free cash flow. These forward-looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. And we disclaim any obligation to update any forward-looking statements or outlook. For a further discussion of the material risks and other important factors that could affect our actual results, please refer to those contained in our most recent annual report on Form 10-K and subsequent reports that we file with the FDC. In addition, all of the financial results we'll discuss today are non-GAAP financial measures with the exception of revenue. These non-GAAP financial measures are in addition to and not a substitute for or superior to measures of financial performance prepared in accordance with GAAP. There are a number of limitations related to the use of these non-GAAP financial measures versus their closest GAAP equivalent. Our press release includes GAAP to non-GAAP reconciliations for these measures. I'll now turn the call over to Steve.

Thanks, Erin. Before we get started, I want to welcome Matt Brown to the Tenable team. Matt comes with tremendous experience and has hit the ground running since he joined us in August. With that, let's get into the quarter. In Q3, we exceeded all of our guided metrics, delivering 11% year-over-year revenue growth and 23% operating margins. We continue to see strong growth from Tenable One, our exposure management platform, which represented approximately 40% of new business during the quarter. We added 437 new enterprise platform customers in the quarter, a 13% increase compared to Q3 of 2024. Notably, half of all those customers are landing with exposure solutions with strong momentum globally. We believe our strong new platform traction reflects a fundamental shift in cybersecurity away from detection and response technologies and more toward a more preventative and preemptive approach. The reactive approach to cyber is where the tools, the budgets, the compliance priorities have lived for many years, simply trying to detect breaches. In fact, more than 95% of all cybersecurity spend today is on post-breach technologies. So consequently, less than 5% is spent on preemptive security. Now, the good news here is that that mix is expected to change significantly over the ensuing years, and we're starting to see signs of that shift with Tenable One. The obvious question is, why is this happening now? The short answer is AI. AI is dramatically reshaping the threat landscape. as attacks have become faster, more automated, and more sophisticated, exposing the limits of traditional reactive defenses. The takeaway here is that it's no longer just about firefighting. It's about fireproofing, and exposure management is helping customers make that shift. Market-leading exposure management starts with unified visibility, but it's more than just seeing assets, domains, and systems across your environment. It demands intelligence, context, and the ability to mobilize that insight into action. It's not just about knowing that a vulnerability exists, but understanding that it's on a critical asset that is actively exploited and sitting on a direct attack path to your crown jewels. It's also about using AI, not simply to find flaws, but to anticipate how an adversary may move through your environment and to see your organization the way an attacker does. and moreover, to mobilize before attackers do. We believe Tenable One is uniquely positioned to win in this next phase of security in this new AI world, given our roots and our strategic direction. Our foundation in vulnerability management gives us the data, the scale, and credibility to lead the shift toward exposure management. And we're building on that strength with focused investment and innovation. Notably, R&D is up over 20% year-to-date. reflecting significant investments in Tenable One that unify visibility, insight, and action across the full attack surface. In Q3, we launched Tenable AI Exposure, leveraging technology from Apex to give CISOs visibility into and control over the risk associated with generative AI. The solution helps organizations discover AI usage across their environments, understand how it impacts their attack surface, and identify potential exposure stemming from AI-enabled applications, code, and user behavior. It is a powerful example of how we continue to extend Tenable One to stay ahead of emerging threats. We also surpassed 300 validated integrations in the Tenable One platform, underscoring our progress in creating the most open and the most interconnected exposure management platform in the market. This open ecosystem is a key differentiator These integrations go beyond technical connectivity to unify visibility and insight across tools and data and teams. By breaking down silos between vulnerability management, cloud security, identity, OT operations, and the broader ecosystem of third-party tools, we are advancing how customers unify data, apply contacts, and orchestrate faster in a more coordinated way. As we continue advancing this vision, we are building a platform where connectivity drives action, where customers don't just see risk, they can act on it. Finally, we advanced our vulnerability priority rating across different domains, allowing for higher levels of smarter orchestration and mobilization for exposure management. This gives organizations even sharper precision in determining which risks demand immediate actions. Most enterprises are flooded with findings, and the challenge is not just seeing vulnerabilities, but knowing which ones matter. By combining real-world threat intelligence, contextualized asset data, and AI-driven analytics, our enhanced VPR helps customers focus their remediation efforts on the exposures that matter most. We believe that these innovations across visibility, insight, and action, combined with our growing open integration ecosystem, And our focused investment on preemptive security and R&D are what differentiate Tenable among the many vendors now laying claim to the exposure management space. And our quarter-wide customers are turning to us. I'd now like to turn the call over to Mark to discuss how customers and the industry are responding to the shift to exposure management and how we are leading them through this change.

Thanks, Steve. We believe Tenable is leading the transformation to exposure management and the industry is taking notice. We were recognized as a leader in exposure management by two of the industry's top analyst firms during Q3. In July, Tenable was named a leader in the Forrester wave for unified vulnerability management solutions. In August, we were recognized as a leader in the IDC marketscape for exposure management platforms. And in September, IDC again reported Tenable ranked number one in its latest market share report. As Steve mentioned, one of our defining strengths and what shines through in every customer story is Tenable One's ability to unify visibility, insight, and action across the modern attack surface. We're now extending that power to include both Tenable Native and third-party data, giving customers an even more complete view of risk. But exposure management is more than a technology. It's a journey that requires a new mindset We're listening closely to our customers by helping them chart that path step by step. Our Exposure Management Leadership Council and our Exposure Management Maturity Model have become critical guides in that journey. The Leadership Council, which launched this quarter, brings together some of the most forward-thinking CISOs and security leaders to share insight and best practices from their own exposure management transformations. Their feedback helps shape our platform roadmap and ensures we're focused on solving the challenges that matter most. Our new exposure management maturity model gives organizations a framework to assess where they are today and what it will take to advance in their exposure management journey. It helps them measure progress, identify gaps, and prioritize the investments that will have the greatest impact. Together, Our exposure management leadership council and maturity model are helping customers turn exposure management from an abstract goal into a disciplined strategy for the future. Through these initiatives, we're helping customers evolve their approach from managing vulnerabilities to embracing a true preemptive security mindset. It's how they move from reacting to risk to staying ahead of it. That's what Tenable One is designed to deliver, the clarity, intelligence, and context to see threats before they strike. As Steve highlighted, we're leading the way with the most comprehensive exposure management platform in the market, helping our customers build stronger, smarter defenses for the AI era. Let me give you some real-world examples from the quarter. First, we captured a major new logo with a global commercial real estate investment services firm, displacing the top cloud security provider and an incumbent vulnerability management player to consolidate onto the Tenable One platform. Like many large enterprises, this customer faced growing complexity of a hybrid environment with assets spread across on-prem infrastructure, multiple cloud providers, and third-party systems. Tenable One was selected for its superior technical capabilities across cloud security and vulnerability management. It was also chosen for its ability to unify data and context across their entire ecosystem. This consolidation immediately filled critical visibility gaps, streamlined operations, and reduced the cost and complexity of managing risk across a fragmented landscape. We also had another major win this quarter with a national electric utility provider in EMEA to accelerate their critical infrastructure transformation. Like many in the energy sector, this organization is navigating the growing convergence of IT and OT environments with operational technology increasingly coming under the responsibility of the CISO. They selected Tenable, as their exposure management partner for our ability to integrate complex technical requirements and deliver a cohesive, scalable OT security framework across their national distribution network. By unifying visibility and context across IT and OT assets, Tenable is helping them eliminate silos and protecting critical infrastructure at a national scale. We also secured a six-figure expansion with a leading technology provider serving the public sector, converting them from our standalone crowd product onto the Tenable One platform. This is a strategic shift for the customer, driven by their need to unify visibility and control across a complex hybrid environment, supporting sensitive government workloads. This multi-year agreement enables them to consolidate onto tenable one over time, simplifying operations, reducing vendor sprawl, and strengthening compliance across both commercial and public sector deployments. These customer wins reinforce that our strategy is absolutely working. We are earning larger, longer-term commitments by delivering strategic value and deeper integration into our customer environments. At the same time, we believe these wins reflect the broader industry shift that is now underway from reactive post-breach defense to preemptive security. As this shift accelerates, we believe Tenable is exceptionally well positioned for sustainable growth, with exposure management becoming the foundation of modern cybersecurity programs worldwide. With that, I'll turn the call back over to Matt to dive deeper into the results for the quarter.

Thanks, Mark. I want to thank everyone for the warm welcome, and I'm really excited to be here. I look forward to seeing new and familiar faces over the next couple of months. With that, I'll jump into the results for the quarter. We're encouraged by the strong third quarter, exceeding the high end of the range on every metric we guided to for the quarter. Revenue was $252.4 million, representing growth of 11.2% year-over-year. The year-over-year growth in revenue for the quarter, as well as outperformance relative to guidance, was underpinned by a solid foundation of renewal business, strong tenable one adoption, and better than expected contribution from professional services. Our percentage of recurring revenue remained high at 95% this quarter. We're continuing to see solid momentum in Tenable One, as customers are increasingly turning to our platform to bolster their preemptive security programs. The strength and new platform growth in the quarter drove calculated current billings, or CCB, to 267.5 million, a year-over-year increase of 7.7%. While short-term remaining purchase obligations, or CRPO, grew 12.9%. These measures are beginning to diverge due to changes in upfront billings patterns and increasing contract durations, which we expect to persist in the midterm. Net dollar expansion rate was in line with expectations at 106%. Non-GAAP gross margin was 81.6% for the quarter. an increase from 81.4 percent in Q3 2024. We're encouraged by our ability to slowly but steadily increase non-GAAP gross profit year over year, both on a quarter and year-to-date basis. Year-to-date non-GAAP gross margin was 81.8 percent, compared to 81.3 percent for the nine months ended in the prior year. Non-GAAP income from operations was 58.9 million, or 23.3% of revenue, compared to 45 million, or 19.8% of revenue, in Q3 2024. Although we continue to make targeted investments during the quarter, including growth of more than 18% in research and development related expenses year over year, we were able to drive continued leverage in the business as a whole. Our investment in innovation is a result of our focus on delivering the most comprehensive exposure management platform to our customers. On a year-to-date basis, non-GAAP income from operations grew to 155.3 million, or 21.0% of revenue, compared to 124.8 million, or 18.8% of revenue in the comparable period last year. Non-GAAP earnings per share for the quarter was 42 cents compared to 32 cents in Q3 2024, an increase of 31.3%, reflecting the increase in profitability combined with a decrease in diluted shares outstanding. Turning to the balance sheet, Cash and short-term investments totaled $383.6 million. We generated $58.5 million of unlevered free cash flow during the quarter, compared to $60.8 million in Q3 2024. This brings the year-to-date unlevered free cash flow to $189.6 million, a year-over-year increase of 24.7%, putting our annual guide well within reach. During the third quarter, we repurchased 2 million shares for $60 million. In total, we have now repurchased 8.3 million shares for $300 million since November 2023, and have $250 million of repurchase authorization remaining. We intend to continue to repurchase shares, which we believe is an effective use of capital. Turning to the financial outlook for the remainder of the year. With the results of the third quarter behind us, we've gained incremental visibility into the full year. And as a result, we are raising our full year guidance at the midpoint across most of our guided metrics. Specifically, we are increasing our full year guidance at the midpoint for CCB and now expect a range of 1.040 to $1.048 billion, representing a year-over-year increase of 7.7% at the midpoint. We expect revenue for the fourth quarter to be in a range of $249.1 to $253.1 million, representing a year-over-year increase of 6.5% at the midpoint. For full year 2025, we are raising our revenue guidance range to $988 to $992 million, representing a year-over-year increase of 10.0% at the midpoint. We expect non-GAAP income from operations for the fourth quarter to be in the range of $55.7 to $59.7 million, or 23.0% of revenue at the midpoint. For full-year 2025, We are raising our non-GAAP operating income guidance at the midpoint and now expect a range of $211 to $215 million, or 21.5% of revenue at the midpoint, representing a year-over-year increase of 100 basis points. We remain committed to balancing top-line growth with a steady increase in profitability. We expect non-GAAP net income for the fourth quarter to be in the range of 47.9 to 51.9 million, representing a year-over-year decrease of 1.6% at the midpoint. For full year 2025, we are raising our non-GAAP net income guidance at the midpoint and now expect a range of 185 to 189 million, representing year-over-year growth of 17.9% at the midpoint. We expect non-GAAP earnings per share for the fourth quarter to be in the range of 39 cents to 43 cents flat at the midpoint compared to Q4 2024. For full year 2025, we are raising our non-GAAP earnings per share guidance to $1.51 to $1.54 representing year-over-year growth of 18.2% at the midpoint. In closing, we'd like to thank the entire Tenable team and our customers and partners for a great result. We're very pleased with the steady execution the team has delivered this quarter and our incremental optimism for the rest of the year, as reflected in the increased guidance ranges we've provided. Mark, Steve, and I thank you all for joining and we look forward to seeing you at the UBS and Barclays conferences in the coming weeks. We are happy to open the call up for questions. Operator?

Thank you. We will now be conducting a question and answer session. If you would like to ask a question, please press star 1 on your telephone keypad. A confirmation tone will indicate your line is in the question queue. You may press star 2 if you would like to remove your question from the queue. For participants using speaker equipment, it may be necessary to pick up your handset before pressing the star keys. One moment, please, while we poll for questions. The first question is from Saket Kalia from Barclays. Please go ahead.

Okay, great. Hey, guys. Thanks for taking my question here, and welcome, Matt.

Thanks, Saket.

Hey, guys. I'll just keep it to one question. Steve and Mark, maybe for you, U.S. Federal is, of course, a really important vertical for Tenable. Can you just talk a little bit about how that performed this quarter? And given the current situation, maybe give us a little historical context of how the business has performed around prior shutdowns as we think about any potential impact going into Q4. Does that make sense?

It does, Hackett, and thank you for your question. This is Steve. We have major market leadership in public sector and U.S. federal in particular across a wide range of three-letter federal agencies spanning civilian, defense, and intel. And CRs are not new, nor are government shutdowns. We have seen them before, and we've demonstrated an ability to execute in these environments. And we're particularly pleased with the results this quarter. Public sector and U.S. federal in-line expectations, which is very notable given the seasonally high mix of U.S. federal business.

So overall, a good result for us for the quarter. Very helpful. Thank you.

The next question is from Brian Essex from J.P. Morgan. Please go ahead.

Hi. Good afternoon. Thank you for taking the question. And, Matt, congratulations on the new role for me as well. Looking forward to working with you again.

Thanks.

And, you know, nice consistency out of the gates as well. So certainly appreciate that. I guess maybe to follow on a Socket's question for you, Matt, you know, I was down in D.C. last week and met with CISA, and it was clear that things were going to get incrementally uglier this week as agencies run out of money, particularly for essential employees where, you know, CISA is focused. But we'd love to hear, you know, from your perspective, you know, given that I guess, deceleration that's baked into the 4Q, like just basically what's implied by your full year guide, the deceleration of revenue in the 4Q. What are you contemplating within guidance and what kind of scenarios might lead for upside to your expectations for the quarter and for the year?

Yeah, I think the first thing to note is just the steady execution that we had in Q3 under the current environment of uncertainty. And keeping in mind, Q3 is a higher proportion of Fed for us relative to other quarters in the year. So with that backdrop, we look ahead to Q4, which seasonally is a smaller Fed quarter for us, and see relatively minimal exposure. Now, of course, there's a couple million dollars that could be at play here or there, but generally we feel very positive about the pipeline that we see. Renewals continue to come in very strong. We think we've got good line of sight. So we think we're not especially exposed in this fourth quarter.

Got it. Maybe can I sneak in a quick follow-up for Mark? Just with regard to the impact of the expiration of CISA 2015, and what that might have on CVE reporting. Any impact that you might envision for the core VM portion of your business?

Yeah, right now, based on feedback with customers and talking to a bunch of partners and obviously our employee base, we're not really projected to see any type of negative impact right now. As it plays out, we'll obviously be monitoring it closely. But right now, based on a lot of our conversations and contacts and relationships we've got going on, And the federal government, we're not really anticipating any significant downside there.

Super helpful. Thank you so much.

The next question is from Mike Sikos from NeedM&Go. Please go ahead.

Great. Thanks for taking the questions, guys. And congratulations to you, Matt. Looking forward to working together. Thanks. Before I ask my second question, which is more tied to the billing, I just wanted to ask, Matt, since this is your first earnings call here with the firm, can you help us think about if there were any changes to guidance philosophy or what you're bringing to the finance function here now that you got a couple months in the seat?

Yeah, I think generally no substantial changes to our approach to guidance. I will say I was just extremely pleased to come in and see a very high-functioning team, not just within finance, but across the entire organization. I feel like we're really focused on the right things, and the team is all growing together. So I would say no major shifts in the way that we're approaching guidance.

Okay. And then the follow-up is, again, on that billing side. Just trying to get a better sense of the different puts and takes here, right? If we have the a three million issue of upside this quarter versus where people were expected we're nudging up the low end of the guide by two million um you guys are talking about increased visibility into year end um can you just discuss how you guys uh thought about putting out this this range and some of the different puts and takes there as it pertains to that visibility you're talking to sure um i think that the very brief takeaway is you know as we sit here today

we're feeling incrementally more positive about the year than we were three months ago. That's as a result of a strong Q3, but also visibility into Q4. So it represents, you know, it's a small guidance increase at the midpoint for CCB of a million, but that flows down too. So taking up the guidance to revenue and taking up the guidance to non-income, all those things are things that we're happy we're able to do which is as a result of us feeling better about the year on balance.

Terrific. Thank you very much, guys. The next question is from Rob Owens from Piper Sandler.

Please go ahead.

Great. Thank you for taking my question. And Steve really enjoyed the discussion up front on fireproofing versus firefighting in terms of where things are going. You know, to that end, if I look at your enterprise ads versus your 100,000 ACV customers, maybe you can parse what's going on there. And are you seeing more new customer additions up front and you're starting to see just velocity increase on that front as some of these trends are changing? And if that's the case, maybe you could add some color around the 100,000 ACV customers. Thanks.

Sure. Well, as you noted, our mix-up business can change from quarter to quarter. This quarter has higher concentrations with U.S. Federal. And as we mentioned, we were very pleased with the results there. We're also very pleased with strong quarter for new business for us. We added 437 new enterprise platform customers, which was one of our strongest quarters, I would say, to date. And look, on a year-to-date basis, too, new lands have been strong. We're also, as we've talked about on the prior quarters, is that we've demonstrated an ability with our exposure management platform to transact larger deals. We're delivering incremental value to customers. Transaction sizes and deal sizes are getting larger and on average anywhere from 50 to 90% plus in comparison to standalone VMs. So overall, we're pleased with the velocity of lands this quarter. We're pleased with our ability to continue to do larger deals. And there's always some interplay from one quarter to the other. And I think it really speaks to the continuing momentum of the platform and the ability to help customers sort through all of this fragmented visibility, this overwhelming noise and alerts. and all this manual remediation to help them unify visibility, insights, and action to reduce risk. And so it's certainly something that we're pleased to see with the continued traction of the platform.

The next question is from Meta Marshall from Morgan Stanley. Please go ahead.

Great, thanks. Maybe a couple for me. Just first in terms of noted commentary on the OT market, just wanted to know if there's efforts underway kind of either with R&D or go-to-market to kind of better take advantage of some of those opportunities. And then second, just kind of noting the 18% increase in R&D, Just in terms of the answer to the previous question of trying to simplify environments for customers, just what are some of the other investments, whether that's professional services or go-to-market, are you making to help simplify the offering for customers? Thanks.

Yeah, great question. I'll take the first part on the OT market and what we're seeing, and then I'll pass it over to Steve to talk about some of the investments from a research perspective. So we are seeing a dynamic in the market and it's been happening really all year, but it's happening I think at a bit of a faster pace where you're seeing this convergence of the OT market and the CISO getting a lot more responsibility and visibility over those OT assets. And one of the deals that we referenced you know, in the earnings announcement was that consolidation story. So we're seeing a lot of not only our install-based customers wanting to look at and be able to ingest those OT assets into Tenable One, but also new customers where they're saying, we don't want to have two distinct products and technologies, one looking at traditional IT assets and then another one looking at OT assets. So you're seeing that convergence and it is speeding up. When you also look at some of the market dynamics around the AI data center build out, that is a big area for us. We're seeing a lot of demand when companies and organizations are building out data centers. They need operational technology to monitor all of those different asset types. And we're starting to see significant pipeline growth and closing deals in that area. So we were very pleased and have been pleased all year with our OT performance, and we will continue to focus in on it from a go-to-market perspective. I'll pass it over to Steve now to talk about some of the R&D questions.

Yeah, with regard to R&D and the investments we're making, they're paired with increased confidence and our ability to execute in this big market that we call exposure management. And it's really centered around three things. Number one is the ability to unify visibility, and in particular, ingest data from other security providers so we can help customers see any asset, whether it's on their factory floor, in their network, or even in their cloud environment. And then, moreover, is the ability to normalize and dedupe all of that to tie it to mobilization and orchestration on the back end so we can help customers reduce risk. And then last, I would say, and really important, is helping customers secure their AI attack surface. And leveraging AI in a way where we're able to deliver greater insights to customers. And AI adoption of applications has dramatically expanded the attack surface and certainly made us all more successful to exploit. Intentible plays a really big role there as we're able to discover all AI applications, whether they're internally developed or even shadow AI. And then we're able to assess those for risk, including determining vulnerabilities and misconfigs. And now with AI exposure, we can go and inspect and control at the prompt level the AI applications that enterprise use the most. So we have a lot of traction with AI, pleased with the innovation we've done today, but there's certainly a lot more to do. And we believe principally the real winners in this new AI world will be companies that can assess a wide range of domains, ingest data from other security providers, and then really combine all that proprietary exposure data with AI to anticipate tax not simply to respond to them. And that's a foundational change in the security market, shifting away from detect and respond more towards pre-active and preventative approaches.

Great. Thank you so much.

The next question is from Jonathan Ho from William Blair. Please go ahead.

Hi. Good afternoon, and congratulations on the strong results. Can you give us a sense of what percentage of your total base is now on Tenable One? And it seems to me like there would be some opportunity to upsell more into the base once they've adopted the platform. So can you also talk about maybe the potential for uplift going forward on the platform?

Thank you. Hi. Yes.

As you know, we have roughly 40,000 customers 40,000 plus, should I say, and approximately, we'll call it 18,000 use one of our enterprise offerings. And of those, 3,000 plus are using Tenable One. So we've got good traction to date. It's 40% of our total new sales. And so there's a significant opportunity not only to expand within the existing customers who have adopted Tenable One, but moreover, to continue to see

further traction within our customer base. Thank you.

The next question is from Joseph Gallo from Jefferies. Please go ahead.

Hey, guys. Thanks for the question. And Matt, congrats on the new role. Looking forward to working together. It was great to hear the exposure management momentum. As we start to get ready for next year, in your convos with customers, where is the prioritization for exposure management in their budgets? And then historically, I think you give some sense of following your billings in 3Q, just any commentary on what billings can look like in 26 or confidence in sustaining the current levels would be helpful. Thanks.

Yeah, I'll take down the budget question from the customer perspective, from exposure management perspective. You know, I think one of the bright spots that we're really starting to see is, you know, we talked about all of the different analysts that are starting to cover the exposure management category. And coming out as the leader and the number one player in that category has given us lots of visibility, especially at the CISO level. And so now when we're sitting down with customers, we're not actually having to educate a lot of the CISOs what exposure management is and how it is so different from vulnerability management. They're hearing about it. They're seeing it. And so you're starting to see budgets being allocated that way. You're starting to see budgets in regard to consolidation, which is really one of the biggest motions we have in regard to going after and talking about exposure management and justifying it is really looking at that consolidation play. So that momentum is there, and it's gaining traction, and that continues to play out in the market, not just with customers, but we're also seeing our resellers and our partner communities around the globe start to build out exposure management practices and gain visibility there too.

Yeah, and I can answer your second question. So what we're really happy about is that there is this move in particular to Tenable One. Roughly a third of our business now is in Tenable One. Increasingly, we're seeing new customers adopting Tenable One. That's exactly what we're focused on. And we think that sets us up well for the long term. in going and really capitalizing on this exposure management environment. With respect to 2026, we're really focused on 2025 and closing out and continuing to execute there. And it's just too early to talk about 2026 at this point. But importantly, we feel like we're doing all the right things to put us in the right spot. Makes sense. That's helpful. Thank you.

The next question is from Patrick Colville from Scotiabank. Please go ahead.

Hi, this is Joe Vandrick on for Patrick Colville. Steve, I think you mentioned earlier that there's a lot more to do on AI innovation. So I was hoping you could expand a bit more on that, maybe talk about how you're thinking about the roadmap and how you're planning to add these new AI security products or solutions. Would it be organically or through M&A?

I think we would certainly consider both, and successful companies pull both levers here. And I think it's centered around the fact that the threat environment that we're experiencing today is unlike anything we've seen before. Adversaries are moving with incredible speed, skill, and sophistication. and leveraging LLMs and AI to create flawless hyper-realistic phishing emails that bypass both human suspicion and traditional email filters. We're also seeing, you know, executive cloning, cloning of executive faces and voices for socially engineered attacks. So, certainly, bad actors are moving with incredible speed. we're seeing the weaponization of AI, which is resulting in the discovery of more vulnerabilities. And perhaps more concerning is not just more vulnerabilities in this all new digital world of AI, but it's the exploitation of those have become much faster. Meantime, from vulnerability discovery to vulnerability exploitation has compressed dramatically. So, and this necessitates a completely new approach to security. You know, today, 96, on every dollar in cybersecurity is spent on detect and respond technologies. Consequently, 4% is on proactive security. Gartner estimates over the next five years that that mix will change dramatically. And so we'll see a disproportionate amount of spend more towards proactive security. And the goal here is to move Tenable. Our role in this world is to evolve from not just providing visibility but to be able to correlate vulnerabilities with threats and exploit chatter with criticality of those assets. So we can highlight likely paths of exploit. So organizations can look at their enterprise through the lens of adversaries, and they can identify attack paths that are most meaningful to them. So exposure management is really at the epicenter of all of that. And it's a category that continues to grow. And we've received recognition from IDC and some of the others that Mark talked about earlier, given our attraction with exposure management. And we're super excited about what's ahead for us.

Makes sense. Thank you.

The next question is from Roger Boyd from UBS. Please go ahead.

Awesome. Thanks for taking the question. You talked about the longer, more strategic deals, and it seems like that's been a consistent trend over the past couple of quarters and clearly evident in the nice acceleration on RPO and bookings this quarter. Can you just further quantify what you're seeing there, what you're doing there from a sales perspective? And with these longer contracts, what's the overlap with customers adopting 1001 exposure management? Thanks.

Yeah, you bet. I mean, it's a really... phenomenal dynamic that we're seeing, right? The great part of this, and you see it in the RPO numbers, is we have customers, not only new customers, but our install base that want to get longer-term, three-year commitments, right? They're seeing the roadmap. They're seeing how we're evolving exposure management, right, how we're building this technology and building Tenable on the platform. And when we are able to articulate that and explain to them where we're headed, you know, the customers are buying in, and they're buying in aggressively, and they're making long-term commitments. And so we're very, very focused on the install base that Steve identified, going after those 18 to 20,000 commercial and enterprise customers. Anyone that's on VM, getting them upsold to tenable one, that is our motion. We are driving that aggressively. And then for the new logos, one of the very cool things when we identified, which is an extremely high number, 437 new logos in the quarter, a very significant portion of those customers were tenable ones. So that is a pretty cool trend, and we'll be able to then upsell those customers over time. And so I think when you see customers willing to sign up for long-term contracts, when they understand where you're headed and you're truly building an enterprise-scale platform, that's an extremely positive sign for us.

Appreciate the call, Mark, and congrats, Matt.

The next question is from Joshua Tilton from Wolf Research. Please go ahead.

Hey, guys. Thanks for taking my questions. And, Matt, it's good to hear your voice again. Two for me. First one, hopefully kind of easy, more of a clarification. Is there any way you can just help us understand what the inorganic contribution to Billings was in the quarter and how we should think about the inorganic contribution to Billings for the full year? And then I have a follow-up.

Yeah, very insignificant, Josh, for both the quarter and the year.

Okay, very helpful. And then maybe just to follow up, and I preface the question with not here to hold you to any numbers, but I think part of what was great about you in your previous role is you had a pretty predictable playbook on how you wanted the financial profile of the business to kind of unfold on an annual basis. And I think investors really appreciated that. So again, not here looking for numbers, but maybe how do you think about your ability to leverage some of the playbook from your previous role and kind of deliver or help deliver a more consistent message around the durability of the financial profile for Tenable going forward?

Oh, man, that is quite a setup. So, I mean, here's the way that I look at it. Tenable has a really incredible business and is getting only better and more strategic with our move to exposure management. So when you look at the underlying fundamentals and the fact that 95% of revenue is subscription and recurring, there is an opportunity to make sure that we can continue to grow top line while also continue to add profitability. And I think there are some spots in the P&L where we've done that already over the past couple of years, but we'll continue to do that. going forward into the future where we can continue to get more leverage out of the business. So I think there's a lot of opportunity to do some of the same things that I've done before.

Appreciate it. Thank you, guys.

The next question is from Adam Borg from Stiefel. Please go ahead.

Awesome. Thanks for taking the question. Of course, welcome and congrats to Matt. Maybe just on the macro, we talked a lot about the Fed is great to see in line with expectations. Any other color you could share, just demand environment overall, be it at the upper end of the market, the mid-market, geography, vertical, any other color would be really great. Thanks so much.

No, I think demand was pretty even, really, across the board. We talked about the seasonally high mix in U.S. Federal, and we were pleased with the results there. Talked about strength in new lands and new logos, 437. And obviously the continued traction with the platform. And I think that's really the highlight of the quarter here. The one takeaway is that the ability to close platform sales, the ability to assess a wide range of domains, the ability to unify action, unify insight, and deliver increased visibility from both the things that we assess, assets that we assess, as well as ingest data from others is resonating. It's a big market opportunity. We believe we're the clear leader there, and it's good to see the validation and recognition from our customers.

Great. Thanks so much.

The next question is from Johnson Rick Haver from Cantor. Please go ahead.

Yeah, hey guys. I'm curious to hear how conversations might be changing with the pending with Google deal. How much of a concern is multi-cloud support? And then just, you know, broadly looking at tenable cloud security, how is it performing? I mean, it does look like a market that is increasingly competitive. But, you know, when you look at your positioning relative to the broader exposure management opportunity, it seems like that could be a differentiating factor. So maybe you could just elaborate on those two questions.

Yeah, you bet. No, absolutely. And, yeah, it is definitely an active conversation without a doubt, right? So a lot of CISOs are really looking at it. And we mentioned this on a couple of previous calls once the announcement was first out there, but you're really starting to see it pick up because now it's becoming reality. Now customers are getting a true sense of how they're going to come together within Google. And we are doing a significant amount of presentations, demonstrations, and POVs. in WIS accounts. When we look at Q3, we had a bunch of deals that we were able to go in and actually do displacements. One of the deals we highlighted on the call was a displacement of not just a WIS account, but also an incumbent VM player. So to the point that you brought up in the question, this consolidation story around a platform that centers around exposure management, being able to ingest multiple different assets into a hybrid platform, so both on-prem and in the cloud and in OT and in identity and other areas, that absolutely resonates. And so we are, you know, I use the term getting invited to a significant amount of more dances, and we continue and we will continue to expect that to happen, you know, throughout Q4 and going into next year. So we are very, very optimistic about our cloud business centered around Tenable One.

That's great to hear. Thank you.

The next question is from Todd Weller from Stevens. Please go ahead.

Thanks for taking the question. In the past, we've talked about kind of the growth equation to drive, you know, top line acceleration. Wanted to see if you could just kind of revisit that and give us an update. Continued momentum with Tenable One and exposure management. you know, is great and that's much higher growth. And then you have like the traditional VM piece. So how are you thinking about those components? How are you thinking about the VM kind of sustainable growth? And is it really just a math equation and time of the exposure piece continuing to get bigger? Or is there anything that can happen on the VM side that can drive kind of improved growth there? Thank you.

Yeah. Yeah. I think you've hit on the main components there. So we're 100%. focused on Tenable One and driving customers to Tenable One. And our belief is that once they're there, they will continue to expand. So whether they're doing pretty much just core VM there today, we're seeing opportunities where they then expand within Tenable One to take on more EM type activities. So that's encouraging. When you zoom out from Tenable One and you look just at VM versus EM, EM is obviously today a smaller part of our business, but it is growing much faster. So our expectation is that over time, while VM is a stable grower, EM is growing much faster, and that helps drive that growth algorithm overall.

Thank you. The next question is from Junaid Siddiqui from Truist. Please go ahead.

Great. Thank you for taking my question. You highlighted now supporting over 300 validated integrations. How are these integrations contributing to deal velocity and deal sizes?

Yeah, well, it's centered around this belief that no one security company can secure all domains, all assets across the attack surface. Today's attack surface is a sprawling ecosystem of traditional security IT devices, cloud environments, identities, both human and machine, as well as OT industrial control systems that power a lot of our critical infrastructure. So over the years, the attack surface has expanded, right? No longer about securing servers in a data center or laptops in an office. And so we think exposure management is really centered around this belief of A, assessing things that are foundational, like traditional IT devices, like cloud environments, both pre and post production, like OT assets, and even looking at the important contacts around the identities of those. But also the ability to ingest data from others. We believe in an open platform, we believe you should be able to partner for this kind of data to deliver this kind of insight to customers, all centered around this notion of unified visibility and insight and action. So it's foundational to what we do. We think the connections matter. We think it gives us certainly more breadth, the ability to deliver more insights, and more importantly, the ability to help our customers mobilize and orchestrate fixes on the back end and correlate vulnerabilities with exploit chatter, with asset criticality.

That's really important to do that in a very cohesive way. Thank you.

The next question is from Shrenik Kosari from Robert Baird. Please go ahead.

Thanks for taking my question. Congrats and welcome, Matt. Mark, Steve, you cited number one at 40% of new business was improving ASPs and deal sizes. It seems like the platform growth as a person of new business is hovering in near that 40% mix. Just what do you think are going to be the biggest unlocks to further accelerate this platform access as a passenger of new business? Are you thinking something along the lines of pricing, packaging, exploring something like Flex? Are you also thinking more field enablement and increased S&M investments? Just curious, and then follow up for Matt.

Yeah, so you highlighted a couple of great areas right there, right? And so those areas we're looking at. But I think one of the best things we've got in front of us is we've got the opportunity to expand in that install base, right? So as Steve kind of highlighted the numbers, we've got phenomenal opportunity to go expand within our huge, massive install base. So that is like the number one focus for us is getting that expansion. When you then look at the innovation that we've done around third-party ingest, We're now seeing here in Q4 a bunch of quotes going out to Tenable One deals that have third-party asset types. So we'll be able to monetize that third-party asset type. So that will start taking off. We talked about our AI strategy and what we did with Apex and how we'll be able to start monetizing that in Q4 and especially going into 2026. Now that is on the back of some of the things you highlighted. So obviously evaluating pricing and packaging strategies and marketing strategies Those are all things that we're very much on top of. But there is very tangible, specific things that we're doing today that to get the growth and the expansion within Tenable One, and we're going to continue to march down that road.

Great. Very helpful. And Matt, just very quickly from your perspective in terms of what you've seen so far, how do you plan to now kind of balance all the priorities that just laid out versus incremental operating leverage just in terms of your your priorities, how should we expect 2016?

Yeah, I think we expect to continue to both grow top line and add incremental margin. And so when we look at places on the P&L where we can expect to go get that margin, it's a little bit like what you should have seen in this quarter's results, actually, where you're going to get a little bit out of gross margin, you're going to get a little bit out of sales and marketing and G&A, and we are going to probably give a little bit back in R&D because we're continuing to invest in the platform. So, and we're going to, you know, there's going to be, obviously, no one quarter is going to be exactly like the next. We're going to continue to invest in sales capacity as well, but The point is, as you grow revenue, you're able to just get a little bit more leverage.

Got it. Thanks a lot.

The last question is from Gray Powell from BTIG. Please go ahead.

Okay, great. Thank you very much for working me in. Greatly appreciate it.

A lot of good questions have been asked. Maybe I just had one on my list that has not.

What kind of traction are you seeing with the APEX acquisition and AI exposure? And I'm not sure if you said this, but how should we think about it impacting ASPs with Tenable One or potentially driving just incremental adoption of the platform?

Sure. And so that's an acquisition that we announced, I think, the last quarter or several months ago. And really the plan from an integration perspective was to natively build those capabilities in the platform and then come to market with a more expansive AI offering, which we're pleased to see us do at Black Hat. So we did that over the summer. We brought to market AI exposure. AI exposure gives us the ability to not only discover AI applications and shadow AI, but now gives us the ability to inspect at the prompt level usage of AI. It is a foundational piece in our broader AI strategy, and the AI strategy is really centered around a couple of things. Number one, contextualize risk with AI, which we've been doing for some time and we continue to do, and that's generate risk-based prioritization. That is really dynamic and constantly updated, so AI acts really as this risk co-pilot The second thing is really a journey that we've been on, which is autonomous remediation agents. And right now, we're able to integrate bidirectionally with the CMDBs and the ticking systems. And the focus is really on generating tickets with precise remediation steps to orchestrate patch deployments and enforce configuration baselines. But part of the goal here over the course of time is this continuous learning and adaptation and use AI as a means not only to deliver greater insight, but have customers benefit from this network effect of 40,000 plus customers that global telemetry that we've collected over the last 20 years to do safer auto remediation. And so we can not only just not just respond to threats, but also anticipate them. So we're super excited about our place in this world with AI, EM, exposure management is taking on greater importance. Obviously, we expect continued welfare and continued traction with the offering itself.

Understood. That's a lot of good color. Thank you.

This concludes the question and answer session and today's teleconference. You may disconnect your lines at this time. Thank you for your participation.