Greetings, and welcome to the Tenable Second Quarter 2018 Earnings Conference Call. [Operator Instructions] As a reminder, this conference is being recorded. I'd like to turn the conference over to your host, Andrea DiMarco. Thank you. You may begin.

Thank you, operator, and thank you all for joining us on today's conference call to discuss Tenable's financial results for the second quarter of 2018. With me on the call today are Amit Yoran; Tenable's Chief Executive Officer; and Steve Vintz, Chief Financial Officer. Prior to this call, we issued a press release announcing our second quarter 2018 financial results. You can find the press release on the IR website at tenable.com. Before we begin, let me remind you that we will make forward-looking statements during the course of this call, including statements relating to Tenable's guidance and expectations for the third quarter and full year 2018; growth drivers in Tenable's business; changes in the threat landscape in the security industry and our competitive position in the market; growth in our customer demand for and adoption of our solutions; our expectations regarding long-term profitability; and planned innovation and new products and services. These forward-looking statements involve risks and uncertainties. Some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. We disclaim any obligation to update any forward-looking statements or outlook. For a further discussion of the material risks and other important factors that could affect our actual results, please refer to those contained in our IPO prospectus and our other SEC filings, which are available on the SEC website at sec.gov. In addition, during today's call, we will discuss non-GAAP financial measures. These non-GAAP financial measures are in addition to and not a substitute for or superior to measures of financial performance prepared in accordance with GAAP. There are a number of limitations related to the use of these non-GAAP financial measures versus their closest GAAP equivalent. Our press release that we issued today includes GAAP to non-GAAP reconciliation. And now let me turn the call over to Amit.

Thank you, Andrea, and thank you for joining us on our first earnings call. I'd like to thank our customers, employees, partners and investors for their support, which together made our recent IPO possible. This was a very important milestone for the company, and we look forward to building on our rich history in the years to come. We are pleased with our second quarter results and the start of our life as a public company. As a reminder, we provided preliminary ranges for some of our second quarter results in our IPO prospectus. I'm pleased to share that our actual results compared favorably to those preliminary ranges for revenue, calculated current billings and non-GAAP loss from operations. Our second quarter was highlighted by strong worldwide demand for our enterprise platform offerings, SecurityCenter and Tenable.io and by increasing strategic importance of Cyber Exposure. For those of you that are new to Tenable, we want to provide some background on our company and market opportunity, given that this is our first call. Our vision at Tenable is to help organizations understand and reduce their cybersecurity risk. We believe digital transformation is driving radical change. The proliferation of new types of digital technologies have resulted in a rapid expansion of the cyberattack circus. Cybersecurity risk has increased exponentially and is now a top priority in boardrooms around the globe. Improving cybersecurity and better managing risks starts by understanding the state of your security and answering key foundational questions such as where are you exposed? How should you prioritize efforts based on risk? Are you reducing exposure over time? And how do you compare to your peers? Tenable helps organizations answer these critical questions about cyber risk. We're already a recognized leader in the traditional vulnerability management market. 20 years ago, we introduced…

Thanks, Amit. Let me now dive deeper into Tenable's second quarter 2018 financial results and our business outlook. I'll begin by mentioning that except for revenue results, which are GAAP, all financial results we will discuss today are non-GAAP, unless otherwise stated. As Andrea mentioned at the start of the call, GAAP to non-GAAP reconciliations of these financial measures can be found in our earnings press release issued earlier today. I would also like to remind you that we included ranges for preliminary results for Q2 revenue, calculated current billings and non-GAAP loss from operations in our IPO prospectus in July, just prior to our roadshow. That said, I'll start my review of the quarter with the income statement. Revenue for the quarter was $63.6 million, representing a 44% increase over the same quarter last year, which is a testament to the growing strategic importance of VM and the broader Cyber Exposure mandate. It's also worth noting, our growth and scale are driven by our recurring revenue, which we expect will continue to track in the 85% to 90% range going forward. Please note that when we refer to recurring revenue, we include revenue from subscription and maintenance contracts and exclude revenue related to professional services and perpetual licenses as such amounts are not available for renewal. Before we move off revenue, let me cover the highlights of our adoption of ASC 606 in 2017. First, the revenue presented herein reflects the adoption of 606 on January 1, 2017, on a modified retrospective basis. So the year-over-year comparisons are on the same basis. Second, under 606, revenue from perpetual licenses is recognized over 5 years. And finally, sales commission expense is deferred over periods ranging from 3 to 5 years based on product. Commissions are amortized over 5 years for…

Thanks, Steve. In summary, we're excited to begin our journey as a public company and are off to a good start. We're pioneering a new category as we transform the VM market with our broader and higher value add Cyber Exposure strategy. We believe the combination of our differentiated technology and approach, combined with the growing strategic priority of understanding Cyber Exposure risk position Tenable to build a very large business over time as we become a system of record for cybersecurity and risk. We now like to open the call for any questions.

[Operator Instructions] Our first question is from Melissa Franchi from Morgan Stanley.

I guess, to start just at a high level, Amit, for you, a 39% current billings growth, that's definitely well ahead of overall vulnerability management. Wondering if you could just maybe parse through where this strength is coming from across share gains in traditional VM with SecurityCenter wins or the extent to which you are seeing momentum in selling into what you define as like modern IT assets through Tenable.io?

Sure. I think, in short, we're seeing strength and opportunity across all of those segments. In the traditional VM market segment, we have great focus and have chosen not to diversify into other market segments as competitors or other participants in this space have. So that allows us to have a deeper level of investment in -- prove our capabilities and continue to refine our capabilities. We actually just put out a piece of research over the past couple of weeks showing that organizations -- about half of the organizations are still operating with fairly immature vulnerability management practices. So we see continued growth and tremendous opportunity as the VM market continues to expand and more importantly, even organizations that have some VM program in place mature those programs and practices and expand the coverage of their VM programs within their enterprises. We're also seeing early momentum and tremendous interest in understanding Cyber Exposure more broadly than in the traditional IT asset space. So organizations coming and looking and doing evals and pilots and some early adoption of vulnerability and exposure insight into what's happening in the world of DevOps with their containers and micro services, what's happening in their cloud environments and also looking at both IoT and increasingly, some early adoption now in looking at exposure around OT environment. So -- and we're confident in the growth opportunity in the core VM market but also quite excited about the opportunity for growth in these new areas of technology that are core to enterprise risk.

Okay, got it. And one follow-up, if I may. As a new customer -- or the new enterprise customer adds continued to be pretty strong, to what extent is that coming from upselling the Nessus base versus gaining share from some of your competitors? And then can you just remind us what the catalyst would be for a Nessus customer to move into SecurityCenter or Tenable.io?

Yes. We're seeing a pretty consistent behavior in the adoption of new enterprise logos where about 1/3 of those sales are coming from the pay for Nessus Professional customer base. So we've got about 2 million downloads and users in the freeware community, we've got about 19,000 customers paying for the Nessus Professional edition. And then, in any given period, we'll see about 1/3 of our new enterprise sales or enterprise platform sales coming to us from that Nessus Pro customer base. Those -- that adoption from Nessus Professional to the enterprise platform is primarily driven by a more robust set of APIs and a feature and functionality in the enterprise platforms that make them more attractive than the Nessus Professional Scanner, which is ultimately optimized for audit types of use cases. So in addition to the APIs, more mature dashboarding, reporting, feature and functionality, better integration into other enterprise infrastructure, products, also a diverse set of -- much more diverse set of data acquisitions. So it's not just the active scanner, you get the Nessus network monitor, the passive asset discovery and vulnerability profiling technology, the container inspection for DevOps environments, the continuous monitoring and continuous view types of capabilities that come with the enterprise platform. That has enabled us, and we believe will continue to enable us, to compete effectively with our primary competitors. And I think the complement to that is that we also have seen numerous examples that would have us believe that it's not necessarily a switching market. We see customers of Qualys and other providers in the space making acquisition of our technology as well and leveraging both platforms and still, they are blended and overall spend in overall vulnerability management remains some of the most cost-effective security dollars spent. So we believe that, that trend will continue.

Our next question is from Sterling Auty from JPMorgan.

One question, one follow-up. I know a lot has not changed since the IPO. But I noticed recently some advertisement on YouTube, and it brings to mind the question, where are you seeing the biggest drivers in terms of top-of-funnel lead generation at this point? And where are you investing it moving forward?

For Tenable, I think it's been pretty consistent that the top-of-the-funnel lead generation activities have really stemmed from Nessus and the Nessus freeware community, and that remains a very active and very healthy community. Certainly, in the -- in this -- in the security -- in the technical security community, it remains one of the most broadly used and deployed pieces of software out there. And so we think that will continue. And from our perspective, that's a primary source for lead generation and for, I think just as importantly, brand awareness, trust and credibility in the community. Recent survey showed that about 2x as many security professionals were using Nessus as any other vulnerability management product out there. So again, the mind share, the brand, the trust that comes associated with that.

Great. And then can you clarify or help us understand? In terms of Lumin, what should be our expectations around the rollout of the product and how that should ramp as a product in terms of generating revenue?

So we haven't -- we're obviously progressing with our beta program. We had an oversubscribed beta program. We expanded it to letting the second wave of beta customers, and we're getting tremendous feedback from that. The interest and enthusiasm for Lumin has been very strong, and the feedback has been both positive and insightful for us as we continue to evolve and lead the market, the capabilities in that end of the market. In terms of expectations for release, I think we've got an incredibly strong brand and position of trust with Nessus and Tenable. We want to make sure that when we put that product out to market, that it provides the type of experience and capability that users have come to expect of Tenable. So we haven't -- we're leaving it much more as a functionality, capability and quality criteria than a timing criteria. And we don't view -- while we're extremely confident in Lumin, we don't view Lumin as a significant contributor to revenue over the next few periods.

Our next question is from Gray Powell from Deutsche Bank.

So maybe just to start off, how are you thinking about the longer-term opportunity with Tenable.io? I think it was contributing about 25%, give or take, of new business. So how do you see that mix changing over the next couple of years?

Well, Gray, this is Steve. Tenable.io is an increasing part of our overall mix of business. Q2, as a percentage of sales, Tenable.io is up sequentially over Q1. Long term, we're excited about the platform. It's also a preposition to selling other modules for new asset types, such as container security, cloud security. And also, with regard to Lumin, which is our telemetry and benchmarking application and also addresses Cyber Exposure more broadly, Lumin is specifically built on the Tenable.io platform. So we see a natural evolution in our business, strong demand not only just for Tenable.io domestically and abroad but also for SecurityCenter as a whole, and we're pleased with the demand we're seeing at the product level.

I guess I would just add a little bit to that. In -- I think there's maybe a misconception that products are mutually exclusive. We already have thousands of customers on Tenable.io, we have hundreds of customers -- Tenable.io customers, which are also SecurityCenter customers, where they're leveraging SecurityCenter. They want to keep their core VM programs in-house both from a performance standpoint, security standpoint. But they want to leverage some of the modern asset types of Tenable.io. They want to be able to participate in the analytic products like Lumin or some of the modern asset types or other functionality that's included in Tenable.io. So they've chosen a hybrid approach, and the 2 platforms are designed to work hand in glove and really coexist very effectively.

Got it. That's very helpful. And then this one might be a little bit early. I mean, I know Lumin is still in beta. But just how should we think about the upsell opportunity with Lumin once it's officially available? And just for example, like, if a customer's spending $100,000 per year with Tenable today, either SecurityCenter or Tenable.io, what do you see is the incremental upsell opportunity with Lumin?

We're very optimistic about the incremental upsell opportunity for Lumin. If you look at some of the startups and other companies, they are trying to deliver analytic capability on top of VM data. I think over the last couple of years, there's been sort of this awareness or resurgence of understanding that there is incredible value in the VM data and so you've seen a couple of startups pop up trying to deliver analytic value, prioritization, risk metrics on top of vulnerability data. From a asset pricing model perspective, which is how they're charging, they're actually commanding a premium pricing over and on top of what the VM vendors are getting for producing the vulnerability data itself on a per asset basis. So we're confident they don't -- both the market exists and the market has been conditioned to place great value on there. So we believe we'll be successful in upselling this value proposition with those types of pricing premiums to our existing enterprise accounts. And I think also notably, Lumin is designed to, again, not be dependent upon Tenable being your sort of exclusive or core VM provider. So we'll be able to deliver Lumin capability on top of other people's VM products and platforms. And so that represents incremental revenue opportunity for customers that have chosen other VM platforms.

Our next question is from Gur Talpaz from Stifel.

So Amit, if look at the VM space, you're seeing the emergence of new players in areas like ICS and containers. As you talk to customers, are you seeing heavier interest here in consolidating these functions around a single vendor? And then I guess more broadly speaking, how do you think about the fragmentation that exists not just with security, both in VM itself as you think about the fragmentation across broader IT and OT?

Yes, I think the -- your assertion is a valid one. I think it speaks to a renewed recognition in the market on the importance of VM, how important it is to the overall security posture and the overall understanding of risk to the enterprises. So as enterprises embrace new technologies and leverage technology in their new business models, you're seeing a need and startups being created to help generate an understanding of exposure in some of these newer technology market segments. So from a -- we think that, that's a valid observation and speaks to the importance of the types of insight that we provide. And we also believe very strongly that we've got a very active and dedicated customer base across both the enterprise and the Nessus product lines that have come to trust the Tenable and Nessus brands and believe that we'll be competing from a position of strength as we have credibility and trust in the security community to sell visibility and understanding of exposure into these new technology spaces as well as the added advantage of having a holistic visibility or holistic approach to understanding your exposures and risk across both the legacy and modern asset types. So we think it speaks to the importance of the market, and we feel like we'll be competing very favorably in some of these new market areas against some of the point solution and point product vendors that have popped up recently.

Yes, that's helpful. And Amit, you've been in this space for a long time. You talked a lot in the prepared remarks about Cyber Exposure. Are you seeing a shift in customer mentality towards risk management, towards just prioritization, away from kind of the historical binary approach that we've seen in security? I mean, are you seeing customers sort of start to echo some of the things you're talking about right now?

I think that's definitely the case. And there's -- while -- it's something that I've got tremendous confidence in and enthusiasm for, given my own experience in this space. I think you've got a lot of empirical data that shows us that, that's starting to happen. You're seeing that as a top concern from the survey of the National Association of Corporate Directors. You're seeing it from the SEC issuing new guidance around not only breach disclosure but disclosure of cybersecurity risks to the enterprise. And so for instance, if you look at the RSA show floor this past year, one of the core themes or trends is the introduction of a whole lot of new companies and looking to deliver better solution, better understanding of enterprise cybersecurity risk and also a lot of CISOs and enterprises looking for solutions in that space. So we think when it comes to understanding how secure you are, how exposed you are, what your level of risk looks like, how you compare to your peer group, we think that Tenable is perhaps uniquely positioned to deliver that type of insight across the customer base with both our history in the space as well as the capabilities that we're introducing with Lumin.

Our next question is from Jonathan Ho from William Blair.

Just starting out with maybe the U.S. federal government space, just given the upcoming end of fiscal year. Can you talk a little bit about maybe what you see from an opportunity standpoint and just maybe whether you're seeing any shifts there in terms of adoption of VM and other types of technologies?

In recent periods, I've learned to no longer try and predict what happens in the federal space. But we are -- in all seriousness, the Fed has been a strong vertical market for Tenable historically, and we've got confidence that it will continue to be a strong and important market for us going forward, not only as a consumer of our technologies but also as, I think, a broader definer of requirements and influencer in critical infrastructure and other segments of the market. If you listen to comments made by Secretary Nielsen in -- the Secretary of Homeland Security, others, they've recently kicked off an initiative around a national cyber risk center and are placing greater emphasis. And there's a lot more rhetoric and prioritization around cyber risk management, we think, based on our participation in the continuous diagnostics and monitoring programs, the CDM program for the federal government, in the Department of Homeland Security. We think that we can play an incredibly critical role in how government and also the private sector looks at and understands cyber risk and the importance that a mature VM and Cyber Exposure program could play in that understanding of risk. So we're well aligned with, I think, the federal government's view of the world. And I think we're well aligned with the messaging that they're creating and using both internally as well as putting out into the market and that, that really -- it kind of resonates not only with our view of the world, but I think with a lot of the key CISOs as well as corporate leadership at the CEO and Audit Risk Committee level that we speak with.

Great. And then we've seen that the SecurityCenter 5.7 was recently released. Can you maybe talk a little bit about the enhancements that come with that? And has historically new versions of the product driven any type of accelerated cycle or any sort of timing shifts relative to purchases? Just want to get a sense of how to think about that.

Yes. I think what you're seeing with SecurityCenter 5.7 and I think -- there are a series of releases here happening across the enterprise products and also into the Nessus product line, I think you're seeing continued enhancement of integration into enterprise platforms that our customers are asking for specifically in 5.7, the integration with PAM types of solutions for privileged access management. There is also the integration and improvement of integration into Mobile Agent Workforce support and I think this sort of investment coming from Tenable, certainly in Tenable.io but also in SecurityCenter. And I think you'll see it going forward in Nessus and other product lines, an evolution in helping our customers manage not only the desktop, servers and workstations that they've traditionally relied on Tenable for assessing risk around, but the modern asset base and also integration through open APIs as well as more scripted integrations into other enterprise platforms that they're leveraging. Again, as a best-of-breed focused provider, we want to work very elegantly with patch management solutions, with configuration management solutions, with SIM types of products and platforms, mobile platforms that enterprises have selected to use and deployed already.

This concludes the question-and-answer session as well as today's teleconference. You may disconnect your lines at this time. Thank you for your participation.