Tenable (NASDAQ:TENB) is a leading vulnerability management software provider that is trying to expand its capabilities into complementary adjacent security verticals. This is a necessary strategy, as cybersecurity is consolidating towards broader platforms, but it is changing the basis of competition and could eventually threaten Tenable’s viability as a standalone company.
Market
Vulnerability management software aims to identify, classify, prioritize, and remediate security issues that could potentially be exploited. Successfully implemented, a vulnerability management platform allows organizations to:
- Gain visibility across the attack surface
- Anticipate threats and prioritize remediation efforts
- Improve decision-making through a greater understanding of risk
Trends like cloud computing, IoT, and remote work are expanding the attack surface, complicating vulnerability management:
- Identity and access management systems used to control user privileges are a potential weak point
- Operational technology is increasingly becoming linked to existing IT systems and the internet
- Remote work and mobile workforces have resulted in a proliferation of personal devices
- Virtual machines, containers, etc. are common in the cloud
Security teams must identify, prioritize and resolve vulnerabilities, a task that has been made more difficult by a proliferation of environments and a shortening of development cycles in recent years. As a result, automation is likely to take an increasingly large role in vulnerability management in the future.
Figure 1: Proliferation of Environments Needing Protection (Tenable)
Cloud security has also resulted in DevOps and supply chain risks, with shift-left security evolving in response. DevSecOps aims to help DevOps teams detect and fix vulnerabilities and misconfigurations early in the software development lifecycle. While a range of companies (developer platforms, observability vendors, cloud security vendors, etc.) are positioning themselves to capitalize on this opportunity, Tenable’s vulnerability management background could be leveraged to gain a foothold.
As a result of these trends, and the fact that customers want to consolidate vendors, Tenable’s addressable market extends beyond vulnerability management, into areas like identity security, cloud security, and OT security. Tenable’s TAM is reasonably large, but its core market is quite small and its success in adjacent markets is not guaranteed.
Table 1: Tenable’s Total Addressable Market (Created by author using data from Tenable)
Macro volatility is clouding Tenable’s near-term outlook, although vulnerability management appears to be less impacted than many software segments. Tenable is confident that vulnerability management remains a strategic focus for customers, although the company has observed a number of signs of less favorable market conditions, including:
- Backend loaded quarters
- Longer sale cycles
- Increased scrutiny of large deals
In the first quarter market conditions led to a number of highly qualified committed deals falling out of the quarter. Many of these deals were with customers in the banking and financial services and technology and telecom industries. Demand reportedly remains strong though, with Tenable’s new pipeline generation exceeding expectations in the first quarter.
Figure 2: Job Openings Mentioning Vulnerability Management in the Job Requirements (Revealera.com)
Tenable
Tenable is a leading provider of exposure management solutions. Exposure management refers to the measurement and management of cybersecurity risk, and expands on vulnerability management which is focused on the discovery and remediation of Common Vulnerabilities and Exposures.
Tenable offers a range of products and services, including:
- Tenable.io – Vulnerability Management solution that provides visibility of all assets and associated vulnerabilities, internal and regulatory compliance violations, misconfigurations, and other cybersecurity issues.
- Tenable.io Web Application Scanning – Automated Vulnerability Scanning for modern web applications.
- Tenable Lumin Exposure View – Measurement tool that helps customers score cyber risk across their organizations.
- Tenable.cs – Cloud Security solution that enables security teams to assess the security posture of their cloud environments.
- Tenable.ad – Active Directory security solution that enables users to find and fix weaknesses before they are exploited and detect and respond to ongoing attacks.
- Tenable.asm – External Attack Surface Management solution.
- Tenable.sc – On-premises Vulnerability Management offering.
- Tenable.ot – Operational Technology Security solution that provides threat detection, asset tracking, vulnerability management, and configuration control capabilities.
Figure 3: Tenable’s Platform (Tenable)
Tenable One
Tenable One is a cloud-based Exposure Management Platform which aims on providing proactive cyber risk management. Tenable One provides a range of functionality like vulnerability management, cloud security, identity exposure, and external attack surface management. It also unifies a variety of data sources to provide greater visibility and help security teams to prioritize efforts.
Tenable One incorporates the following Tenable products:
- Tenable.io
- Tenable.io Web Application Scanning
- Tenable Lumin Exposure View
- Tenable.cs
- Tenable.ad
- Tenable.asm
Acquisitions
Tenable has acquired a number of companies in recent years to support the expansion of its business. These have generally been smaller technology acquisitions or acquihires, rather than acquisitions to boost current revenues.
- Indegy was acquired in 2019 for USD78 million
- Alsid was acquired in 2021 for USD98 million
- Accurics was acquired in 2021 for USD160 million
OT Security
OT security is a target growth area for Tenable. The company wants to provide a unified risk-based product for OT & IT converged environments, with active/passive capability & situational awareness.
Tenable acquired Indegy in 2019 to create a unified, risk-based platform spanning both IT and OT security. In the past CISOs haven’t had the visibility necessary to measure and manage OT risk in the same way as IT risk. Indegy is an OT and industrial network security specialist, and the acquisition was expected to expand Tenable’s capabilities from vulnerability management to asset inventory, configuration management, and threat detection.
Active Directory
Vulnerability management for identity/access is another focus area for Tenable. Alsid was acquired in 2021 to support this part of the business. Alsid offers software to monitor the security of Active Directory in real time. Active directory security is an important capability as exploiting user privileges via Active Directory is a commonly used tactic in many hacks. Alsid discovers new attack pathways, detects ongoing attacks, and recommends remediation actions without the need to deploy agents or leverage privileged accounts.
Cloud Security
Tenable offers a number of cloud security products, with a focus on Infrastructure as Code security and runtime CSPM. The Accurics acquisition helps to build out Tenable’s cloud security and shift-left security capabilities. Accurics’ enterprise offering scans IaC for misconfigurations and monitors provisioned cloud infrastructure for drift. This enables security teams to assess and secure infrastructure both before it is deployed and at runtime.
Competitors
Tenable has grouped its competitors into a number of categories:
- Vulnerability management and assessment vendors – Qualys (QLYS) and Rapid7 (RPD)
- Diversified security software and services vendors – Microsoft (MSFT) and Palo Alto (PANW)
- Endpoint security vendors with vulnerability assessment capabilities – CrowdStrike (CRWD)
- Public cloud vendors
- Providers of point solutions that compete with some of Tenable’s features.
- Internally developed software
Tenable has stated that competitive dynamics have never been more favorable. This belief appears to be the result of the length of tech evaluations falling by 10% YoY. Customers want to consolidate spend onto the one platform, and within vulnerability management, Tenable appears to be the platform of choice.
While Tenable has a strong competitive position within vulnerability management, the expansion of platforms in adjacent categories and the desire of customers to consolidate vendors represent a threat. Vulnerability management may become a feature of broader platforms rather than a standalone product, particularly if complementary capabilities rise in importance.
Vulnerability management tools can only scan for known vulnerabilities, potentially making threat intelligence an important complementary capability. Cybersecurity is also becoming a data problem, providing an advantage to vendors with a larger footprint. This could make companies like CrowdStrike and Palo Alto Networks a serious threat in time, although based on current offerings this appears to be a way off.
Financial Analysis
Tenable One is responsible for a mid-teens percentage of new business and a high single-digit percentage of overall business. Within Tenable One, Tenable is also seeing adoption outside of vulnerability management. Despite this, overall growth is only modest at the moment.
Tenable is expecting roughly 16% revenue growth YoY in the second quarter. For the full-year revenue growth is currently expected to be around 14%.
Figure 4: Tenable Revenue (Created by author using data from Tenable)
Tenable’s growth is somewhat limited by the fact that vulnerability management is a relatively small market offering limited growth, with expansion into adjacent opportunities driving much of the company’s recent growth.
Figure 5: Exposure and VM Growth (Tenable)
Tenable’s dollar-based net expansion rate was 113% in the first quarter and gross retention was also strong, demonstrating strength amongst existing customers. Net new customer figures were weak though, indicating that Tenable is finding it difficult to land new customers at the moment. While this is understandable in the current environment, it will weigh on growth going forward.
Figure 6: Tenable Net New Customers (Created by author using data from Tenable)
The number of job openings mentioning Tenable in the job requirements has been fairly steady in recent months, which could be indicative of a stable demand environment. This certainly looks favorable relative to vulnerability management job openings.
Figure 7: Job Openings Mentioning Tenable in the Job Openings (Revealera.com)
Tenable’s operating profit margins have generally been improving over time, despite gross profit margins trending down as the SaaS business grows. Tenable’s growth has been reasonably efficient in the past, which should eventually lead to a decent level of profitability.
Figure 8: Tenable Profit Margins (Created by author using data from Tenable)
Earlier in the year Tenable had plans to invest more aggressively in go-to-market capabilities, although Tenable job openings have fallen off significantly in the past few months. This could indicate that market conditions have become more difficult than expected earlier, or that Tenable’s focus on profitability has increased.
Figure 9: Tenable Job Openings (Revealera.com)
Valuation
Based on its current growth and profitability, Tenable’s stock is priced broadly in line with peers. While the company may continue to do while going forward, Tenable’s current financial performance appears to be less impacted by the demand environment than many companies, meaning growth is less likely to reaccelerate when the macro environment improves. Over a longer time frame, it is also unclear how Tenable will be impacted by the growth of security platforms offering broad functionality.
Growth will continue to decelerate going forward and the growing importance of the cloud business will continue to weigh on margins. This, along with an uncertain future makes for an unfavorable risk-return ratio at the current valuation.
Figure 10: Tenable Relative Valuation (Created by author using data from Seeking Alpha)
Read the full article here