Tenable Completes Acquisition of Alsid

Investor Q&A

The combination of Tenable and Alsid brings together two pioneers in risk-based vulnerability management and Active Directory security. Both advanced threats and more common hacks have long-focused on Active Directory as a means to enable lateral movement and establish persistence. Over the last 14 months with the work from home trend, and now SolarWinds hack, the importance of users and what they can do or have access to has never been more instrumental to risk management.

Why Active Directory?

Active Directory security is a complex problem and seldom done securely. As we've seen with the flurry of hacks, ranging from the sophisticated SolarWinds compromise all the way down to typical ransomware attacks, bad actors go after the Active Directory infrastructure to gain lateral movement and establish persistence. This risk has never been more acute than it is today. With so many people working remotely and often using personal devices to connect to corporate systems, Active Directory is playing a critical role in managed single sign on. We believe that tightly controlling the privileges of accounts, particularly in Active Directory environments, is as foundational to reducing risk to the business as the basic blocking and tackling of configuration management and deploying security updates.

Why now?

Understanding account access to systems and how those cascade across compute environments is a strategic and important complement to vulnerability management and systems hygiene, and is increasingly imperative to holistically managing risk, especially in complex cloud and hybrid environments. With more employees working remotely, it is an ideal time for organizations to increasingly focus on securing accounts -- employees, service contractors, temporary workers, and others -- and their access to and permissions within Active Directory as strategic to their cybersecurity posture.

What does Alsid do?

Alsid for Active Directory monitors the security of Active Directory in real time. By identifying weaknesses in the pathways with a lightweight, agentless approach, Alsid rapidly recommends remediations that disrupt any possible attack path without deploying disruptive agents that could introduce risk into the environment. The solution continuously and non-disruptively discovers new attack pathways and detects ongoing attacks in real time, recommending remediations without the need to deploy agents or leverage privileged accounts.

Where is Alsid located and who founded it?

Alsid is headquartered in Paris, France. Alsid was founded in 2016 by two former incident responders from the French National Cybersecurity Agency (ANSSI), Emmanuel Gras and Luc Delsalle, who have joined the Tenable team to help lead the operations going forward.

Why is this solution important to Tenable and to Vulnerability Management?

This acquisition extends the breadth of Tenable’s leadership in risk-based vulnerability management to accounts, managing account privileges in the same way as IT assets and risk. Tenable's coverage now includes Active Directory security for even the most complex enterprise user environments, combining vulnerability data, threat intelligence and account permissions for a more holistic view of risk and the ability to predict which issues to fix first. We view the acquisition of Alsid as a natural extension into user access and permissioning. This acquisition is a strategic complement to our Cyber Exposure vision to help organizations understand and reduce cyber risk across the entire attack surface.

Are companies shifting from on prem Active Directory to the cloud? Will you be competitive in the cloud/with Microsoft Azure deployments?

Active Directory deployments remain largely on-prem today with some workloads shifting to Azure AD. Most of our large enterprise customers maintain a hybrid Active Directory deployment. This is one reason why the acquisition of Alsid is so compelling. They fully support these complex hybrid deployments. We believe this is critically important because Alsid’s platform secures existing on-prem and hybrid environments.

Are you bringing over some pipeline and some capacity?

We are excited to welcome their talented, specialized team of Active Directory security professionals. The company has been largely focused on product development, but we expect to be able to bring over a building pipeline, Active Directory expertise in sales and sales engineering and a customer base, including many overlapping customers. The exciting opportunity here is to leverage our distribution channels and enable our salesforce to sell the product over the longer term.

Do you anticipate the Active Directory security product would have the same buyer as VM?

We do. We believe the teams focused on auditing and securing Active Directory are largely the same buyer as VM and the office of the CISO. The purchase is often in collaboration with IT/Identity teams but frequently the security of the Active Directory falls under the CISO office.

Who are Alsid’s target customers?

Alsid’s capabilities are broadly applicable, but where we believe they really shine is in complex organizations with multiple domains and business units, often with a history of acquisitions and correspondingly complex Active Directory deployments. Alsid’s go-to-market motion has been focused on large enterprises, very much in line with our GTM.

How does Alsid sell their solutions?

Alsid has a Software-as-a-Service (SaaS) solution and an on-premise deployment option but both are sold via an annual prepaid subscription model.

What is the revenue model?

Alsid has not yet adopted ASC 606, but we anticipate ratable revenue recognition treatment for their SaaS offering, consistent with our model. For the on-premise offering, we expect to recognize revenue related to the license at the time of delivery and revenue related to ongoing updates and support over the term of the arrangement.

What is the overall growth profile of the company?

Alsid is expected to contribute approximately one percentage point of growth to revenue and calculated current billings in 2021.

What are the expected transaction costs associated with the deal?

We expect to incur $5-6M in acquisition-related expenses.

What is the anticipated impact on OpEx?

Alsid has approximately 100 employees, located primarily in France. While many of these employees are Active Directory-focused product engineers, there are a number of GTM teams in other countries that have been added recently to capture the global demand. We anticipate the incremental opex will be in the range of $15-20M for the stub period.

Do you expect the same impact on free cash flow as OpEx?

FCF in 2021 is expected to be impacted to a lesser extent than the impact to OpEx and expected to be accretive some time in 2022. The acquisition is not expected to impact our free cash flow generation over the longer term nor our ability to expand our free cash flow margin for the year.

How can I learn more?

Please feel free to reach out to us at https://investors.tenable.com/investor-resources/contact-ir.

Forward Looking Statements
This Q&A contains forward-looking information that involves substantial risks, uncertainties and assumptions that could cause actual results to differ materially from those expressed or implied by such statements. Forward-looking statements in this communication include, among other things, statements about the potential benefits of the acquisition of Alsid, product developments and other possible or assumed business strategies, anticipated earnings enhancements or potential growth opportunities, anticipated capital expenditures, new products and potential market opportunities. Risks and uncertainties include, among other things, our ability to successfully integrate Alsid’s operations; our ability to implement our plans, forecasts and other expectations with respect to Alsid’s business; our ability to realize the anticipated benefits of the acquisition, including the possibility that the expected benefits from the acquisition will not be realized or will not be realized within the expected time period; disruption from the acquisition making it more difficult to maintain business and operational relationships; the inability to retain key employees; the negative effects of the consummation of the acquisition on the market price of our common stock or on our operating results; unknown liabilities; attracting new customers and maintaining and expanding our existing customer base, our ability to scale and update our platform to respond to customers’ needs and rapid technological change, increased competition on our market and our ability to compete effectively, and expansion of our operations and increased adoption of our platform internationally.

Additional risks and uncertainties that could affect our financial results are included in the section titled “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on Form 10-K for the year ended December 31, 2020 and other filings that we make from time to time with the Securities and Exchange Commission which are available on the SEC’s website at www.sec.gov. In addition, any forward-looking statements contained in this communication are based on assumptions that we believe to be reasonable as of this date. Except as required by law, we assume no obligation to update these forward-looking statements, or to update the reasons if actual results differ materially from those anticipated in the forward-looking statements.