CYBER EXPOSURE MANAGING AND MEASURING CYBER RISK IN THE DIGITAL ERA FEBRUARY 2019
Forward-Looking Statements This presentation includes forward-looking statements. All statements contained in this presentation other than statements of historical facts, including statements regarding our future results of operations and financial position, our business strategy and plans and our objectives for future operations, are forward-looking statements. The words “anticipate,” believe,” “continue,” “estimate,” “expect,” “intend,” “may,” “will” and similar expressions are intended to identify forward-looking statements. We have based these forward-looking statements on our current expectations and projections about future events and financial trends that we believe may affect our financial condition, results of operations, business strategy, short-term and long-term business operations and objectives and financial needs. These forward-looking statements are subject to a number of risks, uncertainties and assumptions. Moreover, we operate in a very competitive and rapidly changing environment. New
risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from those contained in any forward-looking statements we may make. In light of these risks, uncertainties and assumptions, the future events and trends discussed in this presentation may not occur and actual results could differ materially and adversely from those anticipated or implied in any forward-looking statements we make. You should not rely on forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee future results, levels of activity, performance, achievements or events and circumstances reflected in the forward-looking statements will occur. Neither we, nor any other person, are under any duty to update any of these forward-looking statements after the date of this presentation to conform these statements to actual results or revised expectations, except as required by law. You should, therefore, not rely on these forward-looking statements as representing our views as of any date subsequent to the date of this presentation. Moreover, except as required by law, neither we nor any other person assumes responsibility for the accuracy and completeness of the forward-looking statements contained in this presentation. This presentation also contains estimates and other statistical data made by independent parties and by us relating to market size and growth and other data about our industry. This data involves a number of assumptions and limitations, and you are cautioned not to give undue weight to such estimates. Neither we nor any other person makes any representation as to the accuracy or completeness of such data or undertakes any obligation to update such data after the date of this presentation. In addition, projections, assumptions and estimates of our future performance and the future performance of the markets in which we operate are necessarily subject to a high degree of uncertainty and risk. By receiving this presentation you acknowledge that you will be solely responsible for your own assessment of the market and our market position and that you will conduct your own analysis and be solely responsible for forming your own view of the potential future performance of our business. This presentation includes non-GAAP financial measures which have certain limitations and should not be considered in isolation, or as alternatives to or substitutes for, financial measures determined in accordance with GAAP. The non-GAAP measures as defined by us may not be comparable to similar non-GAAP measures presented by other companies. Our presentation of such measures, which may include adjustments to exclude unusual or non-recurring items, should not be construed as an inference that our future results will be unaffected by these or other unusual or non-recurring items. See the GAAP to Non- GAAP Reconciliation section for a reconciliation of these non-GAAP financial measures to the most directly comparable GAAP financial measures. All third-party trademarks, including names, logos and brands, referenced by us in this presentation are property of their respective owners. All references to third-party trademarks are for identification purposes only. Such use should not be construed as an endorsement of our products or services. 2
Empowering every organization to understand and reduce their cybersecurity risk
At-A-Glance >27,000 >50% >25% $0M Primary institutional capital Customers of Fortune 500 of Global 2000 raised prior to IPO Revenue(2) $267 ~2M Subscription ($ in millions) Cumulative, unique Business model downloads $188 $124 $93 160+ 1,200+ Countries Employees 2015 2016 2017 2018 YoY Growth 33% 51% 42% 1. See Endnotes for additional information related to the figures presented. 4 2. We adopted ASC 606 on January 1, 2017 using the modified retrospective method. The 2015 and 2016 consolidated statements of operations were not adjusted for the adoption of ASC 606.
Investment Highlights One of the most recognized brands in security Data asset drives network effects Unique approach to secular growth opportunity High growth, recurring model System of record for security 5
Digital Transformation Increases IT Complexity and Cybersecurity Risk Growth of Adoption of Applications Cloud Computing Proliferation of Rise of IoT and OT DevOps 6
Cybersecurity Risk is Business Risk Casino Gets Hacked Through Its Vital Boeing computer network infected with Internet-Connected Fish Tank WannaCry virus – is it safe to fly? Thermometer 7
Evolving Vulnerability Management to Cyber Exposure Cyber Exposure Prioritization Scoring Depth of Analytics Trending Benchmarking IT Cloud Vulnerability IoT OT Management Breadth of Visibility 8
Depth of Analytics - Predictive Prioritization Threat-based vulnerability prioritization • Predicts likelihood of successful exploit in 28 days • Vulnerability Priority Rating (VPR) derived from 150 data sources • Dynamic, changes with threat landscape True Competitive Differentiation • Focus on the 3% that matters • Continuously updated Foundational for Cyber Exposure 9
Asset-Centric The Journey to Cyber Exposure Business Context Benchmarking Strategic Decision Support Cyber Exposure Predictive Prioritization IT-Centric Technical Context Day to Day Management Are we reducing our risk over time? Where should we Prioritize based on How do we compare Where are we exposure? to our peers? exposed?
Understanding Cyber Risk is Strategic and Foundational Cyber Exposure Protection Detection and response 11
Technology Ecosystem Enhances Platform Value 50 Integrations 39 Technology Partners 12
Deeply Trusted Brand Amongst Large Global Community Over 2M cumulative, unique Vulnerability management downloads of Free Nessus globally(1) skills on LinkedIn 2,000,000 Tripwire There are ~750K security professionals in the U.S.(1) 1,500,000 1,000,000 Rapid7 500,000 - Qualys 13 1. Please see the Endnotes section of the Appendix for further detail.
Data Asset Drives Significant Network Effects Tenable Research (Data science insights) Valuable Nessus Customers Data community Asset Tenable R&D 14
Tenable Can Be the System of Record for Security HR CRM IT SECURITY 15
Large and Underpenetrated TAM Traditional vulnerability Bottoms-up analysis (1) management market 2019 TAM $16Bn $ in billions New analytics products 13% $6.0 CAGR Modern IT assets $3.7 Expand Penetrate traditional IT assets in existing customer base Traditional vulnerability management market $267M 2018 Revenue Existing 2017 2021 Land customers 16 1. Please see the Endnotes section of the Appendix for details on source information.
Differentiated Go-to-Market Efficiently Addresses All Organizations Word of Mouth Marketing Channel-in & Community Internet Events / Advertising / PR Opportunities • Nessus on-ramp contributes to land and expand model • Broad channel engagement, Free / Paid Back-to-Base Lead Evaluations Cross-selling serving both enterprise and On-ramp Products Marketing mid-market Generation o Currently, channel drives over 20% of new enterprise leads TOUCH NO TOUCH • Growth in enterprise account Sales Model Inside Field Customer management model Channel eCommerce sales sales success Fulfillment Channel 17
World Class Customer Base 27,000+ >25% >50% Customers of Global 2000 of Fortune 500 USDA DOD DOE VA SSA 18
Customer Examples Highly Dynamic Cloud IoT + Cloud IT/OT Environment Fortune 100 Retailer Super Major O&G JV Single platform for Cyber Exposure across 2 million+ Securing over 100,000 assets including store kiosks IT/OT bundle with SC and ICS securing the entire assets spanning traditional and modern IT assets and connected roasting machinery converged IT/OT environment from web app to POS and cloud environments 19
Growth Strategy Acquire new enterprise platform customers Expand asset coverage Invest in technology and expand use cases Accelerate international expansion 20
Experienced Management Team and Board Amit Yoran Steve Vintz Jack Huffard Jennifer Johnson CEO & Chairman CFO Co-Founder, COO & Director CMO John Negron Renaud Deraison Ofer Ben-David Steve Riddick Bridgett Paradise CRO Co-Founder & CTO CPO General Counsel Chief People Officer Art Coviello Ping Li Jerry Kennelly Former Chairman and CEO, RSA General Partner, Accel Former Chairman and CEO, Riverbed Brooke Seawell Richard Wells Kim Hammonds Director, Tableau & NVIDIA Managing Director, Insight Former COO, Deutsche Bank 21
Financial Overview FEBRUARY 2019
Financial Highlights Rapid, recurring revenue growth at scale Balance and diversified model Land-and-expand model Capital efficient business 23
Rapidly Growing Revenue $75 (1) (1) Annual Revenue Quarterly revenue $69 $ in millions $ in millions $64 $267 $59 $54 42% $49 CAGR $44 $188 $40 $36 $34 $29 $124 $26 $93 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 2015 2016 2017 2018 2016 2017 2018 YoY Growth 58% 53% 45% 50% 46% 44% 42% 39% 24 1. We adopted ASC 606 on January 1, 2017 using the modified retrospective method. The 2015 and 2016 consolidated statements of operations were not adjusted for the adoption of ASC 606.
Composition of Revenue % Revenue by line item(1)(2) % Recurring(1) 3% 2% 3% 20% 32% 27% 86% 89% 77% 71% 65% 2016 & 2017 2018 2016 2017 2018 Subscription Perpetual and maintenance Professional services 1. We adopted ASC 606 on January 1, 2017 using the modified retrospective method. The 2015 and 2016 consolidated statements of operations were not adjusted for the adoption of ASC 606. 25 2. Maintenance revenue is $26 million in 2016, $29 million in 2017 and $33 million in 2018.
Strong Growth in Calculated Current Billings Calculated current billings(1) $350 Annual, $ in millions 6 36% $326 Growth $300 $97 5 35% 42% $87 CAGR Growth $250 $236 4 $71 $200 $64 $158 3 $150 $115 2 $100 $50 1 $0 0 2015 2016 2017 2018 Q3 2017 Q3 2018 Q4 2017 Q4 2018 26 1. Figures presented here are Non-GAAP financial measures. Please reference Appendix for a reconciliation of GAAP to Non-GAAP financial measures.
Landing Higher Value Customers 453 New logo enterprise LTM $100K+ ACV accounts(2) up 28x platform customers(1) 387 340 1,178 307 1,017 265 786 216 181 145 124 100 74 45 55 33 16 19 2016 2017 2018 Q1'15 Q2'15 Q3'15 Q4'15 Q1'16 Q2'16 Q3'16 Q4'16 Q1'17 Q2'17 Q3'17 Q4'17 Q1'18 Q2'18 Q3'18 Q4'18 1. Chart represents new enterprise platform customer acquisitions excluding upsells. Enterprise platform customer defined as a customer 27 that has licensed Tenable.io or Tenable.SC for an annual amount of $5,000 or greater. 2. Chart represents the number of customers with $100K and greater of annual contract value for the last 12 months.
Multiple Ways to Land and Expand Annual contract value • Nessus serves as a cost- effective on-ramp to larger enterprise platform sales • Elastic, asset-based pricing model Nessus upsells New logos On-ramp: • Proven land-and-expand Platform strategy Nessus • 89% recurring revenue(1) More assets and applications 1. Recurring revenue figure for 2018. 28
Income Statement and Cash Flow Highlights Three Months Ended December 31, Year Ended December 31, (in thousands) 2018 % of rev 2017 % of rev 2018 % of rev 2017 % of rev Revenue $75,221 $54,117 $267,360 $187,727 ~85% Cost of revenue 12,399 8,378 43,167 25,588 Gross profit 62,822 84% 45,739 85% 224,193 84% 162,139 86% Gross margin Operating expenses: Sales and marketing 47,380 63% 32,784 61% 173,344 65% 116,299 62% Research and development 21,169 28% 15,633 29% 76,698 29% 57,673 31% General and administrative 13,864 18% 8,945 17% 46,732 17% 28,927 15% ~30% Total operating expenses 82,413 110% 57,362 106% 296,774 111% 202,899 108% Investment in R&D Loss from operations $(19,591) -26% $(11,623) -21% $(72,581) -27% $(40,760) -22% Net cash used in operating $(1,554) $(5,452) $(2,559) $(6,266) activities Modest cash burn Purchases of property and equipment (1,593) (1,127) (5,733) (2,755) Free cash flow $(3,147) $(6,579) $(8,292) $(9,021) 29
Investment Highlights One of the most recognized brands in security Data asset drives network effects Unique approach to secular growth opportunity High growth, recurring model System of record for security 30
Non-GAAP Reconciliations Calculated Current Billings: We define calculated current billings, a non-GAAP financial measure, as revenue recognized in a period plus the change in current deferred revenue in the corresponding period. We believe that calculated current billings is a key metric to measure our periodic performance. Given that most of our customers pay in advance (including multi-year contracts), but we generally recognize the related revenue ratably over time, we use calculated current billings to measure and monitor our ability to provide our business with the working capital generated by upfront payments from our customers. We believe that calculated current billings, which excludes deferred revenue for periods beyond twelve months in a customer’s contractual term, more closely correlates with annual contract value and that the variability in total billings, depending on the timing of large multi-year contracts and the preference for annual billing versus multi-year upfront billing, may distort growth in one period over another. The following table presents a reconciliation of revenue, the most directly comparable GAAP measure, to calculated current billings for each of the periods presented: Calculated Current Billings: 2015 2016 2017 2018 Q3 2017 Q4 2017 Q3 2018 Q4 2018 Revenue $93,466 $124,371 $187,727 $267,360 $48,980 $54,117 $69,440 $75,221 Deferred revenue (current), end of period 54,721 88,011 154,898 213,644 137,521 154,898 191,578 213,644 Deferred revenue (current), beginning of period(1) (33,163) (54,721) (107,006) (154,898) (122,190) (137,521) (174,277) (191,578) Calculated current billings $115,024 $157,661 $235,619 326,106 $64,311 $71,494 $86,741 $97,287 1. In connection with adopting ASC 606, we recorded $19.0 million of current deferred revenue on January 1, 2017 related to perpetual license revenue recognized in prior periods. 32
Endnotes REFERENCED FROM PAGE 4: 1. All figures presented are as of December 31, 2018, unless otherwise noted. 2. We believe our ability to expand sales with customers is most effectively measured by our dollar-based net expansion rate. We utilize dollar-based net expansion rate to measure the long-term value of our customer relationships because it is driven by our ability to retain and expand the revenue generated from our existing customers. We calculate dollar-based net expansion rate as follows: • Denominator: To calculate our dollar-based net expansion rate as of the end of a reporting period, we first establish the ARR from all active subscriptions and maintenance from perpetual licenses as of the last day of the same reporting period in the prior year. This represents recurring payments that we expect to receive in the next 12-month period from the cohort of customers that existed on the last day of the same reporting period in the prior year. • Numerator: We measure the ARR for that same cohort of customers representing all subscriptions and maintenance from perpetual licenses based on customer orders as of the end of the reporting period. We calculate dollar-based net expansion rate by dividing the numerator by the denominator. REFERENCED FROM PAGE 13: 1. Unique downloads are based on each unique email address utilized to register for the use of Nessus Home. 2. Determined by data available through CyberSeek, part of the U.S. Commerce Department’s National Institute of Standards and Technology. REFERENCED FROM PAGE 16: 1. Traditional Vulnerability Management Market includes the Policy and Compliance and Device and Application Vulnerability Assessment segments as reported by IDC in their Worldwide Security and Vulnerability Management Forecast, 2017–2021, dated January 2018. 33