Tenable Holdings Inc (TENB) 2018 Q3 法說會逐字稿

Greetings, and welcome to Tenable's Third Quarter Earnings Call. (Operator Instructions) As a reminder, this conference is being recorded. I would now like to turn the conference over to your host, Andrea DiMarco, VP Investor Relations and Strategy.

Thank you, operator, and thank you all for joining us on today's conference call to discuss Tenable's financial results for the third quarter of 2018. With me on the call today are Amit Yoran, Tenable's Chief Executive Officer; and Steve Vintz, Chief Financial Officer. Prior to this call, we issued a press release announcing our third quarter 2018 financial results. You can find this press release on the IR website at tenable.com.

Before we begin, let me remind you that we will be making some forward-looking statements during the course of this call, including statements relating to Tenable's guidance and expectations for the fourth quarter and full year 2018; growth and drivers in Tenable's business; changes in the threat landscape in the security industry and our competitive position in the market; growth in our customer demand for, and adoption of, our solutions; Tenable's expectations regarding long-term profitability and planned innovation and new products and services. These forward-looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements.

You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. We disclaim any obligation to update any forward-looking statements or outlook.

For a further discussion of the material risks and other important factors that could affect our actual results, please refer to those contained in our most recent quarterly report on Form 10-Q filed with the SEC on September 7, 2018, and subsequent reports that we've filed with the SEC, which are available on the SEC website at SEC.gov.

In addition, during today's call, we will discuss non-GAAP financial measures. These non-GAAP financial measures are in addition to, and not a substitute for or superior to, measures of financial performance prepared in accordance with GAAP. There are a number of limitations related to the use of these non-GAAP financial measures versus their closest GAAP equivalents. Our press release that we issued today includes GAAP to non-GAAP reconciliations for these measures.

And now let me turn the call over to Amit.

Thank you, Andrea, and thank you, everyone, for joining us on the call today. I'm pleased to share that Tenable delivered another strong performance in our second quarter as a public company. Revenue grew 42% year-over-year to $69.4 million, and calculated current billings grew 35% year-over-year to $86.7 million. We continue to expand our leadership position as we define the Cyber Exposure market. As Steve will detail in a moment, we're raising our guidance for the full year based on our third quarter results and positive outlook for the remainder of the year.

Our third quarter saw continued strength in demand for both Nessus Professional and our enterprise platform offerings: Tenable SecurityCenter and Tenable.io, which you'll hear me refer to as SC and I/O for short.

Enterprise demand was strong across a wide range of verticals, including strong performance in the seasonably strong Fed sector as well as in each of our major geographic theaters of operation. The end result was continued strong volume with the addition of over 200 new Enterprise platform customers in the third quarter.

We also saw the continued adoption of Tenable as a strategic enterprise platform for Cyber Exposure, as evidenced by the addition of 47 new 6-figure customers. We also added to our 7-figure customer base during the quarter.

Before we move on to customer highlights, we appreciate that many investors are still relatively new to the Tenable story, so I'd like to take a few minutes to reiterate what we do and why customers choose Tenable for their Cyber Exposure strategy. Cyber Exposure builds on our roots in vulnerability management and expands our value proposition in 2 key ways: the breadth of visibility across a wider set of asset types; and the depth of analytics to better understand and communicate Cyber Exposure to the business, both of which are critical to accurately assessing cyber risk.

One of the biggest drivers for our market continues to be organizations moving to new technologies, such as web applications, cloud infrastructure, DevOps containers and micro services, IoT and automation of operational technologies. These nontraditional IT assets are growing rapidly and, by nature, may introduce more risk. They cannot be assessed for vulnerabilities and security issues with traditional methods, such as active and agent-based scanning.

Tenable is well positioned to capitalize on this long-term shift, since we're able to help organizations address their cyber exposure regardless of where they are on their digital transformation journey.

We provide visibility into organization's Cyber Exposure across the widest breath of assets, spanning IT, cloud, IoT and safety critical OT with a series of analytic capabilities that help customers prioritize and manage their cyber exposure and translate vulnerability data into business insights. Our platforms can be deployed either on premises or in the cloud, depending on customers' needs.

Together, our platforms assess millions of assets for over 24,000 customers around the globe. As I noted up front, we're seeing strong demand for both SC and I/O. The momentum of I/O is robust, as many customers have a cloud-first mentality. But we also continue to see strong demand for our on-prem SC offering. In fact, a growing number of customers are expanding their on-prem deployments to include modern asset types. Tenable is well positioned to cover these expanding use cases with a wide range of deployment options.

With that, I'd like now to highlight a few noteworthy use cases in a few new 6-figure customer wins in the quarter. Our first new customer example is a multinational Fortune 500 engineering and manufacturing company. This company had deployed a legacy VM solution from a competitor, but over the years became increasingly concerned that they were not getting comprehensive scan results. The customer told us that Tenable.io was selected to support their cyber exposure strategy due to our comprehensive vulnerability assessment capabilities, our seamless integration and our flexible reporting features, in addition to our ability to help them improve their assessment of cyber risk holistically across modern asset types, such as containers and web applications.

In another example, a large not-for-profit organization purchased both SC and I/O. This customer had been using a competitor with limited reporting capabilities to measure and communicate cyber risk. Organization-wide initiatives to migrate to the cloud proved challenging for their legacy solution with their reporting and scale limitations. Tenable's solution allowed the customer flexibility between SC and I/O as business requirements for moving to the cloud evolve over time; to satisfy customers' immediate goals for better data and better reporting, and we're able to provide them a path to the cloud on I/O. I/O also solved their AWS VM requirements.

We also continue to expand our relationship in the public sector. Over the years, we've worked hard to build a clear leadership position in the public sector, and we continue to strengthen that lead during the third quarter. We closed several significant deals across the U.S. federal government, including within DoD, intelligence community and civilian agencies, highlighted by new 6-figure competitive displacement with a large civilian agency of the U.S. government. It was a very strong quarter with respect to both renewing and expanding our relationships with existing Fed customers. We also continued to be the predominant solution under DHS's Continuous Diagnostics and Mitigation program, or CDM for short. In addition, we sold our first industrial security deal within the federal government.

An expansion we'd like to highlight in the Enterprise sector occurred with a large global payment processor. After cobbling together multiple VM solutions for years, this customer purchased both SC and I/O last year. Less than 8 months later, they expanded coverage by almost 50% to cover a recently acquired data center, expanded coverage by another 250% to include their mission-critical production environment. This is a great example from a customer shifting from multiple tactical VM solutions to our strategic Cyber Exposure platform, which encompasses a range of IT assets and modern compute platforms, such as cloud environments. And this type of story is one that we hear regularly.

We also closed an expansion deal with a European manufacturer operating in 50 countries. This customer purchased I/O last year as an upsell from their Nessus Pro to help them cover assets in their European and Asia-Pacific operations. This year, they expanded coverage by almost 2x to cover the U.S. operations in an attempt to have a more holistic platform for visibility across their globally distributed assets. This is another typical expansion for Tenable.

We're also seeing increased global interest in our platform for operational technologies with notable focus in industrial security wins from within the federal government and energy sectors, including one of the largest wind power producers in EMEA. While these initial control system deals do not represent a significant portion of our Enterprise business, they are very important strategically and highlight a long-term growth opportunity for Tenable.

Overall, the breadth of these customer examples reflects strong momentum across our major platforms with new and existing customers across a diverse set of verticals as well as geographies. In addition to our customer wins, we'd also like to highlight some of our product innovations and recognitions. We're honored that Tenable recently received a Growth Excellence Leadership Award from Frost & Sullivan, that underscores our continued leadership in the core vulnerability management market and, equally importantly, recognizes the differentiated depth and breadth of our Cyber Exposure strategy. They highlighted our comprehensive visibility into traditional and modern IT and OT assets, and our product innovations, such as I/O and industrial security.

Focus and innovation within Cyber Exposure market are foundational to Tenable. We believe a core reason for our success and differentiation from our competitors is that while others diversified into multiple security markets, Tenable has doubled down to drive innovation and vulnerability management.

During the third quarter, we upgraded our VM solutions with features that strengthened integration, enhanced usability and increased coverage of assets. We released Tenable SecurityCenter 5.7, adding integration capabilities for privileged access management, enhanced capabilities for mobile workforce at scale and updates in the Nessus agents. We also released several highly innovative features focused on Nessus Professional. Nessus 8 added live results. These are real-time updates that virtually eliminate time to assess vulnerabilities through inferences based on existing scanned meta data, even when disconnected from the network. Nessus 8 customers will also benefit from the Grouped View, a feature designed to group issues into a single thread to help customers better manage workloads.

Nessus has cemented its position as the industry's most widely used vulnerability assessment solution for applications with nearly twice as many security teams using this solution as any other competitive offering. This provides Tenable with incredible market awareness and credibility with security professionals.

We also significantly increased our coverage of OT devices. Our latest passive network monitoring release for industrial security extended our OT device coverage by several thousand, including devices from Siemens, Schneider, Rockwell, Honeywell, Mitsubishi and many other leading ICS and skated device manufacturers.

During the quarter, we also enhanced our strategic security alliance with ServiceNow with new bidirectional integrations for both SC and I/O. Our new integration with their vulnerability response module provides customers with a closed loop remediation process from discovering machines to finding the vulnerabilities to orchestrating patching to verifying successful remediations. Our new integration also includes bidirectional asset syncing from Tenable.io directly to ServiceNow CMDB, helping to ensure that security teams receive the same level of visibility as IT teams into assets across the modern enterprise.

And our new integration gives customers the ability to directly import Tenable.io vulnerability data into ServiceNow with its ITSM workflow for faster remediation.

Lastly, we continue to advance the development of our Cyber Exposure scoring, benchmarking and peer comparison product, Lumin. We believe that Lumin will enhance our ability to help customers measure and benchmark their cyber exposure, both over time and against their peers. Lumin is designed to provide our customers with strategic decision support they need to properly align security and IT business objectives.

Now let me turn the call over to our Chief Financial Officer, Steve Vintz, and then, I'll come back to summarize at the end.

Thanks, Amit. Let me now dive deeper into Tenable's third quarter 2018 financial results and our business outlook. I'll begin by reminding you that except for revenue, all financial results we will discuss today are non-GAAP, unless otherwise stated. As Andrea mentioned at the start of this call, GAAP to non-GAAP reconciliations of these financial measures can be found in our earnings press release issued earlier today.

Revenue for the quarter was $69.4 million, representing 42% growth over the same quarter last year, and it's also above the high end of our guided range. Revenue was higher than expected due in part to better calculated current billings in the quarter as well as strong inter-quarter flow. It's also worth noting that 89% of our revenue in Q3 was recurring, which is a benefit of our subscription model.

As you may recall, we include revenue from subscription and maintenance contracts in recurring revenue but exclude professional service and perpetual license revenue in this definition, as such amounts are not available for future renewal. Since we're on the topic of perpetual licenses, as a reminder, under ASC 606, we recognize revenue from perpetual licenses ratably over 5 years versus revenue recognition upfront previously.

I briefly mentioned our subscription model earlier, but once again as a reminder, we sell our software primarily on an annual subscription basis with a term that is generally 1 year in length, although, some customers prefer multi-year contracts. Substantially, all of our contracts are paid upfront. The value of a contract can be based on the number of IPs or assets purchased.

Now with that as a backdrop, I want to walk you through our calculated current billings. Since swings in the percentage of billings from multi-year prepaid contracts can meaningfully skew growth in total billings, higher or lower in a given period, we believe calculated current billings is a better proxy of the underlying momentum of the business and generally correlates to annual contract value, or ACV, which is how we manage the business.

Calculated current billings, defined as the change in current deferred revenue plus revenue recognized in a period, grew 35% year-over-year to $86.7 million in the third quarter of 2018. This growth in scale is a testament to the growing strategic importance of VM and the broader Cyber Exposure opportunity that we are addressing.

For Q3 in particular, which is the end of the U.S. government's fiscal year, we're very pleased that Federal contributed over 20% of our total billings in the quarter. This is consistent with our continued position and strength in this market. Now while Fed sales do seasonally trend higher in the quarter, the third quarter, Fed typically represents less than 15% of our total annual billings. Amit highlighted earlier our success in the federal market, but in short, we are very pleased with our growing presence in this important sector.

In addition to the public sector, let's discuss some other growth drivers for the quarter. In simple terms, this comes down to winning new customers, retaining customers and growing the value of our relationships with customers.

In the third quarter, we added 258 new Enterprise platform customers, which is relatively consistent with last year. While we had a strong quarter with expansions in our customer base, we added a significant number of new Enterprise logos in the quarter, and we believe there is a long runway to continue to do so.

Given our continuing focus to land and expand larger deals in the Enterprise market, it is natural to expect some level of variability between volumes and deal sizes on a quarter-to-quarter basis.

As it relates to large deals, we had 387 customers spending in excess of $100,000 in annual recurring revenue on an LTM basis at the end of the third quarter, which is up 79% over the same period last year. Within this category, we also added a higher number of $500,000 to 7-figure customers, as compared to recent quarters. This resulted in an increase in ASPs for our new Enterprise business in the quarter. The takeaway here is that we are seeing strong demand in the market and are experiencing continued momentum from new customer acquisition, upsell and renewals.

I'll now turn to expense and profitability. Gross margin for the quarter was 84%, down from 85% in Q2 but came in better than expected. As previously discussed, we are making investments in our public cloud infrastructure in connection with our Tenable.io cloud platform. These investments are currently scaling better than expected, so gross margin has been contracting more gradually than anticipated, even as I/O continues to grow as a percentage of sales. However, we do expect gross margins to settle in for low 80% range to high 70% range over time.

Now turning to operating expenses. We are focused on improving operating leverage in our business over the long term, but in the near term, we are investing for growth. Sales and marketing expenses for Q3 were $41.8 million compared to $29.2 million in the third quarter last year. This represents 60% of total revenue for the quarter, consistent with Q3 last year and an improvement from Q2 levels.

Our investments in building our global sales organization tend to be weighted towards the beginning of the year, which produces leverage over time as new members of our sales team ramp their productivity. R&D expense in Q3 was $18.1 million compared to $15.4 million in Q3 last year. As a percent of total revenue, R&D was 26% in the most recent quarter versus 31% in Q3 last year.

Innovation remains a top priority for us across all of our products, but especially around data science, analytics and coverage of new paradigm assets, including OT, web app, cloud and containers.

For Q3, we have also capitalized $600,000 or approximately $1.5 million year-to-date related to the development of Lumin.

G&A expense was $10.3 million for the quarter compared to $6.2 million last year. As a percent of total revenue, G&A was 15% in Q3 versus 13% in Q3 last year. The increase largely reflects the occurrence of public company costs. Our non-GAAP loss from operations in the quarter was $12.2 million, better than our guidance of a loss of $17.5 million to $16.5 million and compared to a loss of $9 million in the third quarter last year.

Non-GAAP operating margin was negative 18%, consistent with the third quarter last year. Pro forma non-GAAP loss per share was $0.14, also better than our guidance of a loss of $0.19 to $0.18 and compared to a loss of $0.12 in the same period last year. The pro forma weighted average shares assume the preferred shares outstanding before our IPO were converted to common stock at the beginning of all periods presented.

As a reminder, we are using pro forma shares for historical periods and guidance, solely for comparability purposes. We finished the quarter with $287 million in cash and cash equivalents and short-term investments, having closed our IPO in July. Our free cash flow burn was $2.9 million for the quarter compared to a burn of $1.9 million in the third quarter of 2017. We started our ESPP program in August, which contributed approximately $2.3 million to our free cash flow in the quarter. The first stock issuance under the ESPP program will be in March of 2019, which will reduce our free cash flow by approximately $8 million to $9 million in Q1. But we believe we will -- it will have minimal impact on the overall free cash flow for the full year 2019, as the second half of the year will reflect proceeds from the new offering period. In short, we're pleased with the efficiency and cash flow of the business, and we continue to target positive cash flow by the time we exit 2020.

Now turning to guidance. For Q4 2018, we currently expect revenue to be in the range of $72.5 million to $73 million; non-GAAP loss from operations to be in the range of $14 million to $13 million; non-GAAP net loss to be in the range of $13.6 million to $12.6 million; and pro forma non-GAAP loss per share in the range of $0.15 to $0.14, assuming a weighted average shares outstanding of $92.2 million.

For the full year 2018, we currently expect revenue of $264.6 million to $265.1 million, which is up from our prior guidance of $260 million to $261 million. We are also increasing our annual guidance on calculated current billings. For the full year 2018, we expect calculated current billings of $321 million to $322 million, which is up from our prior guidance of $314 million to $316 million and compares to the $235.6 million for the full year 2017. We now expect non-GAAP loss from operations to be in the range of $52.3 million to $51.3 million; non-GAAP net loss to be in the range of $53 million to $52 million; and pro forma non-GAAP net loss per share in the range of $0.63 to $0.61, assuming a weighted average shares outstanding of $84.8 million.

And now, let me turn the call back to Amit for some closing comments.

Thanks, Steve. In summary, we continue to be excited about pioneering cyber exposure. We're partnering more and more with customers interested in strategic approach to vulnerability management. We believe the combination of our differentiated technology and strategic approach to the market position Tenable for success in this journey. Thank all of you for joining the call today. We look forward to seeing many of you during our events coming up in November. We will be participating in the Stifel Midwest One-on-One Conference, November 8 in Chicago and the BTIG Tech Conference, November 14 in New York City. We also expect to be in New York and Boston and likely, San Francisco before the end of the year, so we hope to see many of you in person. We appreciate your interest in Tenable.

We'd like now to open up the call for any questions.

(Operator Instructions) Our first question comes from the line of Sterling Auty from JPMorgan.

Can you hear me okay?

We can.

All right, great. Just wanted to start with, Steve, is there anything to read into the current billings growth was actually a little bit slower than the revenue growth? I know they're both really high growth rates, but I just want to check to see if there's anything that we should be reading into that.

No, we're very pleased with our performance in the quarter. Nothing fundamentally has changed in the business. We're generating very strong top line growth at significant scale, outgrowing the market by a wide margin here. So our outlook in Q4 and our results in Q3 reflect good growth at scale. And the takeaway here is, we're in the midst of a major market opportunity. We believe we're making the right investments in the business to drive attractive long-term growth.

All right, great. And then, just one more on the technology side. Amit talked about the integration with ServiceNow. Are you finding that the main source of traction with that is customers actually asking and wanting that capability? Or are you actually at a point where you're seeing ServiceNow bringing you into opportunities for new customer opportunities?

Yes, I think the ServiceNow partnership is a great example where it's really driven -- was driven initially by market demand. We had a lot of joint customers, a lot of ServiceNow customers looking for VM solutions and vice versa. And so, the sales teams ended up just working a lot together out in the field in various customer accounts. And then over time, formalized a partnership and have generated a more thoughtful, top-down approach with joint marketing activities, joint account management and joint sales calls. So it's one that -- it's a partnership that we've seen bear fruit and one that we have great confidence in going forward.

Our next question comes from the line of Melissa Franchi from Morgan Stanley.

Okay. I just wanted to dig into the Fed vertical just a little bit more. The commentary there suggested it was a very healthy quarter. So I'm just wondering, is it -- was it meaningfully different than what you've seen in previous years? And if so, what's driving that? And to the extent to which it was a healthy quarter, is that driven by government demand or is it driven mostly by -- or more so, by investments that you're making in that vertical?

I think we have a strong federal quarter in a seasonally strong federal quarter. I think it's really in line with our expectations. We saw several high-profile renewals and expansions occurring and new 6-figure adds. We feel very good about our position in federal, and we're seeing very strong demand in the federal market for vulnerability management solutions and increasingly, I think for the first time, we've seen the federal customer base looking more closely at the Cyber Exposure market opportunity and understanding that they have need for the capabilities that we bring to the table. So, in line with our expectations, and I think continued confidence in our position in the federal market going forward.

Okay, that's helpful. I have one follow-up question on the technology. The industrial security SKU or application on Tenable.io, you announced recently that you've extended that to OT devices beyond Siemens. And so, I'm just wondering, I mean, if you could just talk about how that extends the opportunity in industrial security and to what extent was that driven by customers looking for that extension and that greater visibility or is it more just getting ahead of potential opportunities?

I think the expansion is probably more of a core requirement in the control system world. We -- I think we released a product that had pretty good coverage, I think, with thousands of control system devices and also, simultaneously announced a strategic partnership, a global partnership, with Siemens, and we've been working very closely with a number of very large enterprises. The truth is that in these control system environments, you don't find that they have any one particular vendor brand as an exclusive provider. And so, as you look at the traffic, as you look at these control system environments, they've got a diverse set of vendors in there, whether it's Siemens, Honeywell, GE and Schneider and so on and so forth. And so, the recent updated release of our industrial control system offering expands the number of devices that we can profile and understand by several thousand. And we think that, I don't want to call table stakes, but when you're operating in these complex environments and you're looking at it, at the traffic, if you're looking at 75% of that traffic and say, hey, it's unknown to me, that doesn't sit well with customers. If you can identify and profile a vast super majority of the devices and the infrastructures they've had, I think that's, sort of, a core requirement for customer success.

Our next question comes from the line of Gray Powell from Deutsche Bank.

Just a couple, if I may. So you guys are growing about 40% give or take versus peers at closer to 20%, in the market they call it low teens. Can you talk about how much of that is greenfield versus replacement? And then, just your confidence level on maintaining that gap going forward.

Yes. To the first part of the question, I think we're confident that there's significant untapped potential in the VM market. We've done a fair bit of in-depth analysis, and our finding is that about 50% of the customer base out there is still immature in their VM efforts, in terms of how they are approaching and thinking about VMs. So there's a lot of maturity that we can help customers go through as their needs -- as they recognize the, sort of, increased need for VM as a core part of their security practices. We also see -- we have done some analysis, and we've seen that about 1/3 of the enterprises out there are -- have not yet embraced an enterprise-wide VM solution. So no doubt, they've got regulatory requirements. They've bought, they've deployed VM solution for PCI or some other, 1 data center, 1 business unit, some portion of their infrastructure. But they have not embraced VM as an enterprise-wide requirement and understanding of what their overall cyber risk looks like. So we've got great confidence in, ultimately, the size of the opportunity in front of us in VM, the growth potential for the VM market and believe that we can build a very successful enterprise focused on that. Now our strategy includes a superset of VM. VM is a core building block and requirement for this broader vision around cyber exposure. So it's not just VM, it's also understanding the control system. The IoT infrastructure, the cloud environment, the DevOps containers and web applications. And it's also been helping to do a much deeper job of analyzing that exposure data. So from a risk metrics perspective, from a prioritization perspective, from a benchmarking perspective. So when you combine all of those, we have tremendous confidence in our ability to deliver growth over an extended period of time.

Got it. That's really helpful. And if I could just sneak one more in, just really quickly. Can you just talk about any early feedback on Lumin? And how quickly we should expect that to ramp-up once it goes GA next year?

Yes, I think we continue to operate Lumin in beta mode. We've gotten lots of great feedback and continue to get lots of great feedback during the beta program. It's been very positive, and we remain extremely confident that the type of insight that we can provide in terms of understanding risk, benchmarking it across peers is incredibly important to VM, and ultimately, a Cyber Exposure strategy. Our data science -- and Steve mentioned, our data science team is a significant contributor and differentiator in the analytics space, and we anticipate that we'll go to GA with Lumin in 2019.

Our next question comes from the line of Gur Talpaz from Stifel.

So, Amit, you talked about your first ICS deal with the U.S. Fed. And I wanted to ask, within that deal, and more broadly speaking, how important is having a broadly holistic platform that can span both traditional VM and nontraditional use cases in winning such deals?

Thanks, Gur. I think it's a great question and obviously, you highlight, I think, some insight that you have. We see a lot of interest -- I think, broadly, the market sees a lot of interest in the control system world and the critical infrastructure world. These are critical business processes that are automated and now at risk. What we've found over the last couple of years is that it's not only just the, sort of, digitization of the control system world that makes it exposed but it's also that those control system environments have been invaded, if you will, by other general-purpose IT components. And so, when you're looking at control systems, when you're looking at industrial systems, it is very difficult -- or I'd say, it will be incomplete to look at those control systems without understanding the IT systems on those same networks that the control systems rely upon. So we believe it's a core competent -- critical component and a strategic differentiator versus some pure play point products, which might only look at the OT components in isolation.

That's really helpful. And then in the commentary, you talked about a set of customers using both Tenable.io and SC in conjunction. Typically, I would've thought about them, kind of, being separate solutions, either you pick one or the other, but it sounds like there is a use case for both in conjunction. How typical is that? Are you seeing more of that? And can you walk us through that use case?

Yes. It's actually -- I'd say, the number of customers and the frequency with which that happens is probably far greater than I would have originally anticipated. Although, now in, sort of, hindsight and as we experienced the growth, it does make sense. Those customers frequently have already deployed SecurityCenter, they're already customers, they are already confident in Tenable as a provider to help them gain insight into their environments. But they have need for hybrid -- they're operating hybrid environments. They have a mobile workforce that they don't want to punch holes in the firewall to be able to maintain a vulnerability status for those mobile workforces. They want to assess their networks from the outside and see what their exposure looks like from an external perspective or they have other their cloud-oriented requirements. And so, what we've seen is even in the SecurityCenter customer base, there's been an adoption, an extension, if you will, in leveraging the new technology that we made available in the cloud platform in Tenable.io. And so, we're seeing it as an extension there and we're also seeing it with new customers, which select to go with a hybrid approach right off the bat.

Our next question comes from the line of Jonathan Ho from William Blair.

Can you hear me okay?

Sure can.

We can.

I just wanted to start with maybe some thoughts around your commentary about where we are in terms of the adoption of some of these newer assets. Can you maybe give us a sense of what inning we're in and where you're seeing maybe more rapid adoption happen relative to the assets that you kind of listed off?

Yes, if you assume it's a 9-inning game and not an 18-inning game, I would say, we're still in the early innings, and I don't know if it's in inning 2 or inning 3. But my gut feel is that we're in that first 1/3. So we see growing adoption, we see customers, sort of, order moving in this direction. We're now landing 6-figure transactions in these new asset types. We're seeing existing customers start with modest deployments but increasingly talking about more broad deployments in their modern asset types as well. And so, even in customers which are making the selection to become Tenable customers, even where they're not purchasing modern asset type coverage yet, we're hearing pretty consistent feedback that the ability to expand that and they have plans and designs to expand that and they have a need for those modern asset type -- visibility to those modern asset types. So we're seeing that as a consistent theme that the strategy aligns with their security program point of view and aligned with where they want their programs to head. I think we're still in the early innings, maybe somewhere between the second and third inning, but we're confident that the direction and the trend are well aligned with the customer requirements and the market.

Great. And then, there have been a few acquisitions that have been made, particularly in the cloud vulnerability market by some of the bigger competitors and the broader security space but maybe not traditional VM providers. Can you talk a little about how much overlap you might have there? And maybe, how you can compare and contrast your offering relative to some of the newer acquisitions that have happened?

Yes. I think there certainly is some overlap. I don't know if I would describe it as a 15% or 20% overlap. I wouldn't describe it as a 50% overlap. I think it's significantly lower than that. And if you look at the companies that have made acquisitions there, it's really the larger, more established firewall vendors that, to some extent, have the perception or they've taken some criticism for what their strategy looks like and how relevant they will be and what their future looks like in primarily, a cloud-based world. And so, I think a lot of the features that they are focused on, a lot of the functionality that they've really tried to embrace is a firewall-like functionality for cloud environments. Now those -- the companies which have been acquired, I think, primarily focused on that control plane but they did have some assessment capabilities. So like I said, there is some overlap, but I think the use case, the mindset, the customer base, and I think the development path for those acquired properties is likely, kind of, divergent with where Tenable's capabilities and future capabilities will look like in the cloud world specifically. And so, we view it as visibility. So when you turn to us for understanding your exposure on the network, you want to understand that in the cloud. And I think that's -- the firewall vendors are also thinking, hey, you want the control of your network, you want the control in the cloud environment. So there's some overlap. But I think it's divergent strategies, not ones that are converging or likely to conflict more going forward.

Our next question comes from the line of Daniel Ives from Wedbush Securities.

So maybe, like to the point before about like an inflection point, larger deals obviously, product expanding in terms of portfolio into '19 with Lumin. Maybe if you could talk anecdotally how your conversations with customers have changed. Is it -- as obviously you become a bigger piece of the solution of a cyber risk exposure, maybe you could just talk anecdotally if we think where we were 6 months, a year ago?

Yes, I think there's a couple of things worth noting here. One is the Tenable journey, the other is the customer journey and maybe, the third is, kind of, like how the market is evolving. I think the Tenable journey is -- look, we -- this company grew up as a very technology-oriented company. It was all about the accuracy of the scan, the flexibility of the technology, how we achieve better results. There wasn't a whole lot of emphasis on the enterprise go-to-market notion, the account management aspects, the enterprise support aspects of the relationship. And so, we've been on the journey over the last couple of years and continue to make great progress. And so, that enable us to have more strategic conversations with our customers than we've had historically. I think customers are on a journey understanding the importance of VM and Cyber Exposure. If you go back and look at where they were 2 years ago, vulnerability management was, kind of, a little bit of a tired market. There was a compliance driver but many enterprises didn't view VM as a strategic component in their security program. As you've seen a lot of high-profile breaches, whether it's sort of Equifax, the WannaCrys, the NotPetyas of the world. The things that became very costly in the news to many large enterprises. You see corporate leadership asking questions of the security program, hey, are we susceptible to that? How are we managing risk? How exposed are we? And those questions point to the VM program and have increased the prioritization that customers and the strategic view that customers have of their VM programs. And so, I think there's a couple of trends here, which really become tailwinds and enable us to have more strategic enterprise-wide conversations with chief information and security officers and senior executives. And I think Lumin and the types of analytics that we've developed and are working on going forward, I think play to, and are a result of, some of those conversations.

Got it. And I just have a question -- I mean, I was hearing before but obviously, you guys are doing extremely well in the field, spending well on R&D perspective and maybe this for Steve, like how do you, sort of, balance going to the next year in terms of growth and starting to look at profitability relative to now being in such a position of strength?

Again, this is Steve. With regard to 2019, we aren't specifically commenting on 2019 at this time. We'll provide our outlook for the year on the upcoming call in February. That said, we feel very good about the momentum of the business and how we're executing. And given the positive margin trends that we highlighted in the call today, and Amit also underscored earlier, we're at the early stages of a multibillion-dollar market opportunity. We're confident we can deliver strong growth for the time to come. That said, when you look at our top line growth, while we're growing -- enjoying good growth on good scale, we're not growing at all cost. We're very mindful of the bottom line. We're continuing to make progress on operating margins on a year-over-year basis. You can see even some of the leverage that we're demonstrating here today on this call. And a good leading indicator of that, I think, will be -- is the cash flow burn. It's been fairly modest this year. So our focus is to, kind of, lean in to top line growth, all while we march towards positive cash flow and profitability. And what we've commented on earlier with regard to cash flow is that we expect to be cash flow positive by the time we exit 2020. The great results we're delivering today only reinforces that notion, and we're excited about the opportunity ahead.

Ladies and gentlemen, we have reached the end of the question-and-answer session. And this does conclude today's conference. You may disconnect your lines at this time. Thank you for your participation.