Tenable Holdings Inc (TENB) 2018 Q4 法說會逐字稿

Greetings, and welcome to Tenable's fourth quarter earnings call. (Operator Instructions) As a reminder, this conference is being recorded.

I would now like to turn the conference over to your host, Andrea DiMarco, VP Investor Relations and Strategy. Please go ahead.

Thank you, operator, and thank you all for joining us on today's conference call to discuss Tenable's fourth quarter and full year 2018 financial results. With me on the call today are Amit Yoran, Tenable's Chief Executive Officer; and Steve Vintz, Chief Financial Officer. Prior to this call, we issued a press release announcing our fourth quarter and full year 2018 financial results. You can find the press release on the IR website at tenable.com.

Before we begin, let me remind you that we will make forward-looking statements during the course of this call including statements relating to Tenable's guidance and expectations for the first quarter and full year 2019; growth and drivers in Tenable's business; changes in the threat landscape and the security industry and our competitive position in the market; growth in our customer demand for and adoption of our solutions; Tenable's expectations regarding long-term profitability and planned innovation and new products and services. These forward-looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. We disclaim any obligation to update any forward-looking statements or outlook.

For a further discussion of the material risks and other important factors that could affect our actual results, please refer to those contained in our most recent quarterly report on Form 10-Q filed with the SEC on November 8, 2018, and subsequent reports that we file with the SEC, which are available on the SEC website at sec.gov. In addition, during today's call, we will discuss non-GAAP financial measures. These non-GAAP financial measures are in addition to and not substitute for or superior to measures of financial performance prepared in accordance with GAAP. There are a number of limitations related to the use of these non-GAAP financial measures versus their closest GAAP equivalent. Our earnings release that we issued today includes GAAP to non-GAAP reconciliations for these measures and is also available on the Investor Relations section of our website.

And now let me turn the call over to Amit.

Thank you, Andrea, and thank you for joining us on the call today. I'm pleased to share that Tenable delivered another strong performance as we closed out 2018 on the high note.

Revenue in Q4 grew 39% year-over-year to $75 million and calculated current billings grew 36% year-over-year to $97 million. Our strong momentum highlights the rising importance of and growing investments in Cyber Exposure. As we talk to customers in the field, we consistently hear that vulnerability management remains a top priority for 2019. Understanding and reducing cyber risk remains a strategic C-suite and board-level issue. Tenable is increasingly recognized as a strategic and foundational component of these efforts.

With a successful Q4 and 2018 behind us, we'd like to highlight why we believe Tenable is a category-leading security company. First, we continue to believe the vulnerability management market is much larger than anticipated by traditional market research, given the rapid proliferation of connected devices.

Second, we are marching to the enterprise, adding hundreds of new logos every quarter and consistently increasing our 6-figure customer base. And third, we are reinvigorating VM and pioneering enterprise understanding of Cyber Exposure including the broader attack surface and corresponding business impact.

The discovery and disclosure of vulnerabilities only continues to grow in volume and pace. While there are considerable amounts of legacy and end-of-life applications still posing residual risk, the proliferation of connected devices increased the surface of attack and created more and more vulnerabilities. One of the biggest drivers for our success continue to be this digital transformation. According to Gartner's February 2018 forecast, IoT security worldwide 2018, says IOT endpoints will grow at a 32% CAGR, reaching an installed base of 25 billion units by 2021. As such, a growing number of our customers are expanding their deployments to include these modern asset types, such as cloud, web applications, containers, operational technologies and Internet of Things.

The rapid growth we are seeing in cloud, IoT and nontraditional devices validates our view that the VM market is much bigger than forecast developed by traditional market research.

We expanded our IoT asset coverage across both Tenable.io and Tenable.sc last year. Our coverage of embedded devices, point of sale systems, teleconference and surveillance devices and other IoT assets grew over 50% in the second half of 2018 versus the first half.

Cloud asset coverage grew over 3x in second half of 2018 compared to the first half. The momentum of cloud deployments is robust and driving strong adoption of our Cyber Exposure solutions. On the Operational Technology front, we continue to make meaningful progress. Originally only available on Tenable.io, we've added OT capabilities to Tenable.sc in Q4.

In Q4 we also sold our first 6-figure Tenable.sc industrial control system bundle, an exciting win with a major oil and gas joint venture. This example is more evidenced in the increase in IT/OT convergence within organizations. We're seeing more OT security purchasing power shift to include input from this CISO suite. This plays to Tenable's strength in the market and creates a broader opportunity for us to assess both the IT and OT environments.

When I talk to customers, they're in various stages of their digital transformation, and try to get visibility into all the new connected devices. They recognize that VM is a foundation of a solid cyber strategy. That's why they're looking to do VM more holistically, with breadth across all asset types, many of which they currently lack visibility into. They want to do it better and more efficiently with greater depth of analytics. They want a Cyber Exposure solution.

And with that, I'd now like to highlight a few noteworthy new 6-figure customer wins in the quarter. A large European insurer purchased Tenable.io, with web application scanning, PCI and container to overhaul their VM strategy, and start maturing their Cyber Exposure understanding. This company needed a solution that would align to their transformative global digital plan, and deliver a solution in a complex environment across traditional and modern assets. This example highlights a typical customer journey from VM to Cyber Exposure.

Another new customer win is a multiplatform purchase, both SC and I/O together by a national healthcare company. This company had a very manual and unsustainable VM effort. They quickly realized the need for an enterprise-wide solution to manage their growth and reduce the risk of new vulnerabilities. They ultimately purchased SC and also I/O for external scanning processes. They chose Tenable due to our hybrid offering and our scalable enterprise-wide Cyber Exposure vision. While this was a modest competitive displacement, it was also largely greenfield as the incumbent was only used for external scanning.

We'd also like to share a couple of 6-figure Nessus upsell wins in the quarter. A global e-commerce company purchased Nessus last year and was looking for a more strategic VM solution in addition to considering cloud and container security as separate project efforts. This customer recognized the value in Tenable.io's unified strategy that included cloud and containers scanning all in one platform and purchased Tenable.io plus container coverage.

Another 6-figure Nessus upsell win is an SC win for a national healthcare company. This company was also looking for a scalable strategic, on-premise Cyber Exposure solution. They choose Tenable for our scalable architecture, our hybrid offering and our reliable brand.

We also continue to expand our leadership position in the public sector. Maintaining a clear leadership position in the public sector is a priority, and we strengthened that lead during the fourth quarter. Tenable was awarded a expanded 7-figure contract with the Department of Defense to provide Assured Compliance Assessment Solution called ACAS. For over 5 years, DISA, the Defense Information Systems Agency and the defense community have relied on Tenable and ACAS as a de facto enterprise-wide solution for VM.

We look forward to continue to provide DISA and the DoD with a fast, accurate, cost-effective and highly scalable VM platform to detect and counter known cyber threats to DoD enterprise assets in realtime.

And lastly, we had another large-scale expansion in a Fortune 100 retailer. This retailer expanded from 500,000 assets in early 2018 to 1 million assets this past summer. And then to 2 million assets in the fourth quarter, and there continues to be a great growth opportunity in the account. This customer is a great example of the expanding needs of enterprises to assess Cyber Exposure across traditional and modern assets, covering everything from web properties to point of sale devices.

To build on our market leadership, we made a decision earlier in 2018 to increase our investment in research, both to help our customers accelerate their cyber exposure transformation and help us focus our efforts on the rising issues that matter most to our customers.

Our 2018 Vulnerability Intelligence Report founded enterprises identify an average of 870 new vulnerabilities daily with over 100 ranges critical on the common vulnerability scoring system, CVSS, which is an industry standard measurement. The current lack of rigorous prioritization suggest that organizations are struggling to remediate these increasing vulnerabilities, and consequently are unable to make strategic technology decisions.

In the fourth quarter, Tenable announced Predictive Prioritization capabilities for both our Enterprise platforms, SC and I/O. Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat information and analyzes them together with the advanced data science algorithms developed by Tenable Research. These data science algorithms analyze vulnerabilities using machine learning to anticipate the probability of a vulnerability being leveraged by threat actors. This innovative capability enables organizations to focus on the approximately 7% of vulnerabilities with reliable public exploit and focuses resources on an even smaller portion of those most likely to be exploited by threat actors, down to just 3%. Predictive Prioritization will be made available over the next few weeks and months as a core capability for our enterprise customers. This is yet another example of Tenable extending our leadership position and differentiating ourselves with our Cyber Exposure vision.

Looking ahead, we continue to advance the development of our Cyber Exposure scoring, benchmarking and peer comparison product, Lumin. During our beta customer discussions, we received valuable feedback that prioritization of vulnerability, which was originally contemplated as part of Lumin, was viewed as something that should be a core competent of those base VM use cases and platforms. Given the enthusiastic feedback, we accelerated the development to build predictive prioritization into SC and I/O to make sure all of our enterprise platform customers had access to this critical functionality. Lumin will build upon and greatly expand the value of predictive prioritization by providing a deeper layer of insight, based on asset criticality data.

Criticality data enriches vulnerability information with the asset's business context to strengthen the overall Cyber Exposure score. Lumin will also help customers measure and benchmark their cyber exposure with over time and against their peers. We remain very excited about the opportunity for Lumin in 2019.

Before I move off product innovation, I want to note a new addition to our product organization. Ofer Ben-David is joining as our new Chief Product Officer. Ofer will lead Tenable's global product organization into the next phase of Cyber Exposure solutions for managing and measuring cyber risk in the digital era. He is one of the most respected and innovative engineering leaders in enterprise software, having built large-scale cloud-based and on-premise solutions for some of tech's most iconic companies.

As we continue to push the pace of innovation in the market, we also remain focused on strengthening our reach through strategic partners and integrations. In the fourth quarter, we announced an integration with AWS Security Hub that is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status. We also announced that Tenable.io is now available for purchase in the AWS marketplace. This allows customers to seamlessly build VM including the automated discovery and assessment of cloud infrastructure assets to manage, measure and reduce cyber risk across cloud environment.

Now let me turn the call over to our Chief Financial Officer, Steve Vintz, and then I'll come back to summarize in the end.

Thanks, Amit. The fourth quarter marked a strong finish to a very successful year for Tenable.

Let me dive deeper into the quarterly results as well as highlight the full year 2018 financial results and our business outlook for the year ahead. I'll begin by reminding you that except for revenue, all financial results we will discuss today are non-GAAP financial results. Unless stated otherwise, as Andrea mentioned at the start of this call, GAAP to non-GAAP reconciliations may be found on our earnings press release issued earlier today, and on our website.

Now onto the results for the fourth quarter. Revenue for the quarter was $75.2 million, representing 39% growth over the same quarter last year. It's worth noting that 90% of our revenue in Q4 was recurring, which is a benefit of our subscription model. As you may recall, we include revenue from subscription and maintenance contracts a recurring revenue, but exclude professional service and perpetual license revenue, such amounts are not available for future renewal.

Since we're on the topic of perpetual licenses, as a reminder, in 2017, we began recognizing revenue from perpetual licenses ratably over 5 years in accordance with ASC 606. With that as a backdrop, I want to walk you through our calculated current billings. We believe calculated current billings is a good proxy of the underlying momentum of our business as it generally correlates to annual contract value, and it's how we manage the business.

Calculated current billings defined as the change in current deferred revenue plus total revenue recognized in the period, grew 36% year-over-year and $97.3 million in the fourth quarter of 2018. This growth in scale is a testament to the rising importance of VM and the broader cyber exposure opportunity that we are addressing.

Let's discuss customer momentum, which is an important driver of growth for us. In the fourth quarter we added 337 new enterprise platform customers with an increasing mix towards larger deals. In terms of large deals, we added 56 net new 6-figure customers in the quarter. These are customers who spend in excess of $100,000 annually on an LTM basis. This represents the largest number of net new 6-figure customers in our company's history. This brings the total number of customer spending in excess of 6 figures to 453. The takeaway here is that we are seeing strong demand in enterprise both domestically and abroad, and are experiencing continued momentum, adding new customers and expanding the value of the relationships with existing customers.

I will now turn to expenses and profitability. Gross margin was 85% in the quarter, which is the same as last year and up from 84% in Q3 of this year. As a reminder, we are making investments in our public cloud infrastructure in connection with the delivery of our Tenable.io platform. These investments are scaling better than expected and having less of an impact on gross margin in short term. However, we continue to add new functionality and have points of presence globally, and long term, expect gross margins to settle in the low 80s to high 70% range over time.

Now turning to operating expenses. We are focused on improving operating leverage in our business over the long term. But in the short term, we are investing for growth. Sales and marketing expense in Q4 was $44.5 million compared to $32.2 million in the fourth quarter last year. This represents 59% of total revenue for the quarter, down from the mid-60% range in the first half of the year. As a reminder, sales and marketing expense as a percentage of revenue is typically higher in the first half of the year due to a large number of industry and other events as well as incremental investment in sales capacity in the first half of year, which produces leverage over time.

R&D expense in Q4 was $19 million compared to $15.2 million in Q4 last year. As a percentage of revenue, R&D was 25% versus 28% in Q4 of last year. Innovation remains a top priority for us across all our products but especially around data science, analytics and coverage of new paradigm assets, including OT, IoT, cloud and containers.

G&A expense was $11.2 million for the quarter compared to $7.8 million last year. As a percentage of revenue, G&A was 15% versus 14% in Q4 of 2017. The increase largely reflects new costs associated with being a public company.

Our non-GAAP loss from operations in the quarter was $10.8 million. This compares to a loss of $9.2 million in the fourth quarter last year. Non-GAAP operating margin was negative 14% compared to negative 17% for the fourth quarter last year.

Pro forma non-GAAP net loss per share was $0.12, which was better than our guidance of a loss of $0.15 to $0.14 per share. Focusing on the balance sheet. We finished the fourth quarter with $283.2 million in cash and cash equivalents and short-term investments.

It's also worth noting, we early adopted the new lease guidance in Q4, as of January 1, 2018. The new guidance does not change how we record rent expense but required us to derecognize the previously recorded construction in progress asset and related financing obligation with building our new headquarters. For existing leases, the guidance also requires a balance sheet gross-up of a liability for the present value of the remaining lease payments, and a corresponding right-of-use asset that is combined with the lease incentives. As such, we have $10.3 million of operating lease liabilities and $8.5 million of right-of-use assets at December 31, 2018. In terms of cash flows, our free cash flow burn was $3.1 million for the quarter compared to a burn of $6.6 million for the fourth quarter of 2017.

As a reminder, we started our ESPP program in August, which contributed $4 million to our free cash flow in the fourth quarter. The first stock issuance will be on March 1 of 2019, and our free cash flow in Q1 is expected to be negatively impacted by $5 million to $6 million from the contributions previously received as they are reclassed to a financing activity. On an annual basis, however, the ESPP is not expected to have a significant impact on free cash flow. Overall, we are pleased with the efficiency and cash flow of the business.

As a reminder, in 2019, we expect to incur approximately $10 million of nonrecurring CapEx related to the build-out of our new headquarters, which will primarily impact free cash flow for the second half of the year, although we continue to target turning free cash flow positive by the time we exit 2020.

Quickly touching upon the financial highlights for the full year. Revenue was $267.4 million, an increase of 42% over 2017. Calculated current billings was $326.1 million, an increase of 38% year-over-year; gross margin was 85% compared to 87% in fiscal 2017; non-GAAP loss from operations was $49.1 million or 18% of revenue compared to $32.4 million or 17% of revenue last year; and finally, free cash flow burn was $8.3 million, inclusive of $6.3 million of the ESPP contributions, which represents a burn of 3% of revenue in 2018.

Now let's turn to guidance. For first quarter of 2019, we currently expect revenue to be in the range of $77.5 million to $78.5 million; non-GAAP loss from operations to be in the range of $17 million to $16 million; non-GAAP net loss in the range of $18 million to $17 million; and pro forma non-GAAP net loss per share in the range of $0.19 to $0.18, assuming a weighted average common shares outstanding of 93.2 million.

For the full year 2019, we currently expect revenue of $338 million to $343 million; calculated current billings of $410 million to $415 million; non-GAAP loss from operations in the range of $60 million to $55 million; and non-GAAP net loss in the range of $59 million to $54 million. Pro forma non-GAAP net loss per share is expected to be in the range of $0.62 to $0.57, assuming weighted average common shares outstanding of 95.1 million.

As it relates to guidance, our outlook contemplates lower contribution from the U.S. federal government in Q1 due to uncertainties surrounding federal procurements, which we believe will have little impact on the year overall.

And now I'll turn the call back to Amit for some closing comments.

Thanks, Steve. In summary, we continue to be excited about the opportunity in vulnerability management and pioneering cyber exposure. We are partnering more and more with customers interested in a strategic approach to understanding their cyber risk. We believe the combination of our differentiated technology, even stronger now with Predictive Prioritization and our strategic approach to the VM market, position Tenable to successfully aid our customers in this journey.

We'd now like to open the call up for any questions.

(Operator Instructions) Our first question comes from the line of Melissa Franchi with Morgan Stanley.

Amit, you had a very good enterprise customer adds this quarter. I'm just wondering if you can talk about the runway that you have within your Nessus space in terms of upgrades. I think the last metric we had was maybe 19,000 Nessus customers, and now you have over 6,000 enterprise customers. So what's a reasonable conversion rate in terms of that base going into SC or I/O? And then have you seen any change in the conversion in the most recent quarter?

Melissa, this is Steve. I'll take a shot here. So we have a total of 27,000 total customers as a whole, and most of those are Nessus Pro customers. As we mentioned before, Nessus is a cost-effective way to seed the market, but it's also an on-ramp to a larger platform sale. On average as much as 1/3 of our total enterprise sales can come from the paid Nessus customer base. With that as a backdrop, over the past couple of quarters, we made a point of emphasis here to highlight the growth and momentum in enterprise. And we think the growth momentum in enterprise is reflective, a, of the product set; b, of the to go-to-market that we have, somewhat unique in the sense that we price exceed the market, proper building out the enterprise capability and distribution. So overall, the pull-through that we're gaining from Nessus does lift enterprise, and then once we land the customer, whether it's a new logo or an upsell from a paid Nessus customer, we have a history, of course, as you know, expanding the relationship with our asset-based pricing model.

Yes. I think the only thing that I would add to there is recent efforts in the product organization to add new and innovative capability to the Nessus product line as well. First is the addition of live results to Nessus, which we think is very innovative and very compelling where as new vulnerabilities are discovered a lot of times you don't have to go out and do a rescan, which environments can be very complex. But you have very good telemetry already collected and visibility, understanding to a vast majority of new vulnerabilities, whether or not you have them before you even conduct a new scan. And as well as a series of capabilities which we'll be launching in the near future, which we believe will increase our Nessus pull-through. So some ties between the Nessus professional customer base and uplifted capabilities they can get using those products in conjunction with the enterprise platform products. So we think that there is a compelling opportunity, it's not yet really been tapped into or monetized in a strategic way.

Okay, that's helpful. And then just following up with Steve. Steve, your comments on federal for Q1 were helpful. I'm wondering if you could just elaborate a little bit specifically if you saw any disruption in Q4 from the federal closure. And then if you could may be quantify the extent to which you're assuming fund disruption in Q1, and if you're seeing the backlog starting to open up already?

Sure. Well, first and foremost, and Q4 was an area of outperformance for the company, I think versus the guidance, it was, calculate our current billings, a little more than $4.5 million. We're pleased with the results for Fed in the fourth quarter, so the uncertainties around Fed had no impact on the fourth quarter for us. For the whole, Fed represents less than 15% of our total sales with a sizable percentage of that coming in the third quarter, as you know due to the Fed's fiscal year-end. We do close new business, though, throughout the year, new and renewal business. And the outlook today, as I mentioned earlier, contemplates lower contribution from Fed in Q1 with offsetting amounts in Q2 and Q3. So while we believe uncertainty surrounding Fed will not impact calculated current billings, for the year as a whole, it does more modestly impact revenue, and therefore, profitability in Q1, just due to later quarterly flow. That aside, our guidance reflects strong outlook in Q1 and the year as a whole and we're pretty excited and confident about our U.S. Federal business and believe, long term, it's a significant compelling opportunity for us.

Our next question comes from the line of Sterling Auty with JPMorgan.

One of the follow-up on, I think the comment you made in the prepared remarks about some of the deal size within probably enterprise and the 100k-plus ARR accounts. Just wondering, are you seeing bigger initial deals as well as expansion deals. And specifically, within the expansion, how much of that are you seeing coming from customers as you mentioned, just adding more devices and broader coverage within the company versus adding more feature functionality to their relationship with you?

Sterling, it's a great question. I think very clearly for us, the answer is both. We're seeing larger -- as we become more enterprise-oriented in our go-to-market motions, our messaging, our positioning. Moving upscale in the enterprise we're seeing larger initial lands and bites, and I think that's also reflective of organizations with very mature, largely greenfield and their understanding of cyber, really stepping in, in a meaningful way as well as continued beating of the war drum and expansion in our existing enterprise accounts and moving them down that journey from tactical VM to much more strategic motions. Steve, I don't know if you have any additional comment.

No, we have the land that expand model, so it's a combination reflecting higher land and also more attractive expands, and we have 27,000 total customers. Even though we added a record number of net new 6-figure customers in Q4 and clearly we're demonstrating momentum in enterprise. The total number of 6-figure customers is 450. So we have a substantial opportunity right in front of us within our own customer base, even though we're adding hundreds of new customers a quarter.

All right. Great. And then one follow-up. You mentioned the momentum in go-to-markets, how would you characterize the ramping of the resources that you added as you were coming public? And kind of where do you stand now? And how should we think about the incrementals of the marketing investment that you outlined. How much of that is really going to be headcount driven to add capacity versus maybe some of the marketing aspect to drive awareness?

Well, it's a combination of both. In terms of -- we have been clear about our investment strategy, a new dollar invested has a pretty short payback. On average it's 12 to 14 months for the company, gives us confidence, conviction to continue to invest in sales. So we're adding sales capacity. I will say headed into 2019, we have a more mature sales force now than we did this time last year. Over 50% of our sales force is in some phase of a ramp, but we have a higher percentage of reps that have been here 12 months or longer. So we're pleased to see that. The other lever -- so we're going to continue to add sales capacity given the payback and the strong unit economics. The other lever for us is channel, we're the only company in the VM space that has a 100% commitment to the channel. We think that's important. We are seeing continued increases in channel and business. Years ago 4% of our sales are inbound from a channel. And today -- and that continues to increase to a very meaningful percentage. So there's lots of levers we can pull on our go-to-market, one is Nessus in terms of ability to seed the market, create awareness; two is in terms of building up distribution with feet on the street and adding sales capacity. And the third thing is pulling the levers on the channel, which we think is really important.

Our next question comes from the line of Jonathan Ho with William Blair.

Just wanted to start out with Lumin. Can you give us maybe a little bit of an update in terms of the timing for release? And maybe what the expectations are in terms of billings and revenue that are maybe built into your 2019 guidance?

Yes, I'll start off a little bit with the Lumin timing. As you know we've, throughout the later part of 2018, embarked on a beta program with a number of significant customers, processed that feedback. We actually took what many of our customers told us was very compelling capability in the Lumin beta, but capability they felt was really a core use case, or a core capability for the VM use case, the vulnerability management use case. And that was this concept of Predictive Privatization. Hundreds of new critical vulnerabilities discovered every day and you're just using CVSS scoring, and how do you prioritize what matters most, the inclusion of threat intel and exploitability and using a lot of data science models that our team has built, and the feedback we got was, hey, that's great capability. It's compelling differentiation. But because it's the prioritization of vulnerabilities, our customers felt like it was really something they'd like to see in our core VM platform. So we've moved to add that predictive prioritization to both Tenable.sc and Tenable.io. And so we accelerated those motions in the enterprise platforms. We've drawn line, if you will, honing in the Lumin capabilities to extend outside of core VM use cases, specifically to assess and understand the criticality of assets, the business context around those assets and then all of the capabilities that we've been developing around benchmarking and peer comparison, which are really business types of analytics outside of the core VM use case, and we're confident based on the beta feedback that those are products or those combinations of capabilities form a product that we can charge for separately in Lumin. And we anticipate that being delivered, as we said previously, in 2019.

And then in terms of our guidance today, it does not reflect any meaningful contribution from the sales of Lumin.

Can you also, as a follow-up, just give us a little bit of a sense of what Ofer brings from the Chief Product Officer standpoint, and maybe what potential changes this could signal in terms of your product strategy?

Yes, I think it's -- there really isn't a strategic change in the product strategy. It's sort of an increase of scale and capability, as we step onto a larger stage of a larger development organization. We're committed to both the on-prem customer base, the cloud-based capability. And really what we found is the hundreds and hundreds of customers, which have chosen a hybrid-based approach, and we think that, that sort of accurately reflects how customers most frequently live in their IT environment. Something Ofer brings a very strong experience base to the table both for on-prem enterprise software for cloud-based SaaS architectures and delivering these capabilities at scale. So we're really excited about his add to the strength of the team.

Our next question comes from the line of Gur Talpaz with Stifel.

Amit, we talked about servicing new vectors like IoT, containers and cloud, and we also talked a lot about the continued success in pushing upstream to the enterprise. And I guess what I want to ask first was, are these 2 functionally interrelated? Meaning are you seeing better success in the enterprise because you're able to service these nontraditional environments relative to your peers?

I think the answer is both. I think that there is a -- and I think the market and some of the analysts out there are putting out adjusted guidance as to the attractiveness of the core VM market. So I'm a firm believer that there is still continued attractive growth opportunity for Tenable and to all VM providers in that core VM market. That said, we do see a significant differentiation in our strategy and our investment in this broader Cyber Exposure category, so it's a meaningful capability. We're seeing increased adoption of these new modern asset types among the enterprise platform customers. And even for those customers that are not yet adopting those modern asset types, they are asking informed questions about our capabilities in those areas because they're signifying that while the CSO might not yet have responsibility for the OT environment or for the IoT environment, they know that these things are coming and they want to be prepared, and having a provider that gives them the visibility and the confidence to assess those infrastructures I think is a critical differentiator.

That makes sense. And maybe an extension of that question. You said something on the call that I though was interesting, talking about sort of IT/OT convergence, and the increasing importance of the CSO in some of these OT environments. And what I sort of want to know was, does your breath of coverage, meaning your ability to service both IT and OT, is that a differentiator versus the kind of the new startups that are coming out there that only do only OT environments or are pure play in nature and can't span across the spectrum like you can?

Yes, I think it's critical and that's a great question. I think it's critical in 2 different aspects. In one aspect, OT environments today are almost never pure OT. By definition they're convergence of general-purpose compute, their -- all of the traditional IT assets have completely invaded even standalone OT environments. So our ability to assess both IT and OT in an elegant fashion gives us a much better understanding of the true risk of those operations as opposed to a kind of point product that is strictly focused on the OT componentry without an in-depth understanding of the IT that is part of that environment. The second dimension that I think is a strategic advantage for us is that unlike previous years, where you saw operators keeping the CISO and the IT departments at bay, saying, "Hey, these are OT, this is Operational Technology, it's very different. You guys go play in your IT sandbox, we got this covered." I think the recent awareness of cyber issues in the OT world have caused those operators to turn to their CISO and say, "Hey, can we get some help here?" And so we're seeing great, over the last year, an increasing influence of CISOs in helping operators understand their OT environments. And so it is a position of strength that we have this brand, that we have the trust, that we have the customer base and the confidence from the CISO so that when questions come up about discovery and understanding of the level of exposure in OT environments, how do you assess them at the beginning of this journey, that trusted relationship with the CISO is really a leg-up for us.

Our next question comes from the line of Gray Powell with Deutsche Bank.

Just a couple of on my side. So to start, can you talk about the pace at which you see customers developing more formalized vulnerability management programs. I think at some point last quarter you mentioned that about 40% of new customers did not have a formalized program in place before signing with you. So is that correct? And is that a good proxy for the portion of the market you think is a greenfield opportunity?

Yes, that's one that we measure pretty consistently coming, especially, from our largest deals, our largest accounts. A couple of dozen largest accounts every quarter, where those deals are coming to us from, and understanding who are we displacing or not displacing. And some quarters, it's 40%, 40% plus, some quarters it's 25%. And so it does vary quarter-to-quarter, but I think order of magnitude, 1/3 -- roughly 1/3 of the enterprise customer base comes to us, our new customers come to us from what we characterize as greenfield. And by greenfield, that doesn't mean there's absolutely no VM, it means they don't have an enterprise-wide VM program. So they might be looking at specific PCI systems and compliance requirements, maybe particular data centers or architectures or types of systems or business units. But it's really not an enterprise VM program. And so in any given period, about 1/3 of the new sales come to us from what we characterize as largely greenfield market opportunity.

Got it, that's really helpful. And then just a follow-up on the Predictive Prioritization comments. So is there an impact to SC and I/O pricing of adding Predictive Prioritization to those products? And then just how big of a differentiation is that versus your closest competitors?

There is no currently contemplated price uplift from -- or to the SecurityCenter and Tenable.io customer base. We think it is a compelling capability. It's compelling differentiation and we've heard that in the beta cycles when this capability was originally part of the Lumin product. And so we anticipate pretty broad adoption, and we also think it will help set the stage for broader adoption and more upsell capability.

(Operator Instructions) Our next question comes from the line of Dan Ives with Wedbush Securities.

So my question is, when you're taking a typical customer life cycle and trying to convert them to more of the VM suite. Take us through maybe the opportunities and -- but even the challenges in that progression from a sale cycle perspective.

Yes, I think the opportunity can be externally driven, it can be brought in through marketing activities, it can be brought in through broader awareness of activities happening in the security industry. So typically, breach occurs, Audit Risk Committee Chair, CEO, Board of Directors, CIO, they start asking questions, well, how secure are we? How exposed are we? Are we vulnerable to that? And when you ask those types of questions, the foundational system of record for answering those questions ultimately is the VM program. And so there are an external set of activities, whether they're driven by sales, marketing or other marketing activity, which could spur maturation of the VM program as well as internal-based drivers. So new CISO comes in, new CIO comes in, wants to -- new program gets launched, company wants to embrace new technologies, whether it's cloud, OT, digital transformation, automation, robotics in manufacturing or warehouse and inventory management. And all of those types of initiatives can frequently spur questions around security and the need for an enterprise understanding of risk associated with embracing those transformations. So I think both those external and internal drivers exist.

Got it. Okay. So just on the government -- because obviously we're getting a lot of questions from investors on it. How should we think, not exact breakout, but in terms of the government set, you talk about DoD, so obviously none of the military affected. But on the civilian side, how should I think about the government business in terms of the exposure to civilian and Homeland Security versus DoD and military?

No, we would characterize it as really all the same. And look, 15% -- approximately 15% of sales come from the Fed. We have a very sizable footprint within the Fed. We serve most 3-letter federal agencies. And it's a source of pride for the company. That said, just giving some of the uncertainties surrounding it, we chose to take a more cautious tone, specifically in the first quarter. And what we commented was that quarterly flow from Fed will be more modest in Q1, but we view that largely as timing, and as a result, we're thinking about billings perspective, we'll offset that in Q2 and Q3. But I guess, less of an impact in civilian and more so really on the DoD side of things.

Our next question comes from the line of [Josh Hilton] with Berenberg.

In regards to the IT/OT opportunity, are you seeing situations where Siemens or Rockwell will automate a factory or do some type of IoT build-out for a smart connected factory and then bring Tenable in to the security side? Or maybe just some high-level commentary on what's driving the deals on the OT side?

Yes, I think the OT side is really coming to us from 1 or 2 different motions. It's either our engagement with the CISO and the CISO having an increased role and responsibility in OT environments. In going through our strategy, our vision for Cyber Exposure and the market opportunity, just kind of talking them through the requirements and the capabilities there tends to uncover requirements that are not currently being addressed by existing providers or new responsibilities being picked up by the CISO. The second, as you suggest, comes from a more OT-focused discussion. We announced about a year ago, a strategic global partnership with Siemens. The first phase of that partnership was really focused on helping us refine and expand maybe capabilities of our products in OT environments, so you might imagine, these are extremely complex environments getting access to the types of data sets and systems deployed there, making sure that we understand both the protocols, the applications, we can identify the assets as well as their vulnerabilities. The second phase of that partnership involves a stronger combined go-to-market motion that's primarily driven by Siemens where they have a lot of engagement with the operators themselves.

Okay, that's very helpful. And then maybe just more specifically on the go-to-market strategy. On a scale of 1 to 10, how ramped would you say your sales forces is behind the new strategy?

We're aligned -- our core sales team, are by no means, OT experts. This entire category of Cyber Exposure, the complexity, the differentiation we bring to the market in terms of VM, selling to the CISO. I'd say that's the primary focus and core capability that we're building our sales go-to-market notion around. And also identify OT opportunities, we then have a limited number of focused experts that bring a much greater depth of OT experience and understanding to the table to assist them in those motions. We otherwise rely on partners like Siemens that are more actively engaged with the OT side of the house as opposed to the IT and the CISO side of the house, where our sales team has primary engagement.

Ladies and gentlemen, we have reached the end of the question-and-answer session. This concludes today's conference. You may disconnect your lines at this time. Thank you for your participation.