SBN

2022 Cybersecurity Annual Earnings Recap (Part 2)

2022 Cybersecurity Annual Earnings Recap (Part 2)

This article continues coverage of 2022 annual earnings for cybersecurity companies. Part 1 discussed Cloudflare, Check Point, CyberArk, and Fortinet. Today, we're going to take a look at Qualys, Rapid7 and Tenable — three direct competitors in the vulnerability management market.

The strategy for each company is expansion into other adjacent product categories to broaden their platform and consolidate other standalone vendors. Each is executing their strategy in a slightly different way with varying levels of (early) success. We'll cover some of the nuances as we break down the earnings for each company.

2022 Cybersecurity Annual Earnings Recap (Part 2)

From Qualys's annual earnings press release:

Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced financial results for the fourth quarter and full year ended December 31, 2022. For the quarter, the Company reported revenues of $130.8 million, net income under United States Generally Accepted Accounting Principles (GAAP) of $28.3 million, non-GAAP net income of $38.9 million, Adjusted EBITDA of $55.1 million, GAAP net income per diluted share of $0.74, and non-GAAP net income per diluted share of $1.01. For the full year ended December 31, 2022, the Company reported revenues of $489.7 million, GAAP net income of $108.0 million, non-GAAP net income of $146.5 million, Adjusted EBITDA of $218.6 million, GAAP net income per diluted share of $2.74, and non-GAAP net income per diluted share of $3.72.

"We are pleased to report another quarter of strong revenue growth, profitability, and cash flow generation," said Sumedh Thakar, president and CEO. "In 2022, we continued to innovate, introducing new applications as well as enhancing existing applications, to further strengthen our market position in the cybersecurity space. As validated by the 2022 SC Awards having named Qualys' Vulnerability Management, Detection and Response as the Best Vulnerability Management solution, we believe that our natively integrated platform that is detecting, remediating, and reducing cyber risk brings a highly differentiated value proposition to organizations and positions us well for durable profitable growth."

Qualys's recent financial performance has been much better than the overall tone of the earnings call. Their financial performance is nicely summarized in a chart from their investor deck, which compares Rule of 40 calculations across peers in both cybersecurity and SaaS:

2022 Cybersecurity Annual Earnings Recap (Part 2)
Source: Qualys Q4 2022 Investor Presentation

Qualys maintained this level of financial performance despite being (in their own words) focused on investments in R&D and sales and marketing. From CFO Joo Mi Kim:

2022 was another notable year of product innovation for Qualys as we continued our product leadership while growing revenues by 19%, maintaining our gross margin at 81% despite inflationary pressures, and generating EBITDA margin of 45%. While our profit margin was well-above our industry peers, 2022 was a year of investment for Qualys with both R&D and sales and marketing growing faster than revenues.

I summarized the strategy behind their investments during a previous analysis of their earnings:

Qualys is at an interesting juncture as a company. They have long been known for vulnerability management, dating all the way back to their beginnings in 2000 when they became the first SaaS-based vulnerability management platform. They're a market leader in vulnerability management, but the company has struggled with growth relative to top performing cybersecurity companies…

Qualys is a notable exception among public cybersecurity companies because they're profitable at the expense of growth. To increase growth, they are now pursuing a broader platform strategy with product consolidation as its primary value proposition.

Just over a year later, their platform strategy is starting to shape up. The company is still a work in progress (one of the major themes from the annual earnings call), but there's a lot to learn from their transformation.

Enterprise buyers want consolidation and quantifiable outcomes.

Add Qualys to the list of cybersecurity companies with consolidation as a major theme on the earnings call. In the words of CEO Sumedh Thakar:

I’ve met with over a hundred CISOs over the past few months, and their message is clear; they are looking to pivot to a platform-based solution to solve their complex security problems.

They went as far as publishing a slide showing exactly which vendors and categories their cloud platform can consolidate:

2022 Cybersecurity Annual Earnings Recap (Part 2)
Source: Qualys Q4 2022 Investor Presentation

Their roadmap for consolidation is more illustrative than reality at this point. Outside of Qualys's core vulnerability management capabilities, other areas of the platform are still maturing. For example, their endpoint security product isn't yet mentioned or included in Gartner's latest Magic Quadrant for Endpoint Protection Platforms. However, this visual is a clear demonstration of the company's vision and strategy.

Signs of progress are starting to show. Sumedh Thakar discussed customer perception of their platform and strong growth in large accounts:

As more and more customers are beginning to perceive Qualys as a leading security platform they can leverage to solve their complex and difficult security problems, we are growing increasingly confident in our ability to drive growth and gain market share.

This is evidenced by the continued growth in our large customer spend, with customers spending $500,000 or more with us growing to 116 in Q4 up 27%, from a year ago.

This theme is consistent with several other large cybersecurity companies. However, Qualys's large account growth comes with a tradeoff: they're struggling with mid-market and SMB customer segments. More on this later.

Sumedh Thakar shared one of the most insightful perspectives I've seen on consolidation during this year's earnings calls:

…everybody is talking about security budgets and the layers being added and the scrutiny, but really it's a question of the spend that you're putting in security is that giving you meaningful outcomes from a risk reduction perspective and that's really the question that's being asked.

If we're going to spend this money, are we getting a risk reduction? And that's where the TruRisk that we introduced last year and the enhancement that we have done now, it has resonated well with the CISOs, because now we're able to give them risk score and they're able to actually tie the spend that they're doing to bring that risk score down and really able to quantify how that investment is making sense.

So it's not just the projects in security you're executing, but what is the outcome that you are bringing? And I think that's kind of what's resonating with our customers.

Risk quantification (and the topic of measurement, more broadly) has always been a tricky subject in cybersecurity. In difficult economic periods, business leaders want their CISOs to measure and quantify spend and outcomes. There's no way around it, even though it's difficult to do in this profession.

Qualys is facing challenges with economic uncertainty, especially in mid-market and SMB.

Qualys's leadership team talked a lot about the impact economic uncertainty had on the company during Q4 2022. Their assessment and 2023 guidance couldn't have been more blunt. From Joo Mi Kim:

Q4 was a tough quarter for us. As Sumedh mentioned, it was lower-than-expected bookings performance. And what we've assumed in the 2023 guidance is that that condition continues.

Their specific challenges seem to lie in mid-market (SME) and small business (SMB) sales. Another pointed analysis from Joo Mi Kim:

…where we've seen the lack of growth and the inefficiency if you will is on the SME and SMB space, where if you take a look at as an example, customers who spent less than $20,000 with us, the count really didn't grow that much and that's been a drag on our business. That's where we're really focused on right now with the new product and packaging, we knew that there was friction.

The company seems to be caught in the middle of top-down enterprise sales and bottom-up adoption with Product-Led Growth (PLG). Two anecdotes show the tension. First, operating expenses skyrocketed in Q4 because of spend on sales and marketing:

Operating expenses in Q4 increased by 25% to $58.4 million, primarily driven by the growth in sales and marketing investments including higher headcount and related costs as well as spend on trade shows.

However, Sumedh Thakar mentioned product-led growth and alignment of product marketing multiple times on the call:

…aligning product marketing, product management, product market being and driving more product-led growth, we believe we can use our platform itself as a way to create more opportunities for our sellers to show the value prop much more quickly.

In cybersecurity, it's hard (but not impossible) to have both top-down and bottom-up adoption. Companies like Cloudflare (discussed in Part 1), HashiCorp, and others have done it with varying degrees of success. Qualys is aiming to be one of the rare companies that has both sides of the growth equation working.

Qualys is well positioned for vulnerability management in hybrid environments.

Qualys introduced TotalCloud in October 2022, officially marking their entry into the hot Cloud-Native Application Protection Platform (CNAPP) market. The launch was partly fueled by the company's Blue Hexagon acquisition in October 2022.

Sumedh Thakar gave some commentary about both on the earnings call:

Additionally, TotalCloud, which is our cloud-native risk management solution for public clouds, is now GA, and since our acquisition of Blue Hexagon in October, we’ve already added a new Cloud Detection and Response module to our TotalCloud solution.

As organizations increasingly prioritize moving workloads to hybrid and multi-cloud environments, we view this new ML/AI-based technology for zero-day threat hunting and response as another strong competitive differentiator in a rapidly evolving market.

For all the hype about cloud security and the well-funded companies in this market, a practical problem remains: large enterprises are going to have material amounts of on-premise infrastructure for a long time. We're probably talking decades.

That's a tough dilemma for both security leaders and product companies during this long and unpredictable period of transition. Cloud security products aren't built for on-premise environments. Yet security leaders need to keep both types of environments secure.

Enter Qualys — a company originally built for on-premise infrastructure, yet early enough and agile enough to adapt their vulnerability management product into a SaaS offering. Sumedh Thakar shared several interesting comments about how enterprises with hybrid environments are behaving:

…customers are looking for flexibility moving workloads from on-prem into cloud multi-cloud and back…

…feedback has been very positive because of the comprehensiveness of the scanning capability that we bring and sort of just focusing on a snapshot-only scan or agent-only scan, we're giving them the most flexible options.

Our large enterprises are excited about it instead of looking at cloud-only security solutions that only give them visibility near the cloud. Most companies applications have or hybrid some of it is in cloud some of it is in on-prem, and they want to see the overall risk…

Even with the buzz and large financing rounds in cloud security, Qualys has an important role to play as an established leader in vulnerability management and adjacent domains.

2022 Cybersecurity Annual Earnings Recap (Part 2)

“Rapid7 ended the year with revenue, operating profit, and free cash flow that exceeded our targeted ranges. Amidst an evolving economic landscape, we see customers continuing to expand their wallet share around our leading Insight platform, with ARR per customer growing double-digits from the prior year,” said Corey Thomas, Chairman and CEO of Rapid7.

Rapid7 is delivering solid financial results despite being a company in transition from its well-known vulnerabilty management product to a multi-product Security Operations company. A quick summary of revenue growth from CFO Tim Adams:

Full year revenue of $685 million grew 28% over the prior year and exceeded the high end of our guidance range.

The company's strong FY22 performance was somewhat overshadowed by rumors of an acquisition. Let's get straight to that.

Rapid7's leadership team didn't comment on acquisition rumors…but let's discuss them anyway.

The most significant news about Rapid7's annual earnings was barely discussed on the earnings call. On February 1st, Reuters reported the company is exploring a take-private sale. Investors liked the idea — Rapid7's stock price jumped 31% on the day the news surfaced:

2022 Cybersecurity Annual Earnings Recap (Part 2)
Source: Google Finance

Comments on the rumored acquisition was the first question out of the gates for the analyst Q&A portion of the call. Unsurprisingly, CEO Corey Thomas wasn't able to address the question directly, but his commentary gave some important context:

…we have a pretty massive opportunity in front of us, and we’re executing well against this. In that context, it’s not a shocker that people will talk about us, because we have both a good opportunity, and we’re well positioned to actually capture that opportunity in the broader market. That said, we just have a policy [of not commenting] on numerous speculation and we’re going to continue that.

In this current phase of large cybersecurity take-privates, these are the exact criteria private equity buyers are looking for. Rapid7 isn't financially performing on the level of the very highest performers in cybersecurity, but it's a quality company with well-established assets in vulnerability management and pentesting to build from.

Moving beyond the earnings call and into speculation about what a take-private sale might look like, two analysts provided important commentary about the deal structure. First, from Matt Hedberg at RBC:

While we wouldn't expect RPD to go for a multiple as high as that of SAIL, given its SaaS mix-shift, strategic pivot away from VM to DevSecOps and positive margins, for reference, 8.0x EV/NTM revenue would imply ~$90 per share.

Next, from Fatima Boolani at Citi:

RPD's inferior financial profile/end-market dynamics vs. recent cyber M&A does cast the 8-9x EV/S transaction precedents as a high watermark, in our view, but we think the rest of the aforementioned ingredients at work do offer credible reasons for a potential transaction outcome.

Both analysts are pointing out that the deciding factor for an acquisition would likely boil down to the valuation and underlying factors that drive the multiple. The 8-9x EV/NTM multiple referenced by both analysts implies the acquisition price could be well over $10 billion.

We've seen transactions of that size happen recently. Proofpoint's acquisition by Thoma Bravo is a good comparison in terms of company size. Revenue as of the company's 2020 fiscal year (its last full year of reporting as a public company) was $1.05 billion — compared to the $685 million in revenue just reported by Rapid7 for its 2022 fiscal year. Thoma Bravo paid $12.3 billion for Proofpoint.

Several factors have to align for a deal of this size to materialize, so it's hard to predict what will happen with Rapid7 in 2023. This is definitely the headline to monitor, though.

Rapid7's focus for consolidation is on increasing ARR per customer.

Like many other public cybersecurity companies, Rapid7 is executing its own strategy for building a multi-product portfolio to drive vender consolidation among its customers. They took a slightly different approach to explain their strategy. It's worth a quick look.

Rapid7's leadership team believes there is a lot of upside for ARR growth at existing customers:

2022 Cybersecurity Annual Earnings Recap (Part 2)
Source: Rapid7 Q4 2022 Investor Presentation

The graphic illustrates that the path towards ARR growth is through vendor consolidation. For Rapid7, this means extending beyond their traditional entry point of vulnerability management to upsell additional products in their platform.

On the earnings call, Corey Thomas explained their strategy and clarified how vulnerability management — the product Rapid7 is most well known for — fits into the company's broader product strategy:

Our strategy is pretty straightforward. As we are taking a cloud-first because that’s what strategic assets are as we go forward, and a holistic risk view and a holistic threat view of the environment.

In that context, vulnerability management is strategic. We have people working on that. We have teams who are dedicated to it. But it is a feature and component of our platform.

We are a SecOps cloud-first company that actually offers vulnerability management as a part of our platform that allows people to have the visibility that they need to manage our overall security. As part of that overall strategy, it is just a part of our offering included in the price point.

Proactively driving consolidation is important enough that the company's sales metrics are weighted towards increasing ARR per customer over adding new customers, at least for the near term. Again from Corey Thomas:

…we have an increased focus with our consolidation offerings on our installed base across the company…

…we do expect internally to see a much heavier weighting towards ARR per customer versus new customer adds because we have a pretty good installed base is actually looking to actually consolidate that we have great relationships with, and is looking to be oriented towards the future that’s actually more cloud-based.

We’ll add customers in the future. But right now, we’re heavily focused on ARR per customer.

While this may sound like a conservative "protect the base" strategy, it's probably the best thing for the company to do as it transforms its product portfolio and, you guessed it, navigates an uncertain econoy in 2023.

More concerns about the economy in 2023, but from a customer point of view.

Add Rapid7 to the long list of company leaders with concerns about the economy in 2023. We don't need to keep discussing that.

The insightful part about Corey Thomas's commentary was how he articulated the mindset of a customer and how they're thinking about the impact to their organizations:

Customers continue to face an evolving and complex threat landscape and there remains broad-based executive and board level support for cybersecurity projects. Despite this fundamental demand, the ability to obtain incremental budgets for these projects has gotten more difficult in the current environment.

As a result, CISOs are being forced to scrutinize and prioritize our budgets, driving longer deal cycles and more uncertainty around deal timing as contracts take longer to push through procurement. This dynamic is exacerbated by the increasing size of our deal opportunities as we gain traction as a platform consolidator.

Despite a challenging budget environment, we're seeing certain tailwinds gain traction. Constrained security budgets are accelerating customers' focus on security vendor consolidation with greater value being placed on the efficiency and impact of integrated platform technology in a fragmented IT landscape.

So, budgets are generally stable, but not increasing. And buyers are heavily scrutinizing and prioritizing every dollar they spend.

Further complicating the problem, security has some domain-specific challenges with wage inflation and manual processes:

…what we actually see is…every organization is trying to figure out how to get a handle on spending. It really comes down to sort of like two big things. As you said, security is one of the bigger wage inflationary areas. So they’re actually trying to figure out how to actually think about managing the fact that they've got a lot of overhead and an expensive talent market, so how to manage that. And there’s lots of actually security tools that require a lot of manual interaction.

We actually tackle both of those, which is why we believe that we actually have lots of leverage over the mid and the long-term is from a core platform perspective, we built a broad platform, but we have the core capabilities that mostly we have a heavy automation focus that’s really focused on driving the productivity of our customers and security operations across vulnerability management, across cloud security and a cost detection and response.

It's an interesting conundrum that partially explains the cybersecurity industry's (relative) level of durability so far during the economic downturn.

2022 Cybersecurity Annual Earnings Recap (Part 2)

From Tenable's annual earnings press release:

Tenable Holdings, Inc. (“Tenable”) (Nasdaq: TENB), the Exposure Management company, today announced financial results for the quarter and year ended December 31, 2022.

“We are very pleased with our Q4 results as we exceeded our expectations on the top and bottom line,” said Amit Yoran, Chairman and CEO of Tenable. “We are seeing incredible traction with Tenable One, which helps customers understand and reduce risk across the interconnected attack surface. Product innovation, coupled with continued focus on financial performance, including strong free cash flow generation, position us well in this fluid market.”

Tenable is in an interesting place as a company — now well into their transition from the company's founders to the next generation of leadership. They're also firmly established as a multi-product company that has successfully built upon its vulnerability management roots (with Nessus) and is now seeing early financial results on an integrated security platform.

In many ways, Tenable is the precursor to HashiCorp in our industry — a company with strong open source roots (Nessus, in the case of Tenable), that grows through bottom-up adoption, and successfully builds a company around the open source offering.

All of this adds up to the positive momentum the company talked about on its 2022 annual earnings call. Their Tenable One platform offering is working, and the company's financial and competitive landscape is seeing positive changes as a result.

Tenable is one of the few companies who had a good Q4 and is optimistic about 2023.

Tenable turned in strong financial performance for its 2022 fiscal year with full year revenue of $683.2 million, a 26% year-over-year increase. In the current economic environment, they'll get some scrutiny from analysts for a $92.2 million net loss on the year. I'd rationalize it by saying they're in a position to take market share and need to sustain growth-level investments longer than companies in other less competitive markets.

Their 2022 results speak for themselves — Tenable is one of the only companies with strong momentum and (relative) optimism heading into 2023. Look no further than Q4. From CEO Amit Yoran:

Additionally, we had another strong quarter with large deals as we added 140 net new six-figure customers, which is a record for us and is up 40% year-over-year.

Even more importantly, the number of six-figure deals accelerated throughout the year, further validating our corporate strategy and demonstration of the momentum we are building.

And more specifics from CFO Steve Vintz:

Underpinning our better than expected topline results is strong customer demand. Specifically, we added 571 new enterprise platform customers and 140 net new six-figure customers in Q4. While both metrics are exceptional, large deals, in particular, grew 40% year-over-year.

How did they do it? By executing a strategy of channel partnerships and layering on multiple products beyond their core vulnerability management offering — long before it was needed. From Steve Vintz:

The takeaway here is the investments we've made over the years to build a vast ecosystem of partners and extend our global reach allow us to effectively serve customers of all sizes in most major markets for traditional VM or increasingly for unified risk and exposure management.

When turbulent economic conditions hit, it's too late to jumpstart growth strategies like channel partnerships and product portfolio expansion. Both of these take time to develop, and Tenable was fortunate and intelligent enough to start both at the right time.

For Tenable, this adds up to confident CFO and lots of optimism about 2023:

…we're delighted with our results for the quarter, which gives us a lot of confidence heading into 2023. We're beating the top and bottom-line, added hundreds of new customers and closed a record number of large deals in one of the most highly dynamic markets we see in many years.

Tenable One's early success is driving the strategy and narrative around vendor consolidation.

Every cybersecurity company has talked about vendor consolidation in annual earnings calls, but Tenable has one of the most concrete and data-driven narratives around their story. There are several factors in play that span product strategy, a paradigm shift in vulnerability management, and macroeconomic conditions.

First, a few comments on product strategy and positioning from Amit Yoran:

As the market leader in vulnerability management, we're seeing great demand in the market, including new customer acquisition, renewals, and expansions. Our years of leadership in VM has put Tenable in a great position to target bigger, more strategic deals as customers continue to move beyond traditional VM to understand and reduce their cyber risk. We believe this thesis is driving the acceleration of six-figure deals.

Every security practitioner knows about Nessus and Tenable. They walk into any company or opportunity with instant credibility in their core vulnerability management market. That's a great start, but the trend Yoran mentioned about customers moving from traditional VM to broader cyber risk management is what's important going forward.

Another way to think about this mindset shift is the idea of preventative security — identifying vulnerabilities earlier in their lifecycle, often before a CVE is even created. He went on to explain this paradigm shift, why it's hard, and how Tenable is positioned to win:

Operationalizing preventative security has been an objective in the market for a long time. It's really hard to do and it requires a deep understanding of vulnerabilities, context and prioritization. It's our long history of understanding exposures at a very deep level that uniquely positions us to deliver on this objective.

[Customers] can look at a more complete understanding of cyber exposure, a more complete perspective of risk, a much more compelling set of analytics, including attack path analytics and asset inventory types of things, which they haven't historically gotten with the vulnerability management program.

We're still in the early days of this paradigm shift, but it's an important one. The companies (public, startups, or otherwise) who lead the transition from traditional VM to proactive, risk-based exposure management are going to thrive.

Finally, Tenable has a logical story behind market conditions and how consolidation benefits them. What stands out to me is how much more specific they were about exactly how they drive vendor consolidation. From Amit Yoran:

…by [customers] increasing their Tenable One spend to cover not only traditional VM, but also look at a cloud-based assets or also looking at their identity, we can offer them some volume-based pricing, which ends up being much more attractive than going to one vendor for VM, going to another vendor for external attack surface management, going to another vendor for cloud security. So, we're seeing great leverage in go-to-market function, and it really has been resonating with customers. We expect that trend to continue, if not accelerate.

There was no complaining about budgets or delayed sales cycles. Yoran's point of view is that budgets are there if you can demonstrate the value and benefits of consolidation:

So, customer budgets are there. I think to the extent that we can become a cost-effective vendor consolidation platform play for them. There's a lot of interest, a lot of strategic dialogue around that. And I think customers are very excited about some of the newer analytics that we've introduced with Tenable One.

All three of these factors add up to Yoran being confident about the future of Tenable One and the impact it will have on the company in 2023:

So, we look forward to updating you during the course of the year, but I feel like Tenable One looks like it will continue to play a larger and larger factor throughout the year and going into next year.

Tenable's competition is shifting from traditional vulnerability management companies to broader security platforms.

A less obvious theme from Tenable's annual earnings discussion was the changing dynamics around their competition. At a high level:

  • There is some uncertainty around Tenable's traditional competitors in the vulnerability management market.
  • Other large cybersecurity companies are building vulnerability management products, bringing new competition to Tenable's core market.
  • Tenable is continuously broadening its product portfolio with Tenable One, igniting new competitions in markets outside of vulnerability management.

First, the existing vulnerability management market. Amit Yoran was asked about Tenable's competition and the acquisition rumors surrounding Rapid7. He wasn't able to comment directly, unsurprisingly, but did offer this:

Yes, I mean, obviously, we wouldn't speculate about that, but I feel really good about the competitive environment. We are pretty consistent saying that we have exceptionally strong win rates especially in this market against our primary competitors. That remains — those win rates remain exceptionally strong.

And while we don't have a specific update to that, I'd say anecdotally, continues to climb in the sales team feels exceptionally confident going into any VM opportunity, but those are really ours to lose. And candidly, they feel like Tenable One gives them a very significant value differentiated capability to talk about as well.

This is anecdotal, and obviously unsurprising to hear such confidence coming from a CEO, but interesting nonetheless during a time where a lot of other leaders aren't feeling confident or optimistic.

An analyst asked about increased competition from other large cybersecurity companies starting to offer vulnerability management products. Amit Yoran summarily dispatched them:

Yes, there's been a lot of vendors over the course of years, making a lot of noise about VM going back four, five-plus years, Tanium, CrowdStrike, Microsoft others. And what I would tell you is they make noise. We see them for a quarter or two and then very quickly their sales team understand that their products are inferior and they start gravitating to their core markets and candidly, where their companies are investing much more aggressively in logging, SEIM, and elsewhere.

So, especially in a product like VM where independent audit is an important function and where we feel like we've got a quantitatively and qualitatively differentiated product and experience and understanding the enterprise. We almost never see those larger IT vendors participating and certainly never see them beyond a first phase of competition.

This is hilarious commentary for an earnings call. Banter aside, Tenable clearly doesn't view this type of competition as a serious threat. I don't take this as being overly dismissive, either — just that Tenable's leadership team is aware of their market leadership position.

Finally, Amit Yoran discussed competition and market opportunities in two new markets — Identity Threat Detection and Response (IDTR) (Note: My words for the market, not his.) and Operational Technology (OT). Here's what Amit Yoran said about IDTR:

Active Directory is a trick and mess to deploy in any large environment and almost impossible to keep clean when you look at the number of pieces of software and the complexity of Active Directory, the number of pieces of software we should modify as they get installed into an enterprise environments.

So, having a solution — and most organizations don't have a solution in this area. The security teams know it's a big problem. They maybe do a consultant and an annual audit or assessment of their Active Directory environments, which is clearly not enough.

So, we feel like there's tremendous market opportunity. The sales team has a lot of confidence in the Active Directory product and bringing it into customers. We had a great quarter with Active Directory in Q4. So, excited about the potential, both in 2023 as well as Active Directory playing an increasingly large role in Tenable One and some of the analytics that we're unlocking with Active Directory and identities.

The overview of the problem is absolutely correct — every large organization struggles with securing and maintaining their Active Directory domains. I also agree about the market opportunity.

The interesting part about competition is that ITDR (Identity Protection, in CrowdStrike terminology) is that it brings Tenable into competition with non-tranditional competitors. CrowdStrike and SentinelOne are both heavily invested in this space, as I discussed in detail during my review of both companies' annual earnings last year.

There are also several well-funded startups competing in this space, including Authomize, Oort, Semperis, Spera, and more. The strategic question is whether security leaders want to buy these products from security platform companies like Tenable and others or standalone companies.

Finally, Amit Yoran described new competition in OT like this:

In terms of competitive dynamics and competitive landscape, I'd say we're predominantly competing against just a small number, two or three private pure-play-focused vendors in the OT space. We feel like our technology is compelling and really leads the market when it comes to looking at the converged IT/OT environment.

So, if you look at a factory floor today or if you look at pipeline operations or other OT environments, they are exclusively OT. They have a bunch of IT systems, IT control systems in those factory floors as well. And so we're, I think, unique in our ability to deliver incredible insight for overall risk of facility, which would include both OT and IT, and we think it's a significant competitive advantage for us.

There is a similar theme here: when security leaders are buying OT security products, do they want to buy it as part of a platform, or from a pure-play company in the space? Time will tell, but it's interesting to think about now.

Overall, it's an exciting time for Tenable, especially as they head into 2023 with a lot of positive momentum and traction in new product categories.

*** This is a Security Bloggers Network syndicated blog from Strategy of Security authored by Cole Grolmus. Read the original post at: https://strategyofsecurity.com/2022-cybersecurity-annual-earnings-recap-part-2/