Tenable Holdings, Inc. (TENB) CEO Amit Yoran on Q3 2018 Results - Earnings Call Transcript

|
About: Tenable Holdings, Inc. (TENB)
by: SA Transcripts

Tenable Holdings, Inc. (NASDAQ:TENB) Q3 2018 Results Earnings Conference Call October 30, 2018 5:00 PM ET

Executives

Andrea DiMarco - VP, Investor Relations and Strategy

Amit Yoran - Chief Executive Officer

Steve Vintz - Chief Financial Officer

Analysts

Sterling Auty - JPMorgan.

Melissa Franchi - Morgan Stanley

Gray Powell - Deutsche Bank

Gur Talpaz - Stifel

Jonathan Ho - William Blair

Daniel Ives - Wedbush Securities

Operator

Greetings, and welcome to the Tenable Third Quarter Earnings Call. At this time, all participants are in a listen-only mode. A question-and-answer session will follow the formal presentation. [Operator Instructions] As a reminder, this conference is being recorded.

I'd now like to turn the conference over to your host, Andrea DiMarco, VP, Investor Relations and Strategy.

Andrea DiMarco

Thank you, operator, and thank you all for joining us on today's conference call to discuss Tenable's financial results for the third quarter of 2018. With me on the call today are Amit Yoran, Tenable's Chief Executive Officer; and Steve Vintz, Chief Financial Officer. Prior to this call, we issued a press release announcing our third quarter 2018 financial results. You can find this press release on the IR website at tenable.com.

Before we begin, let me remind you that we will be making some forward-looking statements during the course of this call, including statements relating to Tenable's guidance and expectations for the fourth quarter and full year 2018, growth drivers in Tenable's business, changes in the threat landscape in the security industry and our competitive position in the market, growth in our customer demand for and adoption of our solutions, Tenable’s expectations regarding long-term profitability, and planned innovation and new products and services.

These forward-looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. You should not rely upon forward-looking statements as a prediction of future events. Forward-looking statements represent our management's beliefs and assumptions only as of today and should not be considered representative of our views as of any subsequent date. We disclaim any obligation to update any forward-looking statements or outlook.

For a further discussion of the material risks and other important factors that could affect our actual results, please refer to those contained in our most recent quarterly report on Form 10-Q filed with the SEC filings on September 7, 2010 and subsequent reports that we file with the SEC, which are available on the SEC website at sec.gov.

In addition, during today's call, we will discuss non-GAAP financial measures. These non-GAAP financial measures are in addition to and not a substitute for, or superior to, measures of financial performance prepared in accordance with GAAP. There are a number of limitations related to the use of these non-GAAP financial measures versus their closest GAAP equivalents. Our press release that we issued today includes GAAP to non-GAAP reconciliations for these measures.

And now let me turn the call over to Amit.

Amit Yoran

Thank you, Andrea, and thank you everyone for joining us on the call today. I’m pleased to share that Tenable delivered another strong performance in our second quarter as a public company. Revenue grew 42% year-over-year to $69.4 million and calculated current billings grew 35% year-over-year to $86.7 million.

We continue to expand our leadership position as we define the Cyber Exposure market. As Steve will detail in a moment, we’re raising our guidance for the full year based on our third quarter results and positive outlook for the remainder of the year.

Our third quarter saw continued strength in demand for both Nessus Professional and our enterprise platform offerings, Tenable SecurityCenter and Tenable.io which you’ll hear me refer to at SC and IO for short. Enterprise demand was strong across a wide range of verticals including strong performance in the seasonally strong fed sector as well as in each of our major geographic areas of operation.

The end result was continued strong volume with the addition of over 200 new enterprise platform customers in the third quarter. We also saw the continued adoption of Tenable as a strategic enterprise platform for Cyber Exposure, as evidenced by the addition of 47 new six figure customers. We also added to our seven figure customer base during the quarter.

Before we move on to customer highlights, we appreciate that many investors are still relatively new to the Tenable story. So I would like to take a few minutes to reiterate what we do and why customers choose Tenable for their Cyber Exposure strategy. Cyber Exposure builds on our roofs in vulnerability management and expands our value proposition in two key ways: The breadth of visibility across a wider set of asset types and the depth of analytics to better understand and communicate Cyber Exposure to the business, both of which are critical to accurately assessing cyber risk.

One of the biggest drivers for our market continues to be organizations moving to new technologies such as web applications, cloud infrastructure, DevOps, containers, and microservices, IoT and automation of operational technologies. These non-traditional IT assets are growing rapidly and by nature may introduce more risk. They cannot be assessed for vulnerabilities and security issues with traditional methods such as active and agent-based scanning. Tenable is well-positioned to capitalize on this long-term shift since we are able to help organizations address their Cyber Exposure regardless of where they are in their digital transformation journey. We provide visibility into organizations’ Cyber Exposure across the widest breath of assets, spanning IT, cloud, IoT and safety with critical OT, with the series of analytic capabilities that help customers prioritize and manage their Cyber Exposure and translate vulnerability data into business insights.

Our platforms can be deployed either on-premises or in the cloud depending on customers’ needs. Together our platforms assess millions of assets for over 24,000 customers around the globe. As I noted upfront, we are seeing strong demand for both SC and IO. The momentum of IO is robust as many customers have a cloud-first mentality. But we also continue to see strong demand for our on-prem SC offering. In fact a growing number of customers are expanding their on-prem deployments to include modern asset types. Tenable is well-positioned to cover these expanding use cases with a wide range of deployment options.

With that, I would like now to highlight a few noteworthy use cases and a few new six figure customer wins in the quarter. Our first new customer example is a multinational Fortune 500 engineering and manufacturing company. This company had deployed a legacy VM solution from a competitor. But over the years became increasingly concerned that they were not getting comprehensive scan results. The customer told us the Tenable.io was selected to support their Cyber Exposure strategy due to our comprehensive vulnerability assessment capabilities, our seamless integration and our flexible reporting features, in addition to our ability to help them improve their assessment of cyber risk holistically across modern asset types such as containers and web applications.

In another example, a large not-for-profit organization purchased both SC and IO. This customer had been using a competitor with limited reporting capabilities to measure and communicate cyber risk. Organization wide initiatives to migrate to the cloud proved challenging for their legacy solution with the reporting and scale limitations. Tenable’s solution allows the customer flexibility between SC and IO as business requirements for moving to the cloud evolve over time. The satisfied customers’ immediate goals for better data, and better reporting and we’re able to provide them a path to the cloud on IO. IO also solved their AWS VM requirements.

We also continue to expand our relationship in the public sector. Over the years we’ve worked hard to build a clear leadership position in the public sector and we continued to strengthen that lead during the third quarter. We closed several significant deals across US federal government, including within DoD, intelligence community and civilian agencies highlighted by new six figure competitive displacement with a large civilian agency of the US government. It was a very strong quarter with respect to both renewing and expanding our relationships with existing fed customers. We also have continued to be the predominant solution under DHS' Continuous Diagnostics and Mitigation program or CDM for short. In addition, we sold our first industrial security deal within the federal government.

In expansion we’d like to highlight the enterprise sector occurred with a large global payment processor. After cobbling together multiple VM solutions for years this customer purchased both SC and IO last year. Less than eight months later they expanded coverage by almost 50% to cover a recently acquired data center. In Q3 they expanded coverage by another 250% to include their mission-critical production environment. This is a great example from a customer shifting for multiple tactical VM solutions to our strategic Cyber Exposure platform which encompasses a range of IT assets in modern compute platforms such as cloud environments, and this type of story is one that we hear regularly.

We also closed an expansion deal with a European manufacturer operating in 50 countries. This customer purchased IO last year as an upsell from their Nessus Pro helped them cover assets in their European and Asia Pacific operations. This year they extended coverage by almost 2x to cover their US operations in an attempt to have a more holistic platform for visibility across their globally distributed assets. This is not a typical expansion for Tenable.

We’re also seeing increased global interest in our platform for operational technologies with notable focus in industrial security wins from within the federal government and energy sectors including one of the largest wind power producers in EMEA. While these initial control system deals do not represent a significant portion of our enterprise business, they’re very important strategically and highlight a long-term growth opportunity for Tenable.

Overall, the breadth of these customer examples reflect strong momentum across our major platforms with new and existing customers across a diverse set of verticals as well as geographies.

In addition to our customer wins, we’d also like to highlight some of our product innovations and recognitions. We’re honored that Tenable recently received the Growth Excellence Leadership award from Frost & Sullivan that underscores our continued leadership in the core vulnerability management market, and equally importantly, recognizes the differentiated depth and breadth of our Cyber Exposure strategy. They highlighted our comprehensive visibility into traditional and modern IT and OT assets and our product innovations such as IO and industrial security.

Focus and innovation within Cyber Exposure market are foundational for Tenable. We believe a core reason for our success in differentiation from our competitors is that while others diversified into multiple security markets Tenable has doubled down to drive innovation and vulnerability management.

During the third quarter, we upgraded our VM solutions with features that strengthened integration, enhanced usability and increased coverage of assets. We released Tenable SecurityCenter 5.7 adding integration capabilities for privileged access management, enhanced capabilities for mobile workforce at scale and updates in the Nessus agents. We also released several highly innovative features focused on Nessus Professional. Nessus 8 added live results. It’s a real time update that virtually eliminate time to assess vulnerabilities through inferences based on existing scanned metadata even when disconnected from the network. Nessus 8 customers will also benefit from the grouped view, a feature designed to group issues into a single thread to help customers better manage workloads.

Nessus has cemented its position as the industry's most widely used vulnerability assessment solution for applications with nearly twice as many security teams using the solution at any other competitive offering. This provides Tenable with incredible market awareness and credibility with security professionals.

We also significantly increased our coverage of OT devices. Our latest passive Network Monitor release for industrial security extended our OT device coverage by several thousand, including devices from Siemens, Schneider, Rockwell, Honeywell, Mitsubishi and many other leading ICS and stated device manufacturers.

During the quarter, we also enhanced our strategic security alliance with ServiceNow with new bidirectional integrations for both SC and IO. Our new integration with their vulnerability response module provides customers with a closed loop remediation process from discovering machine to finding the vulnerabilities to orchestrating patching to verifying successful remediations. Our new integration also includes bidirectional assets syncing from Tenable.io directly to ServiceNow CMDB helping to ensure the security teams receive the same level of visibility as IT teams into assets across the modern enterprise. And our new integration gives customers the ability to directly import Tenable.io vulnerability data into ServiceNow with its ITSM and workflow for faster remediation.

Lastly, we continue to advance the development of our Cyber Exposure scoring benchmarking and peer comparison product Lumin. We believe that Lumin will enhance our ability to help customers measure and benchmark their Cyber Exposure book over time and against their peers. Lumin is designed to provide our customers with strategic decision support they need to properly align security and IT business objectives.

Now, let me turn the call over to our Chief Financial Officer, Steve Vintz, and then I'll come back to summarize at the end.

Steve Vintz

Thanks, Amit. Let me now dive deeper into Tenable's third quarter 2018 financial results and our business outlook. I'll begin by reminding you, that except for revenue, all financial results we will discuss today are non-GAAP, unless otherwise stated. As Andrea mentioned at the start of this call, GAAP to non-GAAP reconciliations of these financial measures can be found in our earnings press release issued earlier today.

Revenue for the quarter was $69.4 million, representing a 42% growth over the same quarter last year, and it’s also above the high end of our guided range. Revenue was higher than expected due in part to better calculated current billings in the quarter as well as strong intra-quarter flow. Its also worth noting that 89% of our revenue in Q3 was recurring which is a benefit of our subscription model.

As you may recall, we include revenue from subscription and maintenance contracts in recurring revenue but exclude professional service and perpetual license revenue in this definition as such amounts are not available for future renewal.

Since we are on the topic of perpetual licenses, as a reminder, under ASC 606, we recognized revenue from perpetual licenses ratably over five years versus revenue recognition upfront previously.

I briefly mentioned our subscription model earlier. But once again as a reminder, we sell our software primarily on an annual subscription basis with a term that is generally one year and less, although some customers prefer multiyear contracts. Substantially all of our contracts are paid upfront. The value of a contract can be based on the number of IPs or assets purchased.

Now with that as a backdrop, I want to walk you through our calculated current billings. Since swings in the percentage of billings for multiyear prepaid contracts can meaningfully skew growth in total billings higher or lower in a given period, we believe calculated current billings is a better proxy of the underlying momentum of the business and generally correlates to annual contract value or ACV, which is how we manage the business.

Calculated current billings, defined as the change in current deferred revenue plus revenue recognized in a period, grew 35% on a year-over-year to $86.7 million in the third quarter of 2018. This growth in scale is a testament to the growing strategic importance of VM and the broader Cyber Exposure opportunity that we are addressing.

For Q3 in particular, which is the end of the US government's fiscal year we are very pleased that federal contributed over 20% of our total billings in the quarter. This is consistent with our continued position and strength this market. Now while fed sales do seasonally trend higher in the quarter, the third quarter, fed typically represents less than 15% of our total annual billings. Amit highlighted earlier our success in the federal market, but in short, we are very pleased with our growing presence in this important sector.

In addition to the public sector, let's discuss some other growth drivers for the quarter. In simple terms this comes down to winning new customers, retaining customers and growing the value of our relationships with customers.

In the third quarter, we added 258 new enterprise platform customers, which is relatively consistent with last year. While we had a strong quarter with expansions in our customer base we added a significant number of new enterprise logos in the quarter and we believe there is a long runway to continue to do so.

Given our continuing focus to land and expand larger deals in the enterprise market, it is natural to expect some level of variability between volumes and deal sizes on a quarter-to-quarter basis. As it relates to large deals, we had 387 customers spending in excess of $100,000 in annual recurring revenue on an LTM basis, at the end of the third quarter, which is up 79% over the same period last year.

Within this category, we also added a higher number of 500,000 to seven figure customers as compared to recent quarters. This resulted in an increase in ASPs for our new enterprise business in the quarter. The takeaway here is that we're seeing strong demand in the market and are experiencing continued momentum from new customer acquisition, upsell and renewals.

I'll now turn to expense and profitability. Gross margin for the quarter was 84%, down from 85% in Q2 but came in better than expected. As previously discussed, we are making investments in our public cloud infrastructure in connection with our Tenable.io cloud platform. These investments are currently scaling better than expected. So gross margin has been contracting more gradually than anticipated, even in IO continues to grow as a percentage of sales. However, we do expect gross margins to settle in to low 80% range to high 70% range over time.

Now, turning to operating expenses we are focused on improving operating leverage in our business over the long-term, but in the near-term we are investing for growth. Sales and marketing expenses for Q3 were $41.8 million compared to $29.2 million in the third quarter last year. This represents 60% of total revenue for the quarter, consistent with Q3 last year and an improvement from Q2 levels.

Our investments in building a global sales organization tend to be weighted towards the beginning of the year, which produces leverage over time as new members of our sales team ramp the productivity. R&D expense in Q3 was $18.1 million compared to $15.4 million in Q3 last year. As a percent of total revenue R&D was 26% in the most recent quarter versus 31% in Q3 last year. Innovation remains a top priority for us across all of our products, but especially around data science, analytics and coverage of new paradigm assets, including OT, web app, cloud and containers.

For Q3, we've also capitalized $600,000 or approximately $1.5 million year-to-date related to the development of Lumin. G&A expense was $10.3 million for the quarter compared to $6.2 million last year. As a percent of total revenue, G&A was 15% in Q3 versus 13% in Q3 last year. The increase largely reflects the occurrence of public company costs.

Our non-GAAP loss from operations in the quarter was $12.2 million, better than our guidance of a loss of $17.5 million to $16.5 million and compared to loss of $9 million in the third quarter last year. Non-GAAP operating margin was negative 18%, consistent with the third quarter last year.

Pro forma non-GAAP loss per share was $0.14, also better than our guidance of a loss of $0.19 to $0.18 and compared to a loss of $0.12 in the same period last year. The pro forma weighted average shares assumed preferred shares outstanding before our IPO were converted to common stock at the beginning of all periods presented.

As a reminder, we are using pro forma shares for historical periods and guidance solely for comparability purposes. We finished the quarter with $287 million in cash and cash equivalents and short-term investments having closed our IPO in July. Our free cash flow burn was $2.9 million for the quarter compared to a burn of $1.9 million in the third quarter of 2017.

We started our ESPP program in August, which contributed approximately $2.3 million towards free cash flow in the quarter. The first stock issuance under the ESPP program will be in March of 2019, which will reduce our free cash flow by approximately $8 million to $9 million in Q1, but we believe we will have -- it will have minimal impact on the overall free cash flow for the full year 2019 as the second half of the year will reflect proceeds from the new offering period.

In short, we’re pleased with the efficiency and cash flow of the business and we continue to target positive cash flow till the time we exit 2020.

Now, turning to guidance. For Q4 2018, we currently expect revenue to be in the range of $72.5 million to $73 million. Non-GAAP loss from operations to be in the range of $14 million to $13 million. Non-GAAP net loss to be in the range of $13.6 million to $12.6 million. And pro forma non-GAAP loss per share in the range of $0.15 to $0.14, assuming a weighted average shares outstanding of 92.2 million.

For the full year 2018, we currently expect revenue of $264.6 million to $265.1 million, which is up from our prior guidance of $260 million to $261 million. We are also increasing our annual guidance on calculated current billings. For the full year 2018, we expect calculated current billings of $321 million to $322 million, which is up from our prior guidance of $314 million to $316 million and compares to the $235.6 million for the full year of 2017.

We now expect non-GAAP loss from operations to be in the range of $52.3 million to $51.3 million. Non-GAAP net loss to be in the range of $53 million to $52 million. And pro forma non-GAAP net loss per share in the range of $0.63 to $0.61, assuming weighted average shares outstanding of 84.8 million.

And now, let me turn the call back to Amit for some closing comments.

Amit Yoran

Thanks, Steve. In summary, we continue to be excited about pioneering Cyber Exposure. We’re partnering more and more with customers in strategic approach to vulnerability management. We believe the combination of our differentiated technology and strategic approach to the market position Tenable for success in this journey.

Thanks all of you for joining the call today. We look forward to seeing many of you during our events coming up in November. We will be participating in the Stifel Midwest one-on-one conference on November 8th in Chicago, and the BTIG Tech Conference November 14th in New York City. We also expect to be in New York and Boston and likely San Francisco before the end of the year. So we hope to see many of you in person. We appreciate your interest in Tenable.

We'd like now to open-up the call for any questions.

Question-and-Answer Session

Operator

At this time, will be conducting a question-and-answer session. [Operator Instructions] Our first question comes from the line of Sterling Auty from JPMorgan. Please proceed you’re your question. Sterling, your line is now live.

Sterling Auty

Just want to start with Steve. Is there anything to read into the current billings growth was actually a little bit slower than the revenue growth, I know they are both really high growth rates but I just want to check and see if there's anything that we should be reading into that?

Steve Vintz

No, we are very pleased with our performance in the quarter, nothing fundamentally has changed in the business. We are generating very strong top-line growth at significant scale outgrowing the market by a wide margin here. So our outlook in Q4 and our results in Q3 reflect good growth of scale. And the takeaway here is, we’re in the midst of a major market opportunity we believe, we are making the right investments in the business to drive attractive long-term growth.

Sterling Auty

Alright, great. And then just one more on the technology side. Amit, you talked about the integration with ServiceNow, are you finding that the main source of traction with that is customers actually asking and wanting that capability? Are you are actually at a point where you are seeing ServiceNow bringing you into opportunities for new customer opportunities?

Amit Yoran

Yes, I think the ServiceNow partnership is a great example where it’s really driven -- was driven initially by market demand. We have a lot of the joint customers, a lot of ServiceNow customers looking for VM solutions and vice versa. And so the sales teams ended up do working a lot together out in the field with various customer accounts. And then over time finalized the partnership and have generated a more thoughtful one top-down approach with certain marketing activities, joint account management and joint sales call. So it’s one that -- it’s a partnership that we've seen bear fruit and one that we have good confidence in going forward.

Operator

Our next question comes from the line of Melissa Franchi from Morgan Stanley. Please proceed with your question.

Melissa Franchi

I just wanted to dig into the fed vertical just a little bit more. A commentary there suggests it was a very healthy quarter. So I'm just wondering was it meaningfully different than what you have seen in previous years. And if so what's driving that? And to the extent to which it was a healthy quarter, is that driven by government demand? Or is it driven mostly by -- or more or so by investments they are making in that vertical?

Amit Yoran

I think we had a strong federal quarter and a seasonally strong federal quarter, I think it’s really in line with our expectations. We saw several high profile renewals and expansions occurring and new six figure adds. We feel very good about our position in federal. We are seeing very strong demand in the federal market for vulnerability management solutions and increasingly I think for the first time we have seen the federal customer base looking more closely at the Cyber Exposure market opportunity and understanding that they have need for the capabilities that we bring to the table. So, in line with our expectations and I think continued confidence in our position in the federal market going forward.

Melissa Franchi

I have one follow-up question on the technology. The Industrial Security Secure application on Tenable.io, you announced recently that you have extended that to OT devices beyond Siemens. And so I'm just wondering Amit if you could just talk about how that extends the opportunity in Industrial Security? And to what extent that was driven by customers looking for that extension and that greater visibility or is it more just getting ahead of potential opportunity?

Amit Yoran

No I think the expansion is probably more of a core requirement in the control system world. I think we’ve released a product that had pretty good coverage I think with thousands of control system devices and also simultaneously announced a strategic partnership, a global partnership with Siemens and have been working very closely with a number of very large enterprises. The truth is that in these control system environments you don't find that they have any one particular vendor brand as an exclusive provider. And so as you look at the traffic, as you look at these control system environments, they’ve got a diverse set of vendors in there whether it’s Siemens, Honeywell, GE, and Schneider and so on and so forth. And so the recent updated release of our Industrial Control System offering expands the number of devices that we can profile and understand by several thousand and we think that, I don’t want to call TableSafe, but when you're operating in these complex environments and you’re looking at it -- at the traffic, if you're looking at 75% of that traffic and say hey it’s unknown to me, that doesn’t fit well with customers. If you can identify and profile the vast majority of the devices and infrastructures they had I think that’s sort of a core requirements for customer success.

Operator

Our next question comes from the line of Gray Powell from Deutsche Bank. Please proceed with your question.

Gray Powell

Just a couple if I may. So you guys are growing about 40% give or take versus peers at closer to 20%, in the market they call it low teens. Can you talk about how much of that is prefilled versus replacements and then just your confidence level on maintaining that gap going forward?

Amit Yoran

Yes. So first part of the question, I think we’re confident that there’s significant untapped potential in the VM market. We’ve done a fair bit of in-depth analysis and our finding is that about 50% of the customer base out there is still immature in their VM efforts in terms of how they're approaching and thinking about VM. So there’s lot of maturity that we can help customers go through as their needs -- as they recognize the sort of increased need for VM as a core part of their security processes. We also see -- we’ve done some analysis, and we see that about a third of the enterprises out there are -- have not yet embraced an enterprise wide VM solution. So there’s no doubt they’ve got regulatory requirements, they’ve bought, they’ve deployed VM solution for a PCI or some other one data center, one business unit, some portion of their infrastructure. But they have not embraced VM as an enterprise wide requirement and understanding of what their overall cyber risk looks like.

So we have got great confidence in ultimately the size of the opportunity in front of us in VM, the growth potential for the VM market, and believe that we can build a very successful enterprise focused on that.

Now our strategy includes a superset of VM. VM is a core building block and requirement for this broader vision around Cyber Exposure, so it’s not just VM, it’s also understanding the control system, the IoT infrastructure, the cloud environment, the DevOps containers and web applications and also in helping to do a much deeper job of analyzing that exposure data. So from a risk metrics perspective, from a prioritization perspective, from a benchmarking. So when you combine all of those, we have tremendous confidence in our ability to deliver growth over an extended period of time.

Gray Powell

And let me just sneak one more in just really quickly. Can you just help with any early feedback on Lumin and how quickly you should expect that to ramp-up once it goes GA next year?

Amit Yoran

Yes I think we continue to operate Lumin in beta mode. We've gotten lots of great feedback and continue to get lots of great feedback during the beta program, it's been very positive and we remain extremely confident that the type of insights that we can provide in terms of understanding risk benchmarking it across peers is incredibly important to VM and ultimately our Cyber Exposure strategy. Our data science and as Steve mentioned our data science team is -- has been contributor and differentiator in the analytic space and we anticipate that we will go to GA with Lumin in 2019.

Operator

Our next question comes from the line of Gur Talpaz from Stifel. Please proceed your question.

Gur Talpaz

So Amit you talked about your first ICS deal with the US Fed and I want to ask within that dealing more broadly speaking, how important is having a broadly holistic platform that can span both traditional VM and non-traditional use cases in winning such deals?

Amit Yoran

So I think it's a great question and obviously highlights I think some insights that you have. We've seen a lot of interest, I think broadly the markets sees a lot of interest in the control system world and the critical infrastructure world. These are critical business processes that are automated and now at risk. What we've found over the last couple of years is that it's not only just sort of digitization of the control system world that makes it exposed but it's also those control system environments have been invaded if you will buy other general purpose IT components. And so, when you're looking at control systems, when you're looking at industrial systems, it is very difficult or I would say it would be incomplete to look at those control systems without understanding the IT systems on those same networks that the control systems rely upon. So we believe it's a critical component and a strategic differentiator versus some pure play point products which might only look at the OT components in isolation.

Gur Talpaz

And then in the commentary you talked about a set of customers using both Tenable.io and SC in conjunction. Typically, I would've thought about kind of being separate solutions either you pick one of the other, but it sounds like there are the use case for both in conjunction. How typical is that, are you seeing more of that and can you walk us through that use case?

Amit Yoran

Yes, it's actually I would say the number of customers and the frequency with which that happens is probably far greater than I would've originally anticipated, although now in sort of hindsight and as we experience the growth, it does make sense. Those customers frequently have already deployed SecurityCenter, they are already customers they are already confident in Tenable as a provider to help them gain insight into their environment, but they have need for their hybrid -- their operating hybrid environments. They have a mobile workforce that they don’t want to punch holes in the firewall to be able to maintain vulnerability status for those mobile workforces. They want to assess their networks from the outside and see what their exposure looks like from an external perspective, where they have other cloud-oriented requirements. And so what we have seen is even in the SecurityCenter customer base there has been an adoption and expansion, if you will, in leveraging the new technology that we made available in the cloud platform in Tenable.io. And so we are seeing an expansion there and we are also seeing it with new customers which select to go with a hybrid approach right off the back.

Operator

Our next question comes from the line of Jonathan Ho from William Blair. Please proceed with your question.

Jonathan Ho

I just wanted to start with maybe some thoughts around your commentary about where we are in terms of the adoption of some of these newer assets. Can you maybe give us a sense of what inning we are and where you're seeing maybe more rapid adoption happen relative to the assets that you kind of listed off?

Amit Yoran

Yes, I assume it’s a nine inning game and not an 18 inning game. I would say we are still in the early innings. I don’t know if it’s in inning two or inning three but my gut feel is that we are in that first period. So we see growing adoption, we see customers sort of moving in this direction more now landing six figure transactions in these new asset types. We are seeing existing customers start with modest deployments but increasingly talking about more broad deployments in their modern asset types as well. And so even in customers which are making the selection to become Tenable customers, even where they are not purchasing modern asset type coverage yet, we are hearing pretty consistent feedback that the ability to expand their plans and designs to expand and they have a need for those modern asset type -- visibility to those modern asset types. So we are seeing that as a consistent theme that the strategy aligns with their security program point of view, and align with where they want their programs to head. So I would say we are still in the early innings, I mean somewhere between the second and third inning, but we are confident that the direction and the trends are well aligned with the customer requirements, and the market.

Jonathan Ho

And then there have been a few acquisitions that have been made particularly in the cloud vulnerability market by some of the bigger competitors and the broadly security space maybe not traditional VM providers. Can you talk a bit about how much overlap you might have there? And maybe how you can compare and contrast your offering relative to some of the newer acquisitions that have happened?

Amit Yoran

I think there certainly is some overlap, in other words I would describe it as 15% or 20% overlap. I wouldn’t describe it as a 50% overlap, I think it’s significantly lower than that. And if you look at the company that have made acquisitions there, it is really the larger, more established firewall vendors that to some extent have the perception or they’re taking some criticism for what their strategy looks like and how relevant they will be and what their future looks like in primarily a cloud-based world. And so I think a lot of the features that they’re focused on, a lot of the functionality that they’ve really tried to embrace is a firewall like functionality for cloud environments. Now those -- the companies that have been acquired are I think primarily focused on that control plane but they did have some assessment capability. So like I said there’s some overlap but I think the use case, the mindset, the customer base and I think the development path for those acquired properties is likely kind of divergent with where Tenable’s capabilities and future capabilities will look like in the cloud world specifically. And so we view it as a visibility, so when you turn to us for understanding your exposure on the network you want to understand that in the cloud and I think that’s the firewall vendors are also thinking hey you want the control of your network, you want the control in the cloud environment. So there’s some overlap but I think it’s diverging strategies, not one that are converging or likely to conflict more going forward.

Operator

Our next question comes from the line of Daniel Ives from Wedbush Securities. Please proceed with your question.

Daniel Ives

So may be like to the point before about -- again inflection point, larger deals, obviously product expanding in terms of portfolio and to maintain with Lumin. Maybe you could talk anecdotally how your conversations with customers have changed, is it -- as obviously you become a bigger piece of the solution of the cyber risk exposure, maybe you could just talk anecdotally what we think we were six months a year ago?

Amit Yoran

Yes. I think there’s a couple of things worth noting here. One is the Tenable journey. The other is the customer journey and maybe the third is kind of like how the market is evolving. I think the Tenable journey is we -- this company grew up as a very technology-oriented company. It was all about the accuracy of the scan, the flexibility of the technology, how we achieved better results. There wasn’t a whole lot of emphasis on the enterprise go to market notion, the account management aspects, the enterprise support aspects of the relationship. And so we’ve been on this journey over the last couple of years and continue to make great progress. And so that enables us to have more strategic conversations with our customers than we’ve had historically. And customers are on this journey understanding the importance of VM and Cyber Exposure.

If you go back and look at where we were two years ago, vulnerability management was kind of a little bit of a tired market, there was a compliance driver, but many enterprises didn't view VM as a strategic component into their security program. As you’ve seen a lot of high profile breaches whether it's sort of Equifax, the WannaCrys, and NotPetyas of the world, the things that became very costly in news to many large enterprises, you see corporate leadership asking questions of the security program, hey are we susceptible to that, how are we managing risk, how exposed are we? And those questions point to the VM program and have increased the prioritization, the customers and the strategic view that customers have of their VM programs. And so I think there is a couple of trends here which really become tailwinds and enable us to have more strategic enterprise-wide conversations with our Chief Information Security Officers and Senior Executives, and I think Lumin and the types of analytics that we have developed and are working on going forward, I think play too in our results of some of those conversations.

Daniel Ives

And I just have a question, I mean I was hearing before but obviously you guys are doing extremely well in the field, spending well right on R&D perspective. And maybe this is for Steve. Like how do you sort of balance going into the next year in terms of growth and start and then look at profitability relative to now being in such position of strength? Thanks again.

Steve Vintz

Hey, Daniel. This is Steve. With regard to 2019, we aren’t specifically commenting on 2019 at this time. We will provide our outlook for the year on the upcoming call in February. That said, we feel very good about the momentum in the business and how we are executing. And given the positive market trends that we highlighted on the call today and Amit also underscored earlier we are at the early stages of a multibillion dollar market opportunity. We’re confident we can deliver strong growth for the time to come. That said, when you look at our top-line growth while we’re growing and doing good growth on good scale, we’re not growing at all cost. We are very mindful of the bottom-line, but continue to make progress on the operating margins on a year-over-year basis, you can see even some of the leverage that we are demonstrating here today on this call. And a good leading indicator of that I think will be -- is the cash flow burn. It's been fairly modest this year. So our focus is to kind of lean in on the top-line growth, all while we march towards positive cash flow and profitability. And what we've commented on earlier with regard to the cash flow is that we expect to be cash flow positive by the time we exit 2020. The great results for delivering today only reinforces that, that notion and we’re excited about the opportunity ahead.

Operator

Ladies and gentlemen, we have reached the end of the question-and-answer session. And this does conclude today's conference. You may disconnect your lines at this time. Thank you for your participation.