Forward-Looking Statements
This Annual Report on Form 10-K, including the sections entitled "Business," "Risk Factors," and "Management's Discussion and Analysis of Financial Condition and Results of Operations," contains forward-looking statements that involve known and unknown risks, uncertainties and other factors that may cause our actual results, levels of activity, performance or achievements to be materially different from the information expressed or implied by these forward-looking statements. Statements that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. In some cases, you can identify forward-looking statements by the words “anticipate,” “believe,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “might,” “objective,” “ongoing,” “plan,” “predict,” “project,” “potential,” “should,” “will,” or “would,” or the negative of these terms, or other comparable terminology intended to identify statements about the future. These forward-looking statements include, but are not limited to, statements concerning the following:
These statements represent the beliefs and assumptions of our management based on information currently available to us. Such forward-looking statements are subject to risks, uncertainties and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to those discussed in the section titled “Risk Factors” included under Part I, Item 1A. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances that occur after the date of this report.
Item 1. Business
Overview
We are the first and only provider of solutions for a new category of cybersecurity that we call Cyber Exposure. Cyber Exposure is a discipline for managing and measuring cybersecurity risk in the digital era. We are building on our deep technology expertise in the traditional vulnerability assessment and management market and expanding that market to include modern attack surfaces and provide analytics that translate vulnerability data into business insight.
Digital transformation is driving radical change. As organizations modernize their IT infrastructure and adopt cloud or hybrid cloud architectures that are no longer housed in the confines of their corporate networks, they have less visibility and control over the security of these assets. Organizations are also increasingly implementing modern solutions, such as Internet of Things, or IoT, devices and application containers, to enable the rapid development and deployment of new products, services and business models, as well as to drive operational efficiencies. Further, safety-critical Operational Technology, or OT, such as Industrial Control Systems, are now network-connected and need to be secured from cybersecurity threats. This digital transformation increases IT complexity and cybersecurity risk as attack surfaces expand. We refer to an organization’s inability to see the breadth of the modern attack surface and analyze the level of cyber exposure as the Cyber Exposure Gap.
While other functions in an organization, such as finance and operations, have a system to help them manage and measure risk, to date, cybersecurity risk has not been adequately measured and understood. Our platform is built to be the Cyber Exposure Command Center for an organization’s Chief Information Security Officer, or CISO. Our platform provides the CISO with unified visibility into the organization’s state of security and enables security teams to prioritize and focus their remediation efforts. Our platform also translates vulnerability data into actionable business metrics and insights that boards of directors and executives can understand and use to make strategic decisions. We believe our Cyber Exposure solutions are transforming how security is managed and measured and will help organizations more rapidly embrace digital transformation.
Our platform offerings provide broad visibility into security issues such as vulnerabilities, misconfigurations, internal and regulatory compliance violations and other indicators of the state of an organization’s security. We also provide deep analytics to help organizations measure trends in their cyber exposure over time. Our platform integrates and analyzes data from our native collectors alongside IT asset, vulnerability and threat data from third-party systems and applications to prioritize security issues for remediation and focus an organization’s resources based on risk and business criticality.
We have experienced rapid growth in recent periods. In 2018, 2017 and 2016 our total revenue was $267.4 million, $187.7 million and $124.4 million, respectively, representing year-over-year growth rates of 42% from 2017 to 2018 and 51% from 2016 to 2017. Our net loss was $73.5 million, $41.0 million and $37.2 million in 2018, 2017 and 2016, respectively.
Our Platform Offerings
Our vision is to empower every organization to understand and reduce their cybersecurity risk. We are the first and only platform designed to provide broad visibility and deep insights into cyber exposure across the entire modern attack surface, as a result of which we believe our platform can become the system of record for cybersecurity.
Our Enterprise Platform Offerings
Our enterprise platform is built to serve as the Cyber Exposure Command Center, enabling organizations to answer foundational and strategic questions such as:
Our enterprise platform offerings, including Tenable.io, Tenable.sc, previously referred to as SecurityCenter, and Industrial Security, are built to provide organizations with the breadth of visibility to accurately understand both traditional and modern attack surfaces and the depth of insight that stems from risk-based analytics, prioritization and benchmarking. Our Cyber Exposure platform automatically discovers assets, including those in cloud environments, and assesses these assets for the presence of vulnerabilities, internal and regulatory compliance violations, misconfigurations and other cybersecurity issues, analyzes and prioritizes cybersecurity risks based on the likelihood of a vulnerability being exploited and the business criticality of the asset, and provides an objective way to measure an organization’s cyber exposure.
We offer two solutions for vulnerability management which provide flexible deployment options based on a customer’s maturity in moving to the cloud. Tenable.io is our software as a service, or SaaS, offering for vulnerability
management, and Tenable.sc is our on-premises vulnerability management offering, both of which enable organizations to quickly and accurately identify, investigate and prioritize vulnerabilities and misconfigurations across a range of traditional IT assets, such as networking infrastructure, desktops and on-premises servers, and modern IT assets, such as cloud workloads, containers, web applications, IoT and OT assets. Enterprises typically start with vulnerability management to secure traditional IT assets and expand their deployment over time to cover more traditional IT assets and/or more types of modern assets by deploying additional applications. For organizations with hybrid IT environments, some customers choose to expand their deployments to include both Tenable.sc and Tenable.io as an integrated solution spanning both on-premise and cloud-based management.
Launched in 2017 in partnership with Siemens, Industrial Security, an OT-specific offering, is an asset discovery and vulnerability assessment solution, built on our patented passive network monitoring technology. Industrial Security monitors critical infrastructure in energy, utilities and other sectors, utilizing a non-intrusive approach to give security and plant operations teams the ability to discover, visualize and monitor their most sensitive systems. Industrial Security includes comprehensive asset discovery, passive vulnerability detection and multi-site management, which allows for a consolidated view across multiple locations. We currently offer Industrial Security as a stand-alone solution, and we intend to integrate it within the Tenable.io offering.