Tenable

Tenable was founded in 2002 by Ron Gula and Jack Huffard, with Renaud Deraison serving as a technical co-founder who brought along the Nessus open-source vulnerability scanner he had originally created in 1998. The company was built around the premise of commercializing Nessus into an enterprise-grade product for identifying, tracking, and remediating security vulnerabilities across corporate IT infrastructure.

Tenable's global headquarters is located in Columbia, Maryland, approximately 30 minutes from Washington, D.C. — a proximity that has proven strategically valuable given the company's strong footprint in U.S. federal government contracts. In Israel, the company maintains offices in Tel Aviv and Ramat Gan, with a significant R&D center that was substantially enlarged following the 2019 acquisition of Israeli OT-security startup Indegy and the 2023 acquisition of Israeli cloud-security company Ermetic.

Tenable has been publicly traded on NASDAQ under the ticker symbol TENB since its IPO in July 2018, in which it raised approximately $251 million at an initial price of $17 per share. As of late 2024, the company's market capitalization was approximately $5 billion. Annual revenue for fiscal year 2023 reached approximately $800 million, with 2024 revenues pushing past the $900 million mark, driven largely by recurring subscription revenue from Tenable.io and Tenable One.

Tenable employs approximately 2,000 people globally, with roughly 300 employees based in Israel. The Israeli workforce is concentrated almost entirely in R&D, product development, and vulnerability research functions. The United States remains the largest single geography by headcount, with major hubs in Columbia (Maryland), Austin (Texas), and Columbia (South Carolina).

At its core, Tenable operates a SaaS and on-premise platform for cyber exposure management — detecting, prioritizing, and helping organizations remediate vulnerabilities across IT, cloud, operational technology (OT), and identity environments. The single most significant product event of the past 12 months was the continued expansion and commercialization of Tenable One, the unified Exposure Management Platform that aggregates vulnerability data from all product lines into a single risk score and dashboard.

Tenable is not a subsidiary — it is an independent public company. However, it has itself been an active acquirer, completing the purchases of Indegy (2019, approximately $78 million), Alsid (2021, approximately $98 million), Accurics (2021, undisclosed), Bit Discovery (2022, undisclosed), and Ermetic (2023, approximately $240 million).

Tenable's primary product line consists of Tenable.io (cloud-delivered vulnerability management), Tenable.sc (on-premise vulnerability management, formerly SecurityCenter), Tenable OT Security (formerly Tenable.ot, derived from the Indegy acquisition), and the overarching Tenable One Exposure Management Platform. These products address different deployment preferences and asset classes but share a common underlying data engine and CVE database.

The specific problem Tenable solves is the vulnerability prioritization crisis: large enterprises are exposed to tens of thousands of known CVEs at any given moment, and their security teams cannot patch everything simultaneously. Tenable provides the data — severity scores, active exploitation status in the wild, business context — to determine which vulnerabilities represent the highest real-world risk and should be remediated first. For OT environments, the problem is compounded by industrial equipment (PLCs, SCADA systems, HMIs) that cannot tolerate aggressive scanning and requires passive monitoring techniques to assess safely.

Tenable's buyers are predominantly enterprise and government organizations — financial institutions, energy companies, critical infrastructure operators, defense contractors, and federal agencies. The typical purchasing decision-maker is the CISO or VP of Security Operations, while the day-to-day users are vulnerability management teams and SOC analysts. The company has limited presence in the SMB segment; enterprise contracts often run to hundreds of thousands of dollars annually per customer.

Tenable sells primarily through a direct Sales-Led model, supported by a broad ecosystem of channel partners including MSSPs (Managed Security Service Providers), value-added resellers, and system integrators. The company lists its products on AWS Marketplace and Azure Marketplace for ease of procurement, but large enterprise transactions are handled through direct sales teams. Federal transactions often go through specialized government-focused resellers with the appropriate clearances.

Tenable's pricing for Tenable.io is based on a per-asset model — organizations pay according to the number of IP addresses, cloud instances, or OT devices they scan. Tenable Lumin, a module for exposure scoring and industry benchmarking, is an add-on priced separately. Tenable One pricing is not publicly disclosed and is negotiated on an enterprise contract basis. Nessus Professional, the entry-level scanner, is priced at approximately $3,990 per year per scanner.

Tenable's technical moat rests primarily on three pillars. First, its vulnerability database — built on more than 25 years of Nessus telemetry and supplemented by the Tenable Research team, which identifies and publishes hundreds of original CVEs annually. Second, the breadth of its plugin library: Nessus contains over 180,000 plugins covering known vulnerabilities across virtually every vendor and platform. Third, its OT-specific protocol expertise, acquired through Indegy, including deep knowledge of Modbus, DNP3, EtherNet/IP, and Profinet — industrial protocols that most IT-security vendors cannot natively analyze.

Tenable's engineering teams work primarily in Python and C/C++ for scanning engines, with cloud infrastructure built on AWS. The platform uses Elasticsearch for large-scale vulnerability data indexing and Kubernetes for orchestrating cloud workloads. The Israeli R&D team specifically focuses on OT protocol analysis, cloud security posture management (derived from Ermetic's technology stack), and identity security for Active Directory and Azure AD environments.

Nessus is the foundational product — the vulnerability scanner originally created by Renaud Deraison in 1998 as an open-source project, which Tenable closed-sourced in 2005 and converted into a commercial offering. Nessus Professional is the current commercial product aimed at individual security practitioners and small teams, priced at approximately $3,990 per year. Nessus Expert, launched in 2022, extended the scanner to include cloud infrastructure scanning and Infrastructure-as-Code (IaC) analysis for Terraform and CloudFormation templates, at a higher price point of approximately $5,990 per year per scanner.

Tenable.io is the flagship cloud-delivered vulnerability management platform, launched in 2016. It handles continuous asset discovery and vulnerability scanning for enterprise environments ranging from a few thousand to millions of assets. Sub-modules within Tenable.io include Web Application Scanning, Container Security (for Docker and Kubernetes environments), and Tenable Lumin for benchmarking exposure scores against industry peers. As of 2023, Tenable.io had more than 40,000 customers globally across all license tiers.

Tenable.sc (SecurityCenter) is the on-premise equivalent of Tenable.io, designed for regulated industries and government agencies that cannot deploy SaaS solutions due to data residency or classification requirements. It includes a full API and integrates natively with Tenable's compliance reporting templates, which cover frameworks including PCI-DSS, HIPAA, NIST 800-53, and DISA STIGs.

Tenable OT Security (formerly branded as Tenable.ot, prior to that as the Indegy product) addresses security for industrial control systems and operational technology networks. It uses a combination of passive network monitoring and safe active queries to inventory OT assets and identify vulnerabilities without risking disruption to live production equipment — a critical constraint for power grids, water treatment facilities, and manufacturing lines. This product line is developed primarily by the Israeli team in Tel Aviv.

Tenable One is the unified Exposure Management Platform, initially launched in 2022 and significantly enhanced through 2023 and 2024. It aggregates findings from Tenable.io, OT Security, Identity Exposure, and Cloud Security into a single Exposure Score, designed to be consumed by executive leadership and board-level audiences rather than purely by technical teams. Tenable One represents the company's strategic vision for moving up the value chain from tactical vulnerability scanning to strategic risk quantification.

Tenable Identity Exposure (formerly Alsid, acquired in 2021 for approximately $98 million) provides continuous monitoring of Active Directory and Azure Active Directory configurations for misconfigurations and attack paths. This is particularly relevant given that Active Directory compromise is a standard early step in ransomware attacks. The product was integrated into the Tenable One platform in 2023.

Tenable holds FedRAMP Authorization at the High baseline — achieved in 2020 — as well as SOC 2 Type II and ISO 27001 certifications. The FedRAMP High authorization is particularly significant as it enables deployment within classified and sensitive government environments, including DoD agencies and intelligence community systems.

Qualys (NASDAQ: QLYS) is Tenable's closest direct competitor. Founded in 1999, Qualys offers a cloud-native vulnerability management and compliance platform, and the two companies compete head-to-head for the same CISO budgets. The primary differentiation is that Qualys positions itself more broadly across GRC (Governance, Risk, and Compliance) workflows, while Tenable has invested more heavily in OT security and the Exposure Management narrative. In competitive evaluations, Qualys is frequently perceived as stronger on compliance reporting, while Tenable is considered stronger on vulnerability depth and OT coverage.

Rapid7 (NASDAQ: RPD) represents a distinct competitive archetype — its InsightVM product competes directly with Tenable.io on vulnerability management, but Rapid7's broader platform (InsightIDR for SIEM and SOAR, InsightAppSec for application security) gives it a more integrated security operations pitch. Organizations choosing between the two often weigh Tenable's deeper vulnerability data against Rapid7's unified detection and response capabilities. Both companies appeared in the Leaders quadrant of the Gartner Magic Quadrant for Vulnerability Assessment in 2023.

CrowdStrike (NASDAQ: CRWD) represents the most significant emerging competitive threat. CrowdStrike launched Falcon Exposure Management in 2023, leveraging its endpoint telemetry to offer vulnerability data with native agent integration. Because CrowdStrike already has agents on endpoint devices for EDR purposes, its vulnerability data can be richer on those assets than an agentless scanner like Nessus. The broader trend of platform consolidation — where CISOs want XDR, CNAPP, and VM from a single vendor — is a structural headwind for Tenable as a pure-play exposure management company.

Tenable's pricing occupies a mid-to-premium position in the market. It is not the cheapest option — open-source alternatives like OpenVAS exist, and Wiz or Orca Security can cover cloud environments at competitive price points — but Tenable commands a premium justified by the depth of its plugin library, the breadth of its compliance templates, and its OT coverage. The company does not compete on price and has not publicly pursued a freemium go-to-market strategy beyond the existing free tier of Nessus Essentials (limited to 16 IPs).

On the government side, Tenable secured a significant multi-year contract with CISA under the Continuous Diagnostics and Mitigation (CDM) program, which provides vulnerability management tools to U.S. civilian federal agencies. This contract, renewed and expanded in the 2020–2023 period, represented a material revenue contributor and a strong reference for international government sales. In terms of trajectory, Tenable is broadly defending and growing its installed base in enterprise and government, while also pursuing expansion through Tenable One's upsell potential to existing customers.

Sector tailwinds are favorable: the total number of CVEs published annually has grown from under 10,000 in 2016 to over 25,000 in 2022, creating an ever-larger problem for vulnerability management teams. Additionally, the European NIS2 Directive, which came into effect in October 2024, mandates formal vulnerability management practices for critical infrastructure operators across EU member states — expanding Tenable's addressable market in Europe materially. The proliferation of connected OT devices (Industry 4.0) continues to grow the addressable market for Tenable OT Security.

Tenable's Israeli operations are based in Tel Aviv and Ramat Gan. The Tel Aviv office serves as the primary Israeli hub, with additional space in Ramat Gan that was expanded following the Ermetic acquisition in 2023. The offices are positioned within easy proximity of the cluster of cybersecurity companies and startup ecosystem that concentrates in the Tel Aviv metro area.

Israel hosts approximately 300 Tenable employees, representing roughly 15% of the global workforce. Almost all of these positions are in R&D, product management, and security research. Core Israeli functions include: development and maintenance of Tenable OT Security (the former Indegy product), cloud security engineering (the former Ermetic team building CIEM and CSPM capabilities), vulnerability research as part of the global Tenable Research group, and core platform engineering for Tenable One.

In the last 24 months, Tenable's Israeli headcount has grown significantly. The Ermetic acquisition, closed in October 2023, added approximately 80 to 100 Israeli employees to Tenable's rolls. Rather than integrating those employees and then downsizing — a common pattern in acquisitions — Tenable retained the core Ermetic engineering team in Israel to continue developing CIEM and cloud identity security capabilities. This represents a counter-cyclical investment in Israel at a time when many tech companies were reducing headcount through 2023 and 2024.

The founders of Tenable — Ron Gula, Jack Huffard, and Renaud Deraison — are not Israeli. Gula and Huffard are American, and Deraison is French. However, the Israeli DNA of Tenable comes directly from its acquisitions: Indegy was founded in 2014 by Barak Perelman and Mille Gandelsman, both of whom are veterans of Israeli intelligence and military technology units. Ermetic was co-founded by Shai Morag, Arick Goomanovsky, and Or Aspir — all of whom came out of Israeli technology backgrounds, with Morag having previously served as Vice President of Products at Dome9 Security, itself an Israeli cloud-security company acquired by Check Point.

Typical roles that Tenable recruits for in Israel include backend engineers (Python, Go, C++), OT/ICS security researchers, cloud security engineers focused on AWS and Azure entitlements, vulnerability researchers, and senior product managers with domain expertise in security operations. Given the Ermetic heritage, there is particular demand for engineers familiar with cloud-native identity systems, Kubernetes security, and multi-cloud access governance.

The cultural and hiring pipeline in Israel draws heavily from IDF intelligence and technology units. Indegy's founders and initial team were connected to Unit 8200 and related signals intelligence communities, and this lineage has influenced the research-first, protocol-deep culture of the OT team. Ermetic's team similarly came from elite IDF technology backgrounds. Tenable benefits from Israel's strong pipeline of cybersecurity talent emerging from national service — a structural advantage that is difficult to replicate in other geographies and that the company has explicitly leaned into through its Israeli acquisition strategy. No specific notable Israeli investors hold named stakes in Tenable's public filings, but Marker LLC and Accel Partners were among the investors in Indegy prior to its acquisition.