Tenable Holdings, Inc. (TENB) Business

Item 1.        Business

Overview

Tenable is the leading provider of exposure management solutions. Exposure management is an increasingly critical category that extends foundational vulnerability management capabilities to advance risk assessment and prioritization across the entire attack surface – from IT infrastructure and cloud environments to critical infrastructure and artificial intelligence (AI). Tenable unifies security visibility, insight and action across this attack surface, equipping modern organizations to quickly identify and close the cybersecurity gaps that erode business value, reputation and trust.

Business dynamics continue to shift under pressure of geopolitical tensions, talent shortages, the push for greater automation, unrelenting compliance and regulatory pressures, along with the drive to out-innovate and out-pace competitors. AI is now a constant undercurrent and is recognized as both a business enabler and a cybersecurity risk.

For most organizations, the attack surface has expanded to include:

•Complex and dynamic hybrid and multi-cloud environments, which organizations are rapidly adopting even as they face a shortage of cloud security expertise;

•AI platforms, including agentic AI, the use of which is introducing risk by creating often-invisible security gaps and blind spots;

•Human, machine and AI identities, the dramatic rise of which is creating a sense of urgency to improve governance and access controls, and the removal of excessive privileges that can open up attack pathways within an organization;

•An assortment of operational technology, or OT, such as industrial control systems, or ICS, and supervisory control and data acquisition, or SCADA systems, which are increasingly at risk due to AI growth velocity — emerging use cases for OT include AI data centers that are being built all around the world;

•Personal devices, including mobile phones and tablets, internet of things, or IoT, devices and other types of “shadow IT” and "shadow AI" used by employees, often without the knowledge of the IT and security teams; and

•Virtual machines, microservices, open-source code repositories, containers and other tools used by DevOps teams.

The complexity of the attack surface is a key driver behind the growing need for exposure management programs. Scattered products and siloed views have left organizations struggling to hold back threats across a fragmented attack surface. Security teams are overwhelmed by the constant influx of data from the array of point solutions they are using to manage cloud assets, interconnected vulnerabilities, web applications, and identity systems. They are also challenged with effectively analyzing all that data to make informed decisions about which exposures represent the greatest risk to the organization.

Existing point solutions cannot adequately address the central security challenge: a deeply divided approach to seeing and reducing cyber risk. We believe an exposure management program can solve three distinct challenges facing cybersecurity professionals, including chief information security officers, or CISOs, and their organizations:

•The attack surface isn’t siloed, but security programs often are — making organizations ill-prepared to protect against attackers that are traversing from domain to domain (not silo to silo) to find exposures to exploit;

•There’s more data than ever, yet it’s difficult for security professionals to analyze cyber risk context and insights to identify true exposures; and

•Security professionals and business leaders lack a common risk language to align and mobilize responses.

An exposure management program, underpinned by a technology platform such as our Tenable One Exposure Management Platform, or Tenable One, can help address these problems. Successfully implemented, an exposure management platform allows organizations to:

•Gain comprehensive visibility across the modern attack surface;

•Bring cyber risk context and insights from across the attack surface together as one; and

5

Table of Contents

•Take swift action to eradicate priority cyber exposures and reduce business risk.

To be effective, an exposure management platform must extend beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed Common Vulnerabilities and Exposures, or CVEs. The platform must include information about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including cloud configurations and deployments, identity solutions, such as Active Directory, web applications and AI-related assets and workloads.

Our Enterprise Platform Offerings

Tenable One is an AI-powered exposure management platform that gives enterprises a single, unified view of risk across all types of assets and attack pathways. The platform combines broad, industry-leading vulnerability coverage, spanning IT assets, cloud resources, containers, web apps, identity systems, third-party connectors and AI-related assets and workloads. Tenable One builds on the speed and breadth of vulnerability coverage from our long history of data from our research team of cybersecurity and data science experts, or Tenable Research, and adds aggregated exposure view analytics, guidance on mitigating attack pathways, centralized asset inventory and patch management that correlates vulnerabilities with remediation actions. It leverages AI, and machine learning, or ML, rapidly analyzing and interpreting vast data sets to pinpoint priority weaknesses and high-risk attack paths, deliver recommendations and automate routine tasks. The platform also supports ingestion and correlation of third-party security and business data, enabling customers to enrich exposure analysis with contextual signals from across their environment.

Tenable One integrates the following products and tools:

•Tenable AI Exposure: Our solution helps organizations identify, assess and reduce security risks associated with the use of artificial intelligence technologies. It provides visibility into AI-related assets, data usage and configurations across enterprise environments, allowing users to detect exposure such as sensitive data leakage, insecure configurations and excessive access. It allows organizations to understand and address AI-driven risks before they are exploited, supporting safer adoption of AI.

•Tenable Vulnerability Management: Our cloud-delivered software-as-a-service, or SaaS, vulnerability management offering provides organizations with a risk-based view of traditional and modern attack surfaces. Tenable Vulnerability Management empowers organizations to know, expose and close their critical vulnerabilities. The solution is designed to find hidden vulnerabilities with continuous, always-on asset discovery and assessment of known and unknown assets–even highly dynamic cloud or remote workforce assets–in an environment. Tenable Vulnerability Management also identifies which vulnerabilities to fix first with automated prioritization that combines vulnerability data, threat intelligence and data science.

•Tenable Cloud Security: Our cloud security solution that helps organizations reduce risk by rapidly exposing and closing priority security gaps caused by misconfigurations, risky entitlements and vulnerabilities in one powerful cloud native application protection platform (CNAPP). From development to runtime, Tenable Cloud Security continuously analyzes cloud resources to find the most important risks, spot unknown threats and toxic combinations of security issues and deliver actionable insights within minutes. Our cloud infrastructure entitlement management (CIEM) gives users control over access entitlements so they can eradicate exposures caused by human and service identities in the cloud and achieve least-privilege access to cloud resources and data at scale. Data security posture management (DSPM) and AI security posture management (AI-SPM) capabilities enable users to automatically discover, classify and analyze sensitive data risk and protect AI workloads with flexible, agentless scanning.

•Tenable Identity Exposure: Our solution offers end-to-end protection from identity-based threats by unifying identities across Active Directory, hybrid and Entra ID. Users can find and fix existing weaknesses before they are exploited and detect and respond to ongoing attacks in real time without the need to deploy agents or use privileged accounts.

•Tenable Web App Scanning: Our easy-to-use, comprehensive and automated Vulnerability Scanning for modern web applications, which allows organizations to quickly configure and manage web app scans, enabling them to identify vulnerabilities and prioritize remediation.

6

Table of Contents

•Tenable Attack Surface Management: Our solution continuously maps the internet to deliver comprehensive visibility into internet-facing assets, even those security teams don't know about, so they can assess the cybersecurity posture of their entire external attack surface for a more complete picture of where they may be exposed.

•Tenable Security Center: Our on-premises vulnerability management offering that provides a risk-based view of an organization’s IT, security and compliance posture so organizations can quickly identify, investigate and prioritize their assets and vulnerabilities based on risk assessment and predictive analytics, and provide insightful remediation guidance.

•Tenable OT Security: Our unified security solution for converged OT/IoT environments provides threat detection, asset tracking, vulnerability management, and configuration control capabilities to protect OT environments, including industrial networks.

Our Nessus Solutions

Our Nessus product line is one of the most widely deployed vulnerability assessment solutions in the cybersecurity industry and underpins our enterprise platform. Since the introduction of Nessus in 1998, we have built and nurtured an extensive community of Nessus users. We continue to cultivate knowledge and affinity within this user base, which, when combined with our enterprise customers and Tenable Research, creates powerful network effects in the form of a continuous feedback loop of data and insights. We use these learnings to expand our assessment capabilities and coverage, continually optimize our solutions and inform our product strategy and innovation priorities. We believe these data and insights will also fuel and strengthen our benchmarking capabilities over time.

Nessus Expert adds Web App scanning capabilities, Infrastructure as Code, or IaC, scanning along with external attack surface discovery capabilities to identify all domains and subdomains that make up an organization’s external-facing attack surface. Nessus Expert enables users to programmatically detect cloud infrastructure misconfigurations and vulnerabilities in the design and build phases of the software development lifecycle and continuously discover and inventory an organization's internet-facing assets from an attacker's perspective.

Our Technology Ecosystem

We have partnered with market leading technology companies to pioneer the industry’s first exposure management ecosystem to help organizations build resilient cybersecurity programs. Our ecosystem consists of a variety of third-party data import sources integrated into our platform offerings, as well as export of our data out to third-party IT systems. Our technology ecosystem connects disparate solutions and data to automate processes and accelerate an organization’s ability to understand, manage and reduce its cyber risk.

We integrate a variety of third-party data sources, including ticketing, configuration management databases, or CMDBs, and systems management, into our platform to augment our native data collection and help with analysis and remediation prioritization. Furthermore, our data is exported out to enrich third-party IT management and security systems.

Our Growth Strategy

Our objectives are to expand our market leadership in exposure management and to scale our business by capturing our large market opportunities with Tenable One, our AI-powered platform, while expanding our operating and free cash flow margins. To accomplish these objectives, we intend to:

•Continue to acquire new enterprise platform customers. We believe there is a substantial opportunity to increase adoption of our exposure management platform. We have experienced growth in new enterprise platform customers due to expanded product capabilities and investments in sales and marketing. We intend to continue to aggressively pursue new domestic and international customers by strategically investing in sales and marketing and leveraging our network of channel partnerships around the world.

•Expand within our customer base. We believe we have a significant opportunity with Tenable One and AI Security to expand our relationships with our existing customers by targeting additional teams, business units or

7

Table of Contents

geographies, pursuing broad enterprise deployments and generally expanding our coverage of their attack surface.

•Invest in our technology platform. We intend to innovate to provide our customers with unified visibility, insights and actions in a way that scales with the complexity of the modern attack surface. As we collect and ingest more data from third-party sources, we are also investing in the future of preemptive security, including AI security and remediation.

•Explore acquisition opportunities. We intend to acquire other businesses, technology and/or development personnel that will expand and enhance the functionality of our platform offerings.

Customers

We sell and market our enterprise platform offerings through our sales force that works closely with our channel partners, which includes a network of distributors and resellers, in developing sales opportunities. We use a two-tiered channel model whereby we sell our enterprise platform offerings to our distributors, which in turn sell to our resellers, which then sell to end users, which we call customers.

Our customers are located in over 170 countries and include organizations of all sizes and span a wide range of industries, including manufacturing, energy and industrials; technology, media and telecommunications; banking, insurance and finance; government, education and non-profit; healthcare; and retail and consumer.

At December 31, 2025, we had over 40,000 customers, including approximately 65% of the Fortune 500 and approximately 50% of the Global 2000 and large government agencies. In 2025, 2024 and 2023, no single customer represented more than 2% of our revenue.

Sales and Marketing

Our sales strategy employs both a direct-touch approach through our sales force and a low-touch approach through sales closed by our channel partners and on our e-commerce website. Both direct-touch and channel-originated sales are fulfilled through our channel partnerships. Our sales and customer success renewal teams collaborate closely with our channel partners to prospect, manage and support our customers, developing and maintaining close relationships with all of our enterprise platform customers.

We sell to organizations of all sizes across a broad range of industries, with a specific focus on enterprise accounts. Our sales team is divided by customer size and geography, including the Americas; Europe, the Middle East and Africa, or EMEA; and Asia Pacific and Japan.

Our partner ecosystem provides us with a number of advantages, including increased in-bound registered sales leads, broader geographic reach and greater deal velocity. Our channel partners include distributors, value-added resellers, system integrators and managed security service providers.

Our marketing initiatives cultivate brand awareness and leverage our track record of innovation in exposure management to expand into new markets, such as AI exposure. We are focused on building demand across all segments with a specific emphasis on our enterprise customers and delivering tailored marketing programs for security executives (i.e. CISOs), functional managers, security practitioners, managed service providers and consultants. Our marketing efforts are also designed to establish the Tenable brand as a thought leader and trusted resource of credible educational information and original research. We provide a variety of educational resources for cybersecurity practitioners and leaders, as well as cloud security teams, DevOps teams, OT practitioners and identity and access management practitioners, including a community forum where customers can ask questions of our experts and their peers. We execute marketing programs targeted at new customer acquisition, customer retention and cross-selling and up-selling of products across our platform.

Research and Development

We continue to invest substantial resources in research and development to enhance our platform offerings by

8

Table of Contents

developing new features, functionality, and applications. Our engineering expertise combines extensive security product development experience with individuals who possess expertise in AI, cloud security and user interface design.

Our Tenable Research team is staffed by cybersecurity, cloud and data science experts who leverage our long history of data and deliver exposure management intelligence, data science insights, alerts and security advisories. Our Tenable Research team has developed AI-based research tools to help improve efficiency and effectiveness in processes such as reverse engineering, code debugging, web app security and visibility into cloud-based tools. Frequent updates from Tenable Research ensure the latest vulnerability checks, zero-day research, and configuration benchmarks are available within our exposure management solutions.

We believe ongoing and timely development of new products and features is imperative to maintaining our competitive position. We continue to invest in development of our solutions across our global research and development team.

Backlog

We define backlog as contractually committed orders to be invoiced under our existing agreements that are not included in deferred revenue on our consolidated balance sheets. We expect the amount of backlog to change from period to period due to the timing of billings for our solutions and professional services. At December 31, 2025 and 2024, we had backlog of $159.9 million and $33.2 million, respectively.

Competition

The market for cybersecurity solutions is fragmented, intensely competitive and constantly evolving. We compete with a range of established and emerging cybersecurity software and services vendors, as well as homegrown solutions. With the introduction of new technologies and market entrants, we expect the competitive environment to remain intense going forward. Our competitors include: vulnerability management and assessment vendors, including Qualys and Rapid7; diversified security software and services vendors; endpoint security vendors with vulnerability assessment capabilities, including CrowdStrike; public cloud vendors and other companies, such as Palo Alto Networks and Wiz, that offer solutions for cloud security (private, public and hybrid cloud); and providers of point solutions that compete with some of the features present in our solutions. Many organizations also choose to build their own solutions in-house, often using open-source code rather than purchasing external solutions, and we compete against these internally-developed efforts as well.

We believe that the principal competitive factors affecting the market for cybersecurity solutions include product functionality, breadth and depth of offerings, flexibility of delivery models, ease of deployment and use, integration capabilities such as open APIs and scalability, uptime and performance. We believe that our suite of solutions generally competes favorably with respect to these factors and may serve as a complement to the solutions offered by our competitors in some cases. Some of our more established actual and potential competitors have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do. In addition, as our market grows and rapidly changes, we expect it will continue to attract new competitors, including companies that are larger and more established than us and smaller emerging companies, which could introduce new products and services.

Intellectual Property

Our success depends in part upon our ability to protect our core technology and intellectual property. We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual property rights and protect our proprietary technology.

At December 31, 2025, we had 53 issued patents and 22 patent applications pending in the United States. Our issued patents expire between 2027 and 2044 and cover our network scanning, monitoring and analysis technologies and additional features of our platform offerings. At December 31, 2025, we had 13 registered trademarks in the United States. We view our copyrights, trade secrets and know-how as a significant component of our intellectual property assets.

We also license certain software from third parties for integration into our solutions, including open source software

9

Table of Contents

and other software available on commercially reasonable terms. We cannot ensure that such third parties will maintain such software or continue to make it available.

We control access to and use of our proprietary software and other confidential information through the use of internal and external controls, including contractual protections with employees, contractors, customers and partners, and our software is protected by U.S. and international copyright and trade secret laws. Despite our efforts to protect our trade secrets and proprietary rights through intellectual property rights, licenses and confidentiality and invention assignment agreements, unauthorized parties may still attempt to copy, reverse engineer, misappropriate or otherwise obtain and use our software and technology. In addition, we intend to continue to expand our international operations, and effective patent, copyright, trademark and trade secret protection may not be available or may be limited in foreign countries.

Government Regulation

Various federal, state and foreign legislative and regulatory bodies have legislation pending that could affect our business.

In the ordinary course of our business, we process personal information. Accordingly, we are, or may become, subject to numerous data privacy and security obligations, including federal, state, local, and foreign laws, regulations, guidance, and industry standards related to data privacy and security. Such obligations may include, without limitation, the Federal Trade Commission Act, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, or, collectively, the CCPA, the Colorado Privacy Act, Virginia’s Consumer Data Protection Act, the Connecticut Privacy Act, the Utah Consumer Privacy Act and similar U.S. state comprehensive privacy laws, the European Union’s General Data Protection Regulation 2016/679, or EU GDPR, the EU GDPR as it forms part of the United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act of 2018, or UK GDPR, and the ePrivacy Directive.

Like other U.S.-based IT security products, our products are subject to U.S. export control laws and regulations, specifically the Export Administration Regulations, or EAR, U.S. economic and trade sanctions regulations and applicable foreign government import, export and use requirements. These laws prohibit or restrict the export of our products and services to certain countries, regions, governments, entities or persons subject to trade restrictions. For more information on the potential impacts of government regulations affecting our business, see Risk Factors included under Part I, Item 1A.

Human Capital

At December 31, 2025, we had 1,995 employees, including 949 employees located outside of the United States. None of our U.S. employees are represented by a labor union or covered by a collective bargaining agreement. Certain international employees are subject to collective bargaining agreements in connection with local labor laws. We have not experienced any work stoppages, and we consider our relations with our employees to be good.

We uphold a core set of values for our entire global workforce:

•One Tenable: We work together and we win together. We are part of one Tenable team - employees, customers, partners and other stakeholders.

•Deliver Results: We set high goals, take bold risks, measure honestly and deliver results that exceed expectations.

•We Care: We are committed to our work, our customers, our colleagues and our communities. We speak candidly and always do the right thing.

•What We Do Matters: The work that we do makes a difference in this world.

Our key human capital objectives are to attract, retain, engage, reward and develop our highly-talented existing and future employees, while fostering a culture conducive to achieving exceptional business results. We strive to be a career destination where employees from all backgrounds feel welcome, are treated with fairness and respect, are empowered to make a difference, and have the opportunity to grow.

10

Table of Contents

Compensation, Benefits and Talent Development

We provide robust compensation and benefits packages to attract and retain our employees. We incentivize our employees by aligning a portion of their compensation with the overall success of our business. In addition to base salary, our total rewards packages include annual bonuses, equity awards, an employee stock purchase plan, retirement plans, and health and wellness benefits. Equity awards of restricted stock units that vest over time are granted to new hires and to most employees on an annual basis. Eligible employees can participate in our employee stock purchase plan, in which employees may contribute a percentage of their compensation to purchase shares of our common stock at a discount. Our health and wellness benefits include medical and life insurance, paid time off, family leave, and employee assistance programs. We are committed to a structured hybrid workplace strategy which both allows flexibility and recognizes the value of in-person collaboration and community.

We promote and support employee development and organizational effectiveness by providing high-quality learning and development programs as well as tuition assistance programs. These programs are designed to meet individual, team and organizational needs and objectives, enabling our workforce to grow professionally and increase their impact to the business.

Engagement and Inclusion

Engagement and inclusion at Tenable is a catalyst for cultivating a workplace where every individual's unique strengths contribute to a culture of innovation, belonging and community impact.

Our engagement and inclusion mission aligns all initiatives to our Workforce, Workplace and Community pillars to enhance our overall employee value proposition and propel our success. It emphasizes that an inclusive culture fosters a diversity of opinions, employee engagement, fuels innovation and yields outstanding business results. We strive to be a career destination where employees from all backgrounds, regardless of race, gender, ethnicity, sexual orientation or disability, can do their best work. Our engagement and inclusion mission pillars include:

•Workforce: Attract, retain, and develop top talent through partnerships with external organizations, employer branding, and engagement and development opportunities for all employees.

•Workplace: Cultivate an inclusive, high-performance workplace where all employees feel they belong and are given the support they need to thrive.

•Community: Increase our commitment to supporting the next generation of STEM talent.

Environmental Stewardship

We care deeply about the places where we live and work. Our Board and management team recognize that we have a role to play in environmental stewardship. We believe that environmentally responsible operating practices are important to generating value for our stockholders, being a good partner with our customers and being a good employer to our employees.

Our energy consumption and usage within data centers is an important component of our day-to-day operations of our business. We outsource our data center needs to Amazon Web Services, or AWS. AWS, in addition to carefully choosing data center locations to mitigate environmental risk, has a long-term commitment to use 100% renewable energy. Aside from data center needs, greenhouse gas emissions and water and energy usage are not material factors in the day-to-day operations of our business. However, we believe that we can still play a part through environmentally sound practices.

Tenable headquarters is a LEED Certified Gold for Core Construction. In addition, we have taken the following actions to enable environmental stewardship:

• Implemented recycling in our offices;

• Offer biodegradable to-go boxes to reduce food waste;

• Have a strict policy for disposing of hardware; and

• Use a travel portal that provides detail on our carbon footprint.

11

Table of Contents

Tenable and our employees have donated time and money to important environmental causes, such as healthy waterways and other clean-up efforts, recycling, carbon footprint mitigation and protection of threatened wildlife.

Financial Information and Segments

See Note 1 and Note 13 to our consolidated financial statements in this Annual Report on Form 10-K for segment and geographical information.

Corporate Information

Tenable Network Security, Inc., our predecessor, was incorporated under the laws of the State of Delaware in 2002. Tenable Holdings, Inc. was incorporated in Delaware in October 2015. In November 2015, Tenable Network Security, Inc. was merged into a wholly owned subsidiary and in 2017 was renamed as Tenable, Inc.

Our principal executive offices are located at 6100 Merriweather Drive, Columbia, Maryland 21044. Our telephone number is (410) 872-0555. Our website address is www.tenable.com. The information contained on, or that can be accessed through, our website is not incorporated by reference, and you should not consider any information contained on, or that can be accessed through, our website as part of this Annual Report on Form 10-K.

“Tenable,” “Nessus,” the Tenable logo and other trademarks or service marks of Tenable Holdings, Inc. appearing in this Annual Report on Form 10-K are the property of Tenable Holdings, Inc. This Annual Report on Form 10-K contains additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or TM symbols.

Available Information

Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, Proxy Statement, and amendments to reports filed pursuant to Sections 13(a) and 15(d) of the Exchange Act, are available for download free of charge from our investor relations website https://investors.tenable.com after we file them with the Securities and Exchange Commission, or the SEC. The SEC’s website https://www.sec.gov contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC.

Investors and others should note that we may announce material business and financial information to our investors using our investor relations website (https://investors.tenable.com), our filings with the SEC, our website, webcasts, press releases, and conference calls. We use these mediums, including our website, to communicate with investors and the general public about our company, our products, and other issues, and for complying with our disclosure obligations under Regulation FD. It is possible that the information that we make available on our website may be deemed to be material information. We therefore encourage investors and others interested in our company to review the information that we make available on our website, in addition to following our SEC filings, our webcasts, press releases, and conference calls. The information we post through these channels is not a part of this Annual Report on Form 10-K. These channels may be updated from time to time on our investor relations website. The contents of any website referred to in this Form 10-K are not intended to be incorporated into this Annual Report on Form 10-K or in any other report or document we file with the SEC.