Tenable to Acquire Vulcan Cyber to Boost Exposure Management FocusTenable to Acquire Vulcan Cyber to Boost Exposure Management Focus

Tenable is poised to fill significant gaps in its exposure management platform with its agreement to acquire Vulcan Cyber.

Tenable said it was the first vendor to add exposure management to its vulnerability management platform when it launched the Tenable One Exposure Management Platform in 2022. However, Tenable's exposure management has lacked the ability to share telemetry with IT and security tools from other vendors. This is where Vulcan Cyber's exposure management offering, which can integrate with more than 100 third-party security tools, can make a difference for Tenable.

"This will give organizations the ability to have insights across the attack surface, not just what you point at Tenable but also that third-party data," says Tenable senior VP of products Jason Merrick. "At the end of the day, our focus here is helping organizations move as they're progressing from vulnerability management to exposure management and then gaining that context where they can make better decisions."

Adding Exposure Management to Vulnerability Management

Unlike vulnerability management offerings that are designed to discover, assess, prioritize, and mitigate threats in IT assets, exposure management considers an organization's cybersecurity posture and performs risk assessment.

Several Tenable rivals also offer exposure management as part of their product portfolios. For example, CrowdStrike added Exposure Management to its Falcon XDR platform in 2023, and Microsoft recently added exposure management to Microsoft Defender, which notably includes third-party connectors. On the same day Tenable announced its Vulcan Cyber plans, exposure management platform provider CYE acquired Solvo.

Omdia analyst Andrew Braunberg believes Vulcan Cyber will bring needed features to Tenable One that its rivals are now touting.

"While Tenable has been talking about exposure management for as long as anyone, it still often has the feel of an old legacy vulnerability management company," Braunberg says. "Vulcan has always seen exposure management as where the market was headed and has taken an impressively open approach to pulling in asset and exposure data and working to broadly support remediation, orchestration, and automation."

Tenable's Merrick acknowledges that Microsoft's licensing model with its M365 E3 and E5 plans give Microsoft an advantage.

"They can throw a lot of free stuff at this, and there are many organizations that are Microsoft-only shops," he says. "CrowdStrike, too, is growing and expanding. But I also think that this is an opportunity for Tenable to differentiate, to continue being that source of truth, to provide better analytic capability, and to tie these things together. Because at the end of the day, this forces us, from a product standpoint, to continue to innovate and deliver new capabilities."

Organizations are only beginning to expand their focus on vulnerability management to include exposure management, Merrick adds.

"I think we're in the first inning of exposure management," he says. "More and more, organizations are starting to talk about this."

The deal, announced on Wednesday, calls for Tenable to pay $147 million in cash and $3 million in restricted stock to Vulcan Cyber. While Merrick is unable to discuss specific integration plans before the deal closes, which the company anticipates will take place this quarter, the 100-plus connectors to third-party systems were a key impetus for the deal.

"We have always been envisioning being able to ingest third-party data into our exposure management platform like we've done with our vulnerability management solution," he says. "We've already built the data model specifically to accept and bring in third-party data. So we want to be able to go and fast-track that. Once we close, this is going to be the big focus for us in 2025."