My advice isn't vendor-specific, it's much more agnostic. Whoever is looking for a new solution for vulnerability management or configuration management, needs to ensure that they take their time. Develop a strong RFP process that's objective and quantitative and removes bias. Then, perform a well-thought-out PoC and let the data speak for itself. For me, it's extremely important that when you're planning on spending millions of dollars, or making a large purchase, that you remove any emotion or bias. You take the relationships out of the picture, and you let the best product win, given a certain use case.
In terms of Tenable focusing our resources on vulnerabilities which are most likely to be exploited, I can't say yes or no. One of the functions our team has is to focus on vulnerability research and emerging threats, and that was before there was ever a plugin created for Tenable. The team is actually really proactive in identifying vulnerabilities through manual research. That's where a lot of the critical stuff comes from. We'll find something critical before the scanning vendors even have a check for it.
The output of Tenable is used by dozens of folks, primarily engineers. Tenable itself, as a platform, is used by 15 or 20 folks. Most of them are vulnerability analysts and some of them are platform engineers. There are a dozen or so executive leaders who reference Tenable's data, as well. We built some 50 dashboards, tailored to a given audience, so that they can see near real-time results. For example, our CIO has an enterprise goal of reducing X percent of vulnerabilities in our enterprise, so we've built out specific dashboards reflecting all of that work. Maintenance of the product requires one person, and it's not a full-time position. For deployment, I had two people, who are security analysts. I actually did not need software engineers to do it.
We're using Tenable very extensively. Some of the feedback I got from Tenable this week is that we're actually one of their more mature clients. And we are expanding our usage. Our company was procured in early December last year, and we'll be expanding not only the scope of what we currently use but also increasing some of the functionality.
For traditional, network-based vulnerability management, I would rate Tenable a nine out of ten. For dynamic application scanning, it's a two out of ten. Overall, I'd put Tenable at a seven out of ten, which is still definitely higher than any of the other technologies that operate in the market. I think this segment of the market is a bit confused. There are too many companies looking to be a silver-bullet and own it all, and their strategy is a bit confused.