IntSights Cyber Intelligence Ltd. (RPD) Earnings Call Transcript & Summary

Hello. Thank you for standing by, and welcome to Rapid7's acquisition of IntSights conference call. [Operator Instructions] Please be advised that today's conference may be recorded. [Operator Instructions] I would now like to hand the conference over to your speaker today, Sunil Shah, Vice President of Investor Relations. Please go ahead.

Thank you, operator, and good afternoon, everyone. We appreciate you joining us today to discuss Rapid7's announced acquisition of IntSights Cyber Intelligence Ltd. With me on the call today are Corey Thomas, our CEO; and Jeff Kalowski, our CFO. We've distributed our acquisition and second quarter 2021 preliminary results press release over the wire, and it is now posted on our website at investors.rapid7.com. This call is being broadcast live via webcast. And following the call, an audio replay will be available at investors.rapid7.com until July 26, 2021. During this call, we may make statements related to our business that are forward-looking under Federal Securities laws. These statements are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, and include statements related to our preliminary results for the second quarter of 2021, the impact of the IntSights acquisition on our products, strategy and future results of operations, the anticipated growth of Insight's revenue post acquisition, the company's positioning, our future goals and the assumptions of underlying such goals. These forward-looking statements are based on our current expectations and beliefs and on information currently available to us. Actual outcomes and results may differ materially from the expectations contained in these statements due to a number of risks and uncertainties, including those contained in our most recent quarterly report on Form 10-Q and in the subsequent reports that we file with the SEC. The information provided on this conference call should be considered in light of such risks. Actual results and the timing of certain events may differ materially from the results or timing predicted or implied by such forward-looking statements and reported results should not be considered as an indication of future performance. Rapid7 does not assume any obligation to update the information presented on this conference call, except to the extent required by applicable law. At times in our prepared comments or in response to your questions, we may offer incremental metrics to provide greater insight into the dynamics of our business. Please be advised that this additional detail may be onetime in nature, and we may or may not provide an update in the future on these metrics. Following our prepared remarks, we'll host a brief Q&A section. We'd like to focus today's call on Insights' acquisition, so we ask that you hold all questions related to our preliminary second quarter 2021 results or for our quarterly earnings results call to be held on August 4, 2021. With that, I'd like to turn the call over to our CEO, Corey Thomas. Corey?

Thank you, Sunil, and good afternoon, everyone, and thank you for joining us on short notice. I'm excited to speak with you today about our acquisition of IntSights, a leading provider of cybersecurity threat intelligence. For today's call, I want to focus on sharing how this combination accelerates Rapid7's ability to secure the digital experience, meeting customers where they are as they evolve to face security challenges of a growing digital footprint. Before I jump to that, I want to briefly highlight the outstanding execution by our Rapid7 team delivering a very strong second quarter, demonstrated by our preliminary results of 29% growth in ARR to approximately $489 million, ahead of our expectations. These results reflect the expanding need for organizations to invest in security transformation alongside their digital transformation investment. But increasingly, customers are recognizing that improved visibility to their internal risk profile is just 1 part of the equation. The external threat environment is evolving faster than ever, highlighting for customers that threat intelligence is now more strategic than ever. It's clear that our digital transformation comes an ever-expanding external attack surface that they must monitor and protect against an escalating cyber threat landscape. IntSights, based in Tel Aviv and founded 6 years ago, offers a leading external threat intelligence and remediation platform that helps customers solve their growing challenge. Their flagship, threat command offering, turns complex signals into contextualized attack surface intelligence, democratizing threat intelligence and making it easier for organizations of all sizes to remediate their most critical external risk factors. More specifically, IntSights helps customers by monitoring the clear, deep and dark web to identify threats specifically targeting customers' digital footprint, things like data and credential leakage, malicious activity tied to their brand or fraud. Threat command not only provides continuous monitoring to identify these external risks such as suspicious phishing domain, it can then proactively respond with automated takeouts of these fraudulent domains or accounts. This is just 1 example of how IntSights provides actual intelligence and response that helps secure our customers' digital experiences. Coupling IntSights' tailored threat intelligence with Rapid7's community-infused threat intelligence and deep understanding of customers' environments will help our IntSights platform to provide unmatched monitoring across internal and external services. This will enable us to deliver rich insights to drive proactive and automated threat mitigation for our customers across their digital footprint. Our acquisition of IntSights expands the core capabilities and outcomes that Rapid7's IntSights platform can deliver to our customers in 3 primary ways. Let me take a moment to address each of these. First, IntSights expands our addressable opportunity by positioning Rapid7 as a leader in the fast-growing billion-dollar threat intelligence market. We enter to build on IntSights strong momentum to date by making threat command accessible to an ever wider security audience by continuing to sell it standalone and over time, integrating it as a component of our IntSights platform. I am confident that this can drive immediate value for many of our existing and prospective customers. Second, integrating IntSights' threat intelligence with Rapid7's leading detection and response capability that will provide customers extended end-to-end fidelity for internal and external attack surface monitoring, solidifying Rapid7 as a leading cloud-native XDR platform. At its core, XDR is about collecting and correlating disparate data to improve detection and accuracy, and leveraging automation to drive response effectiveness. Since inception, InsightIDR has led with a data-first approach to providing visibility and monitoring across customers' environments. Today, Rapid7 offers one of the most comprehensive extended detection response capabilities, combining internal visibility across network traffic, endpoint data, logs, user activity and cloud visibility with intelligent automation across our platform. Few competitors in the XDR market today can match this. But a critical challenge for every SecOps team today is to separate the overwhelming level of noise and alerts within the data from actionable signals of risk or compromise. By integrating IntSights' leading technology into our Insight's platform, we will bring to fruition our vision of a data-driven XDR platform that provides unmatched telemetry via a best-in-class availability to understand the threat environment across internal and external services, driving faster and more accurate detection response of threats. We believe this combination will accelerate our position as a leading player in the fast-evolving XDR space. Third, infusing IntSights' threat intelligence within our Insight Engine will elevate and further differentiate every product on our platform, amplifying our unified platform experience. This is a critical component of Rapid7's acquisition strategy. At our recent Investor Day in March, we spoke at length about the value of our shared data collection ecosystem with analytics that can move from product to product. The integrated intelligence and telemetry from IntSights will enhance risk visibility, not just in our detection response, but also in our VRM and cloud security pillars as we continue to work towards delivering a unified SecOps experience in the cloud. A great example of this opportunity is an existing Rapid7 enterprise health care customer, who also leverages Insights to protect their massive digital footprint. In their own words, at their size, they would need an army of 100 people to keep track of everything IntSights to monitor their external threat exposure. The net effect is that they have improved their security outcomes by leveraging IntSights to identify and remediate about 500 external threats per year. This is a great representation of the size and scope of the challenge that many customers are facing today as their ongoing investments in digital transformation dramatically expand their digital footprint. In addition to IntSights' ability to accelerate our core Insight platform capabilities, we see great admission-driven alignment with the IntSights' leadership team as well as great cultural fit, which, as I have shared previously, has always been critical to the success of our acquisition strategy. Their effort to democratize threat intelligence fits squarely into our mission of making the best and security operations accessible for all. They have built an innovative and impactful business, and we are excited to welcome the IntSights team and its customers to the Rapid7 family. Turning now to a brief financial review of the deal. Under the terms of the agreement, Rapid7 has acquired IntSights for a total consideration of $335 million, subject to adjustments to be paid in cash and stock. IntSights ended its second quarter of 2021 with approximately $27 million in ARR, and we see tremendous opportunity for the business to drive continued high growth looking ahead. We believe this accelerates our path to become a $1 billion company. IntSights has approximately 400 customers across multiple industries including technology, retail, financial services and manufacturing, among others, validating a huge opportunity for growth via both new customer acquisition and penetration into our existing customer base. We anticipate modest revenue contribution from IntSights for the balance of the year as a result of the required purchase accounting deferred revenue right now. We will share more details on this in a few weeks when we update our full year guidance on our upcoming earnings call. I will highlight, however, that we intend to absorb IntSights' operating expenses within our current profitability outlook for 2021. So were it not for the required deferred revenue write-down, we would not anticipate a reduction to our low end of our full year non-GAAP operating income expectations as a result of the acquisition. In summary, we're extremely excited about the opportunity IntSights brings to expand our addressable market, extend our leading cloud-native external capabilities, and elevate our platform value proposition, all in the service of helping our customers close their security achievement gap. We look forward to integrating the IntSights team and technology as we work collectively to deliver a unified SecOps platform experience and improve security outcomes for organizations of all sizes as they accelerate their digital expansion. With that, I will turn the call back to Sunil to open the call for your questions.

Thank you, Corey. As a reminder, we ask that you hold all questions related to Q2 results for our upcoming quarterly earnings results call. We'd appreciate if we focus today's discussion on the IntSights acquisition. Operator, can we now open the call for questions?

[Operator Instructions] Our first question comes from Rob Owens with Piper Sandler.

Great. I guess relative to the acquisition, as we think about the category of XDR moving forward, and you talked about the cloud-native capabilities that they have, just curious if there's more you think you need to do from an on-prem perspective. I know XDR has been a bit more of a marketing category and before that, there was next-gen SIM. So kind of curious if you have the pieces now, Corey, from your perspective or if there's more to do from the on-prem side of things to have a more holistic XDR? And I do have a follow-up as well.

Yes. Thanks for the question, Rob. And so when we think about XDR, we think really about how do they help customers solve their fundamental problem about detecting and protecting themselves from threats and attacks in their environment. And as you think about security is, by itself, a large fragment ecosystem, a detection response, a fragmented ecosystem. Our long-term goal with InsightIDR has always been to actually take that complex fragmented ecosystem and make it successful for people to actually have an integrated detection and response program. And so we've been building that steadily throughout the years, where it wasn't just logs. It was end points. It wasn't just logs to endpoints. It was also about the network data and visibility. And now we also are able to provide the external threat visibility, and we're able to response also in an integrated fashion with our InsightConnect platform that allows you to actually automate response across the portfolio. We think about, whether you call it XDR, whether you call it integrated detection response, at the end of the day, our primary focus is how do you actually take a complex environment and allow people to actually detect the attacks that are happening, make sure that attacks don't go through some of the gaps that often exist within threat security environments and allow them to actually respond as effectively as possible. With IntSights, it allows us to combine that holistic inside visibility with the external visibility. Now to your core question about do we actually have all the pieces, I would say we have the core pieces that we need, and we've been a leader in this space for a while. And so we've had the pieces for a long time. What happens is we keep pressing it and pushing the boundaries, so that we can deliver more and more value to our customers. And you see that with some of the organic investments that we're continuing to make -- and announce. And you continue to see us push the boundaries forward, ensuring that customers don't have any gaps in their ability to detect and respond to attacks. And you can see our [indiscernible].

Yes. And as a follow-up, just on the quarter, I know you're going to share more details in the next couple of weeks, but this was the second largest sequential increase in net new ARR, I think you guys have ever seen modestly behind the fourth quarter. And if we stack up acquisitions, there is an acceleration here in organic ARR growth. So maybe you can just comment generally about the environment that you saw during the second quarter.

Yes. We're going to have most of our commentary on the call. What I'd say is that, as I said on the Intercall, I'm extraordinarily proud of our team. They have done really a tremendous job of, one, building solutions that customers need. And so it's easier to sell when customers actually value and want what you actually have. And as you indicated, that's true just as much organically as inorganically. And the second thing is that our go-to-market and our customer service and sales team just did a tremendous job executing and continuing to build. So we will go through the detail on our earnings call, but I'm extraordinarily proud of the team and what they've accomplished for our customers.

Our next question comes from Jonathan Ho with William Blair.

Can you hear me okay?

We hear you just fine, Jon.

Great. So just how much of an upsell opportunity do you see with Insight? And perhaps what's kind of a typical deal size for the company look like?

Yes. And so let me just start with the upsell. We have to see a tremendous sort of opportunity to both cross-sell and upsell into our installed base. We think with InsightIDR, as I've talked about on previous calls, we increasingly are seeing customers who are absolutely focused on figuring out how they actually make sure that they actually get up and running as quickly as possible with the best-in-class solution. And so we see more people focusing on how to upgrade their stock. And we see this as a natural synergy with InsightIDR and frankly, with our InsightIDR install base. That said, this is going to be another offering that we continue to sell stand-alone. They have a great momentum, great traction in the market today. And we expect to continue that market both selling to our Rapid7 customers, but also adding net new customers. I think that from the data that we actually put out, those 2 core numbers is, one, if you look at the rough ARR, it's approximately $27 million, and we actually talked about roughly 400 customers. And so that gives you roughly a $67,000 ASP, again, just from the data that we actually put out in the announcements earlier.

Got it. Got it. And then in terms of the maturity of organizations, how should we be thinking about sort of their understanding level around protecting the external assets and maybe in baseball terms, what inning we are in terms of seeing the market adoption and awareness here?

Yes. It's a great question. I'll answer it in 2 ways. One, if you look at what the -- from the TAM standalone, which is attractive, it's like in the low single billions of dollars per year. What was the most exciting for us is the customer feedback that we've actually seen. We have seen a pretty big uptick in acceleration of customers looking for threat intelligence solutions and specifically actionable threat intelligence. And we think part of the reason they were so successful independently is because they're focused on the core things that people need to actually manage their risk exposure. So it's not just sort of like theoretical threat intelligence that's generic about what type of the environment. This hyperactual or hyperspecific about what we're seeing related to your specific company, your office as your people, how people are trying to actually use fraudulent websites, domains, information. We're looking across the clear web, deep web and dark web, all to actually figure out anything that add risks specifically to a company. And for us, as we actually spend our time looking across this space, the specificity and actionability is something that we really want to make sure that was available in any offering that we had such that customers can continue to get a faster turn on their results.

Our next question comes from Brian Essex with Goldman Sachs.

Great. And I guess maybe if I could expand, Corey, on that last response you had. Could you maybe provide a little bit more detail into the value of the Insight platform, whether it's having an extra, I guess, volume of data for you to ingest into XDR? Or did they really do something different? Is there technologically something that they're going to add to your platform in terms of analytics where you need to more fully integrate them into your platform? Just trying to understand kind of explicitly what they're bringing to the XDR platform or Rapid7.

Yes. You can think about what we -- well, it's a great question, it's an important one. Think about Rapid7 as excel -- excellent at providing an internal view of the environment. And so you think about a threat environment that's -- not a threat environment, a technology environment that with all the innovation, with all the focus on digital agility is expanding rapidly. And so our security customers have to actually manage that threat environment. And because we've been so focused on simplifying and integrate threat security perspective, Rapid7's -- and here, I'll talk about specifically InsightIDR, but I would say for all of our security operations, it's excellent in providing visibility about what's happening from a risk and threat perspective, the visibility and monitoring into the attacks that you actually have in the environment and then the automation that allows you to actually respond. All of this is internally focused. Now what Rapid7 has not done other than what we do from our open intelligence sort of like work is provide our customers in-depth views about their external risk and their external threats. And so are there people that are out there leveraging either their infrastructure or spooking their infrastructure that compromises them with their customers? Increasingly, as you think about the world of cyber where people's brands are at stake and people are looking to actually catalyze and compromise any aspect of an environment, then it's incredibly important to actually not just focus on the internal environment, but also see what's happening in the external environment, what's happened in the dark web, what's happening with the infrastructure that's being built up. And that intelligence is increasingly valuable to customers. So what I would say the complement is, we are best-in-class at an internal perspective. And what this adds is the best-in-class external perspective, so that we can actually know if there's actually people or data that's being compromised on the dark web. We can actually know when people are taking our infrastructure or mimicking our infrastructure using to compromise our clients and our customers. That's stuff that our customers increasingly care about.

Got it. That's helpful. And maybe if I could ask one more follow-up. Maybe a little bit of color on how the transaction evolved. Was this a company that you partnered with and you saw the demand with customer overlap? Or is there a minimal customer overlap and you kind of sought out the technology based on what you heard from your customers?

Yes. So like most things that we do, we're pretty demand-centric at Rapid7. So we're constantly listening to our customers and seeing what they're interested in and how we can actually create more efficiencies and more productivity or the stuff that we do when we take care of our customers, especially as it comes to their security operations. In this case, we were actually tracking the demand and we're also tracking the general market. And this is a team that we're incredibly impressed with. And this is a team that we spent some time getting to know because what we found when we looked at the broader market is that there was lots of companies that did what I would say, research-oriented threat intelligence. By the way, Rapid7 has great research-oriented threat intelligence. But what we would hear from our customers is that they were incredibly hungry for I want specific stuff that's a threat to me, and I want to know about when it's a threat, and I want to be able to respond. And so there's 2 attributes like, 1 would like the actionability of it being specific to a customer. But the second thing that we found incredibly unique is they had this ability to do these automated remediation takedowns. And so when they found things that automate the ability to actually remediate that for the customer, and that was incredibly unique from our perspective, especially combined with our overall platform.

Congrats on the transaction and the results.

Our next question comes from Saket Kalia with Barclays.

First, maybe for you, Corey. Really interesting to just hear about sort of the internal versus external kind of perspective, right, in terms of what IntSights brings. But I was wondering if you could just dig a little bit more into the threat intel offering here from IntSights and maybe how you think it differentiates. And I guess I asked that question because it feels like there are several options out there for threat intel. How do you kind of think about sort of differentiation of that data during the due diligence process?

Yes. It's a great question. One, there are several options that you can imagine we do our homework with these things. And we're incredibly impressed with this team. I would say the things for us that actually stood out as we were preparing is I put these things in a couple of different buckets, is, one, you can actually think about the threat intelligence market really came up as a manual human-centric activity where you've got a few really, really smart people and you actually have them dig, impersonate, spoof, gather and collect information. That's the historical threat intelligence market. By the way, that's awesome. And as you all know, Rapid7 has people that actually do that, are invested in that. The challenge for me is that doesn't scale. So I want to actually scale this as sort of like approach to 10,000 customers around the world and I want to be actionable, is especially in the talent environment that we're in now, we can't afford to have armies of people that are actually going out doing this manual stuff. We need some that are deep experts and we'll continue to have that. So really, what we wanted to look at is we were looking for threat intelligence that had scalability associated with it, where they really fine-tune the technology aspect of the ability to both generate threat intelligence on an automated platform and then synthesize third-party threat intelligence on a platform, and this was fairly unique in the ability to both generate threat intelligence in an automated fashion, synthesize threat intelligence and then add your own custom threat intelligence to the mix. That was incredibly important and powerful for us. And then the last thing, the thing I mentioned last time, is that they have actually taken that a step further and really focus on the automation -- on the automated remediation and [ takedown ]. Now part of the reason that they've actually done some of these things, and again, we're going to continue to invest and build out these capabilities, is that they have a similar mission to Rapid7. Their mission was democratize threat intelligence. And when you think about what that means, that means how do you actually make the best in security operations, which Rapid7 is focused on, accessible to the broadest possible audience. Be they a Fortune 10 company or be they a mid-size company or be they a government around the world. And so that focus on scalability is really what drew us to them. They have very, very smart and talented people based on their background, but scalability was unique impressions in the market, and so we were excited about the opportunity.

Got it. Got it. Maybe just a quick housekeeping follow-up. I think the deal just closed or maybe it's about to close, but can anyone talk just maybe about the financing mix between cash and stock and the $335 million purchase price?

Yes. Saket, this is Jeff. It closed Friday. So the total price was $335 million, it's about $21 million of stock. The rest is all cash, and that $21 million went to the founders.

Our next question comes from Alex Henderson with Needham.

I was hoping we could just hit a couple of the block-and-tackle elements of the acquisition. For instance, can you give us some sense of how many employees you're bringing in? And any idea around the growth rate, which I don't -- I know you said it was high, but high is a very qualitative term. Could you give us a little bit more sense of what the growth rate looks like? And then the third piece is, as we're looking at that $27 million in ARR, how should we be thinking about the mechanics around how much of that is going to be lost as a result of the purchase accounting? And how much of it you think you might be able to -- and I realize that obviously, that accounting exercise takes some time to play out and you don't have exact numbers, but something in the general ballpark would be helpful.

Yes. Alex, they have 180 employees that we're acquiring. And this is another high-growth asset that we're bringing on. It's a little over 40% in growth in ARR. With respect to the write-down, it's -- was going to say, that's the deferred revenue and not the ARR. The ARR stays by itself. So that would be -- we'll talk about that on the August call. So that will affect the revenue, obviously. And what we said in the prepared remarks is that in our -- if you didn't take that write-down, we come in on the low end of our operating income range.

Okay. And just going back into the competitive landscape. As you think about this acquisition, who did you -- who do you look at as their nearest competitors? Who does it -- where does it overlap? I mean is this Recorded Future? Or who should we compare this with broadly? And I appreciate the great responses and the opportunity to ask the question.

Yes. I mean the threat intel market is a highly fragmented market. I think you mentioned sort of like Recorded Future is one of the most well-known companies. [ Brit's got Cube ], that's another comparable company in the space. I think there's a host of companies that you actually go down the list. I think those are probably 2 of the most notable based on news and name brands. And they all focus on slightly different aspects. Like I said, sort of like, some focus on the customer threat intel, some focus on the automation, some focus on the brand and reputation. What we actually found here was a company that actually had a good mix of having a scalable platform for both process and other information, but also finding information, both on the clear and the dark web, as it pertains to companies.

[Operator Instructions] Our next question comes from Brad Reback with Stifel.

Corey, as you mentioned before, now you cover sort of the inside and the outside from a threat perspective. So going forward, should we expect you to continue to look to widen the platform, either be it further acquisition or internal development or just go deeper on what you got?

Yes. I mean it's a good question. I'd characterize it as actually going deep. I think we actually have a large TAM today. I think we have a clear market space. When we think about security operations and providing people the visibility into the environment, the analytics to understand what matters from both a risk and a threat perspective, and the automation to actually scale the management of those risks and those threats, we think that's a massive problem, whether you break down the individual TAMs or you look at it from an integrated perspective. And if you look both the organic investments that we made, and the inorganic, they've been fairly disciplined in the scope for that problem that I just described right there. We want to be the masters and the best in the world in helping people have visibility into their risks and threats whatever that may sit and whatever we resolve from a cybersecurity perspective and then provide the analytics and the automation to actually manage it and remediate it in the most productive and efficient way. That's how we kind of think about our market. So I would say it's deep but in a massive TAM and a massive area at a massive area of need for our customers.

And I'm not showing any further questions at this time. I would now like to turn the call back over to Corey Thomas for any further remarks.

Well, I want to thank you again for joining us at the last minute today. I also want to give another shout of gratitude to both the IntSights team and the Rapid7 team, and thank you to all the folks in the investor community who has been supportive of the work that we've been doing on behalf of our customers. Thank you so much, and have a great day.

Ladies and gentlemen, this concludes today's conference call. Thank you for participating. You may now disconnect.