Rapid7, Inc. (RPD) Earnings Call Transcript & Summary

March 4, 2020

NASDAQ US Information Technology Software conference_presentation 37 min

Earnings Call Speaker Segments

Melissa Gorham

analyst
#1

Great. Welcome, everyone. I'm Melissa Franchi, software analyst here at Morgan Stanley, focusing on the cybersecurity space. Very happy today to have with me Rapid7 management; Jeff Kalowski, CFO; and Andrew Burton, President and COO. Welcome to both of you. Before we get started, let me just read this disclosure. Please note that all important disclosures, including personal holding disclosures and Morgan Stanley disclosures appear on the Morgan Stanley public website at www.morganstanley.com/researchdisclosures or at the registration desk.

Melissa Gorham

analyst
#2

Great. Well, let's kick it off. Maybe to start with you, Andrew, to just kind of level set investors that may not be as close to the story as we are. Can you just talk about how the Rapid7 story has evolved over the past few years? I think historically, your heritage lies in vulnerability management. Now it is a much broader story across VM, of course, but also security analytics, orchestration, et cetera. To what extent are customers now initially just engaging with you on the VM technology versus something that's much broader?

Andrew Burton

executive
#3

Yes. Great. So thank you for having us. And I'd start out with the story of Rapid7 really has been from the beginning about how do we better serve a market that has largely been underserved in getting to better security outcomes. And so when we originally, as Melissa, as you said, the vulnerability management space was when we started out, we started solving for this problem, we were focused largely around this medium enterprise. And the medium enterprise was a unique space to be because they were largely underserved by a lot of the players out there, that were really focused on the top of the market. These were accounts and customers that were challenged with complexity, and they were at risk of being compromised through these vulnerabilities. So we set out to design solutions that were easier to use, easier to deploy and more effective in helping them advance their VM programs. And what we found was, as customers really saw the benefit of solutions that were easier to use, easier to deploy, that the opportunities began to expand. We saw larger companies equally interested in that as well as smaller companies. And so the history of Rapid7 has been this democratization of helping people get to better outcomes around their vulnerability management programs. Now as we did that, and as we grew quite aggressively, we also were listening to those customers tell us they had other problems. So for example, when we provided the customer visibility on how vulnerable were they, they would also then ask us, well, have they been compromised? And so as we began to look at that, that led to our second offering, which is now over 30% of our new ARR, which is our detection response through our SIEM offering. And similarly, we had customers tell us that they were either had deployed SIEMs and hadn't realized the promise of the SIEM, or they weren't able to access the SIEM solutions that were in the market. They were too complex, too expensive, or too difficult to use.
And so the story of Rapid7 has been this kind of expansion around making security more accessible for both large organizations, large enterprise as well as the SMB and continuing to build out that portfolio. And so now here we are in 2020 and our 2 core businesses are doing quite well, which is vulnerability management and detection response is now #2. But we also have these other 2 portfolios, the application security as well as security orchestration and automation. These are more emergent. They're more mid- to long-term contributors. But again, we look at those spaces as has -- have security organizations been able to solve their core problems and advance their programs, and Rapid7, we believe, is positioned well to help those organizations advance their programs without having to be the experts or deploy a lot of expertise or resources to try to make that progress.

Melissa Gorham

analyst
#4

Okay. Great. That's a helpful overview. Let's start with the VM market because that is still your biggest business today. What's your view in terms of how fast the underlying market is growing and how much runway do you have? And maybe if you can frame that growth across a number of factors, whether that's the growth in like the number of devices, IP addresses versus for you, perhaps, pricing or competitive share gains?

Andrew Burton

executive
#5

Yes, absolutely. So when we look at the VM market, clearly, it's becoming a more complex problem. The expansion of the attack surface is quite significant, right, more distributed workloads, more connected devices and more organizations are trying to figure out how to make sure they're not exposed to their vulnerabilities. All 3 major vendors, whether it's us or the other players, we all agree that the market is decelerating a bit. We have said, and I think it's widely regarded in the analyst, that the market is in the low -- mid- to low teens growth. We are going to grow north of that. And we believe we'll grab a share. Now our belief is that there -- that we don't need to grow above that to our goals, but we believe the VM market is a healthy market. We're optimistic about that market. And we believe that providing a more comprehensive solution is what customers are looking for. Now in general, we've also talked about the average customer is about 30% to 50% penetrated. So you look at the total potential assets or their environment, how much coverage do they have in their VM program? And we see that larger accounts, more complex, more sophisticated environments, they struggle to get visibility across those environments. Smaller organizations have an easier way to get visibility into their environments. And so -- it mirrors a little bit of the market. This is not unique to Rapid7. And so when we look at that opportunity, we both see the opportunity to penetrate in larger accounts and continue to expand our footprint as well as we continue to see greenfield opportunity in smaller organizations, greenfield opportunities in the international markets and then continuing to provide a more complete solution for the larger enterprise. Pricing, I think, was your last point. I don't think we see any major changes or macro changes to the pricing environment. We have consistently said that we have a one price, one solution focus on VM. 
We do not try to monetize slices of the problem. We look at it as a holistic, both on, can I scan and get visibility into the environment and can I remediate those potential issues. That is one solution and our InsightVM, our cloud offering, is really focused on that problem. So I think at a macro point, market is healthy. We believe we can grab share, and we believe we're well positioned to continue to do that.

Melissa Gorham

analyst
#6

Right. And then just to put a finer point on it, when you're talking about gaining share, is that mostly in the large enterprise space? And can you talk about how you're differentiated relative to the other vendors, notably Qualys and Tenable in that market?

Andrew Burton

executive
#7

Yes. I think we look at share expansion and there's kind of 2 macro ways to think about it. One is in the broader market, there's a lot of greenfield. And we see that, as I said, in both medium enterprise and smaller as well as internationally. So there's a lot of net new opportunities there. And I think that's something we've talked about in the past. In the larger accounts, I think the question we see in the larger environment is, are people fundamentally advancing their VM programs and the scanning, the risk assessment is important, but increasingly, I had someone last week at RSA, we were here in San Francisco, and they're talking about the finders and the fixers. Our belief is that the 2 are needed to be increasingly working together. The people that are finding vulnerabilities, assessing vulnerabilities, and those people remediate them. That is the problem we're solve -- we're focusing on and we're solving on. Our differentiation is largely viewed around that, which is security, and VM, specifically, has a productivity problem. The number of vulnerabilities are going up and the rate of people addressing and remediating those vulnerabilities generally is going down. We believe it's our focus to help our customers flip that dynamic, reduce the vulnerability, so that over time, the number of vulnerabilities that they're concerned about are coming down as well. That achievement gap is what we're focusing on.

Melissa Gorham

analyst
#8

Okay. Great. That's helpful. Let's try to shift gears to your other core business, you said InsightIDR, the detection and response side of your business. You said it's over 30% of new bookings. I'm wondering the extent to which customers are now initially engaging with you for that capability because it seems like there is a lot of growth in the market for SIEM or security analytics. But at the same time, though, there seems to be a lot of other vendors that are trying to address that. So can you just describe what you're seeing from customer activity perspective?

Andrew Burton

executive
#9

Yes. We're -- so we are very excited about our SIEM solution, our detection and response offering. And we're excited because similar to VM, when we were talking with our customers and this has been -- many years, we've been working on this, over 5 years. Were people getting to the outcomes they were being promised around, can I detect and respond to a potential attack or if I've been breached? And so our approach to solving this problem was, can we provide a holistic solution? So we started out with user behavior analytics. So our fancy way of saying, can I detect what type of potential malicious user activity is in my environment? We combine that with my former company, which is log analytics, log management. We then brought in endpoint data and most recently, we've added file integrity monitoring. Now the thing about bringing all these things together, was not just -- it was not a bundling exercise. It was, what does the customer need to be able to really detect and respond to attacks, right? And so the reason we're so excited and even just -- I think it was 2 weeks ago, Gartner recognized this as being in this magic quadrant, the upper right-hand quadrant, was we feel like the work is now being validated by third-parties, right? Our customers have been telling us that the promise of the SIEM has largely gone unrealized because, again, sophisticated teams are required, significant investments and a lot of focus in being an expert around solving the problem. And what we felt like was whether you're a large company or a small company, many of these organizations lacked those resources. And so when we look at those dynamics, Melissa, to your question, we are seeing about a 50-50 weighting. About 50% of the customers coming in are net new to Rapid7 and about 50% have a relationship with Rapid7.
And so we have, I think, become one of those few companies that has market-leading products more than 1, in fact, 2, and we're able to go to our customers and go to the market with a way to bring people in on either one and then do some cross-sell, up-sell. One stat, I think we've shared in the past, that I'll just mention briefly is, of all the IDR customers, about 50% of them are also now getting vulnerability management from us, right? So we view this as an opportunity. We're weighting it, right? We still believe we can drive new customer acquisition, but we also believe there is expansion opportunity. So it's a measured approach. But it is one we believe we can land new customers with a balanced portfolio.

Melissa Gorham

analyst
#10

Okay. And you mentioned that now you're in the Gartner magic quadrant, that is meaningful because it is a critical component of enterprises decision-making. Is that something that you think could change the trajectory of traction with IDR?

Andrew Burton

executive
#11

Yes. I think we are obviously bullish on the IDR opportunity and it's -- getting that recognition is helpful. Two things I would highlight that Gartner helps us with. One is we were a cloud-native SIEM, right? We were born in the cloud. And at the time, when we did it, some people were a little skeptical of like, hey, could a SIEM ever be in the cloud. And we were -- we started in the cloud, we're born in the cloud. And now there's another company you may have heard of that obviously is a cloud SIEM, Microsoft. But Gartner's validation is also recognition that, hey, cloud SIEM, a cloud approach, a cloud-native approach is one that customers should be comfortable with. And we're seeing customer set. The second, which is probably more important is the references, right? Any analyst firm, they talk to the customers, right? And I think Peer Insights, this opportunity of what are my peers saying about this solution has actually been something that's been quite positive. And some of the specific points around Peer Insights is time to value, right? Nowadays, especially in cybersecurity, but also in tech, is how quickly can I get value out of something. And we see this as a huge differentiation. But rarely do you see a vendor say, oh, no, my stuff takes a long time to get deployed. So when we have peer companies, customers, talking about the value, quick time to value and being a more holistic solution and then Gartner being able to highlight that, that helps us tremendously, but it also -- the burden is still on us to make sure that we're communicating that effectively through our sales and marketing engine.

Melissa Gorham

analyst
#12

Okay. Let's talk about InsightConnect, that's maybe the most emerging product for you all. Can you just talk about what capabilities you're providing with InsightConnect that's different and separate from some of the automation and prioritization capabilities that you already provide with VM? And what's customers' willingness to automate some of these security functions?

Andrew Burton

executive
#13

So -- just so context for folks in the room. So InsightConnect is our security orchestration and automation offering, right? We acquired it a few years ago. We launched it in Q4 of '19 -- excuse me, Q4 of '18. And what we did is we embedded some of the technology, Melissa, to your point, in our other offerings, again, solving, making sure we solve the complete solution with VM and IDR. But we also believe, as to your question, that there is a stand-alone opportunity around helping people automate and orchestrate their security programs, right? And we believe right now that it's still a mid- to long-term contributor. We're seeing a lot of early tremendous and I think quite positive early successes. But think of it this way. We had one customer recently, and I mentioned RSA last week. One customer recently highlighted that their security team getting e-mails from their end users saying this could be a phishing attack, right, in e-mail. It was taking their security team 6 hours a day just responding to, hey, I think this is a phishing attack, right? And with SOAR, they were able to automate and orchestrate that to reduce it to minutes, right? And so you'd say, what does that look like, right? Being able to say, okay, when an e-mail comes in, enrich and see what kind of information is in there, being able to have a predictable workflow, maybe put it in Slack or some type of ChatOps tool and just having repeatable, scalable way that doesn't just throw bodies at the problem, right? So this is just one small sliver. But we believe, again, back to our thesis that security remains an unsolved problem is how do you take an industry that's largely -- there's not enough resources, the problem is getting harder and that they need some way to get leverage of solving the more sophisticated problems and automating the more basic stuff, right? And so it's early, right, I think we bought early time Phantom and Demisto were independent companies. 
We looked at a number of offerings that were out there, and we bought Komand. It's now InsightConnect. It's on our cloud platform, and we are seeing really positive early feedback. But the other thing I will say is, we aren't trying to artificially accelerate time. We are very patient. You saw this with IDR, right, going from a VM company to now a SecOps company. And so with IDR, it took us a few years to really make sure we understand the customer, understand the value and the value drivers and how to best package and monetize, and predictable, consistent, durable growth is our focus. So we're not trying to rush the SOAR solution to market. We do see some early signs, and we're very bullish on it, but we view it as more mid- to long-term contribution.

Melissa Gorham

analyst
#14

Okay. Follow-up for you, Jeff, on this discussion. So on the Q4 call, you stated that you're expecting to increase investment. And you did note the large opportunity in the SOAR market. Will these investments primarily be on the sales and marketing front? Or is there still some sort of R&D investments you guys are planning on making?

Jeffrey Kalowski

executive
#15

Right. Well, we're continuing to make investments, both in sales and marketing and on the development side. If you look at '18 to '19, we did show some leverage in sales and marketing. And we guided to improvement of just under 2 points this year at the midpoint. So we're -- you'll see that leverage in sales and marketing as well. But with respect to those investments as it relates to SOAR, there's a lot of -- what we're doing is we're increasing in head count in the sales and IDR -- in the SOAR and IDR space. There's a lot of synergy together with those 2 areas. So we're really driving that growth. For next year and the year after, we want to invest in that space right now. So while we're still investing, we're still going to improve the leverage in sales and marketing as well.

Melissa Gorham

analyst
#16

Okay. Great. That's helpful. So just putting it all together in terms of the product portfolio, currently, ARR per customer is at $37,000, $37,500 and you've talked to the potential of this metric moving up to $200,000. And you talked about some of these -- this is opportunity perhaps to expand VM more broadly within the customer base, you're still underpenetrated and you have expansion opportunities in IDR and Connect. But what products do you think will be the most instrumental in reaching that goal and closing the gap between what's being spent today and what's the max potential over time?

Jeffrey Kalowski

executive
#17

The short answer over time is all of the above. But clearly, today, VM makes up the majority of that and IDR, of course, is second. But what we do see over the near term, the next 2 to 3 years, it will be still VM and IDR on a weighted basis, but you'll see the application security products and the SOAR products becoming a bigger piece over time. What we will say is we -- I think you've heard us say in terms of line of sight over the next few years. Even with a -- what we're saying is, we -- over 10% ARR growth over the next -- I'm sorry, 10% customer growth over the next few years and 20% ARR growth over the next 3 years, which is what we said on the call, sort of our 3-year outlook. And by the way, we will have an Analyst Day late May, June. We haven't finalized the date yet, but we will provide more color on each of those products. But the point I was trying to make is that we see our line of sight is between $50,000 and $60,000 just on those 3 metrics on a 10% customer growth over the next 3 years and 20% ARR growth.

Melissa Gorham

analyst
#18

Okay. That's very helpful. On the 10% growth in customers, what extent do you need to expand internationally? I think over the past few years or for a while, we've talked about investments that you all are making outside of the U.S. in which you're pretty underpenetrated today. Are you at the point where you're starting to see some of those investments pay off? And what's your expectation for customer growth in U.S., percentage-wise?

Jeffrey Kalowski

executive
#19

I'll start. But as you know, that international grew over 50% and it increased as a percent, it's growing faster than North America, it increased as a percent of the total, I think it was 15% last year and now 17%. So what we're starting to see is we're realizing the benefit of those investments that we started a couple of years ago. So we would expect that customer addition should ramp up as well given the growth opportunity there. I don't know, Andrew, if you want to talk about the cloud?

Andrew Burton

executive
#20

I would say that the last couple of years, as Jeff said, we were really putting down some of the foundational investments to help us scale and grow. And now, we're starting to see the contribution and the returns of those investments. Things like looking and tiering at -- tiering the markets and looking at the markets to see their maturity, their cloud readiness. And that has generally been, I think, something that is -- that we believe is not only in the near term, but also in the longer term, it's going to help pay off. When we look at the cloud solutions, we are, in fact, seeing some of these international markets being not only more open, but actually more aggressively looking at cloud solutions. So I think we are very bullish on the international opportunity. It's also something with our broader portfolio we see is also an opportunity there because that greenfield is inherently something that gives us some leverage as well in terms of if we want to package or go-to-market with multiple solutions in the same buying dynamic.

Melissa Gorham

analyst
#21

Okay. Since you mentioned the cloud platform, over the past few years, we've followed your transition from on-premise subscription business to the Insight platform. Jeff, what metrics have you guys talked about that help investors understand where you are in that journey? Is it substantially [indiscernible] at this point?

Jeffrey Kalowski

executive
#22

No, it's a good question. So last quarter, we said about 87% of our revenue was recurring. I would say that on the VM side -- remember that our IDR product was always recurring, always cloud. So on the VM side, we're through that 2-year transition. We launched the SaaS product in April of '17, and we got through that in the second half of last year 2019. The -- if you look at our product and maintenance revenue, and those 2 are merging because maintenance is just the left over revenue from the perpetual maintenance and content. So as customers migrate to the platform, we're reclassifying that. And we're actually consolidating those 2 lines. So if you look at that revenue and you take out services, which was about 9% of revenues for the year, it's about 95% recurring. So we are really, absent the services, virtually all recurring. The difference of what's left is really when we changed over to 606 at the end of 12/17, the beginning of '18, that's the perpetual that's being rolled out over the remainder of the 5 years. So last year, it was roughly $14 million. This year, it's only about $10 million. So the short answer to your question is we're now virtually all recurring revenue, except for the services, which will be -- which, over time, becomes a smaller percentage of the total.

Melissa Gorham

analyst
#23

Right. Okay. That's helpful. We've had this discussion about this broad portfolio that you guys are offering to your customers. I wanted to talk about the net expansion rate. In the most recent quarter, we did see a downtick to 108%, down a little bit from the year-ago period. On the call, you talked about changing sales incentives towards prioritizing new accounts versus expansion within your existing accounts. Can you talk about the rationale for that change in sales incentives? And then just given we've talked about these new opportunities with Connect and expansion within IDR, will we start to see that net expansion rate move higher in 2020?

Jeffrey Kalowski

executive
#24

Yes. So I'll back up a minute. And if you remember, in 2018, our net customer growth was about 11%, and it was 16% at the end of '19. It was substantially improved, and we did change the comp plans to focus on new customer growth. The other thing I want to talk about is that in '18, if you recall, we had a lot of the attrition of services-only customers. By design, what we did is, we said we don't want the low-value nonstrategic services customers. So we didn't focus on that. We focused on getting higher-value services that lead to product sales. So that was one element of the attrition back in '18. So we did incentivize the sales force to focus on new customers, and that worked very well last year. With respect to the metric, we don't -- and I want to clarify because there's some confusion, we don't manage to that net expansion rate metric. We manage to the ARR and the ARR per customer and growing those. And if you look at -- a rough example is if you can sell VM and they tend to up-sell and you sell $20,000 and maybe they up-sell another $20,000, you're going to get a great net expansion rate. But IDR, if it's $50,000 or $60,000, these aren't the real numbers, they don't -- they have to cover most of their environment. So you're not going to get the same up-sell which affects the rate, but you're going to get more ARR and more ARR per customer. So that net expansion rate is an important metric, but it's more if all your products are pretty much priced the same way. So in our case, it's different.

Melissa Gorham

analyst
#25

Okay. That's helpful. When we're thinking about ARR growth for next year, 25% plus, I think, is what you're guiding to, what are some of your key assumptions in terms of growth in new customers? I think you talked about this a little bit, but just to put a finer point for next year, growth in new customers versus up-sell?

Jeffrey Kalowski

executive
#26

Yes, we don't -- we're not forecasting the mix at this point. But we look at a healthy growth rate as the base gets bigger; it's over 10% in new customers. And what we said across the product lines is that VM, we say that the market growth is low to mid-teens. We will grow faster than the market. IDR is over 20% of our ARR, that will continue to exhibit strong growth. It went from triple-digit for a few years to 75%, but we're still forecasting very healthy growth there. Those 2 products will still be the majority of the growth in the 25% for next year. And of course, AppSec and SOAR will start to contribute, but not significantly until '21, '22. But they are in -- we don't need those to substantially overperform. As Andrew said, we are investing to get it right. And those are really the primary drivers. 3 years from now, those will become more meaningful.

Melissa Gorham

analyst
#27

Let me just pause here and see if there's any questions in the audience. If not, I have. Anyone? Okay. That's a new. Okay. Jeff, I, of course, have to ask you about margins.

Jeffrey Kalowski

executive
#28

Yes. Sure.

Melissa Gorham

analyst
#29

Can't let you go without giving...

Jeffrey Kalowski

executive
#30

They're improving.

Melissa Gorham

analyst
#31

Of course, they're improving. But my question is, well, so you've seen a lot of leverage in the model, FY '19 was pretty notable. And you broke even in terms of operating margin in FY '19. And that was up, I think, about 800 basis points. Next year, you're guiding to 1 to 2 percentage point margin improvement. Can you just talk about why leverage is -- the magnitude of leverage is moderating? And what's your key investment priority?

Jeffrey Kalowski

executive
#32

No. It's a good question, and we got this question from a lot of investors. I think everyone was looking back at our 2017 Analyst Day. And when we said 4% to 7%, and they were targeting at the 4% range. But if you remember, we essentially hit those goals of $350 million in ARR and revenue a year early. So we ended -- that assumption back in Analyst Day was we would decelerate below 20% on revenue and below 30% on ARR and we clearly exceeded those numbers. So the profit on margin rates then really don't apply because we still see an opportunity for significant growth over the next 3 years. And what we said on our Q4 call was that a floor of 20% over the next 3 years ARR and revenue growth. So what Corey talked about in terms of the framework was, where we see a big opportunity for growth, if we're growing in the low 20s ARR, then you'll see higher margin expansion of 2% to 3%. If we're at 25% to 30%, you'll see 1% to 2%, and then over 30%, less than 1%. So we'll -- again, we'll provide more color on Analyst Day. But while we see a big growth opportunity, we're not about optimizing profitability right now. But the commitment we will make is we're not going back. So if we increase -- as we increase growth, we will also increase margin. Regardless of which bucket, it will still improve.

Melissa Gorham

analyst
#33

Very helpful. Well, we're all out of time, but this has been a great discussion. So thank you both for coming and thank you, [ Samuel ], and thanks, everyone, for coming.

Jeffrey Kalowski

executive
#34

Thanks.

Andrew Burton

executive
#35

Thank you.
