Rapid7, Inc. (RPD) Earnings Call Transcript & Summary

Good afternoon, and thanks for joining us. My name is Sunil Shah, and I'm the Head of Investor Relations at Rapid7. I'd like to be the first to welcome you to Rapid7's 2021 Investor Day. Now it's been a few years since we last had an Investor Day and, as some of you know, a lot has changed since then. In particular, we've grown into the vision we laid out a few years ago of becoming a leading multiproduct SecOps company. We're excited to have you join us today as we share our updated vision for the next 3 to 5 years, as we work to secure the digital experience on behalf of our customers. Now before we step into today's agenda, everybody's favorite slide. As you know, we are a public company. So in the context of today's presentation, we will make forward-looking statements, and those forward-looking statements are subject to certain risks and uncertainties. Please note that you can learn more about these risks and uncertainties in our most recent annual form on 10-K filed with the SEC as well as in our future quarterly filings with the SEC. Additionally, some of our commentary today will be in non-GAAP terms. GAAP to non-GAAP reconciliations can be found in our most recent earnings press release as well as in the appendix of this presentation, which we will upload to our Investor Relations site after the event. And finally, during the course of the discussion today, we may offer certain metrics that are onetime in nature, and we undertake no obligation to update those metrics in the future. With that, let's step through to today's agenda. So we'll begin today with our Chairman and CEO, Corey Thomas, who will discuss how Rapid7 is securing the digital experience. What you'll hear from Corey today is the large and growing market that we're addressing, and why Rapid7 is uniquely positioned to help our customers securely navigate the transitions that are happening in today's digital landscape. Next, we'll turn to our Chief Innovation Officer, Lee Weiner, who will talk about how we're delivering a unified checkoffs platform in the cloud. Lee will share our better together story of how we plan to provide a unified customer experience across our best-in-class platform pillars. After that, Andrew Burton, our President and COO, will talk about how we intend to lower barriers for customers to increase consumption of our platform, driving durable growth in ARR per customer over time. And finally, our Chief Financial Officer, Jeff Kalowski, will talk about how we plan to execute against that vision our focus for driving durable growth, while scaling profitability and free cash flow over the long term. After the presentations, we'll take a short break, and then we'll return to host a Q&A section where we will take live Q&A, but you're also welcome to e-mail me any questions you have at [email protected], and I'll be moderating the Q&A. We look forward to taking your questions then. As you can see, we have a full agenda today. So without further ado, I'd like to introduce Rapid7's Chairman and CEO, Corey Thomas, to tell us how Rapid7 is helping customers secure their digital experiences. Corey?

Thank you, Sunil. I just want to say welcome to all of you. We really appreciate you all taking the time out of your day to come here, not just the journey of where we've come from but also the incredibly exciting journey about where we're going and how we're going to help customers all over the world achieve their true potential. Now when you come to a cybersecurity talk, there's lots of stuff to talk about. Inevitably, one of the big things that most organizations talk about is what's happening with attackers. We're not going to spend a lot of time on that today. When you think about the dynamics that happens around cybersecurity, there's really 3 fundamental factors. The first factor is, of course, what's happening in the attacker landscape. You all are well versed and well familiar with that. But there's 2 other critical dynamics that are important. The first is what's happening in customers all over the world from a technology perspective, what's happening with the pace of technology. The second dynamic is the pace of technology and relationship to people's capacity to manage their own cybersecurity and manage their own risk. So let's take a moment and drill down into those dynamics and how they interplay together with the attacker landscape. So first and foremost, we're in a fundamentally new dynamic right now when it comes to technology and the pace of technology deployments. COVID has already exacerbated trends that were already happening well before we got into the COVID period. So let's look at those trends. Digital and remote experience. Now there have been a long-running momentum about people increasing their focus on digital experience and shifting their business from a human-centered workflow to a digital workflow. That only exacerbated and moved forward at a more aggressive pace with COVID. At the same time, you were creating those digital experiences, you now have a remote experience, where not just customers are remote but employees all over the world are now shifting to a new normal that has remote work as a much, much higher part of it. This affects not just how companies build technologies and deliver experiences. It also affects the fundamental practice of how other organizations sell B2B experiences to companies. The second phenomenon that's accelerating the overall dynamic and the pace of adoption in technology, cloud adoption. Now part of the reason that cloud adoption is such a big force right now is because there's no faster way to innovate than in the cloud. And therefore, you see many organizations that are facing essential crises adopt the cloud just to keep up with the patient of innovation, to keep up with their competitors, but most importantly, to keep up with consumer expectations. And the last is the shift to SaaS. One of the stuff that I find most interesting is that over 80% of organizations and vendors in the world will be delivering their technologies and their experiences through SaaS applications. This matches with what we've seen in the technology industry for a long time. But again, it changes both the control of the technology environment, but it also changes the pace of how people consume technology. It's just much faster to consume SaaS technologies. Now let's shift to start talking about the other dynamic that we have. We know the pace of technology is accelerating. What about our capacity to manage risk? Well, what we've seen is that this is challenge. And in fact, I talk a lot at our company about how we have to help customers all of the world. And by the way, when I say customers, I mean every single organization in the world. At Rapid7, we have current customers, and we have future customers. And our job is to help customers all over the world really, really drive and close the gap between the risk they can manage and the risk from the rapid pace of innovation. Let me just share a quick clip that we actually share at our company kickoff about how we think about this security achievement again. [Presentation]

So now you understand at Rapid7, how we think about the security achievement gap and why that's so critical to manage that gap for our customers. In order to do something about that, we have to agree about what we mean by achievability. Now because we have customers that are so diverse from some of the largest enterprise in the world to some of the midsized enterprises to lots of partners, we have to find a way to do very, very sophisticated, complicated things as simply as possible. So we created a relatively simple definition of achievability that I think helps our company, but also organizations all over the world, think about how they close that security achievement gap. Simply say achievability is the combination of capability plus accessibility. Capability plus accessibility equals achievability. So let's talk about what we mean, and let's start with capability. The first is industry standard capabilities. When we think about industry capabilities, these are now present requirements that most customers fundamentally understand that they need in order to do their jobs well. Now I'm actually going to point out that -- and I give credit to our team at Rapid7, we were at the forefront of lots of the thinking about what are industry standard capabilities, enterprise analytics. We've always said if you can't understand what's happening in your environment, you can't manage it. Visibility. If you don't see it, you can't do anything about it, you can't even understand it. Dynamic visualization, how do you get the right information to the right people at the right time. Most people are overloaded. How do you make sure that you can prioritize risk and threats in the right way? And then we'll go back to that thing that we talked about when we started attacker context. You have to be focused on the things that matter. Now one of the things that you'll realize is these are the things that we're talking about that we're not well adopted even 4 years ago when we did our last Analyst Day. But these things have become the norm of the industry today, and everyone is talking about a focus on analytics, visibility, prioritization, all of these things. In fact, most companies stop there today. But we are defining the new point to you about what it really takes to achieve the results that our customers need. And so when we think about it, we think not just about what's industry standard today, we think about how do we help security teams and businesses all over the world accelerate their security capabilities. This requires a different mindset and a different set of thinking, and you see it today, but you're going to see even more of it from us as we go forward into the future, and you're going to hear Andrew and Lee spend a lot of time talking about this. The first thing is silo braking data integration and contextualization. One of the things that whole security comes back today is that they operate as silos, they operate as silos between DevOps and IT, but even in security people operating the silos. One of the Rapid7's missions to mean that we're heavily focused on is how do we actually break down the silos that's holding organizations back. The other one, part of the reason that technology is moving so fast is that IT and developers have embraced automation. One of the sad truth is that security is still one of the most manual ecosystems in the world today. We are focused on intelligent automations that help our security teams do more, faster with less effort, policy-centric workflow capabilities. We cannot define and manage everything in advance. This is one of the fundamental problems with management. As we move to the cloud, there's opportunities to accept a policy sensitive workflow that allows us to dynamically respond to the environment, especially combined with automation. [indiscernible] ties detection with machine learning. We have a fundamentally massive problem when it comes to modern detection and response today. And this is something that Rapid7 has been at the forefront of. The first thing is and when we said this early on, if you're going to do a great job with detection, you have to be collecting data and watching the entire environment. Most people start to recognize this fact and our pricing model is one of the things that actually lead the way. But the second thing is this requires us -- if you think about this accelerating technology environment, what's really required is we have to collect every increasing volumes of data. There's a massive exposure of data that we need to collect. And once we collect it, we have to do it cheaply and cost effectively, but then we have to use advanced detection and machine learning to make sure we separate the signal from noise. Lee is going to spend a lot of time talking about that. And the integrated threat intelligence that allows us, again, to take not just the attacker context, but combine that with what we're seeing from other organizations all over the world to make sure that we have the best insights to manage the current threat environment. This is a big step forward about what we're doing today, but what you're going to see more of us in the future about how we're setting new standards and new bars in the industry. But we're not stopping there. If we deliver this, that would be great, but we want to see organizations all over the world receive the benefits of a well-managed security environment and an environment that moves at the pace of customers' innovation. So because of that, we have to also focus on accessibility. Now accessibility has a few things: one, affordability matters. Sometimes people mix this up and they say, when you think about affordability, you must just be talking about midsized enterprises. No. I talk to any large retailer who actually has to go to digital transformation, any major health care organization, most insurers, most utilities and energy companies. Enterprises and mid-markets all over the world need their solutions to be affordable. This is a fundamental misunderstanding in the cybersecurity industry in general that affordability doesn't matter. If we want to see customers and our future customers all over the world to be successful, we have to drive affordability, successfully use with limited training. The fundamental fact is that there's just not enough talent of people in the world today. That means that we, as an industry, have to lower the bar, so that people with reasonable levels of training, not savants that have PhDs, but people with reasonable levels of training can actually be able to deliver and run an effective security program. Can we manage it with few resources? Yes, there's some organizations like some of the largest banks that could put hundreds and thousands of people on this. But we talked to even some of our Fortune 100 clients. And yes, they're willing to invest, but they can't afford, especially with digital transformation, to have security teams that numbers in the several hundreds. Works consistently. The experience just has to work. We cannot -- and we talk about this all the time. Our customers, our future customers need to this -- as little time as possible trying to figure out how to actually make their security technologies work, which has been a big issue in the industry in the past and focus about how to solve their security problems. And then give value with minimal change, which speaks for itself. When we think about accessibility, our fundamental belief is that capability matters. And as you see, we're continuing to lead at the forefront of capabilities. But if we increase capability without accessibility, then we cannot really close the security achievement gap. So let's think about it, let's look at how that plays out over time. Today, the gap is widening. The pace of innovation is continuing to accelerate. And capabilities went along at a steady pace, but it's just going along at a steady pace. You're not really having any victims. Accessibility is some people focus on it, but not many. And so it's been relatively flat for a very long time. What you're going to see from Rapid7, what we've already done, but you're going to see us do even more of as we go forward is we're going to accelerate capabilities with some of those new market-leading approaches that we actually talked about. But we're also going to have massive leaps forward and access and accessibility. This is the magic formula about what makes Rapid7 so successful. Security achievability is, yes, we will be at the forefront. By the way, we're still investing in industry standard capabilities, as you'll hear from Lee and the team. But we're combining that with [indiscernible] security acceleration capabilities and then access to those capabilities. This is what allows Rapid7 to constantly disrupt the market. Our approach is simple. Advanced security meets customers and teams where they are and gives them what they need. Any team and any data, and we deliver best-in-class security operations for our customers. Now Lee is going to talk about how we do this a little bit, but I just want to give you a little bit of a preview about how we approach it and how we think about the platform that delivers on those capabilities. The first thing is when you think about best-in-class security operations, you have to have the best technology. Now I'm not going to go into all of the details here because Lee is going to cover that. But I want to point out that our goal is to make it seamless and simple to collect the data that you actually need, to be able to store that data in the most cost affordable way, to get the results that our customers need. To have analytics that say, here's what you actually do next, here's your road map and your path to success, here's where you identify threats in your environment, here's what you focus on vulnerabilities, here's where you're actively being targeted and compromised. And then automation that allows you to get the work done faster. So those are the core building blocks. Now there's lots of advanced technology that Lee is going to go in later, but it's important to understand the advanced building blocks. And when you think about the advanced building blocks, it's how we put it together that matters. And so we think about taking those building blocks, and we package them in the ways that organizations are organized, threat detection response, our fastest-growing business of Rapid7 today is because people will ask the world is a world that they have to be able to detect and respond to threats. Cloud security. A big expansion opportunity for Rapid7, but it's also a big risk area for our customers. We're going faster. Our goal, as you always know us to be, 1 of the top 2 in any market that we enter. And then vulnerability and risk management still one of the most relevant markets in the world today, but an area where we have leadership. Now the thing that I'll point out and the Lee will emphasize is that you see many overlaps in some of the underlying technologies here. We have a shared data collection ecosystem, we have a shared data organization and storage ecosystem. And lots of our analytics can move from product to product. And then we have an integrated automation platform with all this. This is how we get scale to our innovation as we go forward and deliver best-in-class offerings to the market on top of the Rapid7 platform. Now we've talked about the customer rationale. Let's spend a little bit of time talking about the business rationale and why we are so excited by the opportunity to solve customers' problems. Let me say that again. We're excited about the opportunity to solve problems that customers realize that they have. That's why we continue to have so much momentum in the market. So let's look at the bottoms-up and tops-down analysis about how do we think about our massive and growing opportunity today. So let's start with tops-down. Tops-down, well, that's the data that you can actually get from IDC if you go out and look yourself. When you look at the combination of vulnerability management and security transformation, well, first, there's a couple of observations that just stand out. Security transformation, where we've had great success moving into, we're at scale, and we still have momentum is a massive opportunity in and of itself. That said, IDC estimates that the total market between security transformation and vulnerability management is roughly $20 billion. Now that also under-recognizes a massive opportunity that's not fully appreciated. One of the things that you'll notice about Rapid7 is we don't just sell what people are already buying, our approach to accessibility allows us to broaden up the aperture and sell to more customers, who have the need, they just have not had the right solution with the right effectiveness at the right cost structure to solve that problem in the past. That's one of the keys to our success as we expand the market opportunity. So when we look at IDC, we say this underrepresents the full opportunity. So therefore, we have to actually go look, and we have to do bottoms-up. And when we think about bottoms-up, we think about who are all the organizations, all over the world, say, roughly 74,000 organization all over the world. And what do they need to actually have a great cybersecurity operations and a great cybersecurity program. We look at the #1 organizations. We look at what we've seen in our customer base as far as both opportunity and also [indiscernible] improvement in different customers. We're just going to spend some more time and talk about this a little bit later. And we see roughly a $420,000 opportunity per customer. So when we pursue this opportunity, we are looking at a $30-plus billion opportunity because customers need security operations. They are invested in a digital transformation. They have to close the gap between what they can manage from a cybersecurity perspective today and what they need to manage to close their cybersecurity achievement gap. So when you look at both of these today, if you can serve it, there's a $20 billion opportunity. When you look at the fundamentals and the bottoms-up, it's over $30 billion opportunity. This is what has us so excited. And by the way, this is being validated in what we're seeing as we go to customers today and what we expect to see as we go forward. So let's think about what that means altogether. Rapid7 will secure the digital experience by delivering best-in-class security capabilities with world-class accessibility to make sure that we are driving more and more of the market, and we become the market leader as we go forward. Thank you so much for your time. With that, I'd like to introduce our Chief Innovation Officer, Lee Weiner, who's going to talk about how we're building a unified SecOps experience.

Thanks, Corey. It's great to be here with all of you. Excited to talk to you about how we're delivering a unified SecOps platform in the cloud. So to start, let's talk about how our customers are really looking for an integrated platform, right? Today, customers have far too many solutions that they have to use to manage their security operations teams, and you can see here a lot of our customers are telling us that they want fewer solutions, fewer vendors. They really -- a lot of them talk to us a lot about how they want a holistic view, that it gives them more context and more visibility across their security operations. And they really want recommendations from expert-driven solutions and expert-driven researchers. Now the other thing we hear a lot from our customers is that, look, we want this platform, it's great, but we're not going to do that if we have to compromise best-of-breed capability, right? I think if you think about security and you think about what's going on in the information security space, there's a lot of innovation both from attackers that are actually compromising organizations, but we also need that innovation to be from defenders, people like us, helping companies in this journey that they're in to really close that security achievement gap that Corey talked about. So why isn't this working, right? There's been a lot of attempts at making these platforms in the past 10, 20 years, for sure. Well, it's definitely not for a lack of try, right? Many companies have been trying to do this. And I think what we see is really 3 core challenges. Number one is many companies, they can't actually build best-of-breed on top of the platform. You run into an issue where the solutions just wind up becoming kind of a least common denominator issue or somewhere around the weakest link kind of challenge that you see with solutions being built on top of our platform. The other big thing is oftentimes, these platforms fail to deliver integrated experiences, which is really a huge thing. We just -- as we just talked about with our customers, they're really looking for that, and they really need that. And then lastly but definitely quite important is that many of the platforms of the past have been complicated and really hard to deploy. And there's just been a huge burden on the customer to manage a lot of that. So the customer has to deploy hardware and software and a pretty broad set of storage capabilities to deploy these platforms. So at Rapid7, what we're focused on is we're continuing to deliver best-in-class solutions on top of our platform. And you see that, right, with our industry-leading SIEM, our industry-leading vulnerability management solution, our innovative cloud security offering, our intelligent automation solution. We're continuing to build these things best-in-class, so we can meet our customers where they are to solve the problems that they have. The other thing that we're doing is we're focused on how do we reduce the friction to allow our customers to access more of the platform when they need it, right, when it makes sense for them. So as they mature, as they grow, they can start in one area, and it's easy for them to start consuming other parts of our platform, other solutions from us. Now Andrew will talk to you in a little bit about how we're commercializing that, how we're making it easier to commercialize that. But from a technology standpoint, there's a lot of opportunity for us to reduce that friction of work, and we're more focused on that. And then our cloud delivery, really, our cloud delivery helps us in a lot of ways because that allows us to reduce the burden on our customers for them to have to deploy the technology in their environment, right? We take a lot of that on ourselves. We collect the data from them and send it to our platform, but they don't have to store that. They don't have to manage the compute. It analyzes all that data. It's all very simple for them, and it reduces that burden. We're using shared services, shared technologies, shared experiences to allow us to deliver this through the cloud. And the cloud gives us a pretty distinct advantage, especially when we think about things like time to deploy and time to value. The cloud really sets us up for success. Now we're building this on top of these 3 pillars that Corey talked about. Our threat detection response pillar, really our InsightIDR, SIEM, that's best-in-class, industry-leading. I'll talk about that in a little bit more detail. Our cloud security offering, our DivvyCloud products that really helps our customers manage their security in the cloud. And then our industry-leading vulnerability risk management offering InsightIDR. Now we deliver this through our shared Insight engine, and we have intelligent automation that is woven through all of these things. And so now what I'd like to do is talk about the best-in-class capabilities in each of these areas. So let's start with our threat detection and response offerings, right? Our industry leading SIEM InsightIDR. This product allows our customers to detect threats in any of their environment. It allows us to collect data from the cloud from the endpoint to the network, bring that all into one place and integrate that. No matter where that data is, we make it really easy for our customers. A lot of our customers, they get up and running with InsightIDR in days or weeks at the most. Because the big thing that they can do is they can collect that data really quickly and easily. Other technologies competitor of ours, that could take weeks, months, could take longer to get the data in. We've really focused on making that easy. And again, we've made it a large priority for us to collect data from all different environments. And once we do that, we bring that in, and we apply analytics to it, right? These analytics are detection-oriented, a lot of the past SIEM technologies are compliance-oriented. And those solutions, many of which are still in the market today are not very good at detecting threats that are happening in the environment now. They're just not suited to do that. And our SIEM was purpose-built for detection of threats across many different types of technologies and many different types of attack vectors. We use analytical models like user behavior analytics. So we know what users typically do and what they -- and when they do things out of the norm, we can raise an alert, again, really keeping that noise down and giving our customers a signal they need. We also look at attacker behavior. So we know what attackers are doing. We have a lot of research of Rapid7. We've got a lot of threat researchers that understand attacker behavior, and we build analytical models for that. And we use machine learning, so that we understand, again, normative behavior and abnormal behavior, so that we can keep the noise down and increase the signal for our customers, so they can do more with less. And then once we've collected the data, we've analyzed the data, we then want to contain the threat or contain the attack. And what we've built into InsightIDR natively is automation. So our customers can create workflows, they can quarantine assets. They can revoke users. They can that threat in a way that is quite simple, immediate and does not require a lot of manual intervention. And this really helps our customers get more done with less. Again, a lot of the reasons that people select InsightIDR of the competition is because of that broad data collection, because those analytics really allow you to find the signal and noise. And then teams can just be more productive with InsightIDR than other SIEMs on the market. So let's talk about our cloud security offering. Now Corey talked a lot about how organizations are migrating their infrastructure from on-prem to the cloud. This is a trend we've been seeing for quite some time. And what is happening is that they're using different public cloud environments, and they are looking at their security programs differently with their cloud infrastructure. And so our product, DivvyCloud, is perfectly suited to meet our customers in the cloud to help them gain visibility and understand their risk across AWS, Azure, Google Cloud platform, Oracle Cloud, Alibaba and their Kubernetes environment. So we collect data from all of these different cloud environments. And then what we've done is we have integrated a lot of the analytics that organizations are looking for in their cloud. They're looking to understand their cloud security posture. How well is it configured? How much risk does the deployment of my cloud, the way I deploy it present to my customers into my organization. We've also combined cloud workload protection. Help me understand the threats that could be affecting my containers that I'm deploying. Containers are being deployed in a massive way. So cloud workload protection helps you gain visibility to those threats that could be affecting your containers. And then most recently, we've added our cloud identity and entitlement management analytics on top of DivvyCloud. This really gives our customers visibility into how they configured identities in the cloud and permissions in the cloud for their cloud infrastructure, which a lot of customers have a lot of challenges with because like other cloud infrastructure that is ephemeral identities are, too. So you need to get a view of that to understand those risks. Now one thing we find with customers is that in the cloud security program, there's different stakeholders' resolves. In traditional IT, in traditional security, you've got IT teams and security teams. In the cloud security area, you must work with the DevOps. And so we've built a cloud security offering that is built for security, but meets the needs of DevOps where they are. This allows us to integrate with their processes to understand when they're deploying infrastructure, if it's risky and communicate with those DevOps teams in the way they want to be communicated with, so that they can remediate those things in real time and make the changes such that they don't put their companies at risk with their product structure. And then lastly, we built in remediation, automated remediation into DivvyCloud natively, like we have with some of our other solutions. So that our customers can quickly remediate any threat that may happen. An example here is when a developer may unintentionally deployed some infrastructure that could be something like opening up a storage bucket to the public Internet without realizing it. And our analytics would find that and our automation could remediate that within seconds to really reduce the exposure for that customer. And so as customers migrate their infrastructure to the cloud, this visibility, analytics and automation allows them to do so confidently, so they can continue to innovate within their business and for their customers. Now let's talk about vulnerability risk management and how we deliver best-in-class there for our customers. Vulnerability risk management organizations, really, if you think about it, they are continuing to find vulnerabilities across their traditional environments and their modern environments. This continues to be a challenge for companies. We saw a lot of that in 2020. We believe we're going to continue to see some of the dynamics here going forward. And so what we've done is we've brought that data collection across the cloud infrastructure, the traditional network infrastructure and the endpoint together to make that easily accessible to find the vulnerabilities holistically across your entire area. Now once we found those vulnerabilities, we then want to help our customers prioritize their risk around this. Organizations have thousands of vulnerabilities. The question really becomes is, well, where should I focus my time and effort. And so we've got analytical models that take into effect your context of the value of the asset, the threat context as well as how you would remediate that risk. And we prioritized that for IT teams and for security teams to go off and do that work. And this is a key reason why we beat the competition. A lot of our wins over time really come from, can I actually reduce the vulnerability that you find for me. Because at the end of the day, that is the goal of vulnerability management teams is to actually reduce that risk. Another way that we accelerate that is we built automation into the vulnerability management offering. Right from within inside VM, our customers can automate the remediation of vulnerabilities. They can automate things like the configuration -- of things like firewalls, if that needs to be part of your remediation. And we do this in a way that not only can you automate it through technical needs, but you also can bring humans into it. So we've got pretty scalable and customizable workflows that our customers use based on their needs. So now the question really is how do we deliver these best-in-class solutions across our platform? Well, we have this shared insight engine that Corey talked about. And I'll get into the details about how this works in a few minutes. But you can see here, we've got data collection, we've got different data storage, we've got analytical models, and we have automation. And we do get a lot of questions from investors about, why are we in these specific areas? And why we built vulnerability management, threat detection response, cloud security? What you can see here that all of these solutions use some of the same components, right? So the platform enables innovation for us. It allows us actually to build these best-in-class solutions for our customers because we can use different services from a platform to create the right experience for our customers. The other thing that we do is we unify the experience across all of these solutions. So once you come in and you use InsightVM, it's easier to use InsightIDR or DivvyCloud or Insight AppSec. It's much easier to expand because of the way we built the solutions, the experience and how it's integrated and how we have shared collection below that. And so that really helps us deliver this solution. And again, our ability not only to meet the promise of our customers to help them close that security achievement gap really relies on our platform, but also to build those best-in-class products on top of it and the platform enables that. So let's talk about that in a little more detail. So one of the core premise of the platform is centralized data collection. When we first built the platform 7 or 8 years ago, this was a big part of the vision is how can we help our customers bring all of their data into one place. And so we have very extensive different types of data we can go like from the endpoint to the cloud, you can see log data, application data, we leverage things like APIs from third parties. We pull data from SaaS applications to cloud applications, and we bring it all into one place, right? And then what we do is we put it in various data stores, but those data stores, we have broken the silos down, so that we can help our customers realize the value of using that data in different places. The other thing that this really enables is it actually makes the applications and the solutions, our best-in-class solutions on top of the platform, more accretive to one another. In other words, if you deploy InsightIDR, our SIEM, and you collect data for that, it's actually easier to deploy InsightIDR after that because of the data we collected for InsightIDR. And so again, that accessibility that Corey talked about, how we're really trying to not only improve our capabilities but make them more accessible to our customers. This shared data collection, the ability to break down these data silos allows us to deliver that for our customers. Now once we do that, we have to run analytics on top of that to ensure that our customers know what to do with this data. And so we continue to build a shared analytic engine that allows us to deliver the context and the insight our customers need around attacks, threats, user behavior, vulnerabilities, identity governance, remediation analytics. We actually work on new analytical models with our data science team all the time, and we add them to this engine. And those can be used, and they are used, across multiple of our best-in-class solutions to really help our customers understand where their threats are, where their risks are. And then also, we know what to do about that. So that leads us to our intelligent automation. We've really focused a lot on our automation engine over the past few years to not only extend its ability to integrate with our platform but also the ecosystem at large, right? Our customers work in a very diverse ecosystem, where they've got different kinds of systems that they want to integrate their workflows with. And so we've built that into our automation engine. We also have made the workflows -- we have both pre-built workflows, but then we also allow you to customize those very easily. And ultimately, it allows you to take action to make sure that your teams can -- our customers' teams can do more with fewer people and really amplify the expertise they have because there's -- so much today in cybersecurity and security operations is manual. And if we can really help our customers reduce those manual tasks through automation, we can help them take a big step forward in their security program. So with that, what I really want to walk through is really what does this unified platform experience look like? And what are we really building towards? And so I've got a scenario here, I'm going to walk through to help illustrate that. So what you see here is an alert that came from Slack. And that alert got generated from our platform, sent through our automation engine, our InsightConnect product, triggered this to the customer. And what we find with a lot of customers today is they actually work in Slack. Their security operations team, the DevOps team, their IT team, they work in Slack. And so we want to meet our customers where they are. So we've natively integrated a lot of our notification engine into the Slack. And so when a customer comes in and they click on that alert, they get to the investigation window that you see here. And I think the first thing to notice is that we've detected a threat that's using Powershell, which is a windows service that has exposed a vulnerable flaw in Microsoft Word and so you get the threat. And the thing that is important here is you see that we've got our user, who is affected by this, Alan Smith. And you can see some information about Alan Smith. You can see there's some risk with Alan Smith's account, 3 out of 5 rating. You can see that this threat affects an asset, a primary asset, and you can see that asset actually has a vulnerability risk of 5 out of 5. You can also see that InsightConnect, our automation technology, spun up a war room in Slack. This is again a very common thing when people are dealing with an incident. They get a whole bunch of people in the Slack wyrm so they can all collaborate. And this all happened automatically, right? I think the big thing to note here is that user risk is coming from our DivvyCloud technology. That asset risk is coming from our vulnerability management technology. The threat detection is coming from our InsightIDR technology, right, our SIEM. So you can see all of this in one place. And then you can start to see that there's a variety of automation tasks that happen, right? We get some additional context about the threat through a third-party through our InsightConnect automation technology. We also find -- we also automatically run a query with InsightIDR to see if there's any outbound connections that look malicious that might be associated with this threat. And then we're analyzing this user's access to the Amazon Web Services production environment with DivvyCloud. So again, we're kind of bringing all this into one place, and we're automating the analysis and the collection of it for you. Now once we do that, you can see here that we have some recommendations. The platform has determined that there are some actions that the end -- the security operations team should take, right? And so you'll see here when they click on that, there are 6 assets that could be impacted by this threat. So immediately, the end user can quarantine those assets. There are 24 cloud accounts that are accessible. And so they can revoke those accounts. Now in some cases, they could trigger a manual workflow here because, of course, there's users involved, but they've got the flexibility on how they want to do that. And then at the end of the day, they also should go investigate some additional endpoints that could be compromised. So we automated some mundane cast there for sure that typically would be manual. They could take hours. They could even -- they could take a day, but we've made some of those things very easily accessible for them to automate. Now there's some things that they're going to go off and again, because there's some expertise they might want to apply. They're going to go off and do that manually. But what you see here is really an integration of the contacts, the data, the analytics into a unified experience that is that experience our customers want and demand. When I started this discussion about what customers are looking for, this is what they're looking for, and this is what they've really communicated to us that they want. And so we're building this based on our platform, based on our data question, our analytics and our automation engine that allows us to deliver those best-in-class products. It expands that ability for them to get value through very easy-to-use experiences in a cloud-delivered way. It doesn't mean they've to deploy a bunch of hardware and software that burdens them with the operations. Instead, we actually can close security achievement gap that Corey talked about. So thank you very much for your time. I'm going to hand it over to Andrew Burton, our President and Chief Operating Officer, who's going to talk to us about our customers and how we can meet their challenges.

Thank you, Lee. I'd like to build on some of the commentary from Corey and Lee from earlier about how we're increasing platform consumption with our customers by focusing on 3 main areas: A strong landing motion across any one of our 3 pillars that meet customers wherever they are; two, once we bring customers in, and we're able to help them realize that better security that Corey talked about around best-in-class capability and accessibility. How are we able to seamlessly expand with those customers and scale with them as they need more and more value from their SecOps securing solutions. And then third, durable growth. I'll share with you what those pathways look like, about how we view the opportunity ahead. It's a massive opportunity, but one that is durable. It is quite exciting. So let me start about our proven ability to land across our best-in-class solutions. We have 3 main pillars, as we mentioned: Threat detection response; cloud security; and vulnerability risk management. We have the ability to land customers in any one of these 3 pillars. We have done this by, as Corey said, linking accessibility with capability to provide our customers with better achievement. And Lee talked about unifying that platform experience to drive better customer value. So I'm going to walk through each of these and share with you a little bit about why. And what it is that is really helping our customers. Not just realize better security, but separate and differentiate Rapid7 in the market. So the first, threat detection response. We're very excited about threat detection response because over half of our new business in detection response in 2020 was with brand new customers. Now these customers were looking for a better solution. They were looking for a better way, and they came to Rapid7. So what was it they were looking for? I would argue it's 2 things. And you've already heard much of this. As Corey said, best-in-class capabilities. Previously, customers would have to go and look at a user behavior analytics solution or a SIEM solution or network traffic monitoring solution, right? And they would have to figure out how to integrate these things together. And then once they did that, if they were successful, they would try to figure out how to get to a better security position. With Rapid7, we've taken these capabilities, these best-in-class capabilities, and we've already done the hard work. We integrated them, so that our customers didn't have to. We provided advanced capabilities like in-point telemetry, the ability to have automation natively integrated. This seamless experience around bringing ease of use to a detection based SIEM. We also built it natively in the cloud. So again, the cloud delivers an ability for our customers to consume better security, but quickly get time to value in a detection based SIEM. Now we went quite quickly from being a Gartner challenger, a leader in the challenger quadrant to being in the magic quadrant, that upper right-hand corner. And we did that because we focused on customer achievement, accessibility and best-in-class capability. And our customers are very excited about this opportunity, and I'm personally very excited because it clearly demonstrates that there is an opportunity in the market in the security industry to help people get to better security through better achievement. Second, our vulnerability to be risk management pillar remains a key part of our strategy. We continue to be a leader in this market, and we continue to believe there's a rich opportunity for Rapid7. Now similar to the last pillar, in this pillar, we saw the need, and our customers were telling us they needed to have broad visibility. They needed the ability to look across their infrastructure and be able to assess detection vulnerabilities. But we didn't stop there. They also told us they needed visibility into their applications and understanding what applications may be vulnerable. This level of visibility in a was only one part of the problem. Because once they have visibility, they get all this information scanning and detecting and finding all the stuff is very difficult, but it's only the first step because once you understand what potential vulnerabilities there, you even say what's the level of risk, so risk scoring, prioritization assessments, this is critical as well. We didn't stop there. We said, okay, now we've given you a good assessment of your infrastructure and the applications. We've given you effective visibility and that risk, customer said, we need better ability, better solutions help us remediate. So we embedded in automation. So this theme of best-in-class capability, but also putting it together in a way that delivers ease of access and ease of use. So similar to detection response, our vulnerability risk management solution combines all these incredibly powerful capabilities into one easy-to-use solution. So as we look at vulnerability risk management, this is why we remain quite bullish to this core market, and we believe is a key part of our land strategy. Now our third pillar, our third pillar of cloud security. We have demonstrated the ability to consistently land 6-figure deals with DivvyCloud. Now here's why. Digital transformation, digital investments are clearly going up by all measures. Customers need to secure those investments. Now similar to the other 2 pillars, the ability to protect the workloads in those environments, the ability to understand what resource is being accessed. When entitlements are being used, their cloud identity is critical. And understanding how things are being used and consumed is massively important. And then what is the overall posture management? So this recipe of combining best-in-class capability with accessibility is once again repeating itself in cloud security. And so cloud security and DivvyCloud are helping us and helping our customers close that achievement gap. This is a huge market. It's early days, but we're very excited about it. So each of these 3 pillars are areas where we're able to land new customers and bring them in. But that is only part of the problem. Because if we think about a customer on their journey to better security, they are going to -- we need to meet them where they are. We need to understand where they're struggling, where they maybe have had some challenges, and we need to be able to effectively meet them. As I said earlier, be able to land in any 1 of those 3 pillars. But what happens next is the customer starts to realize value, they need to be able to scale. They need to be able to realize more value. Now the old way, the old way was a challenging way. The old way had artificial barriers, it had a lot of cost. It required a lot of expertise. And the worst part of all was the customers had to get value after they tried to spend their way or invest their way or hire their way to better security. Our way is simple. Provide those best-in-class capabilities, make them more accessible, enable the ability for a customer to start wherever they are and the ability for them to realize value over time but seamlessly expand. So I want to share with you a few examples of how, in our way, it really is seamless and easy for customers to expand on our platform, driving that expanded platform consumption. So let me share with you an example today. Threat detects the response. As I hit on earlier, we're very excited about this business, a rapidly growing business because our customers, once again, are saying, hey, I need a better way to detect a response to attacks. So as I said, meeting the customer where they are. Customers are telling us they want flexibility. One size does not fit all. So as you can see here, we are going to be coming out soon. With detection response capabilities that are simply stated, good, better, best. As a customer, you need to start where you are in your journey, you get to decide what offering is best for you, right? So they are able to tailor their needs match to the right solution. Now as that program begins to expand, let's say, when they start doing more detection based response, maybe they need some automation. As they start expanding and realizing more value, they can seamlessly grow with us in this area, they can go from maybe a good offering to a better or better to best. And these are all done in the context of seamless expansion, making it easier for our customers to realize, in this case, a better threat detection response program. So again, one size doesn't fit all, and the ability for our customer to seamlessly expand within a solutionary. Now in the future, this same opportunity will present itself in our other pillars. Again, meet the customer where they are, provide them with a solution that meets their needs and seamlessly expand within that pillar. So that's exciting. That's only one aspect of the opportunity here. Expanding within the pillar is great, but what about lowering the barriers to expanding across our platform. Let me share with you an example here. As I said earlier, threat detection response. The ability to detect and respond to potential attacks. One of the key ingredients to a solution like this is to have in point telemetry. Using the Rapid7 agent and a customer deploys that agent out making able to monitor specially a remote work environment, which is a key capability. Now that same customer has the ability through, as we shared, integrated technology, to be able to expand to our vulnerability risk management solution, leveraging the same agent technology. Let me repeat that because this is really powerful. You're a security professional. You're trying to deliver better security. So you deploy agent technology from Rapid7 that helps you respond and detect potential attacks. That same agent technology can be used to power vulnerability risk management. You do not need to deploy new technology. You already have the technology deployed for one solution, you seamlessly can expand with Rapid7 for another solution. Let me share with you this example, a health care customer. Now the health care customer was InsightIDR, moving to InsightVM, over $100,000 of ARR. And in this case, they needed to have that attack visibility of detection response, but they also got the benefit of the unified platform. So that ability to seamlessly expand from 1 solution to another, customers are doing it today, but we're going to make it easier, and we are making it easier for them to do it on an ongoing basis. Let me share with you the second example. In the second example, vulnerability risk management, as I said, this is a key part of our strategy. You can imagine as a customer needs visibility. The natural next step is visibility into the cloud to be able to see their total infrastructure. To be able to see what is going on with these -- all these accelerated investments they're making in the cloud and digital transformation, as Corey said, securing that digital experience. It's a natural step to be able to extend your vulnerability risk management posture from traditional environments to more cloud and natively -- native cloud applications. And so we're able to not only secure that traditional environment, give visibility, have the ability for data and analytics to be able to easily move across the 2 solutions. In this example, I'll share with you a technology customer. Right, InsightVM and DivvyCloud, over $500,000 of ARR. Again, we had a relationship with the customer, delivering on our promise of better security and DivvyCloud and cloud security demonstrate powerful automation and customization capabilities that were unique for their environment. So when you take these 2 examples of expanding across the platform, combined with the opportunity to seamlessly expand within a pillar, you get this idea of customer expansion as a significant opportunity. So let me share with you some more specifics there. I'll share with you 2 things. They're here on this slide. In 2020, 19 of our top 20 deals included security transformation solutions. 13 of the top 20 included multiple products. This is what our customers are buying today. Customers are demonstrating this need for better security, but also solutions will work better together. So when we think about that growth rate of the opportunity for Rapid7 to expand our ARR per customer with $100,000, that 40% CAGR that we've demonstrated over the last 3 years has proven our ability to be able to provide better security, more accessible and help our customers scale with us. So all of this is driving growth on a per customer basis. Again, that 18% CAGR on an ARR per customer basis, we've demonstrated that. As we look forward, right, into 2023, that $65,000 opportunity, we think, is readily attainable. This is an opportunity to grow with our customers and having a primary metric of ARR per customer is critical to that. So let me share with you how we're fueling durable growth, and we're doing it in 3 areas: we're scaling the enterprise while continuing to serve the mid-market. We're broadening our partner ecosystem, and we're extending the global opportunity, scaling our enterprise and mid-market business. Accessibility for organizations of all sizes, as Corey said, is critical. People are really seeking regardless of size, regardless of level of maturity. They're looking for better security that closes that achievement gap. We have a strong enterprise business. Approximately 50% of our business today comes from the enterprise. We continue to invest. We're hiring more and more salespeople. We're investing in marketing, we're investing in customer success. We are growing our team to drive this business. However, this is not at the expense of the mid-market. The mid-market is an underserved portion of the market. This underserved and better security is under-realized there. This portion of our -- of the market helps us to continue scale and grow. And when you include the mid-market of the enterprise, that's approximately 80% of our business. So scaling with the enterprise, driving enterprise growth is essential, but we also believe continuing to serve this mid-market helps us continue to realize our promise of delivering better security to our customers. Second, broadening our partner ecosystem. We are a partner-first organization. We believe our partners help us and help our customers realize better security. So when we think about broadening this ecosystem and really being partner-first, we look at opportunities like cloud solution providers, managed security service providers as well as our channel and distribution partners, and again, providing this platform that is all around ease of adoption, landing anywhere in our portfolio and being able to seamlessly expand and enabling digital transformation. So our partners are realizing this opportunity as well. This opportunity around better security achievability, this opportunity around best-in-class solutions, it's seamless expansion, meeting customers where they are and being able to serve the customer needs around digital transformation. And as Corey said, securing that transformation is key. The investments -- and the investments in the digital experience are critical, and we're helping customers protect those investments. And we're doing that with a partner-first approach. So our third area, the expanding global opportunity for Rapid7. This is a massive opportunity. It's being fueled by digital investments all over the world. Digital transformation, digital investments, as Corey said, securing that digital experience. Our global presence, our platform available around the world makes it easier for customers to onboard and join us in this journey. And so with this global platform, we have the reach and we have the opportunity to bring in customers from all over the world. Now 2 examples: the Australian market and the DoC region, they highlight this opportunity. Where increasing levels of digital investments are fueling the need to secure those environments. And these are only 2 markets of many that we believe is a significant opportunity. Now what's also interesting here is the global regulatory requirements are increasing. So a couple of recent examples, whether it's in Latin America or the Middle East, financial services, health care, these organizations are trying to meet the increasing burden of regulatory compliance while also having better security. So this is also fueling that opportunity for us to have durable growth on a global scale. So as we think about driving or increasing our platform consumption, delivering on durable growth, again 3 areas. One, as I said, a strong landing motion. We've proven the ability to land customers across any 1 of our 3 pillars: meeting customers where they are and providing them with rapid time to build value, the accessibility to get to better value with best-in-class capability; two, frictionless expansion, meeting them where they are, but then they in easy and seamless for the customer to expand with us. Based on the value and the opportunity they have in their environment to get to a better security. So we can scale with our customers easily and as they is, and that's where that ARR per customer opportunity continues to grow, and we're very excited about. And then finally, as I just said, durable growth, strategic paths, the global opportunity expanding, our global platform, helping us serve that. Our global partner ecosystem and the ability to look at this changing environment as an opportunity for Rapid7. So thank you for your time, and I'd like to transition it to Jeff Kalowski, our CFO. Where we'll talk about how do we drive long-term financial scale and cash flow.

Thanks, Andrew, and good afternoon, everyone. Corey talked about our unique approach. Delivering both advanced capability and accessibility to customers. Lee talked about how we're building a unified customer experience. And Andrew talked about how we're going to lower barriers for customers to consume that experience. To close out today, I'll to talk about how this customer focus enables us to deliver on 3 fundamental financial goals. First, I'll discuss what gives us confidence in delivering durable growth over time. Second, I'll talk about how we plan to do that while scaling profit and free cash flow; and third, I'll lay out our path to becoming a $1 billion rule of 40 company. We'll begin by talking about durable growth. But before I jump into that, let's start by reflecting on our execution. As some of you recall, in 2017, we laid out our 3-year vision to deliver growth of 30% to grow our SecOps platform and transition to profitability. We've since demonstrated our ability to consistently execute, both from an innovation standpoint and a finance standpoint. Exiting 2020, we delivered significant outperformance from our 2017 plan. Our 38% ARR CAGR was led by product investments and leadership. We ended with over $400 million in revenue, driven by ARR upside and our model transition to recurring revenue. And we reinvested in the business to drive a higher executive growth rate. So we ended slightly lower on our operating margin as a result at 0.5%. But as you can see, our slightly lower operating profit translated to significant ARR upside. The approximately $15 million that we reinvested in the business drove $83 million incremental ARR above our target. This demonstrates our ability to see value from our investors. We have confidence in our ability to invest and generate strong returns on that investment. And we'll continue to take this approach where we see opportunity to grow. Turning now to focus on our future growth. We've invested significantly in our platform since 2017, putting us in a strong position to address customer needs. As a result, we have multiple paths to deliver durable growth ahead. First, our platform. We have more products today. These products are more mature and established. Secondly, our land to expand engine. We have a large untapped customer base and a much larger wallet share opportunity. Third, our focus on growing high-value strategic customers. Our higher-value platform customers continue to grow and increase ARR per customer. And fourth, we are still early days in our international penetration opportunity. We see a long runway for international to grow as a percent of the business. Let me step into each of these growth levers in more detail. First, Corey talked about our large and growing market opportunity. This has enabled us to drive significant growth in new ARR since 2017. We've also seen significant mix shift in our business with huge growth in security transformation. This represented over 50% of our new business for 2020. But even as mix has shifted towards security transformation, we also saw great growth in VM over this time. Looking forward, we have an even bigger TAM in security transformation, which gives us confidence in long-term growth. Overall, we see a compelling opportunity to drive sustained growth in new business. As a result of this growth, we've seen a similar strong mix shift in total ARR. Exiting 2020, security transformation now makes up 40% of our ARR. This is a great milestone and positions us to deliver continued growth. Given the secular trends Corey spoke about, security transformation is a significant growth engine. We have multiple market-leading solutions here, IDR, cloud, AppSec, automation. And this high-growth engine is a larger percent of the business today. Additionally, as you heard from Andrew earlier, we're only beginning to monetize this integrated platform opportunity. So we're excited about our platform growth lever. Our next growth driver is our land to expand engine. We've talked about having multiple products to sell, but some of our products are also more mature today versus 3 years ago. This combination creates a significantly larger wallet share opportunity today. IDR is a more mature product with established technology leadership. Cloud is a large and fast-growing market opportunity, and we're expanding our capabilities here. Our platform opportunity, we have more new modules and cross-platform services like automation. As you can see, we have greater than 8x upside potential to spend for an average customer compared to where they are today. So we're very early in penetrating our customer base. We'll also continue to feed the expand engine by growing our customer base. And this 420,000 customer opportunity is not just in the enterprise, it's across our base, including mid-market customers. Platform value is resonating with mid-market customers. A great recent validation point is a mid-market customer that bought VM and IDR with additional modules as well for a total ARR of over $350,000. And there is still more opportunity to sell additional products into this customer. It's clear, we're still early days in our expanding cross-sell opportunity. We have a large untapped installed base and a vast majority of customers don't have more than one platform product. Andrew talked about focus on lowering barriers to expansion for our customers. Over time, this will enable us to increase the mix of multiproduct customers. We have multiple monetization paths to achieve this. Customers can expand from VM to IDR, IDR to cloud, all of these to automation, et cetera. As we increase multiproduct penetration, this will be a core driver of our ARR per customer growth. The third driver of growth, our customer grows our opportunity. As Corey shared, we have a huge global customer opportunity, over 74,000 potential global mid-market enterprise customers. We're still early in penetrating that opportunity, and we've seen strong growth in customers. The total customer growth is only part of the story. We're seeing an underlying mix shift with faster growth in strategic customers. We're now focusing on growing our platform customers. With more strategic products to sell today, we can focus on high-value customers. Today, platform customers represent over 70% of our customer base. For 2020, platform customer growth was 25% compared to 9% total customer growth. So even if we grow total customers in the 5% to 10% range, we believe that's a good outcome. Because we expect strategic customers will grow faster than total customer growth. Now on a topic of customers. As many of you know, we've always focused on transparency and simplicity. With that in mind, I want to highlight some minor updates we've made to our customer count methodology going forward. By the way, these definition and adjustments don't materially alter our growth rates. Rather, this is intended to simplify our customer definition going forward in order to better align our ending customer count with ending ARR. As a result, we're making 3 small adjustments to our previous methodology for counter customers. If you've read our customer count definition, you know that previously we had a 90-day lag to reflect churn customers. This was more relevant in a perpetual world, not today, so we're eliminating this. We also included a small number of services only customers. However, these customers don't contribute ARR. So we're removing these as well. And finally, we're removing a small number of very low-value InsightOps customers to be more consistent with how we've historically treated low-value legacy IT Search customers. Each item independently is not meaningful, but the net outcome altogether is our customer count is optically lower by approximately 1,000 customers versus the prior count. The result, however, is the customer number that more accurately aligns with our quarter end ARR metric and how we manage the business. ARR per customer has a corresponding slight increase of approximately $5,000 versus the prior number. But I'll reiterate the overall growth rates for both the customers and ARR per customer remain fairly consistent under this updated methodology. Turning now to our fourth growth driver. We believe we have a long runway for international growth and see more greenfield opportunity internationally. We are still early days for security transformation solutions in international. In fact, we saw strong trends for products like IDR during the second half of 2020. And Andrew highlighted some key opportunities in international regions. I'd like to point out that in 2020, international ARR grew faster than total ARR of 28%. We're executing well and investing in international regions, and we see no reason international should grow to mid-20s percent of our business over time. So as you can see, we have a multitude of growth drivers in the business. The outcome is that our VM ARR will continue to grow, but securities transformation will soon become the majority of the business. By 2023, we expect security transformation will be over 50% of our ARR mix and will continue to grow as a percent of the mix from there. Over the next 5 years, this baseline growth plan assumes we can sustain a high single-digit growth CAGR in VM, while security transformation grows at approximately 30% CAGR. Our goal is to become dominant in 1 of the top 2 technology leaders in our 3 pillars, and we're confident that we're well-positioned to deliver on this vision. So investors sometimes ask what are the right metrics to track our progress. Many software companies look at a variety of metrics like billings growth, deferred revenue growth and the net retention rate as their key metrics. However, we don't feel that these metrics are the best indicator of our growth for our business. This is in part because many other software companies do not disclose ARR. The key growth metric that most directly translates to revenue growth and reflects the health of our business is ARR. And ARR growth is comprised of 2 core drivers: number of customers and ARR per customer, which incorporates the cross-sell and adoption of our platform products, driving more wallet share per custom. These will be the 2 core drivers of growth in our business over time. And these are the metrics we manage the business to. We've disclosed this metric publicly since 2017. This is what we encourage investors to track our progress by. So in summary, we've talked about what gives us confidence in driving durable growth. Our multiproduct platform opportunity, our land to expand engine, our focus on growing high-value strategic customers. And our long runway for sustained international growth. But as we scale the business, we recognize the importance of delivering value to the bottom line over time. And so we're also focused on scaling profitability and free cash flow as we grow. Let's spend a few minutes to talk about why we can deliver that. As you can see, Rapid7 has a long history of delivering margin improvement. As the business has grown, we've seen significant margin improvement over time. Most recently, in 2020, we executed on profitability even in the pandemic year while also absorbing our largest ever acquisition. This is because we have great natural leverage in the business, which allows us then to reinvest responsibly in our business. We'll continue to focus on delivering to our growth and profitability framework. And I'll just reiterate, if we're growing 20% to 25%, we'll expand margins by 2% to 3%. We're growing 25% to 30% with stand margins 1% to 2%, and if we're growing over 30%, will be less than 1%. We see a great opportunity to expand profitability and ramp free cash flow as we continue to drive growth in our business. Let me frame how we intend to do that. Andrew talked earlier about our evolving go-to-market motion. Even in recent years, we've seen improving efficiency in our sales and marketing spend. Over the past 4 years, we've delivered approximately 10 points of margin improvement as we scale the business. As we look ahead, we see multiple drivers for ongoing leverage in the sales and marketing. Our platform drives sales productivity. We have more products to sell to customers today, and we have the opportunity for larger deals over time. Secondly, as we discussed earlier, we'll lower barriers to expansion for our customers. This will drive strong cross-sell to existing customers, which also improves efficiency. And third, as we grow ASPs over time, particularly with products like Divvy and IDR, this will also drive leverage. Overall, we expect sales and marketing spend as a percent of revenue to continue to decline. This is where the bulk of our future margin expansion will come from, and we're set up well to deliver this. Turning to R&D. Innovation is a key competitive differentiator for Rapid7. If we're growing, we'll continue to invest in R&D at approximately 20% of revenue, which positions us to maintain our best-in-class leadership, but we can still see innovation and leverage that benefits the business. For example, benefit from R&D efficiency because of a common SaaS platform. This will enable us to bring new products to market quicker. We talked in detail about our share capabilities across our core Insight edge. Focusing on these common capabilities gives us fewer bricks to build on top of and adds value and enables us to bring new modernization opportunities to market at a faster rate. We're excited about our team's ability to continue innovating on behalf of our customers. Finally, on gross margins. We significantly scaled our gross profit dollars in recent years. All the while generally delivering a consistent gross margin profile. As the cloud mix and our business grows, it's had a modest impact to product gross margins, driven by increased storage and processing in the cloud, but ultimately, this is a good fit. It means customers are leveraging our solutions and seeing value. Nevertheless, we're focused on maintaining healthy product margins as we grow and we anticipate we'll see cost benefits of scale as security transformation products grow. As a result, we expect to maintain product gross margins consistent with typical SaaS models in the mid-70s. This combination of durable growth in the business, coupled with a focus on scaling profitably and improving efficiency, puts us in a great place to scale free cash flow looking ahead. We're turning the corner on positive free cash flow here in 2021, and we're well-positioned to grow cash flow from here. We have a recurring revenue model, which supports visibility and cash flow. And largely annual billing cycles, which provide consistent collections. And finally, our major facilities expansion and CapEx are behind us now. This is a low capital-intensive business. Put together, this puts us in a great position to scale free cash flow as we look ahead. So we've talked in detail about our focus on driving durable growth. While scaling profit and free cash flow ahead, I'd like to close out with a brief discussion on how we think about scaling to become a $1 billion company over time and laying out our multiyear targets for the business. As you've seen today, we have significant runway to continue growing ARR. We have a great steady growth in profit engine with our core VM business. We have a compelling high-growth engine with our security transformation solutions, which will soon be over half of our business. Given the multiple growth drivers we discussed and our large addressable market, combined with our product and go-to-market investments, we're confident we're on track to grow to $1 billion of ARR and beyond. There's really 2 core drivers to achieve this: one, growth in customers. We have a large global addressable customer opportunity, and we're still early in penetrating that. And 5% to 10% customer growth, is very healthy because underlying that, we expect to grow strategic customers faster. And secondly, ongoing growth in ARR per customer driven by a long-term opportunity to sell more of our higher-value security transformation products and an underpenetrated cross-sell opportunity. This all puts us in a great place to deliver approximately 10% to 15% growth in ARR per customer. So both these drivers will enable us to scale to over $1 billion in ARR. And finally, I'll close today with a view of our midterm and long-term growth objectives. As I've shared today, we have a core focus on delivering ARR growth while ramping free cash flow as we look forward. This is reflected in our multiyear targets, which you can see here, starting with the baseline of our initial fiscal 2021 guidance, we believe we can drive durable growth over time. Scaling the business to approximately $750 million in ARR by 2023. We'll also scale revenue at a consistent basis ARR, resulting in approximately $700 million of revenue by 2023 as well. We'll continue to track forward on our growth and profitability framework, which would put us in the approximate 6% to 9% operating margin range. We expect to deliver free cash flow margin of approximately 10% by 2023 or free cash flow of $70 million. Longer term, we expect to continue growing the business beyond 2023 and anticipate that Rapid7 will deliver over $1 billion in ARR by 2025. While marching towards our objective of delivering the Rule of 40 business which we define as ARR growth plus free cash flow margin. This will result in total free cash flow by 2025 of approximately $200 million. We see a huge opportunity to continue scaling our business and look forward to executing against this vision over the coming years. So in summary, as you've seen today, we're well positioned to drive durable growth in our business. While also scaling profitability and free cash flow as we march towards our goal of becoming a $1 billion Rule of 40 company. We look forward to executing and delivering value for our customers, employees and shareholders. With that, I'd like to turn it back to Corey for some closing comments.

Thank you, Jeff. And make all of you again. As you can see, the security platform of the future needs to address both capability and accessibility. If we do that, if we deliver value for our customers and help them close their security achievement gap, we will build a phenomenally successful company for both our customers, our employees and our investors. Let's review the key elements of our plan as we go forward. We're going to secure the digital experience, meeting customers where they are today as they evolve to face the challenges of tomorrow. We're going to do that by delivering one of the best-in-class SecOps platforms in the cloud in the world that delivers all the best-in-class capabilities, but also world-class accessibility. This is going to enable us to increase platform consumption with a proven land and expand strategy that we're investing more and more as we actually go forward to build the momentum that will allow us to drive long-term scale, delivering both ARR but at the same time, scaling profitability as we move forward. This is how we deliver great experience for our customers and a great experience for our investors as we go forward. Thank you, again. I look forward to a Q&A session. Before we do that, we're going to take a short break, and we'll see you back here in a little bit. [Break]

Good afternoon, and welcome back to Rapid7's 2021 Investor Day. We hope you enjoyed the presentations earlier. Now we'll move to a live Q&A session. I have joining me for Q&A, Rapid7's Chairman and CEO, Corey Thomas, our President and COO, Andrew Burton; our Chief Innovation Officer, Lee Weiner; and our Chief Financial Officer, Jeff Kalowski, I'm pleased to welcome them here, and we're ready to kick off Q&A for everybody. So our first question will come from Rob Owens of Piper Sandler.

I wanted to ask about centralized data collection and the concept of shared data versus data and silos. Lee touched on it, Corey did somewhat in his presentation. I noticed you slipped in the acronym of XDR at this point. So curious if we're getting into some acronym soup here, XDR versus SIEM, how we see this market somewhat playing out. And while I think centralized data collection, sounds like a great idea. Are we seeing the land of 1,000 lakes with all these different data silos around security, around reservability? And just, I guess, what is your near-term perspective and your longer-term perspective relative to these categories and your customer conversations?

Yes, Rob, this is a great question. So I think to your point, we've been collecting this kind of data for 5 or 6, 7 years now, right, from the endpoint to the network to the cloud and everything in between. And look, our customers want to bring that data together so that they can get better analytics to drive better risk assessment and detection for the ability to automate the outcomes of that. I think what we're seeing from our customers is that their environments are very heterogeneous, and they want to bring all of that together. For sure, we see that demand, and we believe we're going to continue to see that. I think to answer your question about the acronym situation with XDR. We really see XDR as an evolution of the SIEM market, right? It's something that we pioneered back in 2016 when we launched insider at the RSA conference, I think I remember talking to you a little bit about this, then and beyond where we really thought about the detection problem much more holistically than just compliance which is what this previous SIEM generation was focused on, more of a how do you collect that data for -- specifically for detection really broadly. And so we see XDR as an evolution of the SIEM, something we've been playing in, like I said, since 2016, we're going to continue to invest in that. When it comes to data lakes, I think there, we're really looking to meet our customers where they are. And we want to support those in a way where we can enrich that data and enhance that data and perform our analytics on it. I think in our customer conversations from a security standpoint, I think it's early in those discussions where whether organizations are looking at different providers for security data lakes. But we are definitely looking at how we can support our customers as they make that shift to that transition and how our technology will enable that.

Yes. I would just add on to Lee's very good points is that customers are many different parts of their curve of their evolution. And so when we think about the problem, we think about -- we want to make sure that we solve the problem that we talked about the customers earlier how do you actual have the most effective security program. For some of our customers, that mean we'll actually be taking our fairly robust. Remember, we have one of the most robust comprehensive data collection ecosystems in the world, and they'll want to use and do with it what they will. For lots of customers, they actually come to us for our analytics and our workflow because it gives them a faster time to Insights and it allows them to actual operational lines there, experience faster. So as we go forward, we don't have a model that requires customers to be arbitrarily forced into a single-mode doing in it. That said, what we're finding fairly consistently, especially these days is that customers ultimately want simplicity. Now if customers are -- want to have and roll their own data lake, that's a completely reasonable in too. But in many cases, customers are unconcerned about the technology that sits behind it. They're saying, how do I solve my problem in the best ways and that often involves integrating with something they have. And this is why our attitude and our approach is that wherever you are on your journey, we'll start with you. And usually, that means we expand with you as you go along over time. And that's our strategy, and that's our approach.

Our next question will come from Saket Kalia from Barclays.

Okay. Great. Sunil, can you hear me and see me okay?

We can. We can.

Okay. Excellent. I maybe my first question for you, Corey. A lot of great things to talk about within the security transformation business. Maybe just to zoom into one part of that, in particular, with cloud security and DivvyCloud specifically. There feels like a lot of a decent amount of buzz in the cloud security posture market. The question is, how do you feel DivvyCloud differentiates from a technology and maybe accessibility perspective?

It's a great question, and thank you so much for joining us today. And I'll tag team it with Lee. I'll point out 2 things that I really hear from our customers so far is the first is it actually helps them not just get the insights they need that help them operationalize their security. So if you look at what we really focused on with DivvyCloud, it's both getting the data and doing the complex analytics, but it's really tied into the operationalization engine around automation. And that tends to be a very big differentiator in the market today. The second thing that I consistently hear, and Andrew gave some wonderful examples of went do it earlier, is customers don't view cloud security in a silo. And so they're trying to figure out how to overhaul and how to uplift their overall security program. And that means that they actually don't want things isolated. So when they look at their cloud security, they're thinking about that is how does that affect my FoC in my incident detection response program to have artificial barriers. And so when we think about how do we actually simplify and drive accessibility, make it easier to use and easier to get higher performance, it is about how you actually tie it tighter into the workflow. And so if you think about what we're approaching, it's sort of what we talked about earlier, DivvyCloud has leading best in markets like the other top 1 or 2 players in cloud security when it comes to the data they collect, the analytics they do, and they're best-in-class when it comes to innovation. If you look at the stuff that they're doing in terms of identity, which we talked about or some of the work that we've actually recently done around Kubernetes security best-in-class in terms of innovation, but they're taking it to the next level and the next step and say, how do we actually help companies scale how they operationalize that and their teams to go along security journeys.

Yes. I think what I would add to that, to Corey's point, is really on the accessibility front socket, one of the things that we hear from our customers is that when they think about the cloud security program, they don't want to have to think about all the specifics around how the public cloud providers maybe think about or use nomenclature, right? If you think about storage, the way that Microsoft and Amazon and Google, all reference stores might be a little bit different. You want to build a policy across all of those things. So we try to make it really accessible that no matter what a public cloud provider are using, the ability to create policies and understand risk is at an abstracted layer so that your analysts can better understand that. And so they can communicate that to their management. So there's quite a bit of usability enhancements like that that we've made, and the team has made over the last years that have made it much more accessible for organizations to better understand the cloud security risk and the posture and then the ability to remediate that and really automate that, as Corey mentioned.

Our next question will come from Matt Hedberg from RBC.

This is really, really super helpful and we think even longer-term here. So I guess, Jeff, I wanted to ask you a little bit about the 2025 outlook. Just to confirm, I think per your guide, the long term guide, you were talking about 20% free cash flow margins by 2025, which, by your Rule of 40 comment would imply ARR growth effectively at 20% also. Really kind of implying no deceleration over the next 5 years. I guess I just want to make sure, is that the right way we should think about the trajectory of ARR? And then in terms of getting there, do you have more confidence in the 5% to 10% new logo growth or the 10% to 15% ARR per customer growth?

Yes. First off, it's a good question, Matt. But with respect to ARR of over $1 billion, it's -- what we said is $1 billion plus. So we expect to get to $1 billion. So that ARR growth, it's not necessarily implying significant deceleration there, we're saying $1 billion plus. And we feel comfortable with the approximate 20% of free cash flow of $200 million, which gets us to a Rule of 40 company by that. Your next question on the components of ARR. So look, we have multiple growth drivers. The way to look at our growth is really in our overall ARR growth. It's really what we're projecting is 5% to 10% customer growth and 10% to 15% in ARR growth per customer. And that could happen within the range. At the midpoint of those ranges, if you apply that over 5 years, you should be able to get to $1 billion-plus. So we don't really have a bias as to which way -- which way that will go. It's possible with all the expansion opportunities, our second growth driver that Andrew talked about, reducing friction, growing within the pillars, expanding products across the platform. It's very possible that it might shift more towards add on, but we're not biased either way. But the important point I will make is that both customers will grow and ARR per customer will also grow.

And just to reinforce Jeff's point there. The main thing I would actually take about take away from the description that Jeff gave is that we're committed to the Rule of 40 by 2025. So that's first to follow us. You can think about that in many ways, as an instantiation of the framework that we already have. Now to be perfectly clear, we're just as happy to actually have 25% growth and potentially slightly lower margins, as Jeff described, we did over the last few years, and it's going to be based on growth and opportunity. Ahead of us, we see robust opportunity. We see lots of growth. We're still in the COVID environment right now. So we'll see how that looks as we come out of it. But we do believe that we have great operational controls over expenses in the business. And whether it comes from growth or whether it comes from profitability, we're very confident that we can continue to actually both deliver profitable growth as we expand going forward.

And our next question will come from Brian Essex from Goldman Sachs.

Thanks, Sunil, and thank you all for doing this. It's a great package of information. I guess, maybe, Corey, a 2-part question for you. One, I mean, you guys talked about origination of vulnerability assessment management, how that remains a core piece of the platform. One, how often do you originate business from other areas of your kind of platform? And then, two, I think we're hearing from several vendors in the market with regard -- particularly with regard to DivvyCloud and posture management that Kubernetes and container security is kind of reaching an inflection point. Would you subscribe to that, that we've kind of reached a new level of productivity on that kind of platform to be able to drive an acceleration of growth going forward.

Both excellent questions. So the first, I would say that we still find lots of vulnerability in the manage business. It's still a core area for us that said, if you look at what Andrew described earlier, is that is we have an abundance of business the security transformation solution. And I'm going to let Andrew talk about that. So I'll pause that when I'll get to your second question. And I'll ask Andrew to come up and really talk about some of the dynamics that you've seen between those. On your second question around Kubernetes and cloud, yes, I think we're at an inflection point. I personally believe that the COVID and the pandemic has been a catalyst for digital transformation. Cloud security plot and center of that. And specifically around Kubernetes, part of the reason that we accelerated. And just to be clear, we had Kubernetes technology in-house but one of the reasons that it was an acceleration was because we started to observe a trend in the market, and it's this is that people are adopting cloud. As people play with cloud, they have lots of approaches to start cloud security and container security. But when people start really saying, how do I manage my container security and scale and how do I manage my cloud scale, Kubernetes really starts to stand out as part of that adoption cycle. And so one of our fundamental beliefs is that by leapfrogging the competition and having best-in-class security and Kubernetes we think we're providing great value to our customers, and we've skated to where the puck is going. And so far, the early results and the early feedback that we've got from our customers says that we make the right call there. And yes, I do believe that we're at an inflection point as we go forward. We'll see what the pace of it is, but we see a massive opportunity here.

Yes. Thanks, Corey. I would just build on something I was shared earlier, right? To your point about our confidence of originating business. We have proven the ability to land customers in any 1 of our 3 major pillars, right? And as Jeff was just highlighting in his slides, that growth rate that we're seeing around digital transformation is we're quite excited about this. And this is something we've also clearly demonstrated the landing in these 2 pillars of both when we think about the SIEM space or the cloud security space. And the question about the confidence, I think, is this proven recipe, right, of taking best-in-class capabilities and as Corey was highlighting and making those capabilities more accessible. So whether you're a large enterprise, enterprise or mid-market customer, we believe that our customers are asking for and people on the market are looking for solutions that they don't have to compromise, right? And so with Rapid7, we're meeting customers where they are. We're also giving them a way that they don't have to compromise. And so I think we're very bullish on that opportunity, and we're very confident of originating business in any one of our pillars. And I think the track record here over the last few years has demonstrated that.

Our next question will come from Jonathan Ho from William Blair.

I guess I wanted to dig in a little bit into your good, better, best pricing strategy, and just your thoughts around how that potentially impacts things like deal sizes and how this maybe helps you with your partner engagement as well?

Great. Why don't I take that one and then maybe Corey or if anyone else wants to add on. So I think it's a great question, Jonathan. So good -- we think about good, better, best, and I highlighted this earlier is what we see in our customers is one size does not fit all, right? So being able to meet them where they are and say, okay, we can tailor or provide them with the solution that best fits their current needs. But then to your point, what we've seen is almost every customer is on a journey of maturing their security program. And when I say maturing, let me just think about some of the things that Lee mentioned, right, the expansion of the attack surface. The digital -- securing the digital experience that we've all highlighted, right? And so that confidence is good, better, best is we think about it from a customer-first mindset is how do we meet them where they are? And then as they get to better securities, as they get to achievement that Corey talked about, how do we then make it easy or seamless to expand with us. And then we think about that ARR per customer, as Jeff was highlighting, right, that's a key metric, right? Customer is an ARR per customer, right? We feel very confident that's where the expansion opportunity gets really exciting. We're seeing that with automation and orchestration, the 2 examples that I highlighted. I mean, these are -- I think they were both examples where -- great 6-figure deal examples, and that's where we see this ARR per customer expanding because it's driven by customer-first achievement and then customer-first expansion of their security program. And so that's where I think we get a lot of this confidence.

Great. Thanks, Andrew. And thank you, Jonathan, for the question. Our next question will come from Hamza Fodderwala from Morgan Stanley.

Can you hear me okay?

We can. Yes.

All right. Great. I had a question about sort of the longer-term guidance. So I think in your path to 1 billion you mentioned a 30% CAGR on the security transformation business. I think on the VM side it was high single-digit growth CAGR, if I recall correctly. On the VM side, I mean, it seems like that high single-digit CAGR is much lower than what you've done historically even in the past year during the pandemic, lower than the market growth as well. I'm curious kind of your conservatism around that. And do you think that the core VM and the other SecOp offerings that you have are becoming increasingly converged so that is kind of hard to maybe parse out which one is which?

Yes. I'll start with that one, and then Jeff and Andrew and others feel free to tag on. So first and foremost, we actually believe that we'll continue to grow and take share in the vulnerability management market. If you look at IDC's estimates, they are actually in the mid to sort of like high single digits. And what I would say is, if you think about our model last time, last time we grew -- I think we talked about VM growth in the mid-teens and we achieved higher than that. Now you say why did we achieve higher than the mid teens growth. Well, it's really one factor that we find at the end and another factor that we actually saw good performance on. So the fact we find at the end was that we were going to see good customer growth. And I think we'll continue to see healthy customer growth as we go forward with the exception that we're much, much more focused on more strategic customers and less transactional customers. What was the factor that we actually saw that continue to have nice upside, that's the assets under management per customer for VM. You'll recall, we've talked before about it going from sort of like the low single digits teens to the 20s to 30%, 40% assets under management. I would say people expand their assets under management from the 40%, 50% up to 80%, 90%, that represents upside in our model, and that's great. We do take a more of a wait and see approach on that. So the way that I would describe it, by and large, is that vulnerability management, we plan to actually grow faster than the market. We plan to be a share taker in the market. And if the market sees upside demand, we'll be participating in that upside demand, and that recommends fundamental strength of the business. One other way to think about it is that we have a very, very strong growth and financial profile even with vulnerability management at those numbers. And that's based on the strength -- and the vulnerability management market, to be clear, and that's based on the strength of our security transformation solutions overall.

Thanks, Corey. And our next question will come from Gregg Moskowitz from Mizuho.

All right. So I guess, first for Corey or Lee. I'm curious, roughly what percentage of security issues that are getting flagged by your SIEM or your VM can be significantly remediated using automation today? And how you see this evolving over the next few years? And then maybe just briefly for Jeff, getting back to that expectation for 5% to 10% new logo growth per year. If we look at a year or 2, your non-platform customers are going to become much less meaningful as a percentage of the mix and hopefully, you'll be landing a lot more with your 2 non-VM platforms. So I guess, why wouldn't your net new logo growth be greater than that going forward?

Yes. So Gregg, great question. I can start and then Corey, if you want to chime in. On the automation front, look, I think when you think about automation, it spans a lot of different use cases and scenarios. And you saw in my example, there was an example of using automation to enrich and alert with some additional intelligence. And I think when we think about the opportunity for automation, it's almost in every scenario automation can help either increase efficiency or drive productivity. And then there are some cases where we actually can take action depending on what the alert or incident might result in, things like quarantining an asset, disabling a user, shutting down a service, in cloud security automatically deprovisioning an image and then reprovisioning it with the right configuration. There's a lot of different use cases where you can use automation. Really the kind of the opportunities in some ways are quite broad and large. So we believe it's quite a good number of cases where, again, organizations can get far more productive and more effective through the use of automation for both vulnerability management, for detection and response as well as cloud security use cases.

Yes. The one thing I would actually add to that is that, one, customers today are very focused on automation in their stock to actually help them just remove manual task. Some of those are investigated tasks, some of those are remediation, some of those are collaboration workflows that they're actually looking for. The second thing that I think's key to build that is that we have an extensible automation infrastructure. So it can be where the customers need it to be. And so there's one way to say sort of how much do you actually have remediation built out of the box so we have a healthy amount, but we're going to have a lot more over time, and that's a big area of development. But we also have an extensible architecture and approach that allows customers to actually build the automation they need and that they find valuable and for the things that they actually want to automate. So I would emphasize both of those points. And then just for the sake of time, I'll just jump to the second one around customer growth. I would say, we could have higher customer growth. What I want to be clear of is that's not the focus. We are focused on actually driving customer growth in midsized companies and -- in midsized companies -- in both midsized and large enterprises and public sector organizations. Where we're less focused on growth is in the consultant space and in the transactional space where you will find things like Metasploit or we have some of the traditional log entries or we have some of the performance management that we still have from NetFort and log entries. That's not strategic security transformation growth. So when we think about growth is we have -- and there's been a proxy around the platform customers. But when we think about growth, we absolutely want to grow customers, but we're also looking to grow customers that are actually building security programs versus doing ad hoc security work. Now to your point, at some state in the future, yes, that will actually drive total growth. But the way that I measure and I look at it sort of like as we go along the journey is are we drawing customers that have a high long-term lifetime value. And we want to grow those customers, and we've done an exceptional job of growing those customers in the past. We have a plan and the team has a plan to continue to grow those customers down. Now at the same time, we're actually focused less on transactional customers. So we're not incentivizing people to go out and get consultants that may want to buy Metasploit, and that's the total sort of like value of what they'll actually be able to do on time. That's not a big priority for us right now, and it won't be a priority in the future. And so the message that we're saying is like, listen, customer growth matters, but we're focused on quality customer growth. And at the same time, it's also growing the lifetime potential and the ARR per customer. Those are the 2 things that we really focus on and those are the 2 things that we'll talk about. Sunil, you're muted.

Sorry about that. Our next question will come from Alex Henderson from Needham.

I was hoping you could talk a little bit about the competitive landscape and to what extent the other companies, Tenable and Qualys have reacted to your superb execution in automation and the share gains that you've gotten. How are they behaving in terms of pricing? And what are you seeing in terms of changes in their competitive behavior?

Corey, do you want to jump on that one?

Yes. I'll jump on that. So I would say that we have very different strategies, and we have not seen them respond well to the things that have actually driven our success. So we have not seen a big focus in good -- great attention and focus on automation, for example, or simplifying the overall customer speed and journey to build a great security operations program. But they've taken different strategies that are likely to work quite well for them. Qualys is building a very, very broad platform across a whole bunch of different areas. That's -- their strategy is different than ours, and you can talk to them about whether that works. Likewise, Tenable has -- we prioritize cloud and application security, and we decided to partner in areas like IoT. Tenable prioritized IoT and the active directory security. Those are their decisions. I would say that we're making very, very different decisions. And our focus is on building one of the most advanced security operations platform that delivers the fastest time to value. I don't think anyone's coming close to us on delivering on that mission. But I would also say, to give credit to them, is they're just pursuing very different missions and very different goals.

Thanks a lot. Our next question will come from Joshua Tilton, Joh. Berenberg -- or excuse me, from Adam Tindle at Raymond James.

Okay. So a question maybe for Jeff and Andrew. I think today, you introduced a 5% to 10% new customer growth metric. I think prior it was 15%. And some of that delta may be explained by aspect of nonregrettable churn of non-platform customers. So Jeff, maybe if you could just touch on that, quantify that and perhaps a time line to rightsize that? Is this a 12- or 24-month process? And Andrew, how do you ensure that introducing this good model on the good, better, best doesn't lead to more low-value customers over time? What are the controls that you've put in place to ensure that, that doesn't happen?

Yes. Adam, I'm not sure I get the first of your question, but we feel comfortable in that 5% to 10% range overall for customer growth. And as Corey said earlier, it could be higher with the focus on strategic high-value customers, but we feel good about being in that range. And I think you're questioning on the churn, our retention rates are still healthy. They haven't changed over the course of last 3 or 4 years. They've been pretty consistent. We are -- we have seen the lower dollar value customers' churn, but our focus now is on the higher value customers.

Yes. Thanks, Jeff. The piece I would add is to the reference to customers and controls, I might flip it around and look at it in a different way. When we think about each of our packages are tailored specifically to what we believe a profile of customer that we want to do business with, right? So I think the core thesis is -- as I mentioned earlier, is we look at whether it's a good, better, best, and obviously, we'll have different names for them. But when we look at those offerings, is they're tailored for customers we believe are looking for, as Corey said, a better SecOps security solution and they're looking for a unified platform that can deliver that. And so the way we've set it up is to actually drive the right match to figuring out who are the customers we want, what are they looking for and then how do we tailor our packages to that? So I would actually flip it around and look at it that way. And then as I think we've been highlighting and then how do we work to expand with those customers, as Corey was saying, the lifetime value. These are strategic customers that we believe, over time, are going to be journey and partnering together to get to better achievement. So I think we focus first on who are the customers we want to engage with, how do we deliver the right solutions to the right people at the right time and then how do we make it a seamless journey to expand and get to better security, right? And so I look at that way. I think our sales team and our marketing team and our customer success teams all kind of live this spirit of that, which is how do we engage the customers and help them on their journey and to make sure we're meeting them with the right message in the market.

Thanks, Andrew. And now we'll go to Joshua Tilton from Berenberg.

So on the last earnings call, you guys kind of talked about growth expectations for VM and the security transformation solutions of 10% and 40% plus, respectively, for 2021. So if we look at the ARR mix that you gave today, it seems that you're pretty well positioned to come in ahead of your initial ARR growth guide kind of on mix alone. So am I doing the math wrong here or should we just view the guidance as conservative, kind of in light of this ongoing macro environment?

Yes, Josh, the growth rate that we laid out in the presentation is a CAGR over 5 years, they're high single digits, and 30% CAGR for security transformation over 5 years. For this year, I think what we said is we would grow ARR for VM, that we'll continue to take share and grow ahead of the market and security transformation will continue to grow over 40% this year.

Yes. Just a comment. I do want to be reflective of, as we talked about on our last earnings call, we do believe that this year still has some uncertainties to it. We see great fundamental demand. And we think that, like as we exit this year and go into next year, that fundamental demand will actually turn into real opportunity for Rapid7. But it just has uncertainties in this year, and we have to calculate and think about those uncertainties as we gave guidance, as we went out and we actually talked to you. Likewise, though, the thing that I'd actually point out is that we also said that we saw higher demand for security transformation solutions. And so we continue to see vulnerability management as robust one rather than the broader market. If you look at our guidance in total with others, our guidance was fairly in line with us actually continuing to take share in the vulnerability management market, which we believe that we'll continue to do. And if the market recovers, just like the way it did last year, then that's upside potential for us overall. But we've given you the best estimate and the highest transparency that we can actually give you at any point in time based on what we're seeing and based on what's happening in the market.

Thanks a lot, and thanks, Josh, for the question. For the next question, we'll take an e-mail question from Jonathan Ruykhaver from R.W. Baird and the question, maybe for you, Corey or Lee. Any update you can provide on the early traction around Cloud IAM Governance and enhanced endpoint telemetry? And what are the synergies between those products and the broader platform?

Yes. So on the Cloud IAM Governance piece, we released something last year IAM Governance for the cloud. And just to clarify what it is, it's really to help organizations understand their identities and roles and permissions that they create in their cloud infrastructure. And when you start to roll out your cloud infrastructure, you have to create a lot of different roles and permissions for a variety of different things and it gets quickly kind of unwieldy. And so what we've been building is a way to analyze that so that you can understand your effective access of what these roles and permissions can enable so that you can reduce that surface to make sure that you're not overpermitting things that could result in malicious acts. It could result in an act or -- using those rules for something they should. And we've had a lot of good feedback and tractions early, I would say, for sure. But we've had great feedback from customers. We're working with some customers on rolling that out now. And then we're going to continue to innovate on top of that to roll out more capabilities in this area, and we're pretty excited about it. On the enhanced endpoint telemetry, which is a capability that is available in InsightIDR today, it allows customers to get more data around their endpoint activity for things like investigations and forensics for an attack that may be occurring or some investigations that they need to run. We've had a lot of good use of that capability and success as well. And again, kind of going back to some of the earlier discussion we had, that's just an example where it shows that we're collecting data from the endpoint, from the cloud, from the network, from your traditional infrastructure and your modern infrastructure to give you that holistic picture, kind of -- that kind of next-generation of detection and response technology. And the enhanced endpoint telemetry is an example of how we're continuing to innovate there. And again, we've had a lot of good customer success and customer traction with that as well.

Thanks a lot, Lee. And then our next question will come from Chris Speros from Stifel.

Corey, you talked about the different stakeholders involved in the cloud security buying process relative to traditional IT security and the importance of working with DevOps and meeting them where they are. Can you talk about your approach to targeting the developer buying center and how your partnership with Snyk has played into that, if at all?

Yes, that's a great question and you hit it. We actually have a pretty expansive partnership model. Our whole goal is to be excellent at the things that we're excellent at, which is the security operations center and security transformation and focus on that, but also partner and we'll add capabilities over time to other areas. The partnership is a key mechanism. Our strategy in security is enabling our customers, and our customers are security customers. That said, what we've learned and what we've observed and what we've heard from our customers and what we've frankly heard from DevOps is there is unnecessary friction for security to partner with DevOps to secure enterprises and to secure applications and to secure innovation and to secure cloud. And so we think about our job is to actually remove the friction for our customers so that it is not a lot of work and we reduce the burden of them doing their job of securing their environments. And we do that in multiple ways. So the first way that we actually do that when you think about our cloud and apps is we build our technology so that it "to use the language" that -- I mean if we use the shift left, it actually meets customers where they are naturally in the process and allows them to secure things at the right stage and it builds the right type of infrastructure that allows people to actually figure out their security at build time and run time and all the different places along the path to build in an application, such that it's not a big after the fact exercise. We also do that by actually partnering with people like Snyk that enables us to actually make sure that as our partners do their part of the ecosystem of the stack, that security flows directly into some of the work that we actually do. And I'll remind you is that we have quite a robust ecosystem around security operations for applications in the cloud. We have cloud-based security, we have container-based security, we have cloud security testing, we have application security firewalling, we have application security monitoring and that's just to name a few and we're still getting started on this journey. But we're being very, very thoughtful about why -- where we provide value, and we're spending lots of time with our customers and our partners saying, where's the friction coming from and how do we actually eliminate the friction because that allows our customers to be more productive. And that strategy is being met with great success, and that's part of the growth in the drivers that we actually see today.

Thanks, Corey. And then we'll turn back to Matt Hedberg from RBC for our next question.

Maybe for Lee and then, I guess, the portion of it will be for Jeff as well. When you look at the product set today, you guys have been on a tier from an R&D perspective, you've acquired some technology. I guess, I imagine the tech stack's going to look different in 2025. But to the extent that you can talk about where you are today versus perhaps what that tech stack looks like in 2025. I'd love to kind of hear that view. And then, I guess, for Jeff, I just wanted to confirm when you're talking about some of these longer-term targets, are those effectively organic in nature?

Yes. So Matt, it's a great question. I'll talk about the tech stack. To your point, we are continuing to innovate. We have been innovating and delivering new capabilities to customers. I think, look, we -- as Corey said during his discussion, and as I talked about, we want to really understand our customer problem deeply, right? That is a big focus here at Rapid7 broadly. We spend a lot of time with our customers, and that has driven a lot of our innovation in the last 10 years. So how can we really solve their problem. And a lot of it is really understanding our user and delivering on that. To deliver that, we continue to build our platform and evolve our platform. And we think we've got a lot of work to do in our core pillars, right? We've got a lot of opportunity to continue to innovate and we have a lot of opportunity to add things like more advanced analytics. We've got -- we use things like machine learning in our platform, and we'll continue to evolve that and add more algorithmic models that help our customers in their [ socks ] detect more effectively and contain those attacks as an example. And we will continue to understand better how they can apply more of their workflow so that they can automate the output of that. I think when we think about -- and I talked a little bit about how we bring some of the data together, that's going to require us to invest in the experience a little differently and how can we make sure that we can bring the relevant data in context. If you think about all of what we have, we can continue to innovate on top of that data to deliver more context to our customers so they can make better decisions, and that will be a strong focus as well as we move forward. But we definitely feel like we have a lot of room to continue to innovate and grow within our pillars and within our area, that we're focused on with our customers to continue to make them successful.

And I'll take the question around -- Matt's question around inorganic versus organic growth. We really haven't changed our strategy over the last 5 years. We don't have any big ambitions to actually change it as we go forward. To say it very simply is, we have a very audacious plan to deliver the world's most advanced, most sophisticated security operations technology around data analytics and automation across every single technology environment in the world and to do that in a way that allows our customers to actually get the most efficiency and the most productivity. And that value proposition works well. Now what we're constantly looking at and screening is really 2 different things. Is one, we're screening the pace of customers' needs. So as an example, you saw that we believe last year and we talked about it, that customers' need for cloud was accelerating faster than our organic build plans. That doesn't mean we do anything necessarily about it, but that means it's something we pay attention to because that's customer feedback that we're actually getting firsthand. By the way, this model also allows us to execute with higher confidence because we're primarily focused on sort of like where customers are telling us they have urgent needs and priorities and what customer shifts are occurring. The second thing that we tend to pay a lot of attention to is what represents great long-term value, both for our customers but also our investors. So our goal is to make sure if we were to do M&A, it's accretive in the medium term. And so that 12- to 24-month period, we want to make sure that it's economically accretive and viable. That's our focus and that's our orientation. We don't have any need to say we absolutely must go acquire something. But based on what we view as market demand, based on what we actually see as what we can actually make accretive in a reasonable time frame, which is a factor of sort of like what's the prices in the market, and sometimes the prices are reasonable and sometimes they're unreasonable. You'll notice that we've also [ set-in ] our hands a lot when we actually thought prices were unreasonable in the market. We'll consider acquisitions. We say no to lots of things, and we don't have any must-do built into our models. But we're always paying attention to what customers are saying they need and we're also always paying attention to the pace of which we can give customers what they need and what's actually happening in the broader market.

Thanks, Corey. And to close out the afternoon, we'll take our last question from Saket Kalia again at Barclays.

Awesome. Jeff, maybe just one strategic finance question for you and just one clarification. So maybe just strategically, a lot of talk about ARR per customer today, and of course, the faster growth in security transformation. I guess I was wondering if you could talk about ARR byproduct. And what I mean by that is, as -- if you think about ARR per customer for security transformation products in isolation, as that mix increases, what impact will that have on the blended ARR per customer metric, right? That's the first question. And the second question is, I was just wondering, just to make sure the question is asked, how do you define what a strategic customer is, just as we kind of hear that term a little bit more in the future?

So I'll start out with your first part of your question and maybe Andrew can add -- piggyback on the strategic customer. So if you look at the graph of the 420,000 that we laid out Saket, it's a big difference from where we were 3 years ago at 200,000. So that really grew. Divi obviously increased it. If you look at that graph, it's over $100,000 or $120,000 average per customer. If you look at our D&R product, that also grew significantly from 3 years ago. It was less than 100,000 then. It's become more of a mature product. And we've actually gotten larger customers, which is where we -- from where we were 3 years ago. So over time, if you look at that shift, then that's all going to contribute to driving growth in the overall ARR per customer. I guess that's the way to look at it and you look at our customer -- I guess, you look at our customer growth of 5% to 10% and you look at the growth in the security transformation growing, you can sort of triangulate and do the math and figure out where you think that's going to be byproduct, but we've given you enough metrics to sort of project that out, and I hope that's helpful.

And then Saket, I'll pick up Jeff's point about strategic versus nonstrategic. And I think Corey alluded to -- just alluded to this earlier, right? If you think about the strategic customer, right, that's one that is looking to close that achievement gap with a better security operations set of solutions and one that we believe we can well serve with our platform and serve across this space of securing the digital experience, right? What it's not is somebody that's -- as Corey said, a consultant who's just looking at a transactional relationship, right? We're thinking about lifetime value, we're thinking about platform adoption, we're thinking about engaging them that are looking for a better solution, right? So as we think about that strategic customer, that's where we get things like the consultants or the one-off kind of log entries type of customers as well that really aren't in that sweet spot of focusing on the security operations teams and those digital and security transformation groups, right? So if you think about those 2 groups and what they look like in that journey around better adoption, better security and better lifetime value, that's how we think about it. And you can cut them up a couple of different ways, but I think Corey hit on this and Jeff hit on it as well. And we're seeing, frankly, that's where our confidence with this ARR per customer, right? Because these customers are telling us that they're looking for this ability to have the better, easier consumption of security and then seamless expansion. And for us, it's a natural sweet spot. And it's one that, as Corey said, we've been really focusing on for a few years now, and it's one that we're seeing really some growing success with.

Terrific. Thank you, Andrew. With that, I think that wraps up our Q&A and our overall event for the day. So I will turn it back to our Chairman and CEO, Corey Thomas, for any closing comments. Corey?

Sunil, thank you, and most importantly, thank you all for joining us today. We really appreciate you taking the time to actually hear Rapid7's strategy and its vision for our customers and how that vision and that strategy, we believe, will translate to long-term value for our investors. So thank you so much for your time. Please be safe and be well, and we look forward to continuing to have the discussion and the dialogue with you as we go forward.