Rapid7, Inc. (RPD) Earnings Call Transcript & Summary

Okay. Well, hey, good morning, everyone. Welcome to day 2 of the Barclays TMT Conference. My name is Saket Kalia. I cover software here at Barclays. Very happy to have with us the team from Rapid7. We've got Corey Thomas, CEO, as well as Jeff Kalowski, CFO of Rapid7. We've got about 25 or 30 minutes together. Maybe what we could do is we can take the first 15 or 20 minutes to go through some fireside chat here with the team. And then would love to make this interactive. Any folks on the webcast that have any questions for the team here, just feel free to shoot me an e-mail at [email protected], I will be happy to ask it on your behalf here in the time that we have. So with all of that as a preamble, Corey, Jeff, thank you so much for being with us here today.

Great to join you. Thank you so much for having us.

Sure.

Absolutely. It wouldn't be a Barclays conference without the Rapid7 team.

Corey, maybe just to start with you. I know you spent a lot of time with customers. So maybe a good place to start out would be, what are you hearing from CISOs just on their willingness to spend, particularly on products in your vulnerability management and security transformation portfolios?

Well, one, we feel very good about the demand environment and the feedback that we're getting from CISOs and security teams is, one, security is priority. Two, the security operations is a big focus of how they actually make their program successful. And so in general, we're seeing high demand for -- in our security transformation, our cloud security and our detection and response technologies. And we see enduring demand for our vulnerability and risk management technologies. And so we feel pretty good about the cloud environment. What we're also hearing from CISOs is that they have the same concerns that it feels like everyone and at least in the U.S. is having right now, and that's just about talent. And so in some ways, the bottleneck has actually moved from, can they actually get budget, is can they actually staff the teams to actually manage their security efforts in the way that they actually want to. And so I know talent is top of mind for a lot of CISO. It's something that we pay a lot of attention to because we want to make sure that customers are set up to actually get value and leverage our solutions and our technologies as quickly as possible.

Yes, absolutely. That makes a lot of sense actually. And I definitely want to connect that back to the security operations part of the portfolio as well. I think there's an interesting trend there. Jeff, maybe just to shift over to you. I mean, there were a lot of good things to talk about here from the last earnings call in Q3, including ARR acceleration, which I thought was really interesting. But maybe just to make sure that we're all on the same page, can you just tell us what were some of the things that you were most proud of in the past quarter? And Corey certainly feel free to chime in here as well.

Yes. It's a good question. Q3 was a very strong quarter for us. It's really hard to pick any one thing because it was just so broad-based. I guess -- I think overall, the performance is validating what we said at Analyst Day with respect to the growth drivers. We had strong customer growth. We had strong ARR per customer. We had strong international growth. So everything worked well. Like everything we laid out, we're validating what we said back in March. And I don't want to exclude the fact that we had very strong overperformance in our operating income. And the point there is that what we're showing is there's leverage in the business if we overperform, and the overperformance went to the bottom line. So all those factors really support our message of really the mission of driving durable long-term growth.

Yes, I just -- I think Jeff hit it. In many ways, what's been consistently exciting for me about what our team is doing is that we have lots of ways to solve customers' problems. And we're executing on lots of ways. So what that means is that like if you are going through a pandemic, if security transformation and solutions becomes more sort of like in demand than vulnerability management, we get to play in both of those spaces. If different parts of the world show greater demand, we get to participate. So it's the fact that we actually have a lot of different growth drivers and our team is attuned and can actually respond to which ones are in customers' preference at any moment in time. And that provides a massive opportunity for the stability of growth over time, and that on itself to me is one of the things that I would emphasize.

Yes, yes, absolutely. I think that's actually a great dovetail just into -- I'd love to see them into the security transformation portfolio a little bit, Corey. Understanding we're not going to break out sort of the components of that specifically, but maybe you could rank order for us just the products there in terms of size in that security transformation bucket. And maybe even more importantly, which ones are you most excited about from a growth perspective?

Yes. I mean, so the easiest way to think about the sauce, lots of it has to do with both the TAM, which we have a lot of robust TAM, but also the history and how long we've been investing in it. We have gone from sort of like a nascent in 2017, 2018 on the detection response to a real leader in the market. And that's showing durability of both growth at scale. We introduced more broad-based cloud security, which includes both organic development and inorganic capabilities last year. So it's not the same scale as the detection response, but the growth is strong. And I'm incredibly optimistic about the future. If you look at Rapid7 as we go forward, I would actually say that things that excite me is really something like two different things. One, the strength of security transformation solutions, anchored, I would say, as we go forward, pretty evenly between detection response and the cloud security. The second thing I would say is the emerging strength of our ability to actually monetize and also extensions, which actually gives us a way to consolidate for customers economically. Customers are increasingly more interested if you have a best-of-suite platform in consolidation, if you can give them the best of [indiscernible] technology, but it has to be economical. So if you look at what we're doing with NTA, if you look at enhanced endpoint telemetry, if you look at it with cloud security, we're building a platform that allows itself to extend. I think we're in the very early days of that. But the success that we're having and the demand that we're seeing, it's having us double down on that. And really, that actually portends lots of opportunity for the expansion and moving from -- we moved to the sub-$20,000 to the mid-$50,000s. We've talked about we see clear line of sight directly. We're moving to the mid-60s. But our ability to grow that ARR per customer, I think that capacity is increasing. And really what we're focusing on now is the operationalization around that.

Sorry, go ahead, Jeff.

I don't know if it is a part of your question, but in that in security transformation, the detection and response is the most scaled business and is the largest component. But the point I want to make is they're all growing well and security transformation and the aggregate is growing over 40%.

Got it. Got it. You anticipated my next question there, Jeff. So just to maybe put a bow on sort of the -- looking at security transformation in the aggregate, Jeff, maybe for you, can you just remind us how large that overall bucket is from an ARR perspective? What that growth profile is that you've talked about? And maybe how the bucket impacts, again, that very important metric of ARR per customer? Is it -- does it add to that metric? Does it impact it in a different way? If you could just talk about security transformation from those few different lenses.

Yes. So we haven't broken out the specific components of the bucket, but maybe this is the way that I can actually frame it for you -- is that at the end of '20, we said about half of our -- a little over half of our ARR was VM and 40% was security transformation, right? And then at the last quarterly call, we said now VM is a little less than half, and security transformation obviously, has grown. We didn't give a specific number. I think VM at the end of '20 was 53% and security transformation was 40%. Back then, all the other components were 7%. And I also want to point out that remember that we added insights to it, which was $27 million at the end of Q2 of this year with that acquisition. That's in that bucket as well. So if you apply the math and the growth rates across those components, you can sort of size the relative size of each component on the $550 million. I would say that also, I think your question is to ARR, security transformation is growing faster. It is probably -- it is a higher price item in the aggregate than VM. So it is contributing more to that ARR per customer, particularly the cloud, which is, as we talked about when we acquired -- Divvy, their average price was about $200,000 ARR more enterprise-focused. So yes, security transformation contributes more. And it is growing faster at some point. I think you pointed this out in your questions on the last quarterly call is that at some point, yes, it will overtake VM as a percent of the total ARR.

Yes, yes. Absolutely. I definitely want to dig into some components of the security transformation bucket a little bit. But maybe just to show the VM business, just a little bit of love. I mean, I think InsightVM is still -- or at least at the end of '20, right, kind of using those numbers, is still the largest single part of the business. And of course, we've talked about how that's changing. But maybe, Corey, for you, how do you think about market growth in the VM market? And how is that competitive landscape changed, if at all? You've been in VM being market for a long time. I mean, just kind of curious what your perspective is there.

Yes. So I don't think the competitive dynamics have changed so much. I do think they will probably change in the competitive dynamics now and as we go forward. The way that I would describe the market is I think VM we said that, for us, will be over 10%. And we actually don't. We see durable growth there, but still put sort of like in the technology landscape itself and infrastructure landscape, vulnerability management is incredibly attractive space. Now we have probably a slightly different view from a strategy perspective. Our goal is to actually really drive three things. One is to actually drive more adoption in the significant amount of organizations that don't have VM today, and they don't have the visibility. The second thing is to actually drive broad visibility and to make it cost effective. Again, keep in mind, VM is a market that moved from 20% asset under management for our organization to a little 40%, and it's still hovering sub-50% in general. And what we believe is that like in order for anyone to manage their security well, they have to have a broad-based visibility. And so the second thing is how do we actually make that economical and easy to use to actually get broad-based visibility from a vulnerability management perspective. And then third, to actually take the core data to get operational, not just within vulnerability management, but to actually have that core component that feeds the rest of security operations. So with that is our strategy is actually to be #1 in terms of the usage of vulnerability management capabilities for visibility and risk management from a strategic perspective. And then for that to actually help be a component that actually drives ARR per customer. What I would tell you is that I'm indifferent to whether we actually have something called vulnerability management as a separate -- [indiscernible] offering 5 years from now. What I'm really focused on is how do we drive usage and adoption and then monetize that profitably that's actually driving our ARR per customer continuously up. And that's the benefit of the platform play. And what I would say is customers like that approach because it's really centered on solving them problems in the most economical way.

Got it. Got it. A lot there that I definitely want to touch on. But maybe related to that, and Jeff, I know we don't talk about profitability per product. But maybe for you on the VM business, I guess how do you feel about sort of room for the VM business to sort of expand profitably, right? Because if you think about the business, right, you've got this really fast-growing security transformation bucket, which I have to imagine is going to be just lower profitability than VM. And you tell me there if I'm wrong, the VM business that's been around for a long time, that's got a nice leadership position I have to imagine is helping sort of subsidize that a little bit. How do you think about the profitability of the VM business and that dynamic between the two?

Well, look, as you know, VM is our most mature product. And it's a bit below half the ARR last quarter. It's a very high-margin product. And while it's growing less quickly than security transformation, it's still growing well, and it being the most mature product, it is supporting the growth of the other products. So it contributes a lot to the profitability of the overall business. So yes, if you look at security transformation products, they're less mature. They are evolving. We're continuing to invest heavily in those products as well, we continue with VM as well. But we're adding more new features. So it's less of a mature product, so it's going to have slightly lower margins. But having said that, we have very healthy margins in the mid-70s overall product margin. So yes, it helps fund the other faster-growing products as well.

Yes. Yes, absolutely. So wanted to make sure we spend a couple of minutes on VM. I would love to go back to security transformation and just then just dig into a couple of the products there. Maybe starting with, I think, maybe the longest-standing product in that bucket, which is InsightIDR. It's funny, Corey, I mean, I thought that InsightIDR was ahead of most, right, in terms of seeing the potential disruption in the SIM market. How do you sort of feel about the opportunity for share gain here going forward? And maybe I'll ask you the same competitive landscape question on SIM, right, which I think is going to be a little different than the answer on VM. How do you think about it -- how do you think about there and where IDR kind of fits?

Well, I mean the nice thing is that the detection response market is bigger than the vulnerability management market. And it actually has higher growth in the vulnerability management. And we actually have a scale position, and we're one of the growth leaders by far. And so that is sort of like the backdrop of why we actually like the market and why we actually think it has a big durability because while we actually have scaled it, we still have massive amounts to actually grow. It also has something that you know -- you can get lots of things right but time is something you can't control. It's also a market that's actually characterized by having big shifts and who the dominant players and the leading players are. And so competitively, if you look back 4 or 5 years, VM is relatively stable, but the detection response in the SIM market, if you look back several years, it was our side or Micro Focus and IBM and Splunk and then a couple of other small players like LogRhythm. If you look forward, as you actually go forward, the leading players, you see is sort of like -- Splunk is the only one that's still really in the game in a relevant way. And you've seen Rapid7 in an incredibly strong position. But you also see the emerging players around like Microsoft and Exabeam that are well positioned. And then you have people that are doing the managed detection response. And Rapid7 has a great position here because we actually are both leading on the technology side but we also have significant market demand from our partners on the managed detection and response side of the equation. And that positioning in that backdrop, I think, allows us to actually be well positioned for the future. And so if you say, what are people looking for? And what's the criteria as you go forward? It's that, one is you got to actually have an XTR-centric capability, meaning that like you don't make customers roll their own solutions and have to build their own. So we're collecting data across the endpoint, the network, log files, asset files, API interrogation, direct intelligence. So one, the broad data collection platform. The second is analytics has to actually be both behavioral and it actually has to be something that customers can extend. We pioneered the behavioral analytics around both user behavior analytics but also attack behavior analytics. And we've now introduced the capability, which has really opened our market up for the large enterprise to actually extend and have your own type of analytics engine that's customized and extensible for large enterprise companies. And then the third thing is in a world where you actually have really, really low levels of staffing relative to the challenge, you have to be able to automate. We have one of the top automation platforms in the world, and all of these are tightly integrated into an extensible package. You look across the modern stakeholders, there's very few that can compete with that value proposition. So I think our capacity to sustain growth and take market share in the future is incredibly strong.

Yes. Absolutely. Corey, maybe just moving on to another product within security transformation, DivvyCloud, which I think we acquired a little bit over a year ago. Now a lot of folks are getting more and more familiar with the term of cloud security posture management or CSPM. But it feels like a term that other vendors are using a little bit as well. So Corey, maybe the question for you is what do you and the team sort of see in DivvyCloud that you feel like gives you an advantage to take some share in that space?

So you're right. So cloud is an increasingly competitive market. Part of that is that it is -- has a lot of unsolved problems. We think Rapid7 is unique. And I think about it not just at DivvyCloud. Remember, when you look at cloud security, it's a couple of acquisitions, DivvyCloud some organic development around identity and ongoing adding on capabilities like cloud detection engines that actually came in conjunction with our detection response platform. And also the risk engine, which actually came from some capabilities in our vulnerability management team has actually made. So when we think about it, we really are thinking about cloud security overall or some people call it cloud native security, which is more than just CSPM. Now what's the advantage that Rapid7 has is everyone else is either acquiring or buying into something that they -- is not the natural engine. The key criteria for success in the cloud market is can you actually ingest multiple forms of both data but also analyze environments from a risk perspective. Again, if you look at our ability to having the broadest data collection platform and having one of the broader platforms for doing risk analysis -- core to what we do. And then can you actually translate that to [indiscernible] automation. That security operations focus is core to our DNA. So we're not a networking company learning that, we're not sort of like a different type of class of company learning that. Cloud is about basically, can you actually give visibility? Can you assess risk and threat? And then can you automate state changes? That is core to the Rapid7 DNA. And we actually bring all of our platform technology. So when you think about all of these subsectors of sort of like cloud security, is yes we acquired CSPM, we acquired parts of the Kubernetes workload protection. But the visibility into containers is partially that's acquired. Part of that, we had deep expertise on analyst and containers from our VM team, which has done some early pioneering work with VMware about how do you actually look at virtual machines from a cybersecurity perspective. When you think about looking at risk, lots of that research comes from our vulnerability management teams to do that. The way we go about looking at threats, again, having one of the largest or sort of like fastest-growing SIM or threat detection platforms contribute to that. Same with threat intel. And so this basis of our platform is in many ways where we're taking is core technologies, and we're adding new technology organically, like we did with the identity analytics in the cloud. We're doing some smart acquisitions that we did with DivvyCloud . But we're also creating a reformulated cloud front door, but lots of fundamental technologies that you actually need in the cloud and that gives us something that's very, very unique. We have breadth of cloud security technologies and we also have depth cloud security technologies. We think that, that positions us incredibly well in the future, especially since many of these things are in areas where we have core domain expertise.

Yes, yes, absolutely. Jeff, I want to shift over a little bit to pricing and packaging because I think Rapid7 had some interesting things around that recently. But maybe just to set us up for that, and Corey touched on this earlier, but Jeff, can you just remind us what Rapid7 has said about targets or aspirations maybe on ARR per customer? And just some of the high-level levers that you think about in sort of getting there?

Yes. I think what you've heard us say is that we see line of sight between $60k, $70k in ARR per customer. And there's two drivers of that, obviously. There's the customer growth and then there's the increase in the prices and bundling. So what we do see is that we -- well, let me back up a minute. We're not biased as to which one is -- we're not optimizing for customer growth or for ARR per customer. We don't incentivize our sales force either way for land versus expand. I think the point that we'll make is that they're both growing nicely. Like last quarter, ARR and ARR per customer -- I'm sorry, customer growth and ARR per customer grew in the upper teens. So we have no bias. It's really -- as long as they both grow. And in our long-term targets, we said 5% to 10% customer growth and 10% to 15% ARR per customer. We're exceeding those goals now, and you're seeing that in the growth now of $55,000 last quarter ARR per customer. So those are the two drivers. We managed the overall ARR growth, obviously. But I've said it, ad nauseam, but we have a healthy balance that -- they're both growing and contributing to the overall ARR per customer.

Yes, absolutely. Maybe that dovetails into one of the last strategic questions that I want to ask you, Corey. But again, it feels like Rapid7 has kind of experimented with pricing and packaging and bundling sort of strategies more recently. And so maybe it will be an open-end question for you, Corey. What have you done with pricing and packaging this year that is maybe different than what Rapid7 typically does? And what benefits have you seen sort of as a result of those changes?

One is that customers see Rapid7 as sort of like having great technology. And it took a while for us to set that position. And so now the economic argument really enters into the customer equation, how do they actually get access to those technologies in an economical way, which actually makes the conversation around consolidation a lot easier. I would say that in many ways, we had, I would say, reasonable market concerns for like several years ago about like customers interested in consolidation. What we're finding is that customers -- once they actually know you actually have best of suite or best to be product on common platform. They're much more willing and interested to engage in a discussion about how they start shifting towards you. Now I'll also say just -- no customer wants to actually have a singular risk. So this is not going to be a market where you actually have one player with all of the usage because many customers take that such too much concentration and consolidation. But I do think that you actually see a high driver for customer go to sort of like 20-plus security technologies down to sort of like the low single-digit security technologies. And we think we're a huge beneficiary of that. So then the question to your question is what's the right way to monetize that economically for the customer and that has the right growth profile for us? And so what customers are interested in bundling. That's actually worked quite well, although we have some -- we're taking that easy and slow because what we want to see is that customers deploy ideally within 3 months of purchase and usage. And so the second thing that we're actually been looking at is sort of like, what are the subscription models that actually customers pay as they use stuff. And we think that we have a broad enough suite and portfolio where that's of interest to customers and that's an interest to us. And it provides visibility for the customers, but it also provides an easier ramp to accelerate expansion for us. And so that's sort of a bit of interest. And so those are the two areas that we're really focused on. And I would say the -- if you say what's changed most is that it's not a question of our customers interested in scaling and consolidating. It's what's the right way and the easiest way for them and the easiest way for us to actually do that efficiently.

Got it. Got it. And I lied, I'm going to make this the last question for you, Corey. But I think probably worth calling out, I think this is going to be, unfortunately, our last Barclays conference with Mr. Kalowski here. It's been a really fun ride. And for me personally, I'm sure it has been for you as well. But Corey, maybe the question for you, talk to us a little bit about Jeff. Who is replacing Jeff? When he's going to be starting? Anything you want us to know about that shift in the financial leadership team.

Yes. If you're not aware, one, I think we announced a few calls ago that Jeff, who actually has done an amazing job, and our team will miss dearly, is retiring. We've also announced , a person that I've known for a while and have a lot of respect for [ Tim Adams ] will be joining as CFO. And as far as the transition, it's going to be a great transition. I mean, luckily, we have Jeff who's a world class guy, and Tim is a great guy. And they've been spending lots of time with each other, and they have a great collaborative relationship. Tim has a great relationship with the team and a huge respect by the team for him and vice versa. And so I expect a very smooth transition. Tim will be starting at the start of the year. But Jeff and Tim are going to have an overlap period and they're working together to actually make sure it's a smooth transition as possible, and there's already lots of engagement with the teams.

Yes. And Saket, I couldn't be more excited to get someone of the caliber of Tim to follow on who's got a great reputation. I've known Tim for a while, and it will be seamless. It would be great.

Yes. I mean, I can actually say that executives got them -- Jeff might get the recruiting bonus for recruiting Tim.

I might negotiate that.

Well, listen, I'll certainly say it feels like a very orderly transition but also just to make sure it is said -- very big shoes to fill with Mr. Kalowski. So congrats on the retirement and...

We'll stay in touch, Saket. I'm not going anywhere.

Would love to. Would love to. Corey, Jeff, thank you so much as always for the time. Really appreciate it.

Thank you.

Take care.

Awesome. Enjoy the rest of your day. Bye now.