Rapid7, Inc. (RPD) Earnings Call Transcript & Summary

Okay. Well, hey, good afternoon, everyone. Welcome to Day 2 of the Barclays TMT Conference. My name is Saket Kalia. I cover SMID-cap software here. Very happy to have with us the team from Rapid7. We've got Andrew Burton, Chief Operating Officer. We've got Tim Adams, Chief Financial Officer. We've got Sunil Shah as well in the -- up here in the front row as well in the Investor Relations and kind of other stuff areas. So we'll go with that, but -- so we've got about 30 minutes here together. Maybe what we could do is we can take the first 20 or 25 minutes with some fireside chat with the team. And then I'd love to make this interactive. Anyone that has any questions, just pop up your hand. We've got a mic runner around, and we'd love to make this interactive. So maybe with all that as a framework, Andrew, Tim, thanks so much for being with us here today.

Thank you for having us.

Yes, absolutely.

Andrew, maybe for those of us that are less familiar with Rapid7, I was wondering if you could just start us off with a little bit of an overview of the company. Maybe specifically, where you've come from as a VM company to what the company has turned into today and where you see this going.

Yes. That's a great question. And one of the areas, when people look at this as a VM company, the core capability of the VM company was to be able to go out, scan an environment, collect a bunch of disparate data, very complex data, synthesize it all and give people a simple visibility into where their top risks were, right? So taking an incredibly noisy environment, dumb it down and help someone improve their security program. As we have evolved as a company, we've become a SecOps company, and we believe we can be the #1 leader in helping people get better visibility, insight and analytics around their attack surface. And what does that really mean? Where are my threats and what are the risks to my environment, right? And so when we look at this, our customers consistently tell us it's a noisy environment. It's very hard to get the team staff to be able to get that insight. So our mission is to make that achievement a little bit easier, a little bit simpler, consolidate down, be a platform consolidator and help people use our SecOps platform to address the end-to-end enterprise risks and threats facing their organization. And that's how we think about the opportunity, especially in this economic environment. People are looking for platform consolidation. They're looking for better analytics. They're looking for things they can automate. And they're looking effectively for a better security program, which is where we're helping them.

Yes, absolutely. Tim, maybe just to level -- sorry. You were going to -- I was just going to say, maybe to level set all of us, maybe are there any -- are there any sort of highlights from last quarter that you want to make sure we know about just so that we're all on the same page?

Maybe a couple of things. Look, the headline that we're not certainly proud of is we lowered our guidance for the balance of the year. Q3 did not come in quite where we thought it would. And we laid out a couple of high-level things. We are seeing a lot of economic pressure, macroeconomics, certainly in EMEA, and we're expecting to see more of that in EMEA, but to see it over here in the States in this mid-market category where we do have a lot of customers. So we lowered the guide for the balance of the year. We believe we have de-risked it. And we're being very thoughtful about how we execute going forward. I'm sure Andrew is going to talk a little bit more about sales execution, and it wasn't quite where we thought it would be for a variety of different reasons. And so between sales execution and the macro environment, we lowered the guide. And then Corey just wanted to put it out there and reiterate a longer-term view that we shared a couple of years ago at our Investor Day of being a Rule of 40 company in 2025 and that we see the opportunity for a 20% ARR growth CAGR between now and 2025, knowing that next year is going to put some pressure on that. So it will be down modestly, we said 1 point or 2 based on these couple of factors, making changes to our sales optimization, some pricing and packaging that we're working on, and who knows when the economy is going to turn around. I've not seen any estimates out there that I think many of us can hang our hat on. There is a lot of pressure out there on that side. And we see those as a headwind certainly in the first half of the year. And at least our thinking right now is, on the execution side, that will get better in the second half of the year. And we'll see how the economy plays out. So a couple of things to share.

Yes, absolutely. Yes. Well, certainly, you're not the only security company that's seeing that type of macro weakness, so you're in good company, for what it's worth. Andrew, maybe for you, maybe as a derivative question here, I know you spend a lot of time with customers. Maybe the question is, what are you hearing from them on their security budgets right now? And how are they prioritizing tools like VM, like SIEM and some of the other SecOps tools that Rapid7 brings to bear?

Yes. So first, security continues to be a high priority. I don't think anyone would say the threat landscape is any simpler or less threatening than it was even just a few months ago, right? So I think we continue to see the fit. But it's not immune, right? It's not immune to the macro forces. And what we're hearing from customers, literally, security is still a priority, but I have to be very thoughtful of what I'm prioritizing on a relative basis to work through. So that's what I'm hearing from CISOs. And when we hear that, it really becomes a question of timing and sequencing. We're not hearing projects getting canceled. We're not hearing that some of the flush spending that has occurred over the last few years, especially at the end of the year, we're not hearing that's going to occur because there's more deal inspection, right, as CFOs get more involved, as CEOs are keeping a very close eye on their spend, but they continue to say security is important, security is a Board-level topic, and it's something they need to protect their organizations. So then the question becomes, Saket, is where are people prioritizing? Where are they focusing their efforts? Digital transformation. Huge amount of dollars have gone into digitizing or transforming workloads, development environments. And you saw this with Microsoft, Google and Amazon and the cloud expansion. The security of those environments is incredibly important, right? We're also seeing this changing attack surface is being something that is very important. Detecting and responding to potential attacks or threats to the organization, again, continues to be a top priority. So that's what we're hearing. For us and our point of view, it really becomes about being able to meet the customer where they are and what they're prioritizing and then really making sure you're able to work with them to make sure that, that prioritization and that they can get to that outcome they need to.

Yes. Absolutely. Corey has definitely talked about this as well, meeting our customer on their journey, so that definitely resonates. Maybe staying with you, Andrew. I mean not unlike other companies in our coverage, the deal scrutiny, the longer deal sizes. But Rapid7 is still growing security -- the security transformation bucket, ARR by I think about 40%. So can you just talk about -- is it fair to say that maybe more of that scrutiny is happening in the VM business? Or would you point us to maybe another part of the portfolio? Or is it geo-specific? I mean it's just -- it's still great to see the security transformation bucket growing 40%. We're talking about macro, so help me reconcile that maybe.

Yes, I think, one, you do have security programs that are evolving and transforming more moderate, let's call it, right? And you got this macro influence, right? So Tim, and we have talked about Europe and in the mid-market in the U.S., those pressures are there, right? But if you take a little bit of a closer look and you look at the security programs themselves, on a relative basis, VM is not what we see as being prioritized as much as some of the others. Security transformation, an area that we have done a lot of the hard work to build out that product set and that platform element, is an area that's incredibly important because you got the amount of money that's been poured into those environments, just talking about digital transformation, cloud workloads. And so we see this -- the detection and response business for us is security transformation has been very healthy because what we effectively did is we consolidated 5 or 6 different tools into one offering. And that's often missed when people look at Rapid7, is we were very much focused on consolidating around product centers. Now we're taking that to a platform consolidator, right? So security transformation has grown at such a nice clip because we have solved the problem of people trying to use multiple tools to get to a singular outcome. So now we give them a single tool, give them a better outcome at a better price. And now we're taking that to our platform.

Right, right. That makes a lot of sense. Maybe the natural add-on to that for you, Tim, just to give us a little bit of financial color. Can you just remind us how you segment the business between VM and security transformation? How big are those respective businesses? What's the difference in growth rates? Maybe just to start us off.

Yes. We've talked publicly, we came out of last year and we said security transformation solutions was a little more than 50% of our ARR base, VM being the primary lion's share of the other 50%. And we've said this has been a very high growth engine of the business for us, growing over 40% more recently. And then when you look at the new deals, the new ARR, it's as high as 70%. So there's a lot of traction and momentum behind that. So you've got this traditional VM business that is still very healthy and very important to customers, but Andrew talked a little bit about some of the packaging work that we're doing. And you think of cloud from a risk complete standpoint, you've got the D&R product, and you've got threat intelligence and automation. And all of these products are sitting in what we have traditionally called security transformation solutions. And that's where customers are going with their needs that they have in the market as they're trying to have better visibility across the traditional on-prem platform, the cloud platform. They really want to understand what risks are out there. They have to detect them. Then what do I do once you detect them? How do I respond? And these are just very important pieces of the puzzle that we've been able to put together on this platform that we call the Insight platform. And I think one piece maybe investors don't fully appreciate is the amount of work that has been done to build out the platform in this set of products. Some were built internally and some have been acquired. But either way, organic or inorganic, it does take a lot of work to put this together to have a more seamless environment and platform for the customer. And we've done a lot of that heavy lifting, and that's in place. That's why we think we're very well positioned when you think what's next and where we headed with vendor consolidation, which we believe will happen in the broader security environment. There's still going to be a handful of vendors that will be the one standing at the end of the day. We think we're going to be one. And in part, it's because you have the platform which is an enabler in that breadth of products. And the security transformation is an important piece of that.

Yes, absolutely. Maybe just staying on that topic with you, Tim. I mean you mentioned several of the products that were in security transformation. Understanding we're not going to get into relative sizing, but could you maybe rank order for us what are the top 3, 4 kind of products?

Yes, D&R stands out as really the big one that's in that bucket, and that's one that we've had a little bit longer inside of the portfolio. So that has grown very nicely, probably 50% order of magnitude. Then I would probably take threat intel and cloud. We haven't quantified the particular pieces, but they're all strategically important in terms of what customers -- in terms of the problems that they're trying to solve.

Yes. Sure. Andrew, maybe we can touch a little bit just on the sales force changes that we talked about in the last call. Could you -- and I think you touched on this when you were talking about the platform sale a little bit. But could you just maybe give us an overview of the transition in the sales force? And why is right now the right time to transition the team from more of a product-specific to more of a platform sales approach? Does that make sense?

No, it does. And it's a question we get a fair amount, especially with what's going on. So let me pry a little bit at just brief history so people understand how we got to where we are. So about 3 years ago or so, we had, relatively speaking, 2 specialized sales forces, right, each focused in different aspects of our product portfolio. And as we -- as Tim was describing, as we look to cloud security and we were building and then we acquired Divi Cloud, as you may recall, Saket, to help accelerate that effort, we were faced with the decision, were we going to have 3 specialized sales teams or would we consolidate? Now obviously, 3 specialized sales teams doesn't make sense from a customer standpoint. And also from an economic and productivity standpoint, it just wouldn't work for us over time. So we consolidated down as we got into 2022. And we started to see some really nice productivity signs of the sales team being able to sell this broader portfolio. It was largely seen in the enterprise space and then internationally, right? And as we began to really look at that, we also began to hire a significant number of new accounting execs. Now as these 2 things were going on, what happened? We know what happened, right? The macro changed. And in general, let's just say if the macro wouldn't have changed, if you hire a bunch of accounting execs and you look to bring them into a very complex land anywhere strategy, that is going to take some time. And our models have built in a little bit of elongation of ramp time, but that ramping time took a little bit longer than we expected. It has taken longer. Now you introduce macro to it, and now you've got these 2 factors, right? They're not 100% overlapping, but they begin to influence one another. And so as we look at bringing our sales force really forward to this next stage, we're introducing new packages that dramatically simplify our land motion around a couple of core platform offerings, right? So as Tim said, I was describing this earlier in some of our meetings, when you think about -- I break it down to 3 levels, right? The first, the technology and the platform. In many ways, that's the hardest thing to get right, right? Do you have the tech? Has it really been put together in a way that your customers can consume? So we say, check, we've done a lot of the heavy lifting there. Second is, have you priced it and package it in a way that's easy to consume? In the previous instantiation, these were all separate: pricing, packaging, sales cycles. And then the third is, do you have the people that can take your offerings into the market? So you think as you hire a bunch of new people and you got to ramp them on a complex set of products, we felt like this is an opportunity really as a platform consolidator to simplify the packaging and pricing and help further ramp and accelerate our ability of our sales team to go into a market now that's volatile. People are looking to get more for less out of their security programs, and they want to focus on strategic relevant areas, securing cloud and digital transformation. Hopefully, many of you would agree that's important. And then second, being able to look at that changing modern attack surface [ in tech stuff ]. So what you'll see from us is a dramatic simplification of being able to go out to our customers and say, "Look, we can meet you where you are." You were talking about that a few minutes ago. But then being able to simplify our pricing and packaging so that a sales force that maybe doesn't have 2, 3, 4, 5 years of experience can ramp and get up to speed and still be able to have the complex conversations when needed in later in their tenure, right? So for us, it's a really focus on productivity and simplifying it. It's good for our customers. It's good for our team and helps us capture more share of our customers' environment.

Yes, absolutely. I mean it's a lot to digest there. So I understand why it's going to take a while, but I also see the benefits around it as well. Andrew, maybe just following up on that a little bit. I mean clearly in this macro environment, close rates are very different, not just for you, but for everybody out there, right? I'm curious, though, how you feel about the pipeline and progress that you're seeing on the sales team transitioning to this more platform approach?

Yes. So we're very focused on pipeline, right? And much of the pipeline that we are closing now has been built well before we introduce these new offers. So we have -- as I think on the call, we talked about and we've talked about since, is some of the key deals -- we had some very nice deals that we thought were going to close in September and they pushed and they closed in October. Nobody likes to see that, but we are not seeing deals or opportunities being canceled, right? So it's timing, it's inspection. There's a few things we've looked at. One, increasing coverage ratios, making sure we feel better about that, making sure our sales teams and Tim and I spend a lot of time looking at inspection and deal-based buildups to make sure we feel confident about where we need to get to be. And then obviously, one of the things that all the security team is doing, and I think beyond security, is making sure the budgets are aligned to the where prioritized spending has occurred, right. And when we hear like, "Hey, this is an opportunity," you got to really inspect that and make sure. And tenured account execs know how to do this, but we've got to really make sure that everyone is really focused on this to make sure that we can get where we need to be.

Yes, absolutely. Maybe just the last question on this topic and some of the changes in the sales force. I mean the pricing and packaging here, I think, seems like a really important part of it. Can you just -- Andrew, just talk to us a little bit about that. And maybe more specifically, give us some examples of some of those changes in the pricing and packaging and how that might help, because productivity is something I think you're looking for. How might that help that productivity here in '23?

Yes. First on mind, I'll give a really simple example and that really highlights this. So I mentioned vulnerability management. It's still -- it's still important. People got to have a traditional program where they're looking at assessing their legacy on-prem environment, but no one's going to turn that off. But if you ask a CISO, let's say you had a $10 million or $100 million budget -- let's just pick a round number, $10 million. And you said how much of your $10 million in your security program have you allocated over here to something that's important, but maybe it's not strategically relevant? So what we have done is with our cloud risk complete offering, we said, "Look, we'll give you unlimited VM, unlimited, and provide you with end-to-end visibility around your potential risk environment for your traditional environment plus your cloud environment, and we're going to price that based on your cloud workloads. It's a pretty compelling proposition, right? So what does a CISO get? A CISO gets the ability to allocate dollars around where they strategically are investing as an organization, digital transformation, cloud, they get to be indexed on where workloads will grow over time while still protecting and getting visibility into their legacy environment. And this is important because many people have asked, is Rapid7 still focused on VM? Absolutely. We view it as a feature, not as a stand-alone offering, right? And that is a shift, and that's been part of our strategy. This wasn't something we just did in Q3 or Q2. We said, look, our customers want end-to-end risk visibility across their infrastructure, right? We're providing this. And we think we're one of the few companies that can meet the customer where they are, traditional VM cloud workloads, but we can actually bring end-to-end risk assessment, visibility, analytics and automation to help them get more out of that program. That's a simple example. Now obviously, if you can do that, we get share of environment and we get compelling ARR on a per customer basis with a clear path to growth over time.

And I would argue, compelling economics for the customer as well, right? That's interesting. Maybe -- so let's put a bow on some of the sales force stuff. I'd love to dig into just a couple of the product areas that I've always found fun. Maybe starting with just InsightIDR. And I mean Andrew, maybe for you, how do you sort of think about -- it's funny, we were doing the keynote, we asked about the SIEM market, got a funny response. I mean how do you think about the SIEM market? Is there still room for InsightIDR to continue taking share?

The simple answer is absolutely, right? Now why is that? The SIEM market was predicated on people being able to look at where they potentially are getting attacked. The challenge became is there's so many potential threats or alerts that people were getting, they were overwhelmed. And so what we saw was this need to -- if you're an analyst sitting on the SoC and you got to click on every alert, that's going to get very painful very quick, right? So what we felt like is a detection-based response would be, what if we could collect not just your log data, your endpoint telemetry, your network data, your user analytics, right? I could go on and on. What if we could bring that all into one engine that correlates, contextualizes and provides perspective on where risk might be and then it tells you, we think this is a higher risk than all that other stuff? And if you're that analyst, that'd be pretty compelling, right? There's a lot of SIEM workloads out there that people are still trying to figure out how to get to work. And we're like, look, the proposition, we just inverted the whole problem. We said, don't start with the assumption that can you get all the data in a SIEM. Start with, can you figure out where the threats are that you really care most about? And can you bring those things together? So the IDR product consolidated, again, 5, 6 plus offerings. Tim just mentioned threat intelligence. Threat intelligence on its own, very important, but what if I then bring dark web visibility in this? What if I bring digital risk protection into this, right? Again, you're that same analyst, do you want to be working in different tools? Or do you want one tool that does the hard work for you so you can spend your time doing really important stuff? So to answer your question, Saket, I think there is a great opportunity out there in the SIEM market because a lot of companies are still struggling with how to get their analysts and their SoC teams to a better place, because the modern attack surface, it isn't getting any easier, right? Getting more complex, more fractured, more fragmented. And so again, that's an opportunity for Rapid7 to help people get to a better outcome.

Yes. It's really interesting. So we've got about 7 or 8 minutes left here. Just before I switch to some financial questions here with Tim, any questions here from the audience? Tim, maybe for you, again, I'd love to shift to some more fun financial questions. I guess in conjunction with some of the scrutiny in sales cycles, you mentioned the word de-risking earlier. The team decided to adjust the ARR guide for the full year, I think to 19% to 20% growth. And you correct me there if I'm wrong. The question is, what was the thinking on this de-risking? And why is that the correct level?

If you're going to change the number, you only want to do it one time. So we wanted to be very thoughtful and de-risk it appropriately, and we believe that's what we've done. 19% to 20% is the range for this year. We really took a hard look at what was currently happening. What I referenced earlier, the challenges that we're seeing macroeconomic in Europe continue to persist, and it's a pretty strong headwind. And we also were starting to see signs in the mid-market category over here in the States. And we said, look, I think that's a risk area. And then to Andrew's earlier point, we're talking about pipeline and looking at coverage and knowing that some deals are taking longer to close, and we said we need more pipeline coverage in our model for the number for the quarter. So those were the factors that went into our point of view for the range that we put out for Q4 and the balance of the year.

Yes, that makes a lot of sense. Tim, I think another -- I think one of the other interesting points on the call was the operating margin beat. And then I think just the medium-term guide of free cash flow margin expanding by about 400 bps per year, again, you correct me there if I'm wrong.

That's right.

But I guess I was wondering if you could dig into a little bit of detail around how you got that leverage because [indiscernible].

It's a couple of different things. We've always had a framework. You referenced our colleague Sunil earlier. He's done a lot of great things for the company, but one of which was to create this growth and profitability framework probably, what, 2 years ago at the Investor Day. So that's something that we've had in mind and we've shared with the Street for some time. So it's not a new thing for us. And if you grow faster, we still think we can drive profitability, maybe just not as much as growing at a slower rate. So we've had, I think, an intelligent framework in place. Corey mentioned on the call that, look, we see 20% compound growth rate CAGR for the ARR between now and 2025. And the other piece of our Rule of 40 is free cash flow. And so we believe, based on our modeling, that we can generate 400 basis points per year of free cash flow improvement. And it comes at a variety of different areas. If you think of the entire P&L, we focus a lot on gross margin. We are a large AWS customer. We put a new contract in place with them with some better pricing. We have a team that is very focused on utilization of that platform and driving optimization, and they do great work across the board. You look at the labor component, and we have a lot of metrics. We were just going through this with Andrew the other day of what type of leverage we can get in gross margin from the labor component, based on the relationship of our team to the number of customers they support or the dollars of ARR that they support. So you're trying to look at a lot of different things. And our perspective is, we just want to drive leverage improvement year-over-year, and it can vary how much by area. That holds true for sales and marketing, R&D and G&A where we know we can do a better job and get a little more efficient than where we are today. So the finance team, we will set goals and targets for our colleagues that are running the operations. We have these healthy discussions as to what's the right amount of leverage and how do we get it, and that becomes the plan for next year. So we do a lot of work on that side. And R&D really comes down to looking at the different opportunities for investment and how we prioritize, and the type of returns that we want to see to compare one project to another. So it really goes across the entire enterprise that we're very focused on driving leverage because we believe we can do that.

Yes, absolutely. Maybe I'm going to take the leverage point and just maybe connect it back to the top line for a second. Tim, I think on the ARR targets for fiscal '25, I've always loved this disclosure just around the number of customers that you can back into sort of the ARR per customer. How do you sort of think about that equation in getting to that fiscal '25 target in terms of growth from the customer bases as opposed to growth in the ARR per customer?

Yes. We've always said there are 3 -- at least 3 levers of growth. We can -- we have about 11,000 customers today. We think that opportunity is 70,000, 74,000. So we have a lot of room to grow in the market with a huge TAM of acquiring new customers. And we said that should grow 5% to 10% a year. This past quarter, I think it was about 9% growth. And then we look at the ARR per customer. So how much of our product set are customers buying. This past quarter, we reported $63,000 of ARR per customer. We have a slide in the investor deck that shows an average customer, if they bought all of our products, could be $500,000. So we've got a long way to go in terms of wallet share to gain more. And we said, we think the ARR per customer can grow 10% to 15%. And last quarter, I think it was around 14%. And then you have international. Notwithstanding the challenges that we're having in EMEA right now, but we've all seen these cycles, they come and they do go, just a matter how long it takes to get through these things. International is about 20% of our business today. So we do think that as longer term is still a growth opportunity. So I'd say there's at least those 3 levers where we have the opportunity to grow to get to that longer-term target.

Yes, absolutely. Maybe in the last minute or so that we've got here, one of the last -- one of the questions that we're trying to ask all of our companies here at the conference, just given all the uncertainty around the macro is, how do you define this? I mean what percentage of the business, whether it's ARR or revenue, has historically come from new logos? And how has that done in prior downturns?

Yes. It's roughly 50-50, and it can fluctuate quarter-to-quarter, whether it's new in the land side or on the expand side. When you look at that new ARR, it fluctuates a little bit, but it's generally in that ZIP code.

Got it. Got it. Well, I think that's about all the time that we have. Andrew, Tim, thank you so much for being with us here today. Really enjoyed it.

Thank you.