Rapid7, Inc. (RPD) Earnings Call Transcript & Summary

Hey. Good afternoon, everybody. Thank you for joining us. My name is Hamza. I'm the cybersecurity analyst here at Morgan Stanley. And with me, privileged to have Andrew Burton, President and COO of Rapid7. Andrew, thank you so much for joining us.

Thank you for having me, for having us.

Before I get into it, just a brief programming note for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/disclosures.

With that, Andrew, who -- before we get into the weeds, talk a little bit about Rapid7, the platform as it's evolved in the last few years. What is it trying to solve? What do you mean when you talk about a broader platform for security operations?

Sure. So first, I'll start with a little bit of context around our target market or our ideal customer, which is -- as we all know, security teams are under resourced. They're over leveraged and the attack surface is expanding rapidly. So when we talk about security operations, it's really this idea of helping those teams operationalize their ability to understand what's going on in their environment, how they're being attacked or what threats they're facing and then how they can improve their security posture to manage -- to more effectively manage and protect their organization, right? Our platform, really, has evolved in this idea of to do that, first and foremost, you have to understand the attacker. You have to understand their techniques, their methods and what they're doing. And then you have to bring that insight to -- first and foremost, to the SOC to help them do their job more effectively, higher efficacy and higher efficiency. And then by doing that, helping that expertise get transferred into their security posture and how you can help these teams, improve their ability to protect their organization and address risk that may or may not be existing in that organization's environment, right? So we've linked this idea of understanding the attacker, understanding what's going on in the environment with their ability to improve their security posture, right? And connecting that is why we built our platform because it ultimately requires rich visibility and understanding around the attacker, the attacker techniques, the data and the environment and bringing that all together for a team that's really struggling to understand how to do that.

Makes sense. So then there are really 2 bundles to which you go to market. There's the Managed Threat Complete, more around the threat detection and response side. There's a Cloud Risk Complete, which you talked about, improving security posture, things like the core vulnerability management, cloud security posture management, et cetera. So that's super helpful. Maybe to level set, there's been a lot of debate lately around best-of-breed versus platform or platformization as it's been called now. There's a big opportunity for you to consolidate security budgets particularly within that mid-enterprise level. What are you seeing there? What is in the appetite for consolidation? Do you think it's going to be 1 vendor that dominates all the security budget? And how do you go about doing it while still maintaining best-of-breed?

Yes. It's a great question. There has been a lot of debate recently, a lot of discussion about this dynamic. So first, I would start with the customer, right? If you understand the environment in which the CISO is operating, we really focus on this mainstream enterprise environment, right, where there's a security team, and they're struggling to keep up with this expanding kind of threat facing the organization. So when we look at it through that lens, through the customer lens, what we see is a need for better outcomes, security outcomes, right? And this is not something new to Rapid7. We've been doing this, Hamza, as you know, for years now. It's talking about how do we improve the productivity of that security team. And the Managed Threat Complete offering was basically and is rooted in this idea of how do we help the SOC be more productive in understanding or detecting what's going on in their environment, contextualizing it and then responding and preventing those things from getting in their environment, right? If you want to call that platformization or consolidation, fair enough. But for us, it's ultimately about making the SOC more productive, more effective in a world that's increasingly fragmented and threat levels are going up, right? So that's the first one. Now the second one, to your point, of, well, how do we capture and how do we get share of wallet? Is that going to be -- many of these security programs have multiple vendors in there. Because they've tried to sell or deploy multiple tools, and we look at it from as, are there -- is there a value that's being realized, the outcome of better security operations. And that, to us, is a more integrated solution that allows for people to allocate dollars or a percentage of their program to be more successful to support that. So in our approach, it does give an economic advantage, but the economic advantage is secondary to the value that they get, right? A lot of vendors out there are talking about we're going to give away stuff for free. If I give you something for free but you don't see value in it, what's the purpose, right? Versus if I say, "Hey, I'm going to give you great value and compelling economics," that is what our platform does and it's something we've been doing for quite some time as we've talked about over the years. And so our, really, focus is on value or outcome for the security team and then allowing them to allocate dollars and budgets. And by doing that, there will be consolidation down because customers or security teams will be more successful, and they'll partner with us on a longer-term basis and a more durable basis to help them get to those better outcomes.

I think the other point that's come up though is there's a lot of legacy technical debt in security SOC today. And obviously, it's not easy to migrate or switch off of these vendors. So what are some of the things that as a platform you can do to ease those migration costs?

Yes, yes. So the first part is this dynamic where a lot of the security teams I talk with, they'll say, are they getting the levels of efficacy that they need to get, right? Are things getting caught, are things getting dispositioned, and are the teams being successful. So I think first, we see a lot of failed SIEM deployments managed service providers that don't have the level of coverage they need to have, right? So that's the first thing, right? Do they see a need. And to your point, they're like, well, I'm invested quite heavily in these different tools. So I need some flexibility or I need a great value proposition. So this is something that we actually have really shown a lot of value and is allowing people to reallocate or allocate dollars across their programs to cover more of the environment. One of the best examples that we've used recently is we have vulnerability management as a feature within our platform offerings, right? So we use an example, a customer could be spending let's call it, $100,000 in vulnerability management. We say, great, still cover that VM program, right? Come over to Rapid7, but that's going to be a feature of your broader offering. And we're also going to extend your coverage into the SOC, right? So you'll get more coverage for those dollars. And likely, they're going to spend a little bit more with us. And so they could double to, let's say, $200,000, but they still get the VM coverage and they get the broader SOC coverage. So that's what we talk about having that value proposition, being able to have better economics with better value.

Got it. Just from a broader macro perspective, we are seeing some mixed results from some vendors. I think on the network security side, that's not an area that you're in. There seems to be a bit of a slowdown on just the traditional vulnerability management side, which is now less than probably 40% of your ARR now, if I'm correct. Maybe there's been less of a prioritization. But in areas like XDR, EDR, we've seen increased demand. So I'm just curious, from a broader level, are you seeing any spending fatigue in security, number one? And number two, what are some of the main priorities in security right now? And how is Rapid7 levered to that?

Yes. I think by all measures, not just security but in IT, we're seeing people scrutinizing their spend and saying, are they getting the return of the value for that spend, right? And I think we saw it in the cloud workloads, you see it in IT infrastructure, and you definitely see in cyber. And so that's something we've talked about quite a bit, and it's something that we said CFOs and CEOs are looking carefully at, right, which is not just, "Are you going to get new spending," but, "The spending you have today, is it allocated in the best places," right? And so I think, first and foremost, that's where I'd start, right? Now on top of that, then we look and say, okay, where are we seeing participation rates or where people -- what's being prioritized, to your other part of your question. We are seeing detection and response-based approaches being prioritized within security, right? Because people effectively -- it kind of makes sense if you think about it, I need to understand, in this threat environment, what might be coming at me and being able to have a full coverage in the environment. It's not just end point, it's not just the cloud, it's across my attack surface, right? This is important because there are some vendors out there talking about, we're going to cover this or that. Our assumption is your data and your coverage needs to be across your attack surface, right? Not just one part of it, right? That was part of our approach. And so when you look at that, I think that supports our thesis as well, right? And then finally, we say, okay, it's being prioritized. It's important. There is continue to be -- we've talked about in CISOs are getting their budgets, right, in the year, but they're still heavily scrutinized, right? And for us, we still see this enterprise buying cycle. You see a little bit of Q2 and Q4 naturally become areas where CISOs are getting their budgets unlocked because the CFOs are able to have more fulsome view into their budget year, right? And so we've kind of talked about the scrutiny, we don't expect and nor should it go away. It's just more people really validating, am I getting value, is it important, and does it fit into my spending priorities.

On the detection and response side, on that for a little bit, we saw a ransomware attack almost double last year. You have AI creating more malware faster than ever before. Rapid7 does have an incident response business. Have you seen any flexion there as a result of that? And how does that drive conversation around adoption of the broader portfolio?

Yes. It is -- it's a good point. One, so the -- as you said, threat level's going up, which is inherently raising the level of importance of people having the detection response program. If there's an incident, that naturally leads to somebody raising their hand and saying, "Hey, I need some help," right? And so we see that dynamic definitely helping us, right? But to this point about, okay, how do we think about the value and the prioritization of this incurring? Absolutely. In this threat environment and having security teams that are under-resourced or overwhelmed, is -- being able to augment those teams is critical, right? And so that is an important aspect of this. And being able to continue to kind of leverage that or look at that is important. Now the -- so an IR program is really important, but it's also one that, as we've talked about in the past, will help us really demonstrate the value of a detection response program, which then helps us build our upsell/cross-sell strategy to a broader platform play as well, right? So it can be a point, but it's not the only point of our ability to land.

And just to -- IR program, you mean incident response?

Yes.

But also the Investor Relations...

Yes, yes, yes. Important to clarify.

Both. So we talked a little bit about the bundle. So last year, you had simplified the product offering with the Managed Threat Complete and the Cloud Risk Complete. You talked a little bit about what's included in that. What was the impetus of this? And then talk a little bit about the progress there. You talked about, I think, $100 million of ARR coming from these bundles. How did that do relative to your expectations?

Yes. I think -- well, I'll answer the last part first. I think it's -- to the expectations, I look at looked at -- look it through the lens of our customers looking for it, is that demand environment there. And I think to the expectations, I think it met or has exceeded that as an area of importance, so that's good, right? As -- in terms of what led to it was, again, our core thesis. And this is -- I know there's been a lot of commentary, especially in the last few weeks about platformization and consolidation, all these things. But this is something that, as you may recall, it started with our next-gen SIEM, where we said, are customers getting to the outcomes they need, are they getting the productivity they want to see. And so we had already been building out, in our core product offerings, this kind of core capability. I think in the macro environment, and we started to see that shift that occurred, the number of CISOs in the percentage market that started looking for, "Hey, you know what, in a tough economic environment, I need to really maximize every dollar." That was when we saw that begin to really come to the forefront, right? Now as you said -- you said this earlier and I probably should have highlighted it is, it doesn't mean you sacrifice quality. You have to have great coverage and great quality. That's not debatable, right? But now you get this question of, in a macro environment, you get this idea of, like, well, now I'm really being scrutinized. And as we all know, security and cyber is raised at the Board level, it raised at the CEO level. So people inherently want to know, am I getting the returns, and I getting the coverage I need. But then now you get this pressured macro, where people are looking at, "Have I bought technology or have I actually utilized deploying that into the outcome," right? And that, I think, is not going to go away, right? And I think it will be something that rightfully, in our opinion, should be heavily scrutinized and looked at across our industry is the rate of technology being spent versus its level of consumption and utilization to get the value, right? So I think that'll go up. And it's -- the packages, as you said, that's what led to them. And I think we are seeing some really nice continued demand for this. And it's continuing to support, not just continuing to drive that strategy, but now we're starting, Hamza, to layer on additional offerings that sit on top of those offerings so we can begin to kind of think of stair-stepping, right, 15% to 20% more uplift and offering more value more outcome and better economics.

Got it. So when a customer does buy the bundle with you, what does it look like from a growth potential standpoint and net retention standpoint? Are they more willing to expand with you as a result of that? I know it's early but...

No, it's a good example. So one of our -- we've talked quite a bit about focusing our customer base. So this largely VM customer base, right? We've been able to go to them and say, "Hey, take a spend level." Let's use my round number example, $100,000 of VM and say, "Okay, well, for $200,000, I can cover your VM and -- as well as your SOC, right, your security operations." That's MTC, right? So retention goes up, our ASP goes up, the ARR per customer goes up. And then now we're offering additional -- we just announced managed digital risk. So you'll see that now as a stair-step that we'll put on top, and we'll be able to talk about that as a value-added expansion opportunity as well, right? So that's into the customer base. One of the things that I think we've also talked about with new logos is seeing higher win rates, right? So more productive sales force, our ability to not just convert them but retain them. And then their -- then they actually provide, also, opportunity for us to stair-step and do expanded value.

So when you talk about Managed Threat Complete, obviously, a lot of things come to mind. There's a next-gen SIEM. There's the managed detection and response portfolio around that. I think Corey has been very thoughtful about -- and as you as well, have been very thoughtful about expanding into the SOC budget. Is it -- should we think about it as a SIEM replacement? Or is the view that we'll augment the SIEM initially and then over time, expand within the SOC and perhaps consume the SIEM?

Yes. I think it's a little bit of both, right? So let me start with the -- a lot of folks deployed SIEMs and say, well, this is going to be my SOC tool. We just found the legacy SIEM was not built to be -- or designed or architected to be in a detection-first approach, right? So I think a lot of that SIEM market is turning over effectively and there's a realization that you need to be a detection-first strategy, right? We were, I would say, if not the first, one of the first, really, lead with that. So I think you will see, and I think we will continue to see some of that SIEM market turnover as people realize they need something that's purpose-built for the SOC. Now to the second part, they say, "Okay, now if I've got something that's inherently detection-based, do I have an opportunity to expand what I can do for the security operations team?" And I would say, absolutely, right? So things we've been able to do around enriching the ability for that security operations analyst and we did this with our InsightIDR offering is bring more in context to their -- to the challenges they're facing, right? If you think about the -- a simple example. You're a security operations analyst. You're facing all of these alerts and notifications of potential detections, what do you need? You need context so you can process and understand what's going on, right? So we talk about enrichment, right, and adding capabilities to enrich the experience for the SOC analyst to be more effective, right? So first is detection. Second is enrichment. The third is disposition. Okay. Now I'm been able to make an informed decision of what I need to do. So I want to make sure I get that right. And then being able to then connect that to what those -- to those teams that are going to work with. One of the biggest things I get asked about is this is not about having the SOC necessarily manage your security posture. It's allowing them to provide that insight to those other security teams or the cloud ops teams or the infrastructure ops teams to be able to adjust their security posture accordingly, right? So that's a way to think about disposition leads to action or remediation. And so that's a way to think about that, effectively, workflow is where the SIEM is an important element. And we've talked about our ability to really be successful there. But there is this opportunity, this macro opportunity, this longer-term opportunity to continue to drive better coverage efficacy and protection, through connecting these things together. And we can talk about AI, if you want, but I think that goes into play. But it is something that is, I think, very compelling for a lot of the customers we chat with.

Yes. Let's talk a little bit about AI. Obviously, top of du jour. I think there are a couple of somewhat unique things with Rapid7. One is using generative AI and you've been using, I'm sure, AI for a long time to automate security operations capabilities that you offer to customers, but then also using generative AI to make your SOC analysts or the managed services more efficient. So maybe talk a little bit about both those angles.

Yes. No, it's great. And so I'll use that same context, right, of as you said, AI, you've got ML, you've got LLMs and you've got everything else in between, right? So we use each layer of each step of what I was describing earlier. So first, are we able to detect and pick up things in the environment, right? We've been using ML and AI in there. Absolutely, we continue to enrich that, make that stronger. The adding context where we see a lot of the LLM models really helping us contextualize and draw connections that previously an analyst -- expensive analyst would often have to do. And so you can begin to see maybe some both leverage we'll get there as well as higher rates of contextualizing where things should be assessed or identified, right? The third one is the one I think -- where chat, traditional interactive-based -- some of the LLM stuff comes in, which is now as an analyst, if I want to interact with and understand more about what's going on and begin to actually -- something has been detected, something has been contextualized and now I need to start taking action on it. Traditionally, that would be someone that'd be a highly trained individual that would spend a lot of time with. That's a lot where the LLM or the chat-based tools come into play, right, where now can start interacting. Now that can be in our SOC, can be our partner SOC so we can extend that out to our partners, to our MSSP partners and other partners and to our customers, right? Now we have, as you said, been running AI models for quite some time. The beautiful part of what we have is we run 24/7 our own global SOC, so we know and we're able to use and deploy these technologies, pilot them, get them to the rates we want to see level of efficacy and coverage. And then we can begin to deploy them into our ecosystem, our partner ecosystem and our customer ecosystem. But we've walked in, as they say, we've walked in their shoes first, so that then we can then make sure that they're getting what they need, right? So that's where you get that on the ability to just contextualize, but also be able to interact or understand what you're looking at, right? Now the fourth one is one that I think doesn't get a ton of attention, which is you can also use AI models to ensure your quality and levels of efficacy are maintained, right? Because the biggest -- one of the biggest risks that you run into is, okay, I'm addressing this, but am I elevating my standard for my security program. And the AI models, think of that as they're a backplane to, not only detect stuff, not only contextualize stuff, helping your analysts be more productive, but also ensure that your levels of quality are not -- they're not going down on the weekends or nights or whatever the case may be. So you're able to make sure, what do we know, like, security, you only have to get it wrong once and you're in trouble. That's where the AI models really begin to continue to elevate your levels of quality and standard of care around making sure that your security program or your SOC is operating effectively.

Yes. And then maybe one more question on that front before I open it up to the audience. But I think we've seen among a lot of MSSPs and MDR firms that you compete with, the customer satisfaction has gone down a bit because it's so hard to get high-quality security analyst. You've got to pay sometimes $0.25 million-plus, if not more. So when you think about using generative AI or AI within -- internally, how is it improving the utilization rate of the security analyst that you're offering as part of your managed service of the business?

Yes, I think it's very exciting. I'll just say it that way. It's exciting because, one, we can make sure that the customers are getting to the level of protection they need. Two is you mentioned the cost. These analysts are really expensive and there's only so many of them, right? So we can actually begin to elevate and automate some of that level of protection and get leverage in model more effectively. So the simple -- let's call it rule of thumb is operating a service and product gross margins, right? And that's something where, over time -- not overnight, but over time, we believe that AI really becomes an enabler and not just for the SOC, but you see this with engineering, right? Software engineering, right? We're seeing this more and more every day where people are using AI to help software developers be more productive. We'll see that. You'll see the ability to make SOC analysts more productive, right? That's an area, right? The ability for us to really drive more effectiveness throughout the security life cycle, right? So I think this is going to be something, over time, that we'll see productivity gains, but not at the expense of quality, not at the expense of coverage, which is why I get excited, right? Because traditionally, as you said, a lot of MSSPs, they're trying to get to stronger economic models, but the [ dissat ] starts to kick in. And so then they see customer churn. Well, this is really this -- imagine an environment where you can improve sat, improve coverage, but also have improving economics, so that's why I get excited.

Yes, that's super exciting. Any questions from the audience before I continue? There's definitely a lot more. Okay. I want to dig into Cloud Risk Complete. So there's the vulnerability management side, where you've been a leader in for a while, then there's the cloud security side. I had an investor earlier asked me, "Hey, how does Rapid7 compete in the cloud security market?" One, do you feel like you have a full cloud security portfolio, what Gartner terms as CNAPP? And what's sort of the growth trajectory there these days?

Yes. So the simple answer, I would say yes, right? But I think it's a little more nuanced. A lot of the cloud security spend has occurred in cloud-native environments, right? And that's where early adopters naturally go, right? And CNAPP or CSPM and the cloud workload protection, there's these various capabilities in the cloud that are consolidating in more singular offerings, right? Our thesis has been -- and we have the CSPM capabilities, we have the workload protection. We have entitlements there, so we have it. But our belief is that the CISO needs to look across their environment, of which the cloud is a critical element, but it's not the only element, right? And so what you'll see, and I think you'll see this with our VM base, where customers say, "I need to assess my workloads." Great. As the cloud becomes more broader penetrated in these environments, CISOs want to know what is their security risk, what does that posture look like across the environment. So I would say, not only do we have the cloud security capabilities but we're extending it so that it doesn't stop or just start only in the cloud environment. It goes across their environment. So in a multi-cloud environment as well as a traditional environment, we can contextualize risk, we can help them understand their security posture and understand how to address it, right? And so that is an important element. Yes, we have the cloud security elements, but we believe the broader opportunity is in the right to participate in the market, longer term, will be based on 2 things: broader risk claim with a really favorable value economic proposition. I think there is this -- I think there are some dynamics out in the market where people price maximized in cloud security. And our belief is always this is going to be a component of your security program, not the entirety of your program.

I think we have a question here.

So you guys have reengineered your cost structure in the last year. And looking at kind of the year-over-year improvement in profitability into last year and you talked about doubling profitability in this year more than at least doubling this year, there's a lot of, like, onetime restructuring elements to that. As we think about go forward, building on 2024 base, what should be kind of the ongoing expectation of how much revenue growth translates into, call it, EBITDA margins or free cash flow?

Yes. I'll set a little context because folks in the room are not familiar. So last year, we did a restructuring. And the reason we did that is we want to set up what we will frame is balanced growth or profitability and growth story, right, being able to have both levers. And so when we did that, we felt like it was one, was being able to do some restructuring in the company to help support that more efficient and durable growth model, but also have more efficient and durable profitability, right? So we doubled -- we talked about doubling our free cash flow. And our free cash flow is largely driven off our -- function of our ARR, right -- ARR growth. But it is -- we have said that the growth that I think many folks were chasing previously and including ourselves, was very expensive growth. And so what we said is our backstop, we're having that profit profile will allow us to continue to grow. But if we see the macro changing, right, we'll be able to pursue growth efficiently, but we don't need that to change. So I think we've set up the model to allow for both levers to be able to be balanced off each other. And then when we look at the longer-term opportunity, I think we've said that the current environment is stable. But as we start looking at the back half of this year and we look at next year, we believe that, that efficient growth, we can reaccelerate because we'll be able to drive some of this pricing and packaging and consolidation effort out of our base.

Some of your competitors have margins in the high 30%, 40%. Is it reasonable to expect contribution margins on growth kind of beyond this year to be in that range?

I would say our -- long term, we're going to continue to drive our margin or free cash flow growth. I think we haven't gone beyond our current model to talk about the specific targets yet. We're having a discussion internally about when we'll update those. But I'd say we feel very good about this balance between the growth and profitability targets.

Just on some of the structural improvements that you're making on the profitability line. It sounds like sales productivity is a big one because you been able to continue to grow at a healthy low to mid-teens rate despite what was a significant head count reduction last year. So talk a little bit about that. Now that you have salespeople selling more stuff effectively, how is that driving more sales and marketing leverage?

Yes. I think it's twofold, Hamza. First is, like you said, is we needed to rightsize and get the right structure, not just in sales but across the business in place. We feel like with our sales engine, that was really rooted around our platform go-to-market, right, and driving a dominant land and dominant expand motion. So make sure everybody is really successful in doing that. Two is, as we look at this year, we look at that productivity on a per head basis. We feel very comfortable with the room we have, and we look at productivity on a per [ basis ]. So for over a multi-period basis, it's something we look at by market, by segment, et cetera. And so we feel like we're set up well to continue to manage that near-term opportunity for growth using our current investment levels. And then -- and longer term, if we see that landscape start to change, we can add capacity if we need to, but we don't have to in this current profile, right? So it's really one, in the team; two, in the go-to-market or the offerings that we bring to market, which is largely what we introduced in 2023, and now we're seeing a lot of higher win rates and productivity rates there; and then three, it sets us up for that longer term kind of growth and profitability profile.

And the other thing I wanted to double-click on that you mentioned, which I thought was really important was the gross margin side, right? There is a services element in Rapid7 to the revenue stream, but getting the services gross margins to product gross margins over time. Talk a little bit about some of the structural improvements you're making there.

Yes. I think there's been a few areas. So part of the restructuring, the restructuring are not just on the go-to-market side, it was also on some of the engineering side. And we had made some acquisitions over the years, and we reconcile that into a more singular engineering organization and a more singular operations team, right? So we've kind of brought that together and kind of unified that structurally. And I think that's something that we'll be able and we've operationalized on a go-forward basis. Two is, I think our investments of -- in our innovation centers, we have innovation centers we're opening up around the world, lower-cost locations. So I think we'll begin to see that contribution as well. And then three, I think some of the productivity on the engineer -- per engineer basis, we talked a little bit about some of the AI stuff. But I think in general, being able to really operationalize this idea of the contribution of where we build something at what cost profile and what levels of productivity, right? So we'll see that, I think, increasingly be something we'll be doing, but also I think you'd see a lot more of that in the industry as well.

Last question for me. There are not a lot of public cybersecurity or software companies in general that are growing 30%, let alone 20%. I think the majority of the sector is not growing 20% on the public side these days. I'm curious, as you look out longer term, I'm not asking for longer-term targets here, but is the ambition to get back to a 20% top-line growth? So when you think about balancing growth and profitability, if you can get to 20% growth again, do you see the need to maybe invest more towards that?

Yes. So I'll answer it first. We believe we've got a durable and differentiated advantage in our strategy. And so the first thing I'd look at is are we well positioned; two, is are we participating in markets that are important and valuable for security teams; and then three, how do we -- is our right to win going to be more favorable over time. And I would say, yes, on all 3 of those points, right? Our longer-term target model is something we'll be updating, but I think we've said, hey, we still believe, over time, that Rule of 40 is still our North Star. Now that balance between growth and profitability, we haven't talked about specific targets there per se. But I do believe, and we do believe that reaccelerating growth will be important, and the ARR growth is what will help us drive that free cash flow, right? So I think we do believe, and I think we have set up well using these platform offerings, using this ability to drive more into our installed base and deliver more value sets us up in the long term. We've also talked about allocating or spending or investing in our R&D line to help support that so that we're able to drive mid- and long-term growth in our product strategy.

Okay. Great. Andrew, Elizabeth, thank you so much for joining us. And thank you, everyone, for coming.

Thank you.

All right.