Rapid7, Inc. (RPD) Earnings Call Transcript & Summary

March 5, 2025

NASDAQ, US, Information Technology, Software, conference presentation, 30 min

Earnings Call Speaker Segments

Hamza Fodderwala

analyst
#1

All right. Well, good morning, everybody. Welcome to Day 3 of the Morgan Stanley TMT Conference. My name is Hamza from Morgan Stanley. I'm delighted to have Corey Thomas, CEO Rapid7. Before I begin, just a brief programming note. For important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/disclosures. With that, Corey, first of all thank you so much for being here. It's always an honor and a privilege to host you and looking forward to the conversation.

Corey Thomas

executive
#2

Thank you so much for having me.

Hamza Fodderwala

analyst
#3

Great. So look, Corey, maybe just on the high level, Rapid7 has been through some transitions. It started off as a traditional vulnerability management company 5, 10 years ago now, but it's a much different company today. So I'd love for you to just high level, just walk us through what that platform transition has been?

Corey Thomas

executive
#4

Yes. So as you said, Hamza, we start off as a traditional -- you can think about the traditional vulnerability management, the on-prem vulnerability management. And one of our core markets was the mid-market. So we were a leader in traditional vulnerability management in the mid-market. The interesting thing about that experience is that when you initially start serving sort of like midsized enterprises, you also get a pretty good view into what a resource-constrained organizations need, what are they going to do? How do they actually think about security? So we had an early view on to some of the constraints that were placed on enterprises, that we believe we're going to be replicated by both likely just mid, but like larger organizations all over the world as security became a bigger pressure point, there was going to be a harder time that people are going to have to manage-in their security operations. And so the things that we actually learned from that and part of the path that we actually went down were, how do you actually help security operations professionals understand their environment, identify risk, manage compliance and monitor the environment at quality and scale. What we heard from our customers at that time is that they were struggling to actually get quality efficacy and scale at a reasonable price point in their operations. And so myself along with our team, we made some pretty aggressive investments to say, "Okay, how do we actually solve this"? And it was an early form of consolidation, you know we all talk about today. And in that time period, we started building out our detection and response business because if you look at the 2 core pillars of security operations, it's how do I assess risk in my environment? How do I understand my environment? How do I access risk in my environment? How do I monitor my environment? And so we actually built out our detection and response practice to actually monitor the environment. 
Our vulnerability management was the core part of the risk environment. And then as cloud security came along, we started investing in understanding the risk of the cloud and also monitoring the cloud environment. If you zoom out to where we are today. If you look at our recent investments last year, we made a massive investment in understanding integrated risk across the environment. So that's not just sort of like the risk that Rapid7 identifies, it's actually consolidating risk across every security and technology provider in the environment to understand what's the attack surface? What are your compliance gaps? What are your controlled gaps and what are your misconfiguration gaps in the environment. And then we're leveraging that across the entire environment, endpoint cloud on-prem. And then how do we actually help customers monitor the environment. So if you look today is we have an end-to-end platform that assess the entire attack surface, understand it's risk and compliance across the attack surface and monitors the attack surface. We augment that with our managed detection response offering that actually leverages both AI and automation to drive scale. But there -- if you [ looked at ] one of the big assumptions that we made in 2021 that we have even more conviction on today after seeing -- what we're seeing is we say, in the next 10 years, there'll be less than 10% of the organization in the world that can run a true 24/7 [indiscernible] and SOC. And so we said, listen, how do we actually do that at scale and at quality and at a price point that customers can afford. And we start off by adopting massive amounts of automation. We also built our own productize MDR service. So we productized it [ end-to-end ] ourselves. We focus on integrating with the leading technologies in the world. And as AI came along, we focused on adopting AI. But if you look at our stack, we're augmenting customers' ability to actually manage security operations. 
We're doing that in an environment that is changing our business model. The on-prem mid-market, sort of like it's not a growth engine. But if you look and you actually zoom out is customers actually are looking for not to completely outsource but they're looking for a partner that can actually help them scale the management of their security operations. And we think we've built both the platform and the technology and the centers of excellence to actually help customers scale that.

Hamza Fodderwala

analyst
#5

Got it. That's really helpful. And right now, Rapid7, like you mentioned, is really addressing the core pillar of security, whether it's risk exposure management, now Detection and Response. But the detection and response really has been it feels like the crown jewel asset, if you will. It's over half the business or roughly half the business. I think last quarter, you said it was $400 million plus in ARR. 75% of that was the managed Detection and Response. I wanted to hone in a little bit on that. I think it makes -- the MDR space has seen a lot of growth in recent years. I'm curious, when you think about scaling that because there is a services component. What are some of the opportunities and challenges you see there? And then how does AI sort of fit into that dynamic?

Corey Thomas

executive
#6

Yes. So like one is that our requirements are -- the economics have to scale good for the customer, but they also have to scale well for us, like you can't have any door. So there's a couple of things that we're obsessed about. We're obsessed about doing it efficiently, but also effectively the customers -- there's a couple of precursors. One, more than I'm trying to think about any other provider that actually offers an MDR service, we have a more integrated in stack. Other people have to actually sort of like subsume and spend money or the customer has to spend money on Azure Sentinel or Splunk or other stuff in their environment. Arctic Wolf guys have their own stack to run it. But we really focused on building an integrated world-class stack that is also validated by customers on usage. So like Arctic Wolf has a great stack but like we sell our tech stack customer. So the majority of the use. And so when you think about what it takes to actually sort of like scale it and get the efficacy is, one, you actually do have to have an incredibly strong tech stack that you actually own the core pieces in the data [ storage ], the data analysis engine, the core SIEM technology, but you have to have the core pieces of the engine sort of like in-house, if you're actually going to scale efficiently and economically. The second piece of that equation that enables you to sell is you've got to be massive users of automation in AI. It just doesn't work if you actually can't sort of like leverage automation and AI effectively across the environment. And then you actually have to take your product expertise and like the mentality that we have. If you look at our MDR SOC leaders right now is it is a mentality this is everything that they actually do, our technology needs to actually be doing -- like if you take what our [ junior analyst says ], anything that they do, our technology needs to actually be doing within a year. And so they have a tight feedback loop and a tight cycle. 
So we're scaling with technology. We're delivering the gross margins that are -- I would just say that like we've also not -- we've grown well, but we've left money on the table because our take has been like we are actually going to grow as long as we can actually grow efficiently. We've unlocked massive volumes of the potential growth right now and part of why we're accelerating our investments in AI is that the ability of our teams to actually have our technology do more of the work. And our team focuses on the longer horizon is sort of improving year after year as we actually move on. But that core to scale is you got to own your technology set, you got to leverage automation and AI. And then you have to have a massive engine to actually process third-party telemetry across the environment. So we're processing Palo Alto and CrowdStrike, Sentinel ones. But like you got to be able to process other people's data and telemetry reconcile that with your own data that you're collecting natively across the environment with the cloud data and do that efficiently. And so the efficiency and efficacy of the engine has been a massive investment for us.

Hamza Fodderwala

analyst
#7

That's really helpful. And in some ways, if I may, it's almost a bit like service-as-a-software. We've seen other companies do a similar approach, great companies who have done very well in the last couple of years. And so really, it's predicated on customer being on the Rapid7 platform, having that data having [indiscernible].

Corey Thomas

executive
#8

We require customers to be on the [ Rapid7 ]. And that doesn't mean we don't want -- we have a great relation with Microsoft where we connect and like work with sort of like their stack. But like yes, the core processing is on the Rapid7 platform because that's what gives us and the customer economic scale. And I would just say, look, most of the players in this space or services companies that have different degrees of great integration stories. There's an advantage to being a product company that's building an MDR product. And there are -- and that is that sort of like that services-as-a-software, somewhat like a mentality, which is almost sort of like a reorientation.

Hamza Fodderwala

analyst
#9

Yes. But important point being that it's very much a product-led [indiscernible] maybe going back to AI. One of the questions I've got just on the MDR space in general is to what extent is AI going to allow you to scale more efficiently versus AI being used to perhaps automate, maybe commoditize some of the services that are being offered. What are your thoughts on that? How does Rapid7 kind of defend itself from it?

Corey Thomas

executive
#10

So it should do both. I mean just to be clear, so the way to think about like AI, there's a bunch of stuff. And I think services companies want to do this, and we're a net beneficiary so we know firsthand of it and there's a bunch of stuff that AI not just is doing that humans don't want to do. It's also doing things that humans do poorly, meaning that they do it very inconsistently. And so that stuff is easy, that stuff comes off the table. And in fairness, anyone can actually go do that. So you can say that that's a pressure -- that's the pressure point. We see it as a core advantage point because we want our SOC analysts and our teams to one of the most valuable work. And in fact, they're happy to go do the most valuable work. Humans are not good at being consistent every moment of every day. And so we want them doing the most valuable work. The second thing I think that while it drives a core advantage for us is that security is a dynamic environment. And so if you look at like where AI is exceptional, AI is exceptional and actually taking massive quantities and volumes of data and doing 2 things, it's making sure that you can actually process sort of like common pattern to common page repeatedly or identifying [ edge ] cases and [ edge ] ranges. A lot of security though, is the frontier of security research because there's new things that happened. Something that was vulnerable yesterday -- something that was invulnerable yesterday is actually vulnerable today. That's a new thing. There's no history there. And so security has lots of things with actually no history. You did not have the safety environment today that you actually had yesterday. So we think we're a net advantage of AI for sort of like 3 distinctive reasons that are actually -- that are actually, I think, incredibly important. The first one is just like you're going to have advantage for organizations that actually have better quality of data and larger sets of data. 
We have both the customers' data that we actually manage. But we -- because we have 10,000 customers that just use our raw technology across the environment. We have access to sort of like all of that data to actually train our model zones. Like in comparison to almost any other MDR player in the market -- not any, but like people that do these -- sort of like the software-as-a-service thing, is we're top demand in terms of the data advantage that we actually have. The second piece that we actually sort of like have is my belief -- our belief is the best AI in the world for security is not unidimensional. So what most people do, if you look at most of those start-ups, they're taking a unidimensional view of AI and training it on the activity data in the environment. They're training on the logs or they're training on the activity data you actually get out of APIs. That's the unit metrics, activity data. Here's what's happening in the environment and they're training it on what's happening in the environment. We, I think, uniquely to security have a multidimensional model. We're training on yes, the activity data. But unique amongst almost all the players in detection and response space, we actually know the state of the environment. This is why we've made a massive investment in the attack surface management and [indiscernible] within the an asset management space because it's not enough to know the vulnerabilities. We actually know what every piece of technology you have in the environment, how is it configured? What are the controls you actually have in the environment? What are the controls gaps. So what other people say, this has happened in the environment, we can say this is happening in the environment, and here's the state of the controls and configurations and whether you're susceptible or not susceptible to the environment. It's materially different. There's a measles outbreak somewhere is that like we know who's been vaccinated. 
And so our competitors just know that like there's measles in this space. We actually know who's been vaccinated, who's not been vaccinated. This is why we had a big investment in understanding the state of the environment because the activity relates to the state of the environment is an attack that's successful in one organization has nothing to do with what's successful in another organization. So that's the second sort of like vector. The third vector that's actually material is we actually have the process data because we actually have security analysts and operators that are doing like -- this is part of my CrowdStrike. They actually have like security operators that actually given the feedback about like, here's what we see, here is the researchers, here's what should be programmed in. So if the process [indiscernible] operators, the state data about what's the state of this environment and how that relates to that activity is a unique platform to actually leverage AI going forward. And that's part of like we made the -- investments we made last year, but that's also why we actually doubled down on some of the investments this year to accelerate that.

Hamza Fodderwala

analyst
#11

Makes a ton of sense. And I think one of the things that you can also do with that data, I imagine, is because you know who's been vaccinated to use your analogy, you're reducing the number of alerts that, that customer may have or with your -- some of your service [indiscernible].

Corey Thomas

executive
#12

This is successful. This is not successful. Because, I mean, all of that stuff, if you know it, you actually sort of like and actually decide what matters. And that actually gets rid of a lot of inefficiency, that makes the solutions a lot more effective. And that creates economic advantage for us and our customers because that allows us to manage their environment much more effectively.

Hamza Fodderwala

analyst
#13

Are there any examples maybe you could share where high level or numbers, but where you came into a customer, they adopted the platform and they did see that significant alert or cost reduction?

Corey Thomas

executive
#14

Oh, yes. Look, if you look right now is that we are able -- the most people that are actually doing their own SOC today or a -- I would just say, it's actually a very common thing that we actually go in. Our value proposition we going to a customer is that we will actually give them 3 advantages out of the gates, we'll monitor more of the environment, they will actually see less noise and the things that they'll see will be more relevant and they'll actually have 24/7 coverage, so like out of the box. And they'll have reconciliation across all their data and all of their alert streams. And so we had a customer that -- I just saw this alert this morning is we had -- because I'm an executive sponsor for the customer. We had a customer that deployed 2 weeks ago the customer advisers sent the feedback from the customer is -- they decide unbeknown to us to actually do a red teaming test in their environment, just to sort of like [ tech and tunes ], is the customer said, this is the -- they said you caught it within 2 minutes. This is the fastest time I've seen it and that was the only alert you actually sort of like progressed in the environment. And like we've been doing these tests for like the last 2 years. And if they were caught, it actually was caught like within days, not minutes, and we were still getting lots of noise in the process. But that's just one example of sort of like our value proposition that we offer.

Hamza Fodderwala

analyst
#15

Yes. As you mentioned, this is not something that you started doing just 1 or 2 years, this is an evolution of a platform?

Corey Thomas

executive
#16

We started investing in this in 2015, and it was slow going, but we started building out this because, again, we saw in the early mid-market installed base is, they had 0 chances of being able to run a 24/7 SOC. Now what we learned over time is we have some of the largest Fortune 500 manufacturers is actually customers. That's one of the big area of strength is we've been expanding that to actually deliver or like more customized services from larger customers. If you talk to a large manufacturer, they cannot afford the stack. Their environments are massive. And their security teams even 10 to 20 people just not big enough to actually manage the scope of the environment. So this is how you actually scale your security operations is a really big deal for a lot of organizations.

Hamza Fodderwala

analyst
#17

Yes. Maybe without disclosing any numbers, but when a customer does get on the detection and response platform or the full platform, do you tend to see higher levels of stickiness or expansion rates as a result of that?

Corey Thomas

executive
#18

What we've heard from people that have done the market comparisons is that our retention rates for that service are amongst the highest in the industry overall when compared to sort of like peers and benchmarks. They're definitely higher than what our traditional vulnerability management was. Keep in mind, like the headwind that we have in vulnerability, [ kind of a ] headwind. The thing that we have in vulnerability management is that it's a sticky business. But be it market vulnerability management is not a growing business, and that's a big part of our installed base. And so we had to have growth in other areas which may be different if you have federal large enterprise and orientation there. So not only is it actually stickier. It also has better sort of like customer growth dynamics, in our dynamics.

Hamza Fodderwala

analyst
#19

One more question from my end then I'd love to open up to the audience for Q&A. You're certainly not start of opportunity. There's a big market out there in detection and response in all the areas that you're covering. There had been some organizational changes in the last year from a go-to-market standpoint. It did seem like last quarter on the Q4 earnings call, you sound a lot more upbeat that those changes were largely behind you. So maybe what are you excited about heading into 2025? And what were some of those changes that never made?

Corey Thomas

executive
#20

Yes. So well, the excitement is that this is the first time in a while that we actually have had the full product portfolio being updated, we have the opportunity to actually upgrade our installed base. We'll see what's the pace and the velocity of sort of like the upgrading and installed base, but that's extraordinary exciting for us and our sales [ cycles ], even in the environment that we're actually in today. The changes that we actually made from an overall sales perspective, we've actually been focused much more on our partnership and distribution ecosystem which is a major focus, we've also been focusing on aligning and rationalizing our teams to actually be more customer [ pod ] focused, where instead of having like 3 or 4 different organizations where -- keep in mind, one of the things with the MDR services you have customer advisers. So you could have a customer adviser, a customer success manager and AE, a salesforce, a TAM and they're disconnected. We've actually focused on actually having teams that support customers. So it's not a massive change to the model, but we actually want a team based where our customers have a specific team with a specific point person that's in charge, that gives the customer both accountability and frankly allows us to scale that engine much better overall. So those were some of the bigger changes that we actually made in the last year.

Hamza Fodderwala

analyst
#21

Any questions from the audience? We got one here.

Unknown Analyst

analyst
#22

It sounds like you have different components of the business with different growth profiles. So can you elaborate on what the mix is and what the relative growth rates are of those various businesses? And is there some inflection point that you hit when the MDR business gets to a certain scale or a certain percentage of the business.

Corey Thomas

executive
#23

Yes. I mean part of what we talked about it because I do think we're approaching that inflection point. So our D&R business overall, which MDR is a part of -- the reason actually it's a part of it because strategically, the unit volume is actually one the technology side which actually gives us lots of data telemetry, but that's roughly -- it's a little bit under half of the business cycle, quite half the business but it's a little bit under half the business. We talked about being a $400-ish million business, that's growing in the teens. And we actually think that there is both durability of growth there with the investments that we're making, but also ranges to actually have an improvement in there because we're not addressing all of the market today, like we have lots of enterprise customers that want us. They're like, "We love your service". We've heard great things about it or we work [ within ] other companies. But you need to actually manage these custom workloads because of like, hey, can you manage Epic, Epic is a pain, if you've have seen 1 Epic installation, you've seen 1 epic installation. So like how do you deliver that more customized service there. So we think we have growth aperture there overall. The other side of the equation is the -- it's not just vulnerability management. It was the largest piece of the business. And you can actually think about that business as sort of like being closer to like a flattish business. But this is the first time that we've actually had an upgrade cycle with our exposure command offering in many, many years. And so we actually think we actually have upside. Now we don't know the pace and velocity of upgrades, like I always think about when you have upgrade cycles, do you get to sort of like 30% of the business in 3 years or 70% of the business in 3 years. 
And part of what we're making our investments is the customers love the integrated view, they want to accelerate compliance and they want to continue to accelerate cloud. And so we actually see lots of opportunity to drive upgrades in that cycle there. And so those are the 2 sort of like if you say like, listen, even if you don't have net improvements in that risk, about VM side of the business, we think that the growth rates in the D&R give us some comfort about sort of like the sustainability, durability. And we think we're almost through the cycle where you have like the D&R cycles are their bigger ASPs, longer deal cycles, which just calls its own separate ship in the business. But we do see the ability to actually have upside on that risk and exposure management business as we upgrade the installed base.

Unknown Analyst

analyst
#24

I have a question about the competitive landscape. And as you go upmarket versus mid-market, do you start to see some of the platforms are to offer the same type of service -- integrate your type of services into their platforms?

Corey Thomas

executive
#25

I mean the -- so it depends on what the -- I would just say the exposure management cloud security market is going to be a congested sort of like competitive market. And so like we're really measuring ourselves about like what percentage of the installed base that we actually upgrade over time. Keep in mind, we make a lot of money like getting to like 1/3 or half of our like our installed base at a 10% to 20% uplift. So it's not like -- so the economics of that and turning that into a positive momentum story or not a mystery. That's where we're very focused about like how we deliver better quality of service to the customers overall there. Seeding that out to more customers is great, but that's almost upside to just the upgrade cycle that we're actually in now. But that is a competitive market. Make no mistake, we have some strong competitors there but we do -- we know we would be able to upgrade a good portion of our installed base, and we see early momentum, early side there. So the economics of growth, there's lots of opportunities to actually monetize that. On the detection and response, we actually love the business there. I mean that is a massively fragmented business. Yes, you see a wide range of stuff. You see a bunch of private companies that are services companies with great technology integration you have CrowdStrike, which has a great product where they actually manage their stack. But our value proposition of actually managing an entire SOC processing all of their data and doing that at better cost economics and better scale than anyone else, is I believe we're going to be top 3 there, we are now. I think we're going to be top 3 there for a long time. I think the investments that we're making are continuing to extend the differentiation there. That's a massively fragmented market with 600-plus providers with different approaches. And I think our approach is strong and it resonates and it's actually different. 
Yes, there will be some people that will like do outsourced Accenture, and that will be the right thing for them. There will be some people that will actually have a to have a different orientation, focused on price. But I think there's plenty of growth opportunity in that market because the key thing is that, again, customers will have to have 24/7 monitoring, and it is a small fraction of customers that can run their own 24/7 SOC around the world. The market trends are actually moving in that direction.

Unknown Analyst

analyst
#26

And you mentioned about new ways of monetizing some of the things you're doing and sort of ingesting a lot of third-party data and going after the threat. Could you elaborate on any of those? Or are those still going to come?

Corey Thomas

executive
#27

So I'll just say there -- the one thing that we've actually learned after sort of like not being thoughtful enough about what we actually in the year past is. We'll talk about the results that we expect after we sort of like demonstrate the progress. But I'll tell you the things that we're actually focused on. We're working with some of our larger manufacturing customers about how do we actually sort of like monitor -- we have a good core monitoring of the environment. They want lots more customized monitoring. That's been the purview of what I would just say is relatively higher-priced, more expensive services-oriented companies, we are actually commoditizing that sort of like services-oriented business, by actually applying software and AI to actually monitor a lot more of the environment at scale. We're doing that right now. We launched the initial versions of that last year. That's an example of it. Last year, on top of our platform, we offered -- launched our first version of our red teaming as a Service, where we'll do -- we're leveraging, again, world-class penetration testers and red teamers. That's a business that is typically all -- historically has either been crowdsourced or has actually required deep expertise. We're having our teams provide the intelligence and the engines and the oversight of it, but they're managing AI models that go across that actually do sort of consistent red teaming. We're starting with the external attack surface that I actually think is going to see good uptick as we actually move along. But those are just 2 examples of where we're actually sort of like extending the service.

Unknown Analyst

analyst
#28

It looks like you've expanded margins quite rapidly in the last couple of years, but the guidance implies a big step back in margins next year. What's going on there? And is this a onetime step back? And do you have a kind of a longer view of the progression of margins?

Corey Thomas

executive
#29

Yes. So to onetime step back, we do -- look, our base case has us both accelerating. We haven't talked about the degree of acceleration and expanding margins. So I want to be clear about that. And the driver of it is really sort of like 2 things. It's one, and this way to provide the incremental visibility. We are investing to extend in known ways, our detection and response service to actually leverage AI to actually -- leverage our technology and our automation to actually manage more customized environments, which allows us to expand our market footprint. We consider that a high return scenario, and that's why we showed the scale of the business. Like it's not -- like we're investing with something that's a promise on the come, so to speak, like this is sort of like a known good growth investment and we're partnering with our customers to extend service in ways that actually both make us stickier, but also leverage technology that allows us to actually expand the growth rates and growth horizons there. So that's the first area of investment. The second one we are accelerating on the exposure command both our integration, our compliance and some of our cloud stuff because as we work with our installed base, we've seen good uptick. But lots of customers are saying like, "Hey, once you get the debt, I'll upgrade" and we want to make it as easy as possible to actually drive the upgrade velocity. Now part of why it's one time is that we looked at our cost structure and compared to most of our peers, we just have too much of our cost structure in mid-cost and high cost. We have 0 historically in low cost. And so we are setting up our India sort of like development center in operations. And so part of that is actually sort of setting up that. That gives us flexibility. I would just say to be market aligned. 
This is not one where we're going to actually be all in 1 place versus the other, is that we should be at market norms, and that provides flexibility in the cost structure. Our expectation as we actually go forward is that we're expanding both margins and we should be accelerating growth and that's the base case. The degree and the velocity of that, we're still working through, and that's why we talked about our Analyst Day later this year.

Hamza Fodderwala

analyst
#30

We'll end it right there, Corey. Thank you so much for traveling here and coming to our conference. So an honor to host you and best of luck with reaccelerating the business this year.

Corey Thomas

executive
#31

Thank you very much. I appreciate it. Thank you.

Hamza Fodderwala

analyst
#32

Thank you.
