Rapid7, Inc. ($RPD)

Good day, everyone. My name is [ Kaha Ilani ], and I will be your conference operator today. At this time, I would like to welcome you to the Q1 2026 Rapid7 Earnings Call. [Operator Instructions] At this time, I'd like to turn the call over to Matt Wells, Vice President of Investor Relations.

Thank you, operator, and good afternoon, everyone. We appreciate you joining us. Today, we will be discussing Rapid7's first quarter fiscal 2026 financial results. We've distributed our earnings press release over the wire, and it can be accessed on our Investor Relations website. With me on the call today are Corey Thomas, our CEO; and Rafe Brown, our CFO. [Operator Instructions] Before I hand the call over to Corey, I want to note that certain statements made during this conference call may be considered forward looking under federal securities laws. Such statements are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995 and include our outlook for the second quarter and fiscal year 2026 and the assumptions for fiscal periods beyond that period and our positioning, strategy, business plan, operational improvements, and growth drivers. These forward-looking statements are based on our current expectations and beliefs and information currently available to us. While we believe any forward-looking statements we make are reasonable, actual results could differ materially due to a number of risks and uncertainties, including those contained in our filings with the SEC. Reported results should not be considered as indicative of future performance. We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events or otherwise, except to the extent required by applicable law. Further information on these forward-looking statements and risk factors are included in the filings we make with the SEC, including the section titled Cautionary Language concerning forward-Looking statements in our earnings press release. Additionally, over the course of this call, we'll reference non-GAAP measures to describe our performance. Please review our earnings press release and filings with the SEC for a rationale behind the use of non-GAAP measures and for a full reconciliation of these GAAP to non-GAAP metrics. These documents, in addition to a replay of this call will be available on the Rapid7 Investor Relations website. And with that, I'd like to turn the call over to Corey.

Thank you, Matt, and welcome to everyone joining Rapid7's First Quarter 2026 Earnings Call. Let me start by sharing insights from the influx of conversations we've been having with customers as they navigate the rapidly evolving cyber landscape. CIOs and CISOs are telling us the same thing in different ways. Advances from frontier models have fundamentally accelerated the threat environment and outpaced operating models built to defend against it. Vulnerabilities can now be discovered and exploited autonomously and attackers are moving at machine speed. This fundamentally rewrites the value equation in security. The premium is no longer on detecting threats faster after they emerge, it shifts to preemptive exposure management, autonomous detection, and remediation at scale, closing the windows attackers exploit before they can be exploited at all. This is precisely the environment that plays to our strengths. And that's why our investments in the AISOC and preemptive security operations are resonating so strongly with customers. The shift we're enabling from reactive to preemptive, from human scale to machine scale is not a marketing refrain. It's the only viable path forward for teams that need to anticipate where attackers will move next, prioritize the exposures that actually matter, and respond at the speed of modern attacks. Customers are looking for a partner who can unify their data, apply AI with the right context, drive remediation at scale, and translate all of it into measurable outcomes. That is exactly where we are focused. The core platform we're building across detection and response and exposure management is becoming the foundation customers turn to as they modernize for this new threat reality. By unifying exposure and [ detection ] on the Command Platform and combining AI-driven operations with the depth of expertise that we built over 25 years, we're giving customers a single, coherent way to reduce risk, disrupt attackers, and build durable cyber resilience. The opportunity in front of us has never been clearer, and our conviction in this strategy has never been higher. Turning to the first quarter. I am pleased to report that Rapid7 delivered outperformance against all guided metrics. ARR of $832 million and revenue of $210 million were driven by sustained growth in our Detection and Response business, offset by trends in other parts of our business, particularly our non-core stand-alone offerings. Non-GAAP operating income of $24 million exceeded our guidance and helped drive strong free cash flow of $33 million. Our quarterly results reflect a greater focus on balancing strategic investment in driving scale in the business. In Detection and Response, ARR growth of approximately 7% was driven by strength in MDR business. Our approach to delivering AI-enabled SOC, combined with deep services expertise continues to receive strong market validation. And in this quarter, we added a new Fortune 500 customer and a 7-figure ARR deal. In Exposure Management, we'll continue to simplify the migration process of upgrading our large vulnerability management base and to the Exposure Command platform. Our approach to a unified, AI-driven Exposure platform continues to resonate with new and existing customers. In this quarter, a large Fortune 500 customer consolidated on Rapid7 as their exposure platform of choice in a competitive deal cycle. In the quarter, we acquired Kenzo Security, an agentic platform built to run security operations autonomously and at machine speed. This is a direct accelerant to our AISOC vision. Kenzo's data mesh shifts customers away from a per alert investigation model to a system-driven one. Coverage scales with the environment, not headcount. This unlocks two things: a meaningful tailwind for MDR growth; and a path to higher contribution margins through software-driven efficiency. Most importantly, Kenzo opens a door to the full MDR market. Rapid7 is evolving into a preemptive agentic security platform that accelerates the entire SOC, delivered either as a managed service or a self-managed platform. By combining deep MDR expertise with exposure-driven visibility into vulnerabilities and attacker behavior, Rapid7 enables organizations to detect, investigate and stop threats earlier. We also continue to innovate on our Exposure Command platform, delivering two major capabilities: runtime validation for cloud environments; and Data Security Posture Management to strengthen proactive exposure reduction across hybrid environments. In plain terms, we no longer just tell customers what their vulnerabilities are, we tell them which ones are actively being exploited in their environment. Runtime validation determines what attackers can actually reach in production, and DSPM maps where the high-value data lives and who has access to it. Together, they collapse the noise and surface to the small set of exposures that actually matter. These steps accelerate the playbook we shared with you in February, strategically investing in our AI-enabled SOC to deliver preemptive security infrastructure, while also deploying expert talent towards high-value customer engagements that AI cannot replicate. Turning to customer wins in the quarter. Rapid7 continues to be the partner of choice for global organizations securing complex, on-prem, cloud and hybrid environments. The go-to-market changes, Allan, our Chief Commercial Officer, put in place at the start of the year are beginning to bear fruit. We are running a sharper, more focused organization and productivity has improved. While it's still early, the operating discipline we're committed to in February is beginning to take hold. And we believe that as an organization, we can continue to drive efficiencies over the middle term. In this quarter alone, a Fortune 500 mining company with global operations selected Rapid7 as its MDR provider of choice in a 7-figure deal. This was a long competitive sales cycle in which our SIEM and detection response capabilities stood out to their security leaders. Rapid7's history managing cloud, hybrid and on-prem environments and strong technical knowledge help cement this decision. After years of only covering a portion of its environment, a Global Fortune 500 aviation manufacturer expanded with Rapid7 as their preferred Global Exposure Management provider in a large 6-figure deal. The capabilities of our Command Platform, combined with our in-house technical talent were resonant points during the expansion process. And lastly, a leading health services provider selected Rapid7 as their MDR provider of choice in a large 6-figure deal. Previously, subsidiaries of the organization used disparate tools and lacked unified coverage. Rapid7's ability to address challenges at a regional and local level, in addition to a unified coverage across ecosystems stood out to security leaders at the organization. Now before I pass the call to Rafe, I want to dive deeper into implications of the unprecedented shift to frontier models bring to the security landscape. And I want to be clear that this market shift is a long-term tailwind for us, not a threat. Vulnerability discovery has been accelerating and commoditizing for years, driven by advances in AI coding and reasoning and frontier models like Anthropic's Mythos and Google's Big Sleep have made that trajectory undeniable. Mythos surfaced more than 2,000 previously unknown vulnerabilities in 7 weeks. That is a new baseline. But here's the part of the stories that headlines miss, Mythos commoditized vulnerability identification, finding bugs and code. It does not commoditize the operational reality of managing those vulnerabilities across complex enterprise environments. It does not commoditize detection and response, it is not commoditize exposure management. If anything, it makes it all the more essential because the volume and velocity of findings every enterprise has to act on is about to increase dramatically. The value is migrating in 3 directions, and Rapid7 is at the intersection of each trend. First, remediation of scale. The Command Platform provides a granular visibility and tracking required to manage thousands of filings across hybrid environments. Combined with our SOAR capabilities, and Kenzo's agentic AI, we are moving from traditional patch management towards AI-native remediation, identifying flaws and deploying fixes autonomously. Second, Detection and Response, a faster discovery cycle on the attacker side means a faster response cycle on the defender side. Kenzo accelerates our MDR service from AI-assisted workflows to autonomous machine speed investigation. Detection is no longer the bottleneck. It becomes a precursor to near instantaneous response. And third, preemptive exposure management. Our March releases of runtime validation and Data Security Posture Management, move Exposure Command from continuous assessment to continuous validation, telling customers, which exposures are actually exploitable in their environment against their sensitive data, given their identity surface. This is a shift the market is describing. It's a shift that Rapid7 has been building towards more vulnerabilities found means more demand for operational platform that turns findings into outcomes. To close, this is the moment of real change in our industry. We have the data foundation, we now have a step-change AI capability accelerated by Kenzo, and we have the expertise customers do not get from a model alone. The team is executing with urgency. The operating discipline is taking hold, and the work we're doing this year sets up share gains we expect to deliver over the medium term. With that, I'd like to pass the call to Rafe to discuss Q1 results in more detail and our updated 2026 guidance. Rafe, over to you.

Thank you, Corey, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers, except revenue and balance sheet items mentioned during my remarks today are non-GAAP. Please refer to our earnings release and SEC filings for additional details regarding the presentation of our results and guidance metrics. In the first quarter of 2026, I'm pleased to report that we exceeded guidance across all guided metrics. We finished the first quarter with total ARR of $832 million. But let me add a bit more color. I've now been at Rapid7 for 5 months, making this a good opportunity to step back and share some of my observations which I think will also help you better understand our underlying mix of businesses as well as the rationale for the strategy we are pursuing. A key takeaway is that while many people think of Rapid7 as a VM and D&R provider, that categorization of our business is incomplete. I believe that the business should be thought of in 2 distinct groupings. First, our core platform solutions group, comprised of our Detection and Response solutions, which includes MDR, and our Exposure Management business, which includes VM and Exposure Command. These core platform solutions constitute more than 80% of our total ARR and have been the sustained growth driver in our business in recent years. As you know, we have different underlying trajectories within core platform solutions, led by our strong MDR business and work underway to return the exposure management business to growth. These core platform solutions are where our business is focused. As such, the performance of our core platform solutions is the clearest indicator of the ongoing transformation within Rapid7, and they are the solutions where we are concentrating product development and go-to-market resources. The remainder of our business mix or second grouping consists of stand-alone non-platform offerings. As customers have shifted towards platform-based offerings over the past few years, these stand-alone non-platform products have declined on a year-over-year basis, while they remain profitable, and we continue to support our customer using these products, stand-alone non-platform offerings are not central to our strategy. As a result, they have experienced declines and have been the driver of the sequential net ARR declines we have witnessed in recent periods. With the benefit of that context and framing, let me unpack our Q1 ARR performance. Our core platform solutions, which now total over 80% of our overall ARR, as I shared moments ago, grew approximately 2% on a year-over-year basis, led by our strongest offering in the group, our Detection and Response business, which had approximately 55% of total ARR, grew approximately 7% on a year-over-year basis. While D&R growth was partially offset by our Exposure Management business within these core platform solutions, we remain pleased to see ongoing momentum in our more holistic Exposure Command offerings, driven by both newcomers and customers migrating to this new platform. We are not where we want to be across all elements of our core platform solutions. But reaccelerating the growth of these core platform solutions is the focus of our strategy and where we are placing our bets, as you heard Corey describe in detail earlier. In contrast, our non-platform products declined in the quarter, driving the sequential decline we saw in total ARR. As we plan for the remainder of 2026 and beyond, we see opportunities to optimize margins for these stand-alone non-platform solutions as we take steps to improve the alignment of our investment resources to our growing core platform solutions. Returning now to other important metrics. Total revenue of $209.7 million declined 0.3% year-over-year. Within this, product revenue of $204 million was flat year-over-year and services revenue declined slightly. We finished the quarter with over 11,500 customers and an average ARR per customer of approximately $72,000. Turning to first quarter profitability. Total non-GAAP gross margins of 72% were down approximately 280 basis points year-over-year, consistent with our expectations driven by improved staffing in our global security operations centers. We reported non-GAAP operating income of $24.4 million or a margin of 11.7% favorable to our guidance. This upside to profitability drove non-GAAP earnings of $0.36 per diluted share. Free cash flow totaled $33.4 million in the first quarter, driven by strong collections. From a balance sheet perspective, we ended the first quarter with $670 million in cash, cash equivalents and short-term investments. In addition to these resources, we have a $200 million undrawn revolver in place. Our cash and investment balances, undrawn credit facility and continued free cash flow generation give us confidence in our ability to settle our March 2027 convertible debt upon maturity as well as fund ongoing operations. This brings us to second quarter 2026 guidance. We expect in the second quarter with ARR of approximately $820 million. And on a sequential basis, we expect ending ARR for our core platform solutions, D&R and Exposure Management will be approximately flat quarter-on-quarter, with an expected sequential ARR decline in our noncore stand-alone non-platform offerings. For the second quarter, we expect total revenue in the range of $207 million to $209 million or down approximately 2.9% to the midpoint on a year-on-year basis. Non-GAAP operating income is expected to be in the range of $24 million to $26 million or a margin of 12% at the midpoint. Non-GAAP earnings per diluted share are expected in the range of $0.33 to $0.36 on approximately 78.3 million fully diluted shares. Updating our full year fiscal 2026 guidance, we expect total revenue in the range of $836 million to $842 million, a year-on-year decline of approximately 2.4% at the midpoint. We are raising non-GAAP operating income guidance to a range of $112 million to $118 million or a full year non-GAAP operating margin of 13.7% at the midpoint. As previously highlighted, the business exited 2025 with a higher expense run rate, reflecting 2025 investments across people, technology and our India Global Capability Center. By closely managing ongoing investments, we expect non-GAAP operating margins to improve to the mid-teens as 2026 progresses, and we remain focused on continuing to improve operating margins in 2027. Non-GAAP earnings per share are expected to be in the range of $1.52 to $1.60 per share on approximately 79.4 million fully diluted shares. We expect 2026 as free cash flow in the range of $125 million to $135 million for the full year, flat with prior year performance at the midpoint and a free cash flow margin of approximately 15.5%. In conclusion, there is a tremendous opportunity for cybersecurity companies who can help their customers respond at the incredible pace of new vulnerabilities and increasing attacks. Rapid7's core platform offerings of Detection and Response and Exposure Management are uniquely positioned to help companies navigate these threats, which we believe presents a long-term growth opportunity for our business. And with that, I'd like to turn the call over to the operator for Q&A.

[Operator Instructions] Our first question comes from Michael Cikos with Needham.

Can you hear me okay?

Yes, we can hear you just fine.

Terrific. So I just wanted to start out with the guidance we have here for the ARR and thanks for splitting out the core versus the non-core. Could you help us think about that core ARR business, where are we specifically with the exposure management and helping that business start to see growth versus some of the headwinds we've seen in recent quarters?

Yes. I mean, Rafe and I can tag team it. So our exposure management, we're happy that we're seeing the stabilization. I would not say that it is a growth driver, just to be clear. It's not, but we're seeing a stabilization and improvements that we would expect, and we see good leading indicators of that business is sort of like set up to improve, but it's nothing we can claim sort of success or improvement on. We're still working with the upgrade cycle in a noisy environment. We are optimistic that the backdrop of what's happening in AI gets customers refocused back on the need to actually take Exposure Management, seriously as a priority because there was lots of noise before about all the things people can focus on. And we're certainly heartened by the early conversations, but that's not something that we will translate directly into a forecast or guidance at this stage.

Understood. And for the follow-up here, again, I know we're navigating the core versus the non-core ARR components. If I'm just looking at the guide we have here on the ARR for Q2, and I know you guys are only guiding a quarter out at this point. It is less than what consensus had been thinking about here? And I'm just looking to see, can you give us a flavor for what the shape of the rest of the year looks like or any other things we should be mindful of as we navigate the next couple of quarters since we are only getting that ARR data point from a guidance standpoint on a quarterly basis.

Well, we're only guiding the current quarter right now. And as Rafe says, we're getting a firm -- we want to make sure that we have the transparency as we go through it. The one thing I'll comment on is, clearly, in the first half of the year, we're seeing the non-core, which I talked about other before, decelerating off at a faster rate, while core is still a net positive contributor. As that plays out, we'll see how that plays out and whether we see the acceleration in exposure, the impact of D&R. But I would just say, we give you revenue guidance, we feel very good about that. We have a lot of confidence in all the measures that we actually got on. But we'll keep you updated as we actually go along, but we're not going any further breakouts right now.

Our next question comes from Matthew Hedberg with RBC.

This is Mike Richards on for Matt. It made a ton of sense when you were talking about the changes with Mythos and the other frontier models and how that can act as a tailwind for Rapid7. But I was wondering about how these changes are impacting customers. Is there a confusion in the market around frontier models and vulnerability discovery? And what that means versus exposure management? Or do they sort of get it? Just any details you guys can provide on what the customers are thinking right now?

It's a great question. Look one, I think there's probably more confusion with investors than there are with security experts, which we understand which is why I wanted to clarify in my prepared remarks. Most customers look there's two class of things that are going on is customers are having expertise on staff and they're expecting a lot more sort of like scale of vulnerabilities and confusion. And what we're hearing from them is the need to really focus on affordability, understanding what's on the environment. Focus on understanding reachability, what's happening and then remediation and organization management at scale, which requires an understanding of the attack surface. These are all things that we're focused on. And frankly, though, we are accelerating our own efforts to make sure that we make it easier for customers to understand what are the vulnerabilities that matters most, because what you're seeing is a lot of real things, a lot of noise. And what we want to make sure is that like as things surge for customers, they are remediating and addressing the most important things first as quickly as possible. And that's the stance we're taking there. And what we've seen so far with customers is that those that are in the know, they understand that they're focused on it and they're asking us, how can you help me actually manage the complexity -- I'm going to have a lot more to manage. There'll be a lot more real stuff that I actually have to address, but there's going to be a lot more noise too. Now there's -- I would say a lot of customers that are less mature in their cycle, and the word vulnerability is vulnerability. But again, I actually think that what you'll see often in security is that the knowledge does get out there. They will have to respond. They won't be able to remediate everything that's in place all at once. And so they, too, will actually have to understand it. I think the tricky part for investors is vulnerability, whether you do discovery or scanning or vulnerabilities and code, it all sounds the same. But they're very different, like code level vulnerabilities are very different than the vulnerability management, which is very different than exposure management. Exposure management is about addressing the things that are actually exploitable and the vulnerabilities that actually lead to compromise and doing at scale across the environment. So there's differences, but using the word vulnerability, definitely can cause some nuancing and confusion.

I appreciate it. That's super helpful. Yes, that's super helpful. And just as a quick follow-up, maybe just taking a step back from a macro perspective. Are you seeing any change in customer behavior as it relates to maybe geopolitical uncertainty or even just AI budget crowding out as we've heard of more and more enterprises sort of running up on their AI budgets and not impacting other areas of enterprise software spend?

Yes. I mean look, I actually think everyone is trying to figure out what's the right way to budget and plan for it. That is an obvious thing that -- I don't know an organization all over the world is not trying to figure out like what's the right AI strategy? How do I budget for it? How do I plan for it? And how do I deal with the leapfrog that happens from time to time? But I would just say universally, to be clear, this is a year where more than ever we're seeing regardless of what the domain is, customers are looking for how do I actually start showing real benefits and outcomes for the technology. It's moving from pilots to delivery. And this is the thing that actually makes me excited about the investments that we've made organically and with Kenzo is that customers are in the show-me stage, and they're looking for how can you actually help me scale. In our case, is how do we help them scale their security operations because I hardly know any customers that are getting a lot more people allocated to the teams. And so they're looking for technology and services to scale their security operations, and that's where we're focused. Thanks again for your questions.

Our next question comes from Joe Gallo with Jefferies.

I just want to ask one high level one and one explicit about 2Q. So a high level, you guys are investing in areas of growth, MDR, go-to-market, integrating AI, how should we think about the trade-off between stabilizing ARR growth and maintaining gross margins going forward? Any guardrails that we can think through?

Rafe and I can tag team this. Our team has a very clear mandate is that we have to scale margins over time. And we feel that we have the right setup for that. If you think about our MDR business, which is our fastest-growing business that also historically has had, frankly, less contribution margins at scale than some of the other businesses, and also is a business that we expect the gross margins to expand. That was a big part of the Kenzo thesis is that we can deliver better service at better efficiency and better cost leverage. So we're quite excited by that. We can deliver our customers a better experience and do it more efficiently, which is good for our investors too. And so just to be clear, as both myself and the management team have a mandate that we have to actually expand margins over time. But we are willing to make tactical investments to make sure we're going in the right way. It was absolutely the right thing to do this year as we saw the tsunami of cyber risk coming into customers to make sure that we were properly staffed in our MDR environment to manage that and respond to that and make sure we're delivering a great quality of service, which leads to long-term retention and expansion. We know that we can actually do more AI and automation to actually do some of those SOC services over time. But we feel very, very good that we made the right decision to make sure that customers are set up well, but we are managing the business to expand margins over time.

And I would just call out, as we mentioned in our remarks, we do continue to expect to see bottom line margins improving as we go across 2026. And we're very actively -- when we do planning, we roll it out and look at it at those carryforward numbers to make sure we're very conscious of run rates going into the next year. So I think we talked about -- in 2025, we saw some investment, and we knew that would impact year-over-year comparisons as we go through the first part of the year. But you'll start to see the benefits of that and see those improving margins even here in 2026 as we move to the back half of the year.

Okay. No, that's very clear and really helpful. Maybe just a follow-up, I just want to understand exactly what our takeaway should be with your 2Q ARR guide, right? So 1Q declined $8 million quarter-over-quarter, you're guiding to another decline of $12 million. So I'm just trying to understand like, is that 20% of the non-platform business? Is that churn getting worse? Is it lower expected new business for the 80% of the business that's growing. We're 1 month into 2Q. So I'm just kind of curious what you're seeing in 2Q that kind of indicates that new ARR might be a little bit worse than you saw in 1Q?

Yes, I would just say, look, in 1Q, even though we're not actively -- even though we expect other or the non-core to actually churn and it's not a core area of focus, it's not core area of investment. When we see acceleration, we take a more cautious outlook about what that does. We definitely saw acceleration of the -- we're not adding new. So it's really just churn, just to be clear, and that's on the stand-alone non-core businesses. We saw acceleration then in Q1, and we are taking an appropriately I think, thoughtful viewpoint of that as we actually go into Q2. And we also just want to predict that we're going to overcompensate for that by acceleration of core. And so that's the primary driver, and that's the primary takeaway that I have now. I think that's part of our given commentary.

Yes. And I think that's exactly right. We want to share that color on what's exactly going on there because it's really important for everyone to see that where our core business is, how it's been growing and have that clarity because that's really going to be the long-term future for the organization. And those products will be the ones that we're taking to customers on a regular basis. So we hope by breaking that out, that again illuminates exactly what's going on.

Next question is from Adam Tindle with Raymond James.

Okay. I just wanted to continue on the topic of core versus non-core. And if I was to rewind back, Corey, I know the strategy was to really create a lot of synergy between the platform historically. So I guess as we fast forward to today and having one piece of the business that's understandably kind of non-regrettable churn or in decline, how are you managing the impact on core while non-core churns, meaning, I imagine there's some customer overlap. Why would churn in the non-core piece, potentially not impact core? What are you doing to mitigate that potential risk?

No, it's exactly the right question. Look, whenever you have dynamics and just to remind you, like non-core is things that are on the lower on the priority list, but it's also stand-alone business, some of the legacy stuff there. You hit the nail. You hit the core point, is that, as you manage these things, you know what we have to do well. We have to nail how we help customers gather security operations and the core of that is the preemptive platform with Exposure Management and Detection and Response and how we weave that together. Now as you said, there is a subset -- not all the customers are overlapping, just to be clear. We have a healthy amount of stand-alone customers. But for customers that are overlapping, their experience matters deeply. And so our teams are actively working to make sure that we deliver those customers the right experience. But also in the world of rapid innovation at the pace of AI, we're rapidly rolling out new services that address their need and we're expanding their scope and their experience with them. If you look at some of the announcements that we've been making, we've been picking up our pace of innovation and our pace of things that we actually communicated to the market. And frankly, our pace of what we're actually providing customers as part of their existing subscriptions. And our view is if we do that well and we keep delivering on that, we're actually adding more strategic value in areas that matter more and therefore, we can actually really continue to focus in on those areas. But as you know, these type of transitions have to be managed well and it's something that we're focused on to.

Yes. Okay. Yes. Rafe, maybe just a quick follow-up. You talked about, obviously, silver lining here has been profitability. And I think you mentioned mid-teens operating margin in fiscal '26 and through in that you expect to continue to improve in fiscal '27? Understandable that obviously not providing official guidance on '27, but that's helpful to give us a sense of trajectory of the business. I guess as you think about that, it's uncommon that we see platforms that are undergoing growth pressure that are still able to scale and not experience that lack of leverage on the downside. What are the drivers in terms of your confidence in margins in mid-teens and continuing to improve in fiscal '27? And any parameters that you'd like to set just so we can understand what continued to improve in fiscal '27 might mean?

Sure. I think what's given us confidence as we go through '26, is like, first of all, you'll recall that there was a great deal of investments across people and technology last year, opening up the India center. All of those things happened in 2025. So especially in early parts of the year, the year-over-year comparisons, you're not bearing the burnt of that cost uptick. But a lot of that work was in place to help build efficiencies in our organizations, giving us locations where we can give great productivity at an affordable rate. It's extremely helpful. Having SOCs that are around the world on a global basis, extremely important to our customers, but also important to our efficient operations. So as we get people ramped up and get that part of the business locked in, that's what really is offering some efficiencies for us. And we're also being very careful in 2026 about cost management and just across the board, we're making -- we want to deliver on that commitment we've made about our margins. And so we're being quite cautious about where we spend. And some of this plays out really is when we start talking about core versus non-core, being really clear about where we should invest because we think that will drive long-term growth versus where we need to be more moderate in how we manage those costs. So all of that coming together is giving us what we're planning for 2026 and giving us confidence is we really look -- need to be looking at those run rates as we leave this year into next.

Next question comes from Jonathan Ho with William Blair.

I just wanted to maybe dig a little bit into sort of this emergence to the Mythos models, like how do we think about the broader opportunity set around MDR and CTEM evolving with that AI landscape. And how does your product specifically maybe need to change to address sort of the emerging landscape?

Yes. So let's just -- great question, Jonathan. So I think that you have to first understand what's changing for customers in order to understand frankly, what the work that we're doing that's valuable and the work that we need to do differently. I think that's a very good question, Jonathan. So the first thing, what's changing for customers? Customers are seeing influx of 0 days. They want to see a much larger volume of vulnerabilities. They're going to see more exploitable vulnerabilities, but the amount of vulnerabilities that they want to see are not all going to be exploitable. So the ability to actually figure out what really manage is going to be key. The ability to actually manage remediation at scale in tighter time frames -- if you could do remediation, in months before they figured out which stuff matters and manage the remediation in days as appropriate matters and the things that should be weeks and things should be months, we have a massive remediation backlog overall. The pace of what you're looking at is being able to exploit vulnerabilities at speed and pace, dwell time is actually shrinking. So what you're going to see is people are going to have to go from detection quickly to actually active response. That's another significant change overall. And so when you put the picture together, customers are going to be dealing with both, the speed, the scale and the need to respond quickly without breaking things. So what does that actually go? So let's just break down a couple of things. So one, Rapid7 has had a long history of focusing on exploitability, and our security researchers are accelerating and moving our models and upgrading those to actually deal with the increasing insertion that we expect and the speed to actually really discern what's exploitable from what's not exploitable. The second thing is we actually -- as we built out our overall Exposure Management framework, we believe that vulnerabilities are not the core thing that matter in themselves. It's intersection of vulnerabilities, how devices and networks and technology is configured, as well as the controls in an environment. After all, that's what exploitability is. It's the reachability, combined with what controls in place, what's configuration, combined with what's vulnerable. We understand that better than most organizations in the world. And then the last piece that we just invested in is Kenzo, which is actually doing detections quicker. So the things that we're changing from there is we're upping the visibility and understanding and the ability to quickly process what's exploitable in the environment. We're accelerating the investments in our remediation management to help customers track and manage remediation across the environment. We were already bringing forth the Kenzo for actually instantaneous detection, but we're also investing heavily in leveraging our understanding of both the configuration surface and the control surface to actually help customers understand what the best interdiction or immediate intervention options they have to contain attacks, because they will have to respond in the moment and sometimes the [ 4 ] mediation is not available. I know there was a lot out there. But those are the things that are changing for the customer, the things that we're investing in, and frankly, the things that we're accelerating and changing in our environment, in our technology segment.

Our next question is from Eric Heath with KeyBanc.

All right. Maybe one Corey, one for Rafe, if I may. So, Corey, I mean [ Glasswing ] has been out for about a month and it feels like there's a lot of urgency out there. So just curious what impact you've seen thus far in 2Q in the pipeline? And then for Rafe, I very much appreciate the color on the platform growth and the guidance. But any specificity you can give on how net new ARR 1Q was for core platform? And then just how we should think about maybe the exit rate for the non-core platform products as we exit 2026?

Yes. I mean, I'll hit it before because I've actually hit on it partially before. With [ Glasswing ], I think there's two things. There's a small cohort of our customers who have actually seen it and access and they want insights into how we help them deal with the true exploitable ones and also the volume and the noise. And that's very straightforward. And that feedback and that engagement with customers is driving some of the strategies that I talked about earlier. And then there's those that are on the outside and trying to figure it out. And frankly, they're looking for a perspective about how much does this change their technology strategy? Do they have to put all new projects on hold and just do remediation for the next 6 months? And if so, what type of remediation? So I think they're in an assessing mindset, just to be clear, and that's why I say we're still in the early days because lots of organizations don't know what the magnitude of the impact is specifically for them.

Yes. And then just to add a bit more color on the first quarter. I would say, first of all, we were really pleased with the sales organization and their hard work in Q1. You'll recall that we had a new leader, Allan joined late last year. He made a few changes on the team even in -- even as we started this quarter, and yet the team really executed well, very much hustled, and we saw an uptick in productivity across the quarter. We saw just good execution on a lot of operational details that are just really important to running a sales organization. So I think hats off to the sales team on delivering good results there. And that translates into our core platform solutions where you saw, first of all, within core, the Detection and Response business, which is now 55% of total ARR, and I think that's a little bit more color than we've shared in some of the past quarters on that. Growing at 7% on a year-over-year basis. So that's new net of any churn we had in the quarter. So that's a really strong leader. And that, combined with Exposure Management solutions, which rounds out the core solution, that total group was growing at 2%. So good execution on the top line, good work from the product team, helping our customers and just execution all around make sure that, that core numbers were growing in the first quarter.

The next question is from Shrenik Kothari with Baird.

So just a follow-up to Jonathan's question and Corey, thanks a lot for the color with frontier AI, the value, how it's shifting or shift towards remediation and scale and the exposure validation. That makes total sense. Just in terms of monetization opportunity and timing wise, just wanted to get your thoughts in practice. Like how do you think that, that shows up in this post frontier AI model world? And in terms of MDR, in terms of the urgency for Exposure Command upgrades in terms of runtime validation and just a broader platform. And then I have a quick follow-up.

Yes. Look, our current plans, it is a -- it's not even a single, probably a double, using a baseball parlance for just to actually get a catalyst to actually help move the priority of exposure management back to the forefront, which actually helps significantly with the VM upgrade initiatives and focus. So that's our focus. We're not looking to actually charge incrementally for it. We think we actually have a modernization plan that's already attached to it. And so seeing the VM to Exposure Command acceleration in the upgrade program is where we plan to primarily see the monetization. And again, we're accelerating some things in line with our strategy where we focus and tightening, but we were on this path about how you actually manage remediation at scale, how do you actually really assess exposures from both a control and a configuration standpoint. And then the last thing is how you actually act in response overall. So I would just say the focus hasn't changed. But from that perspective, we should see the monetization there. On the MDR side, it's going to be interesting because I think the thing that I'm talking to most customers about is how do they -- if customers are getting comfortable, they know now that they will have to enable active response and do more automation and more AI-driven response across their portfolio, and they're getting comfortable with that. Our goal is to actually lead that discussion with trust. That is an expansion area, that's an investment area. It's a potential monetization area, which is a little bit too early there. That's one of the biggest incremental areas, I would just say, a focus, that we're recalibrating resources for is how do we actually shift the active response to machine speed while ensuring that we can actually do that safety based on our knowledge of the overall attack surface and control surface and the configuration surface.

Very helpful. And just a follow-up, Rafe, you talked about, of course, prudence in the non-core guide and more confidence in the core platform growing. Just in terms of the go-to-market changes that have been put in place bear fruit at this, Corey mentioned productivity improving. Just can you unpack a little bit like what's happening in the plumbing? Like are you seeing -- just again, in your words, Corey, I mean, is there a healthier mix of more singles and doubles now? Is the child source pipeline becoming more efficient? Is there more better upgrade motion to like which ones are showing up?

Yes. I mean the big one is the rate is at [ earlier rate ] Allan has really tightened in the focus on making sure that we're actually selling the core, which is, again, the D&R and exposure in the Command platform integrated capability. So one thing is that when you actually have a strategy, you're not actually selling all over the place. So we actually have a tighter focus there. We're seeing tighter pipeline builds in those areas, and more focused, consistent execution. Yes, and the biggest thing is that like as we set targets, we actually hit the targets. Now we all want to actually see acceleration and we want to see the growth go faster. But I will say that we actually have the confidence in the trends of how we're seeing the business performance starting to actually shift. We want everything to go faster, but we're seeing the confidence in the -- both the management and the visibility. That gives us a lot of confidence about like how we actually see the year standing now.

Next question is from Meta Marshall with Morgan Stanley.

This is Abhishek Murli on for Meta Marshall. Congrats on the quarter. I wanted to touch on Kenzo Security and kind of where that product sits in the road map in the context of AI-driven investigation. So can you kind of clarify what capabilities have already been incorporated into customer workflows versus like what kind of remains in development? And then should we think of it as more of an improving of productivity or a customer-facing remediation? And kind of just any further details on that.

Yes, well, Kenzo is excellent -- what the data mentioned in their model was extraordinarily at doing investigations of scale. So it was an alert processing engine that allowed you to come in and process alerts from all over the environment. We're [ not ] asked to integrate right now, just to be clear. So it's not like a dumb integration. It's probably the biggest thing, and we all like, that has to happen fast and it has to go fast. So the team has come in. We're in the process of integrating in. We'll be rolling it out to customers starting in the next couple of months, and rolling out the rest of -- rolling out to the rest of this year. But that's the biggest thing. So if you say like what's the core of what Kenzo does? It is an AI platform for actually processing alerts and doing high-quality investigations at scale. To add some context, specifically for investors and for people on the call is that typically, what a SOC analyst who typically does is they get an alert in and one, they have to make sure it's not deduplicated. I would say over time, SIEM's did not doing a good job with this. D&R systems like Rapid7s did a good job with a deduplication. So we've already been making advances here. But then you have to go out and actually do all of the knowledge collection and contextualization to actually say, what's all the data I need to gather to actually figure out whether this is real or false. And then once you actually have a sense of whether it was real, then you actually had to actually do another level of investigation to figure out like how bad it was in the environment and what you actually need to contain and remediate there. That took days, just to be clear, hours and days. Kenzo is excellent at doing that in massive volume, massive scale but in machine speed. And so it's much faster, and it has better efficacy rates overall. So we're both taking it in, we're applying the model, and we're extending the model out to actually hit not just alerts but a much wider range of data sources as we go forward. And then the other part that we're actually adding in to Rapid7 is that because we have so much deep knowledge of the environment, is we have a much wider range of response options that are available. Now again, that is new development effort that's happening. So I don't want to get too far down the path. But customers do need to know how they can actually respond at speed and scale. Some of that is going to be used in our technology, some of that's going to be using third party technology. But we have the brains to know which type of controls and systems to leverage at scale, whether that's existing controls, whether that's new start-ups that are actually in the space that actually make changes in the environment. We have that knowledge and that expertise to actually know what's the most efficient to apply at scale based on our knowledge of the environment.

Our next question is from Adam Borg with Stifel.

Awesome. I'll just stick to one. Maybe, Corey, you talked really, I think, at length in a good way about how the frontier models are driving increased vulnerability identification, but that's really where the tailwinds begin for you. And I think you talked about customers understanding how these frontier models fit in and investors may be a little bit more confused on their role over time. And maybe just to that latter point, if you could help us understand like what's preventing these frontier models for moving just from identification of vulnerabilities more towards the exploitability, the reachability, the prioritization and the remediation that you talked about because they seem to be talking that they're moving in that direction. And any way you could talk about the moats that vendor like yourself has to prevent that from occurring would be really helpful.

Yes. So there's 3 different moats that matter. And again just to be clear, I want to say versus the frontier model because we actually leverage frontier models inside of Rapid7. So anyone who's not leveraging frontier models is like just not going to be relevant. So I want to be clear. This is about where the actually use cases and don't matter in that. I want to frame that to be clear. So there's a couple of things that are actually significant clear moats they actually do. One, it's just like if anyone's actually use frontier model in any environment at any scale, you actually know you have to actually discern what's the cost of activity you're actually doing. So someone can actually go stand and do exploitability analysis in the environment and do all of that. But just to be clear, they're paying a lot more than what you actually get for the same information in the core vulnerability management system. They're not designed to do that. Now could they build specialized thing and specialized software to actually do that? Potentially, yes. But again, you are -- then you're just building the product and you can actually say you're actually building the product and you have not. So but that's one, it's like cost does matter, and we actually do it efficiently at scale and at cost as someone who's tested out some of these systems in the environment trust me, you can run a fair amount of money doing what you think is a very straightforward scan. And by the way, that's proven out in their own data that they actually go. So I would just say we actually can't miss it. The second thing that you have to say is that like it's not whether it's vulnerable, it's actually exploitable in the environment. And exploitability means you have to understand not just the vulnerability. You have to understand the configuration of the complete environment, and you have to understand the controls in the overall environment and how they intercept. Now you could make a technology to do anything, but that is actually specialized it's both knowledge and data that we've optimized around to understand the question about what's actually both exploitable, what's reachable and how is that configurable in the overall environment. The last thing when you actually get to the core one about how do you actually want to actually take action and respond in the environment. And look, I have a high trust, but I don't think anyone wants a frontier model in their environment, running rampant in the environment that can actually make configuration changes, do active defense, active response in the environment. For models that are updated all the time without clear visibility and understanding what can change and by many of the authors on admission is just like that's just not the way that most people are going to have the trust to actually deal with security. So to get to the core thing is that we have deep expertise to understand another domain. Yes, AI does a lot. By the way, it's an accelerant for us. The cost of doing these things at scale does matter to customers, and it will matter to the customers over time. And then when you think about the autonomous response, you both need the knowledge base, but you also need the trust. And this is why I say, like, we're building active response, but it's built on a system of trust and knowledge. And that's a big deal because you do not want your active response being too smart and being too clever, because if you get the keys, where these systems can take over and actually have access to make any type of change in the environment overall. You can have very minor errors that actually cause catastrophe for organizations. And again, most CISOs and frankly, most IT people know that. And so they're looking for things that actually do the mission and do it well and do it cost effectively. I know that was long-winded, again, we're adopters of the technology, but it's important to understand that we like the constrained there too.

Our last question comes from Gray Powell with BTIG.

Okay. Great. I just want to make sure, can you hear me?

Yes.

Yes.

All right. Excellent. I think you hit on this before. But I just want to circle back on sort of the non-core products and how we should think about that trend line stabilizing over the next 12 months? So just if I'm doing math correctly, ballpark terms, I would assume that non-core is maybe a little over $150 million-ish in ARR. Q2 guidance implies that it's down about $10 million. Is there a level where that -- where we should think about that number stabilizing? And then they are existing customers. So like why is there not an opportunity to upsell them on the platform? Is there like a conversion opportunity there?

Yes. No, thank you for the question. I think the best way to think about what we're trying to do is build out robust platforms that are attractive to our customers. And I think a couple of things. First of all, some people -- some of our customers have platform offerings, but may have also bought something stand-alone that's out there, right? That is part of the equation. And as Corey mentioned, like it's very important that we take care of these customers and that their whole experience with Rapid7 is very important. We do think there is also an opportunity for those who may not have a platform solution that the best thing for them is to migrate on to one of our platforms, right? And we're looking for technologies that we can integrate in and make that platform more rich. So that's really our #1 focus around those customers. I just -- I wanted to break that out because this trend has actually been going on behind the scenes for some period of time for the last few quarters of where you'll see those stand-alone non-core offerings, that's actually where we've had more of the challenges on the renewal front. But what we're really calling out here is we're focused, we're building attractive platforms with robust technology, and that creates that upgrade path for many of our customers, but it also allows us to focus on meeting the demands of the market at present.

Thank you, everyone, for joining. This concludes today's call. You may now disconnect.