All right. Okay. Good morning, everybody. Thank you for joining us. My name is Hamza Fodderwala. I'm a cybersecurity analyst at Morgan Stanley. And with me, I have the pleasure of hosting Andrew Burton, Chief Operating Officer of Rapid7, for a fireside. And before I begin, just a brief programming note. For important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. With that, Andrew, thank you so much for joining us this morning.
Thank you for having me.
Maybe before we get into the weeds, you know, for investors who may not be, you know, super familiar with the story, briefly talk about Rapid7, the evolution of the platform, and sort of what the company provides today versus, you know, its inception.
Sure. It's really a story of how our customers early on, we went public as a vulnerability management company. And vulnerability management, as you may know, is about providing visibility into where I'm potentially exposed or have points of exposure in my environment. And as we came out of the IPO, many of our customers were telling us that it was helpful to understand where they might be vulnerable, but they also wanted to know if someone had exploited one of those vulnerabilities. And so they began to really ask us to provide more visibility and insight into their operating environment. And so we have evolved from those early days of visibility across the environment into helping people operationalize their ability to detect and respond to potential threats that may occur inside that environment.
That's really where our platform has been evolving, not just over the last several years, but as we look out into the future.
You know, in cybersecurity, there's been a big theme towards consolidation.
Mm-hmm.
I think you have the average enterprise using something like 50 different security tools. The largest enterprise sometimes are using hundreds of security tools.
Yeah.
Rapid7 has pivoted, like you mentioned, from core vulnerability management into a broader security automation play. Can you talk a little bit about how you're helping customers consolidate
Mm-hmm
those multiple security point products that they're using?
Yeah, really, from those early days, Hamza, we were hearing from our customers that they were struggling, not only recruiting their talent, but actually having the security people that they would hire be productive. And what we found when we looked more closely at it, was that security teams were deploying a lot of point solutions, and the responsibility, the onus, was on them to integrate those solutions together. So as you said, the average security team has a plethora of tools, but they've been left to integrate those tools together to get to the security outcomes that they'd like to get to. And so what we really started doing was consolidating point tools or point solutions to focus on enabling those security professionals to be more productive.
When we built our detection and response offering, in many ways, we started bringing together these individual point solutions to help people detect and respond to those threats. Things like log analytics, behavior analytics, network traffic monitoring, things that many security teams were trying to do independently. But we were hearing from our customers that if we could bring those together, focus on the productivity of the analyst or productivity of the infosec team, and then also improve their efficacy, right? Because security efficacy in this environment remains a big challenge for most security teams, right?
And so, yes, the consolidation story, but it's focused on the productivity of the analysts and the security efficacy of their program, and that has really been, I think, the secret sauce for us, is 'cause when you can do those two things, you're effectively enabling that security team to take on an expanding attack surface with more complexity in their environment.
Got it. So less selling point products, more selling a solution
Yes
to, for the productivity of the analyst. You know, one of the ways you guys have, gone to market around
Mm-hmm
that theme is, the new bundles. You have two bundles: Managed Threat Complete and Cloud Risk Complete. Can you talk a little bit about the impetus for this and some of the traction that you're seeing in the market with these bundles?
Yeah. They, they've been very well received. I, I think in many ways, I've been, I've been surprised on, on how well they've been received. The impetus was twofold. I mentioned earlier about the productivity and, and efficiency of the security team, but as we, a couple of years ago, we began to really see CISOs talk to us about leveraging or consolidating their budgets because they were under increasing scrutiny. And obviously, we've seen this with the macro environment, where budgets are being looked at by CEOs and CFOs very closely. And so it was in some ways a simple proposition, if you could allow me to leverage more my budget to achieve more of my security outcomes, but also take those dollars and put them in where they're strategically valuable, right?
I think hopefully, most people would agree nowadays that this attack surface that most CISOs and CEOs and CFOs are facing in their environments is expanding, is increasingly fragmented, and is increasingly complex, right? So when we can talk to CISOs about leveraging their budgets to cover more of that environment and improve their overall ability to detect and understand if there are threats that are in that environment or facing their environment, that's something most CISOs will, will wanna talk to us about.
Got it. So, you know, you offer a lot in your, in your portfolio. You've got the vulnerability management piece, you've got security, log analytics, you've got
Mm-hmm.
Cloud security. When you talk to CISOs and you talk to CIOs, you know, what are their top security spending priorities, and where are you seeing the most incremental demand?
Yeah. Yeah. The, you know, my, my opinion, and I think, this is supported over, many of the customers I've met with, especially over the last six months or so, is security teams are looking to go from a reactive and responsive position to a more proactive and, assertive stance, a positive, maybe a forward-facing stance around how they can protect their environments. The key to that, change or kind of shift is to give people more visibility into their environment and proactively monitor that environment for change, right? I think with the emergence of clouds, most organizations I chat with have multiple cloud environments in their organization. It is a very dynamic, very ephemeral, very, rapidly changing, environment that they're trying to secure, right?
And so the ability to not just anticipate that, but to monitor and look for potential malicious activity or potential signs of a breach is something that's very important, and it's something that our customers continue to tell us is driving a lot of their programs that we're talking to them about.
Got it. And when you step back, I mean, there's so many, you know, green shoots that we see for cybersecurity next year. You have the rising threat environment, ransomware attacks are up, you know, 50%-60%, depending on the stats that you read. You've got the SEC disclosure requirements that are kicking in later this month. You know, what is sort of the CISO priority level when you talk to customers?
Mm-hmm.
How concerned are they, and what do you think that means for budgets going to 2024?
Yeah, there is a bit of a contradiction out there, I think, because like you said, in some ways, the level of urgency and importance of an effective security program is going up, right? Whether it's some of the increasing regulations, especially in the U.S. But we're also seeing, as you said, the ransomware attacks, the level of threats that most organizations are facing are going up. However, what we have seen the last few years, budgets continue to be under tight scrutiny, right? And not just security. Security sits inside the IT budget, right? It's generally the first or the top line item, but we can tell, we don't believe there's going to be a big change in the demand, in the budget environments.
So demand, yes, will go up, but budgets will be tightly controlled, and we believe the winners will be those that can map budgets to outcomes, right? And too often, I think people were buying tools and technology versus spending their money around: Can they get to their security outcomes? And that's really where we provide that mix of not just technology, but also the expertise and the ability to bring everything together in a more integrated approach with our platform. That's where the CISOs are really focusing their efforts.
Got it. And obviously, the bundle strategy around consolidation is a big part of that.
Mm-hmm.
So you talked a little bit about the two bundles, Managed Threat Complete and Cloud Risk Complete. I think last quarter, over 40% of your net new ARR was
Mm.
coming from those bundles.
Yeah.
Can you talk a little bit about what that does to your average deal size and, you know, what would be a sort of a typical ASP uplift, if you will
Mm-hmm.
If you went to a customer.
Mm-hmm.
who was using
Mm-hmm
a single product versus now
Mm-hmm
Using the bundles?
Yeah, that 40% is the, that's, that's a great stat we shared. It is trending up, right? And I think that, that each quarter we've been talking about the continued progress and performance there. When I look at ASPs or I look at what's driving that, we, we've talked about roughly double
Mm
is what it does, right?
Mm.
The question we often get: What's driving that? You know, so it's you have this increasing performance around these Threat Complete, Risk Complete packages, ASPs roughly doubling. And when we look at that, it's frankly just a simpler way for a customer to consume more of the platform with us to cover more of their program, right? And so that the ASP is roughly double the conversion rates. When I look at our sales team and our go-to-market engine, the conversion rates on those deals are much higher.
Mm.
We're seeing stronger productivity in our sales and marketing engines around that. So the ASPs are, don't get me wrong, they're, they're great to see, but I look at sales productivity and obviously the, the yield and performance on those, on those teams, and, that's up as well. And so I think we continue to see that, that kind of traction and, and really strength to help support us on a go-forward basis.
Yeah, that leads to my next question. I, you made some sales org changes, I think, starting
Mm
last year.
Mm-hmm.
You're now a little over a year into that. Can you speak a little bit more on the sales productivity point? You've got all these products now that you these bundles you can sell, a more mature sales force. How is that driving more leverage for you, more efficiency, and ultimately also helping to drive profitability?
Yeah. Yeah, yeah, you're right. We were piloting these, excuse me, late last year. As we came into this year, we really began to put them at the center of our go-to-market motion. So that productivity and performance, if you were an account exec, whether here in Europe or back in the States, you previous to the bundles, you had an opportunity to sell multiple products, right? And you could go in and kind of solution for the customer and based on where their budget priorities were, but it required a bit more tenure, a bit more experience and expertise around how to position and when to position, right? The packages have allowed us really to put these at the core and create a dominant motion, right?
And so that productivity and efficiency of the sales engine really says everyone's going to major or be focused in their first default motion of being able to understand how to position the complete packages, right? And you'll be able to make sure you can talk to your customers about how to leverage their budgets to cover more of their environment. If everybody can be productive, and then we can build on it, it both increases the productivity of the account exec, but it also, over the course of their tenure, we're seeing them actually contribute and provide more overall dollars on a contribution basis. So you have, you know, time to productivity, you have overall performance on a per-head basis, and then you have the contribution that they make over time.
Those are really, I think, increasingly supporting the environment that we're trying to drive around this consolidation motion around an integrated SecOps platform.
Got it. So, you know, you obviously can land with multiple products, but if we sort of break down the major market categories that Rapid7's addressing, let's start with sort of the core vulnerability management piece, right? Where you started off
Yeah.
Now that's less than half your business. You know, that market, I would say, growing in and around sort of 10%.
Mm-hmm. Mm-hmm.
Say, around 10%. You've got three established players there. How does Rapid7 see its place in the vulnerability management market? Does it see it as a bigger market than what is currently estimated, or is it, you know, sort of one product, one sales motion, and a broader sort of platform, if you will?
I think it was about a year ago, when we were talking to folks about we see VM as a feature, right? Which kind of makes sense, right? You have an environment, maybe a traditional workload environment, you want to assess it, but that environment isn't the extent of your attack surface, right? Your attack surface expands end-to-end across your environment, from the endpoint to the cloud, right? Emergence of cloud security, cloud computing, right? And so when we talk about VM as being a feature, VM is very important, right? We are one of the leaders in providing vulnerability management coverage for our customers.
Mm-hmm.
But what we've said is we are expanding to cover their full environment and to provide that ability of, am I vulnerable? Am I exposed? Am I at risk? Is something that in these cloud-centered environments, it's a different type of environment, but it's still the core proposition is, am I protected, or can someone exploit some of this environment that I'm relying on? Those cloud environments are very strategic and very critical, but those traditional workloads are still there, right? And that's where I think the last year, year and a half or so, a lot of customers, and I think some other vendors, have highlighted that it isn't going to be an all or nothing or a binary position, right? People will have cloud workloads.
They will be very strategic, but a lot of that legacy environment will continue to persist and need to be covered. So we think of VM as a feature of our platform. It's important to cover it. It's important to provide great security around it, but we believe the environment is more than just that traditional workload.
And then sort of the second pillar, if you will, which is also a big part of your business, is around, you know, how you're helping security operations teams.
Mm.
Right? Whether that be security and log analytics, managed detection and response. You know, we see this as a big opportunity
Mm-hmm.
$20 billion plus in spend.
Yeah. Yeah.
Talk a little bit about your positioning there, and how do you see that landscape changing in light of, you know, Cisco's acquisition of Splunk?
Yeah. You know, and Cisco's acquisition of Splunk, I think, is interesting because it really validates much of what the security industry has been trying to highlight. I would say we've been trying to highlight, is the importance of security data, the importance of understanding or contextualizing where risk is in your environment, and being able to do that. We set out, and people often ask me, obviously, is the platform new? I'd say really, from the early days, we felt like having access to the security data and being able to look across multiple data types, contextualize it, would be extremely valuable because, as we all know, data is often used to drive the insights that people need to make decisions, right? Security is no different, right?
If I can use data or leverage data across my attack surface, I can contextualize it, and then I can have and make better decisions on how to protect my environment. That's something most security teams would want to talk to you about, right?
Mm-hmm.
And so this idea of detecting and responding to potential threats or risks in your environment, at the core of that is this idea of using security data and analytics to help that security analyst proactively go out and prevent something from happening versus waiting or reacting to it. So, you know, the Splunk acquisition or, or even some of the other movements you see, and then we'll talk about AI in a bit, but you'll see increasingly this focus around security data. And I would say we, our assumption, right, from day one is that your security data would come from any number of sources. Again, from the endpoint to the cloud, we are going to be able to pull that data in, contextualize it, and use it to help security teams be more productive and more efficient.
Yeah, let's get into that then. You know, you've got the data coming from the endpoint, cloud, and other vectors that you're
Mm-hmm
you know, securing. How do you think of bringing all that data together, all that context together, and leveraging the power of Generative AI to really help streamline a lot of security operations today?
Yeah. Actually, Elizabeth and I, our head of investor relations, we were discussing this last night, and many of our customers would say they're overwhelmed with the amount of data in their environments, right? And in fact, most organizations, most vendors are in a similar place to try to pull all this data in to make smart decisions. So about, you know, machine learning, artificial intelligence, generative AI, generative AI is very exciting, but it is something that we have believed from the beginning, is the importance of AI, machine learning, and now generative AI will drive platform efficacy for us. And so we have a rich heritage and deep history in using AI.
We are now leveraging Generative AI to help us make again security teams more effective and also drive better security efficacy, right? Now, the part that most organizations I think aren't talking about, and this is an important aspect, is the data protections and security around that data. If it starts with the data, right, and something that when we built our platform, we were very sensitive to, is how do you protect data, right? Especially if it's customer data or that security data, and especially in a different geographic environments or different levels of regulatory requirements. We are very protective of running our models on our platform in a highly secure and highly protected environment.
We are not training other people's models on using our data, and that's one that, I think we'll see, I think, heightened levels of, not just awareness, but I would say auditability and protections around what people are doing with the data and how they're, how they're ensuring it's protected. So generative AI, we're very excited about it. We're seeing some really nice contributions, but it is something that we continue to be very thoughtful and careful about to ensure that we're doing it within our environment in a very secure and protected way.
Got it. So it sounds like you're exploring ways to use it within your product suite. How are you exploring ways to use it internally within your organization to improve the efficiency of your, you know, developer
Yeah.
salespeople or what have you?
Yeah, there is this, you know, I was chatting with someone yesterday. We have an office here locally, and we were talking about this very balance of applying Generative AI to help our customers, which we run some 24/7 global operations, and we see a lot of opportunity there. But then we also talked about internally, right? And you see some common use cases. One, if I'm a customer and I'm looking for quick response with a very contextualized answer to my problem, right? A lot of times, you'd have a person try to interpret and try to provide that tailored response. We're using Generative AI and some of the interactions.
I mean, these are things I think a lot of folks in the industry are talking about through chatbots or chat interfaces or, you know, React programming, if you will, right? That's a pretty standard one. I think the one that gets a little more interesting is when you start using it to drive more contextualized, tailored customer engagement, right? Which is around how do you get involved in kind of helping the customer or looking at something in their environment and being able to say, let's say you're a, let's say, a technical account manager, right?
If you could reach out to your customer and say, "Hey, I'd love to talk to you about what we're doing in this part of your environment, because it looks like something that I've noticed some of your level of protections or maybe some potential indications or vectors of potential compromise." And you can use AI to help not just improve the efficacy of security program, but actually delivered tailored account support, account engagement, that is gonna provide really nice value for the customer. But it'll also provide better leverage and scale for us to be able to figure out how best to allocate our people to provide value-added conversation. Personally, I think that's more exciting than talking about chatbots per se.
I think chatbots will be valuable, but I think when you can begin to really leverage that and apply it to the customer life cycle and begin to really drive points of inflection that are positive, that's where I think you'll see some of the Generative AI contributions.
Got it. Last AI question, then I'll open up the audience for any questions as well. You know, we talked a little bit about AI for your product suite, AI, how you're using internally. The other thing, which I think is unique to cybersecurity, is you have hackers leveraging these new AI tools. What are you seeing, you know, with 'cause you're obviously helping your customers respond to threats. What are you seeing in terms of the threatscape and sort of threat activity out there, and to what extent do you feel like that's bolstered by some of these new AI tools?
Yeah, I think you hit on this earlier, Hamza. I think the rate of ransomware attacks, something we track very closely is we call it emergent threats. We have a whole program around when a new threat is identified in the community, and we are seeing that rate go up pretty significantly. I think unfortunately, the bad guys are leveraging the technologies and AI as well, and they're getting increasingly sophisticated. They're getting increasingly focused on evading traditional prevention technologies. And something we've highlighted is that relying on prevention only is, I think, long proven now to be insufficient, right? And so, using a more detection-based approach is one that's critical because what I'd like to say is the security problem is unsolved.
Because the bad actors are leveraging things like AI, they are leveraging emergent technologies, they are leveraging new techniques to get into your environment. And so that's really where the ability to detect and respond to across this environment is really critical. And so, I personally think that will continue to increase, and I think we'll see more complexity. We'll see an expanding attack surface. And to your point, we will see attackers using more and more advanced techniques, and it will move from inconvenience to significant business disruption. I think we've seen some instances in the press where when that happens, people can get in and create serious disruptions of organizational you know, capacity or their ability to get have their jobs done.
Any questions from the audience? Okay. I guess it's still early in the morning. Maybe just going back to the most recent quarter. So, you know, the top-line results like clearly inflected. Your net new ARR accelerated quite meaningfully in Q3. We talked about a lot. We talked about the bundles, we talked about the improving sales productivity. What would you attribute that inflection to, right?
Mm.
Is it kind of all the above, and, you know, how much more room do you think you have to go when it comes to some of those initiatives that you've been obviously making progress towards over the last year?
Yeah. I think we see a stable demand environment, right?
Mm-hmm.
We've talked about not seeing a budget flush at the end of the year. When I think about our performance and our focus is on really continuing to help customers consolidate their dollars and drive their programs, right? When I think about our progress and how much room to go, I think we still have. I think it's a pretty exciting opportunity in front of us because, you know, security teams continue to be resource-constrained, right? Their ability to hire, their ability to train, and their ability to apply that talent to solve those problems continues to be under massive pressure, right? So as I said earlier, there is this contradictory dynamic going on, which is, as we were just talking about, the attack surface is getting worse in terms of fragmentation and complexity.
The attackers are leveraging more advanced things, but yet those budget environments are continuing to be tight. They continue to have CEO and CFO, really high levels of engagement, board involvement. So the profile of security is going up, but the budgets are still very tight. And so as we've said, Q4, we don't expect a budget flush, nor do we expect next year really much changing in the demand environment and in the overall budget environment. Security will be a top program, but it's not immune. And so I think we feel pretty good about our outlook.
We continue to hear from our customers that they need higher degrees of efficiency and efficacy, but we don't see any big changes in terms of their budgetary environments.
Got it. So very much execution driven
Mm
and product driven, and any upside in the demand environment will be sort of upside
Yeah, yeah
to report. Okay.
I think we've tried to be pretty consistent there, and I think to your point, some of the results have shown that consistency. We like to think of it as efficient gross growth or balanced growth, right? In this environment, you need to really, in our opinion, you need to be really thoughtful about how you're driving growth. Our efficiency and balanced growth approach, I think, is one where we believe we can double the free cash flow but still have a meaningful growth in the business.
Got it. On the profitability point, yeah, you mentioned doubling free cash flow next year. How do you think about sort of growth versus margins beyond
Mm
What you've targeted? I mean, is there a scenario where if you see yourself potentially growing, you know, 15% to 20% again, are you willing to trade off, you know, some margin for that? Or just given the demand environment that you're seeing right now, it's really a time to, you know, improve that profitability.
Yeah, I mean, the efficient growth model is one
Mm
that I think we've demonstrated, and it's one that we believe will continue to serve us well over, you know, especially in the foreseeable future. In this environment, the cost of that incremental growth just doesn't warrant it, right? And so I think that efficient growth, where you can still drive profitability, you can still drive great contribution and great performance within the business, and still continue to drive consolidation in our security, in the security programs with our customers, I think that's a win-win combo, right? And so we are very focused on efficient growth, and as you said, I think we've been able to dial that in, and be able to make sure that we can achieve those objectives.
But it is one I just you know, the cost of that incremental growth profile is just so high, and I think we've seen this environment really not reward organizations doing that.
Yeah. And you know, you're generating a lot of cash, I think over $150 million in free cash flow next year. What's sort of the plans for use of that cash? I know historically it's been more tuck-in M&A. Is there any, you know, opportunity to perhaps look at other opportunities to deploy that free cash flow beyond that?
Yeah. Well, first, I would say we're very much focused on our organic
Mm
engineering and tech investments. So it's something we used at times, M&A, to accelerate some of our efforts, but we don't believe we need to do any M&A, right? We believe we're well positioned. We have the technology stack. We've spent the last few years really getting that in place. Obviously, we always keep an eye out if something accelerates or is accretive. But you know, M&A is not something we need to do, right? The ability to continue to drive productivity and drive that balanced growth is really at the core, and I think that I think we said it's about doubling to about $160 million in free cash flow.
Mm-hmm.
Yeah. I'm sorry. So, you know, right now, I think that focus is on driving our free cash flow and then continuing to drive the productivity and performance within the company. We continue to see this balanced growth model. And so, you know, I think we'll be well positioned, if something changes in the macro environment, but we don't need it to change. Opportunistic around, if something presented itself in the M&A environment, we don't need it to have happen. So I think we feel very good about our position, and being able to kind of continue to drive that efficient growth model.
Got it. Last call for any questions in the audience, or, maybe I'll end with
Quiet group.
Yeah, I know. It's still early. Maybe I'll just end the year. Just, you know, what are some of the, maybe one or two things that you're most excited about going to 2024? Obviously, over the last year, there's been stabilization in the sales force, the new product bundles. Is it just a continuation of that, or is there something else, any new product cycle that you're particularly excited about going to 2024?
Yeah, I think it comes up. If we were here about a year ago
Mm-hmm
... I would've, I would be sitting here talking about the things we would need to go do to validate, and prove to investors and prove to community that we had a strong approach to having this balanced growth model and driving consolidation, everything we've been talking about. I think, as I sit here today, having that progress and performance we've had, really makes me more comfortable and more excited about the opportunity ahead because we have been able to demonstrate that, in fact, that there is value in doing what we're doing, and that customers are going to reward and really work with people like us that can help them get to those better outcomes we talked about, right? So that's kind of what I'm most excited about.
And our teams are excited, right? Our team is excited. We see this as a global opportunity. It's something that we're seeing around the world. And so I really think it's unlocking the opportunity, and having, you know, you have the right vision, right? The, having the right focus, the right execution, and the right delivery. I think that's being able to then just continue to focus on that, and I think we'll, we'll see that, we'll see that opportunity really manifest itself next year.
All right. Great, Andrew, thank you so much for your time.
Thank you.
Appreciate it.
I appreciate it.
All right.