Rapid7, Inc. (RPD)

Morgan Stanley’s Technology, Media & Telecom Conference 2024

Mar 5, 2024

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Good afternoon, everybody. Thank you for joining us. My name's Hamza. I'm the cybersecurity analyst here at Morgan Stanley. And with me, privileged to have Andrew Burton, President and COO of Rapid7. Andrew, thank you so much for joining us.

Andrew Burton
President and COO, Rapid7

Thank you for having me. For having us.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Before I get into it, just a brief programming note. For important disclosures, please see the Morgan Stanley Resource Disclosures website at www.morganstanley.com/resource-disclosures. With that, Andrew, maybe before we get into the weeds, you know, talk a little bit about Rapid7, the platform, as it's evolved in the last few years. What is it trying to solve? What do you mean when you talk about a broader platform for security operations?

Andrew Burton
President and COO, Rapid7

Sure. So first I start with a little bit of context around our target market or our ideal customer, which is, as we all know, security teams are under-resourced, they're over-leveraged, and the attack surface is expanding rapidly. So when we talk about security operations, it's really this idea of helping those teams operationalize their ability to understand what's going on in their environment, how they're being attacked, or what threats they're facing, and then how they can improve their security posture to manage, to more effectively manage and protect their organization, right? Our platform really has evolved on this idea of that to do that, first and foremost, you have to understand the attacker. You have to understand their techniques, their methods, and what they're doing.

And then you have to bring that insight to, first and foremost, to the SOC to help them do their job more effectively, higher efficacy and higher efficiency. And then by doing that, helping that expertise get transferred into their security posture and how you can help these teams improve their ability to protect their organization and address the risk that may or may not be existing in that organization's environment, right? So we've linked this idea of understanding the attacker, understanding what's going on in the environment, with their ability to improve their security posture, right? And connecting that is why we built our platform, because it ultimately requires rich visibility and understanding around the attacker, the attacker techniques, the data, and the environment, and bringing it all together for a team that's really struggling to understand how to do that.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Makes sense. So then there's really two bundles to which you go to market. There's a Managed Threat Complete.

Andrew Burton
President and COO, Rapid7

Yes.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

More around the threat detection and response side.

Andrew Burton
President and COO, Rapid7

Yep.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

There's a Cloud Risk Complete, which you talked about, improving security posture, things like the core vulnerability management, cloud security posture management, etc. So that's, that's super, super helpful. Maybe to level set, you know, there's been a lot of debate lately around best of breed versus platform, or platformization, as it's been called now. There's a big opportunity for you to consolidate security budgets, particularly within that mid-enterprise level. What are you seeing there? What is in the appetite for consolidation? Do you think it's going to be one vendor that dominates all the security budget? And how do you go about doing it while still maintaining best of breed?

Andrew Burton
President and COO, Rapid7

Yeah. Yeah, it's a great question. There has been a lot of debate recently, a lot of discussion about this dynamic. So first I always start with the customer, right? If you understand the environment in which the CISO is operating, we really focus on this mainstream enterprise, you know, environment, right, where there's a security team and they're struggling to keep up with this expanding, kind of threat facing their organization. So when we look at it through that lens, through the customer lens, what we see is a need for better outcomes, security outcomes, right? And this is not something new to Rapid7. We've been doing this, Hamza, as you know, for years now, talking about how do we improve the productivity of that security team?

The Managed Threat Complete offering was basically and is rooted in this idea of how do we help the SOC be more productive in understanding or detecting what's going on in their environment, contextualizing it, and then responding and preventing those things from getting in their environment, right? If you wanna call that platformization or consolidation, you know, fair enough. But for us, it's ultimately about making the SOC more productive, more effective in a world that's increasingly fragmented and threat levels are going up, right? So that's the first one. Now, the second one, to your point of, well, how do we capture and how do we get share of wallet, is that going to be, you know, many of these security programs have multiple vendors in there because they've tried to sell or deploy multiple tools.

And we look at it from ARR. Is there the value that's being realized, the outcome of better security operations? And that, to us, is a more integrated solution that allows for people to allocate dollars or percentage of their program to be more successful to support that. So in our approach, it does give an economic advantage, but the economic advantage is secondary to the value that they get, right? A lot of vendors out there are talking about, "We're gonna give away stuff for free." If I give you something for free but you don't see value in it, what's the purpose, right? Versus if I say, "Hey, I'm gonna give you great value and compelling economics," that is what our platform does and is something we've been doing for quite some time as we've talked about over the years.

So our really focus is on value or outcome for the security team and then allowing them to allocate dollars and budgets. By doing that, there will be consolidation down because customers or security teams will be more successful, and they'll partner with us on a longer-term basis and a more durable basis to help them get to those better outcomes.

All right. I mean, I think the other point that's come up, though, is, you know, there's a lot of legacy technical debt.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Mm-hmm.

In security SOCs today.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

And obviously, it's not easy to migrate or switch off of these vendors. So what are some of the things that, as a platform, you can do to ease those migration costs?

Andrew Burton
President and COO, Rapid7

Yeah. Yeah. So the first part is, I, you know, this dynamic where a lot of the security teams I talk with, they'll say, "Are they getting the levels of efficacy that they need to get, right? Are things getting caught? Are things getting dispositioned? And are the teams being successful?" So I think first we see a lot of failed SIEM deployments or managed service providers that don't have the level of coverage they need to have, right? So that's the first thing, right? Do they see a need? And then to your point, they're like, "Well, I'm invested quite heavily in these different tools, so I need some flexibility.

I need a great value proposition." So, this is something that, you know, we actually have really shown a lot of value in is allowing people to reallocate or allocate dollars across their programs to cover more of the environment. One of the best examples that we've used recently is we have vulnerability management as a feature within our platform offerings, right? So, we use an example. A customer could be spending, you know, let's call it, $100,000 in vulnerability management. We'll say, "Great. Still cover that VM program, right, coming over to Rapid7, but that's gonna be a feature of your broader offering, and we're also gonna extend your coverage into the SOC," right? So you'll get more coverage for those dollars. And likely, they're gonna spend a little bit more with us.

And so they could double to, let's say, $200,000, but they still get the VM coverage and they get the broader SOC coverage. So that's when we talk about having that value proposition of being able to have better economics with better value.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Got it. Just from a broader macro perspective, you know, we are seeing some mixed results from some vendors. I think on the network security side, there's that and that's not an area that you're in. There seems to be a bit of a slowdown. On just the traditional vulnerability management side, which is now, you know, less than probably 40% of your ARR now, if I'm correct, maybe there's been less of a prioritization. But in areas like XDR, EDR, you know, we've seen increased demand. So I'm just curious from a broader level, are you seeing any spending fatigue in security, number one? And number two, what are some of the main priorities in security right now, and how is Rapid7 levered to that?

Andrew Burton
President and COO, Rapid7

Yeah. I think by all measures, not just security but in IT, we're seeing people scrutinizing their spend and saying, "Are they getting the return of the value for that spend," right? And I think we saw it in the cloud workloads. You see it in IT infrastructure. You definitely see it in cyber. And so, that's something we've talked about quite a bit, and it's something that, we've said CFOs and CEOs are looking carefully at, right, which is not just, "Are you gonna get new spending?" but the spending you have today, is it allocated to the best places, right? And so, you know, I think first and foremost, that's where I'd start, right? Now, on top of that, then we look at, say, "Okay, where are we seeing participation rates?

Or, where are people, what's being prioritized?" To your other part of your question, we are seeing detection and response-based approaches being prioritized within security, right, because people effectively, you know, it kinda makes sense if you think about it as, "I need to understand in this threat environment what might be coming at me," and being able to have a full coverage of the environment. It's not just endpoint. It's not just the cloud. It's across my attack surface, right? And this is important 'cause there's some vendors out there talking about, "Well, we're gonna cover this or that." Our assumption is your data and your coverage needs to be across your attack surface, right, not just one part of it, right? And that was part of our approach.

And so when you look at that, I think that, that supports, that supports our thesis as well, right? And then and then finally, when you say, "Okay, it's being prioritized, it's important," there is continued to be, you know, we-we've talked about in, in CISOs are getting their budgets right in the year, but they're still heavily scrutinized, right? And for us, we still see these, these enterprise, this enterprise buying cycle. You see a little bit of Q2 and Q4 naturally become areas where, you know, CISOs are getting their budgets unlocked because the CFOs are able to have more fulsome view into their, their, their budget year, right? And so we've kinda talked about the scrutiny. We don't expect and nor should it go away. It's just more people really validating, "Am I getting value? Is it important?

Does it fit into my security and my spending priorities?"

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

On the detection and response side, to hone in on that for a little bit, we saw ransomware attacks almost double last year.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

You have AI creating more malware faster than ever before. Rapid7 does have an incident response business. Have you seen any inflection there as a result of that? And how does that drive conversation around adoption of the broader portfolio?

Andrew Burton
President and COO, Rapid7

Yeah. It is a great point. So as you said, threat level's going up, which is inherently raising the level of importance of people having a detection response program. If there's an incident, that naturally leads to somebody raising their hand saying, "Hey, I need some help," right? And so we see that dynamic definitely helping us, right? But to this point about, "Okay, how do we think about the value and the prioritization of this occurring?" Absolutely. In this threat environment, and having security teams that are under-resourced or overwhelmed, being able to augment those teams is critical, right? And so that is an important aspect of this, and being able to continue to kind of leverage that or look at that is important.

Now, so an IR program is really important, but it's also one that, as we've talked about in the past, will help us really demonstrate the value of a detection response program, which then helps us build our upsell, cross-sell strategy to a broader platform play as well, right? So it can be a point, but it's not the only point of our ability to land.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Got it. And just to clarify, IR program, you mean incident response?

Andrew Burton
President and COO, Rapid7

Yes.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

But also the Investor Relations.

Andrew Burton
President and COO, Rapid7

Yeah, yeah, yeah. Yes.

Important to clarify.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Both. So, you know, we talked a little bit about bundles. So, last year, you had simplified the product offering with the Managed Threat Complete and the Cloud Risk Complete. You talked a little bit about what's included in that. What was the impetus of this? And then talk a little bit about the progress there. You talked about, I think, $100 million of ARR coming from these bundles. How did that, you know, do relative to your expectations?

Andrew Burton
President and COO, Rapid7

Mm-hmm.

Mm-hmm. Yeah. I think, well, I'll answer the last part first. I think it's to the expectations. I looked at it through the lens of, "Are customers looking for it? Is that demand environment there?" And I think to the expectations, I think it matters has exceeded that as an area of importance. So that's good, right? As in terms of what led to it was, again, our core thesis. And this is, I know there's been a lot of commentary, especially in the last few weeks, about platformization and consolidation and all these things. But this was something that, as you may recall, it started with our next-gen SIEM, where we said, "Are customers getting to the outcomes they need?

Are they getting the productivity they wanna see?" And so, we had already been building out in our core product offerings this kind of core capability. I think when the macro environment and we started to see that shift that occurred, the number of CISOs and the percentage of the market that started looking for, "Hey, you know what? I in a tough economic environment, I need to really maximize every dollar," that was when we saw that begin to really come to the forefront, right? Now, as you said this earlier, and I probably should have highlighted it, is it doesn't mean you sacrifice quality. You have to have, you know, you have to have great coverage and great quality. That's not debatable, right?

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

But now you get this question of, in a macro environment, you get this idea of like, "Well, now I'm really being scrutinized." And as we all know, security and cyber is raised at the board level. It's raised at the CEO level. So people inherently wanna know, "Am I getting the returns? Am I getting the coverage I need?" But then you get this pressured macro where people are looking at, "Have I bought technology? Or have I actually utilized, deployed, and gotten to the outcome," right? And that, I think, is not gonna go away, right? I think it will be something that, rightfully, in our opinion, should be heavily scrutinized and looked at across our industry is the rate of technology being spent versus its level of consumption and utilization to get the value, right?

Andrew Burton
President and COO, Rapid7

So I think that'll go up. And it's the packages, as you said, that's what led to them. And I think we are seeing some really nice, continued demand for this. And it's continuing to support not just continuing to drive that strategy, but now we're starting, Hamza, to layer on additional offerings that sit on top of those offerings so we can begin to kinda think of stair-stepping, right, 15%-20% more uplift and offering more value, more outcome, and better economics.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Got it. So when a customer does buy the bundle with you, what does it look like from a growth retention standpoint, net retention standpoint? Are they more willing to expand with you as a result of that? I know it's early, but anything.

Andrew Burton
President and COO, Rapid7

Yeah. No, it's a good example. I mean, so one of our, we've talked quite a bit about focusing on our, our customer base. So this largely VM customer base, right, we've been able to go to them and say, "Hey, take a spend level at let's use my round number example, $100,000 of VM," and say, "Okay, well, for $200,000, I can cover your VM and as well as your SOC, right, your security operations." So that's MTC, right? So retention goes up. Our ASP goes up. The ARR per customer goes up. And then now we're offering additional, we just announced Managed Digital Risk. So you'll see that now as a stair-step that we'll put on top. And we'll be able to talk about that as a value-added, you know, expansion opportunity as well, right?

So, that's into the customer base. One of the things that I think we've also talked about with new logos is seeing higher win rates, right, so more productive sales force, our ability to not just convert them but retain them. And then they actually provide also opportunity for us to stair-step into and do expanded value.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

So when you talk about Managed Threat Complete, you know, obviously, a lot of things come to mind. There’s a next-gen SIEM. There’s the managed detection response portfolio around that. You know, I think Corey’s been very thoughtful about, and, and as you as well, have been very thoughtful about expanding into the SOC budget. Is it should we think about it as a SIEM replacement? Or is the view that we’ll augment the SIEM initially and then over time expand within the SOC and perhaps consume the SIEM?

Andrew Burton
President and COO, Rapid7

Yeah. I you know, I think it's a little bit of both, right? So let me start with a lot of folks deployed SIEMs.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Mm-hmm.

Andrew Burton
President and COO, Rapid7

And say, "Well, this is gonna be my SOC tool." And we just found that the legacy SIEM was not built to be or designed or architected to be in a detection-first approach, right? So I think a lot of that SIEM market is turning over effectively. And there's realization that you need to be a detection-first strategy, right? We were, I would say, if not the first one of the first to really lead with that, right? So I think you will see and I think we will continue to see some of that SIEM market turnover as people realize they need something that's purpose-built for the SOC, right?

Now, to the second part of that, you say, "Okay, now if I've got something that's inherently detection-based, do I have an opportunity to expand what I can do for the security operations team?" And I would say, "Absolutely," right? So things we've been able to do around enriching the ability for that security operations analyst - and we did this with our InsightIDR offering - is bring more in context to the challenge they're facing, right? If you think about a simple example, you're a security operations analyst. You're facing all of these alerts and notifications of potential detections. What do you need? You need context so you can process and understand what's going on, right? So we talk about enrichment, right, and adding capabilities to enrich the experience for the SOC analyst to be more effective, right?

So first is detection. Second is enrichment. The third is disposition. "Okay, now I'm able to make an informed decision of what I need to do. So I wanna make sure I get that right." And then being able to then connect that to what those, those teams are gonna work with. One of the biggest things I get asked about is, "This is not about having the SOC necessarily manage your posture. It's allowing them to provide that insight to those other security teams or the cloud ops teams or the infrastructure ops teams to be able to adjust their security posture accordingly," right? So that's when you think about disposition leads to action or remediation. And so that's when you think about that workflow, is where the SIEM is an important element.

We've talked about our ability to really be successful there. But there is this opportunity, this macro opportunity, this longer-term opportunity to continue to drive better coverage, efficacy, and protection through connecting these things together. And we could talk about AI if you want. But you know, I think that comes into play. But it is something that is, I think, very compelling for a lot of the customers we've chatted with.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Yeah. Let's talk a little about AI, obviously, topic du jour. I think there's a couple, you know, somewhat unique things with Rapid7. One is using generative AI to and you've been using, I'm sure, AI for a long time.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

to automate the security operations.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Capabilities that you offer to customers. But then also, using generative AI to make your SOC analysts.

Andrew Burton
President and COO, Rapid7

Mm-hmm.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

For the managed services more efficient.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Maybe talk a little bit about both those angles.

Andrew Burton
President and COO, Rapid7

Yeah. No, it's great. And so I'll use that same context, right, of as you said, AI. You've got ML. You've got LLMs. And you got, you know, everything else in between, right? So we use it at each layer of each step of what I was describing earlier. So the first, are we able to detect and pick up things in the environment, right? We've been using ML and AI in there. Absolutely. We continue to enrich that, make that stronger. The adding context where we see a lot of the LLMs models really helping us contextualize and draw connections that previously an analyst, expensive analyst, would often have to do.

And so you can begin to see maybe some leverage we'll get there as we as well as higher rates of contextualizing where things should be assessed or identified, right? The third one is the one I think you hit on where traditional interactive-based, you know, some of the LLM stuff comes in, which is now as an analyst, if I wanna interact with and understand more about what's going on and begin to actually, you know, something's been detected, something's been contextualized, and now I need to start taking action on it, traditionally, that would be someone that'd be a highly trained individual that you'd spend a lot of time with. That's where a lot of the LLM or the chat-based tools come into play, right, where now you can start interacting.

Now, that can be in our SOC. It can be our partner SOC. So we can extend that out to our partners, to our, our MSSP partners and other partners, and to our customers, right? Now, we have, as you said, been running these AI models for, for quite some time. The beautiful part of what we have is we, we run 24/7 our own global SOC. So we know and we're able to use and deploy these technologies, pilot them, get them to the rates we wanna see, level of efficacy and coverage. And then we can begin to deploy them into our ecosystem, our partner ecosystem, and our customer ecosystem. But we've walked in as they say, we, we've walked in their shoes, first so that then we can then make sure that they're getting what they need, right?

So that's where you get that on the ability to just contextualize but also be able to, to interact or understand what you're looking at, right? Now, the fourth one is one that I think doesn't get a ton of attention, which is you can also use the AI models to ensure your quality and levels of efficacy are maintained, right? 'Cause the biggest risk that you run into is, "Okay, I'm addressing this. But am I elevating my standard for my security program?" And the AI models, think of that as they're a backplane to not only detect stuff, not only contextualize stuff, help your analysts be more productive, but also ensure that your levels of quality are not, you know, they're not going down the weekends or nights or whatever the case may be.

So you're able to make sure what do we know? Like, security, you only have to get it wrong once, and you're in trouble. That's where the AI models really begin to, continue to elevate your, your levels of quality and standard of care around making sure that your security program or your SOC is operating effectively.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Yeah. And then maybe one more question on, on that front before opening up to the audience. But, you know, I think we've seen, among a lot of MSSPs and MDR firms.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

That you compete with, the customer satisfaction has gone down a bit 'cause it's so hard to get high-quality security analysts.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Right? You gotta pay sometimes $250,000 plus.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

If not more. So when you think about using generative AI or AI within, internally, how is it improving the utilization rate of the security analysts that you're offering as the.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Part of your managed services business?

Andrew Burton
President and COO, Rapid7

Yeah. I think it's very exciting. I'll just say it that way. It's exciting because, one, we can make sure that the customer is getting to the level of protection they need. Two, you mentioned the cost, right? These analysts are really expensive. And there's only so many of them, right? So we can actually begin to elevate and automate some of that level of protection and get leverage in our model more effectively. So the simple, you know, let's call it rule of thumb is operating a service at product gross margins, right? And that's something where over time not overnight, but over time, we believe that AI really becomes an enabler. And not just for the SOC, but you see this with engineering, right, software engineering, right?

We're seeing this more and more every day where people are using AI to help software developers be more productive. We'll see that. You'll see the ability to make SOC analysts more productive, right? That's an area, right? The ability for us to really drive more effectiveness throughout the security lifecycle, right? So I think this is gonna be something over time that we'll see those productivity gains but not at the expense of quality, not at the expense of coverage.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Mm-hmm.

Andrew Burton
President and COO, Rapid7

Which is why I get excited, right? Because traditionally, as you said, a lot of MSSPs, they're trying to get to stronger economic models. But the dissatisfaction starts to kick in.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Mm-hmm.

Andrew Burton
President and COO, Rapid7

And so then they see customer churn. Well, this is really this imagine, you know, an environment where you can improve sat, improve coverage, but also have improving economics. So that's why I get excited.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Yeah. That's super exciting. Any questions from the audience before I continue? Definitely have a lot more. Okay. I wanna dig into Cloud Risk Complete. So there's the vulnerability management side where you've been a leader in for a while. Then there's the cloud security side. I had an investor earlier ask me, "Hey, how does Rapid7 compete in the cloud security market?"

Andrew Burton
President and COO, Rapid7

Mm-hmm.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

One, do you feel like you have a full cloud security portfolio or, with Gartner terms, as CNAPP? And, you know, what's sort of the growth trajectory there these days?

Andrew Burton
President and COO, Rapid7

Yeah. So the simple answer, I would say, yes, right? But I think it's a little more nuanced. A lot of the cloud security spend has occurred in cloud-native environments, right? And that's where early adopters naturally go, right?

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Mm-hmm.

Andrew Burton
President and COO, Rapid7

CNAPP or CSPM and the cloud workload protection, you know, there's these various capabilities in the cloud that are consolidating into more singular offerings, right? Our thesis has been and we have the CSPM capabilities. We have the workload protection. We have the entitlements management. So we have but our belief is that the CISO it needs to look across their environment, of which the cloud is a critical element. But it's not the only element, right? And so what you'll see and I think you'll see this with our VM base where customers say, "I need to assess my workloads." Great. As the cloud becomes more broader, penetrated in these environments, CISOs wanna know, "What is their security risk? What does that posture look like across the environment?"

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Mm-hmm.

Andrew Burton
President and COO, Rapid7

So I would say not only do we have the cloud security capabilities, but we're extending it so that it doesn't stop or just start only in the cloud environment, right? It goes across their environment. So in a multi-cloud environment as well as a traditional environment, we can contextualize risk. We can help them understand their security posture and understand how to address it, right? And so that is an important element. Yes, we have the cloud security elements. But we believe the broader opportunity is and the right to participate in the market longer term will be based on two things: broader risk plane with a really favorable value economic proposition, right? I think there is this some dynamics out in the market where people have price maximized in cloud security.

Our belief is always, "This is gonna be a component of your security program, not the entirety of your program."

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

All right. I think we have a question here.

Saket Kalia
Senior Equity Research Analyst, Barclays

You guys have re-engineered your cost structure in the last year. Looking at kind of the year-over-year improvement in profitability into you know last year, and you talked about doubling profitability, you know, this year more than at least doubling this year, there's a lot of like one-time restructuring elements to that. As we think about go forward building on 2024 base, what should be kind of the ongoing expectation of how much revenue growth translates into, you know, call it EBITDA margins or free cash flow?

Andrew Burton
President and COO, Rapid7

Yeah. I'll set a little context in case folks in the room are not familiar. So last year, we did a restructuring. And what the reason we did that is we wanna set up what we're framing as balanced growth or profitability and growth story, right, being able to have both levers. So when we did that, we felt like it was one, was being able to do some restructuring in the company to help support that more efficient and durable growth model but also have more efficient and durable profitability, right? So we talked about doubling our free cash flow. And our free cash flow is largely driven off our function of our ARR, right, ARR growth.

But it is, we have said that the growth that I think many folks were chasing previously, and including ourselves, was very expensive growth. And so what we said is our backstop, we're having that profit profile will allow us to continue to grow. But if we see the macro changing, right, we'll be able to pursue growth efficiently. But we don't need that to change. So I think we've set up the model to allow for both levers to be able to be balanced off each other. And then when we look at the longer-term opportunity, I think we've said the current environment is stable.

But as we start looking at the back half of this year and we look at next year, we believe that, that efficient growth, we can re-accelerate because we'll be able to drive some of this pricing and packaging and consolidation effort out of our base.

Saket Kalia
Senior Equity Research Analyst, Barclays

Some of your competitors have, you know, margins in the, you know, high 30s, 40%. Could it be reasonable to expect contribution margins on growth kind of beyond this year to be in that range?

Andrew Burton
President and COO, Rapid7

I would say our, our long term, we're going to continue to drive our, our margin or free cash flow growth. I think we haven't gone beyond our current model to talk about the specific targets yet. We're having a discussion internally about when we'll update those. But I'd say we feel very good about this balance between the growth and profitability targets.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

All right. Good answer. Just on some of the structural improvements that you're making on the profitability line, it sounds like sales productivity is a big one 'cause.

Andrew Burton
President and COO, Rapid7

Mm-hmm.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

You know, you've been able to continue to grow at a healthy, you know, low maintenance rate, despite what was, you know, a significant headcount reduction last year. So talk a little bit about that. You know, now that you have salespeople selling more stuff, effectively, how is that driving more sales and marketing leverage?

Andrew Burton
President and COO, Rapid7

Yeah. I think it's twofold, Hamza. Well, first is, like you said, we needed it to right size to get the right structure, not just in sales but across business and in place. And we feel like with our sales engine, that was really rooted around our platform go-to-market, right, and driving a dominant land and dominant expand motion. So make sure everybody's really successful at doing that. Two is, as we look at this year, we look at that productivity on a per-head basis. We feel very comfortable with the room we have. And we look at productivity on a per-head basis over a multi-period basis. It's something we look at by market, by segment, you know, etc. And so we feel like we're set up well to continue to manage that near-term opportunity for growth using our current investment levels, right?

And then, at longer term, if we see that landscape start to change, we can add capacity if we need to. But we don't have to in this current profile, right? So, it's rooted, one, in the team. Two, in the go-to-market or the offerings that we bring to market, which is largely what we introduced in 2023. And now we're seeing a lot of higher win rates and productivity rates there. And then, three, it sets us up for that longer-term durable kind of growth and profitability profile.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Yeah. The other thing I wanted to double-click on that you mentioned, which I thought was really important, was the gross margin side, right?

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

There is a services element, in Rapid7 to the revenue stream. Getting those services gross margins to product gross margins over time.

Andrew Burton
President and COO, Rapid7

Yeah.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Talk a little bit about some of the structural improvements you're making there?

Andrew Burton
President and COO, Rapid7

Yeah. I think there's been a few areas. So the part of the restructuring with the restructures were not just on the go-to-market side. It was also on some of the engineering side. And, you know, we had made some acquisitions over the years. And we reconciled that into a more singular engineering organization, a more singular operations team, right? So we've kind of brought that together and kind of unified that structurally. And I think that's something that we'll be able and we've operationalized on a go forward basis, right? Two is, I think our investments in our innovation centers, we have innovation centers, we're opening up around the world, lower-cost locations. So I think we'll begin to see, you know, that contribution as well.

And then, three, I think some of the productivity on the engineer per engineer basis, we talked a little bit about some of the AI stuff. But I think, in general, being able to really operationalize this idea of the contribution of, where we build something, at what cost profile, and what levels of productivity, right? So we'll see that, I think increasingly be something, you know, we'll be doing. But also, I think you see a lot more of it in the industry as well.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Last question for me. There are not a lot of public cybersecurity or software companies in general that are growing 30%, let alone 20%.

Andrew Burton
President and COO, Rapid7

Mm-hmm.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

You know, I think the majority of the sector is not growing 20% on the public side these days. I'm curious, you know, as you look out longer term. I'm not asking for longer-term targets here. But is the ambition to get back to a 20% top-line growth, so when you think about balancing growth and profitability, if you can get to 20% growth again, do you see the need to maybe invest more, towards that?

Andrew Burton
President and COO, Rapid7

Yeah. I'll answer it first. We believe we've got a durable and differentiated advantage in our strategy. So, you know, first thing you gotta look at is, are we well-positioned? Two is, are we participating in markets that are important and valuable for security teams? Then, three, how is our right to win gonna be more favorable over time? And I would say yes on all three of those points, right? Our longer-term target model is something we'll be updating. But I think we've said, "Hey, we still believe over time, that Rule of 40 is still our north star," right? Now, that balance between growth and profitability, we haven't talked about specific targets there per se.

But I do believe and we do believe that re-accelerating growth would be important. And the ARR growth is what will help us drive that free cash flow growth, right? So, you know, I think we do believe and I think we have set up well using these platform offerings, using this ability to drive more into our install base and deliver more value, sets us up in the long term. We've also talked about allocating or spending or investing in our R&D line to help support that so that we're able to drive, mid- and long-term, growth in our product strategy.

Hamza Fodderwala
Executive Director and Lead Cybersecurity Analyst, Morgan Stanley

Okay. Great. Andrew, Elizabeth, thank you so much for joining us. Thank you for everyone coming.

Thank you.

All right.
