We are super excited to welcome back Rapid7. Been a lot of years here at this point. We got CEO Corey Thomas and Sunil Shah, SVP, Head of Finance. Thank you guys both so much for coming. Maybe to get started here, can you guys just talk broadly about the demand environment and how it's trended throughout the years? And then, you know, six weeks into fourth quarter, kind of what are you seeing to date? And what historically has been the benefit of a Q4 budget flush?
Yeah, and so I think the demand environment I would characterize as a growing gap between what CISOs need and the pace of the funding that they actually get. You know, you saw the environment get incrementally more, I would just say, diligent in procurement engaged last year. This year, we've actually seen, especially for larger deals, it's just taking a lot more time for CISOs to actually get funding for the projects that they're actually looking for. And so it's an ongoing theme, and it's an ongoing stressor in the security community, is about how people actually think about sort of like the, can they actually get the funding to actually do their jobs and do their jobs well? And you can juxtapose that against the compliance environment and a lot of other stuff.
As we actually sit in, what I would just say is that, you know, historically, we've actually seen Q4 budget flush. It's not one that we're expecting a budget flush sort of like environment this year. We still see lots of organizations in belt tightening mode and trying to figure out the pace of how they unlock the projects and the backlogs that they already have.
When we're thinking about belt tightening mode, sometimes with that comes deal elongation. When kind of thinking about that through like different segments, regions, like where are you seeing the most pressure on budgets? How much does it differ between the enterprise and the SMB?
You know, it's a good one. So I think one of the challenges that we have right now is we've slowly shifted, is we took a, as we rebuilt our risk, our integrated risk offering this year. You can think about we actually actively stopped selling our VM and our cloud solution as we were rebuilding Exposure Command. That put some pressure on growth this year. And so we became more weighted towards our detection and response business, which are larger deals in volume. So I would just say around, there's two things is that yes, you have some deal elongation, but we've also had a higher mix towards larger deals. Like in Q4, this is the first time ever that we have over half of our pipeline in deals be over $100,000 in deal sizes. Meaning that over half the pipeline is larger deals in orientation to pipeline.
One, we're actually mixed shifting up. Now, as we've launched Exposure Command, hopefully that actually balances it out as we actually go into next year as we see that pipeline accelerate. But we actually are sort of more larger deal weighted right now. And then the second factor is that in those larger deals, we are seeing elongated deal cycles. I would say it's more weighted in North America right now. But you know, we see it around the world, incremental pressure on people sort of like timing their budgets and getting their budgets. One of the things we talked about at the end of Q3 is we saw some deal slips, they actually closed in October. And so that's good, but we're still seeing people sort of like having to actually get budgets approved. It's taken longer and longer to actually get the budgets approved.
Yeah. Maybe thinking of kind of a natural follow-up to that, when you're talking about larger, more strategic, more complex deals, how much of that is, are you able to fix internally by like your go-to-market versus how much of that is just the nature of larger deals have more products?
It's the nature of larger deals. I mean, like you don't, if you look across the space, I don't think our trends that we're seeing are materially different. When I talk to both partners, we do a lot of business through partners, our deal dynamics are not that mysteriously different. It shifted up so that's actually added some pressure. I think the internal dynamic that we can actually address is actually just having a larger volume of transactional deals and volume deals. I think we get more of that from the Exposure Command upgrades. So one of our big focuses is upgrading our VM installed base to Exposure Command. And I think we see that opportunity for that volume, and that pipeline is actually built quite nicely up overall.
But that's the thing that we can control is actually having a healthy mix of expansion business that we get from upgrading the traditional vulnerability management install base. But you know, you don't want to, it's a good thing that we moved up there. I mean, the one thing I would just say is to be clear, we moved up the priority stack. Now, the cost of that is that as we actually, and we've gotten more efficient, the cost of that is as we moved up the priority stack, we actually have drifted to larger and larger deals. They have longer cycles. And as you're actually mix shifting to larger deals with longer cycles, that actually puts pressure on growth in a defined timeframe when you're in the period of that mix shift overall.
Yeah. And so I'm sure a lot of these dynamics we're talking about go into this, but in the quarter you lowered the ARR and Free Cash Flow guide. Could you just talk to us about kind of the assumptions that go into that guidance and then where you build confidence when you look at it?
Yeah. So the assumptions are that this year you're seeing deal cycles be longer than last year. You know, as an example, is that if you look at the same pipeline construction model that we actually had, we're not seeing close rates materially change on average. We are seeing them taking longer. So if the close cycles and the close rates were the same as you actually had last year, we wouldn't have lower guidance.
What we've seen is it be tighter this year and take longer this year. And so, you know, our big decision was, do we assume it's like last year, in which case we feel pretty good about it, or we actually follow the trends that we saw in Q2 and Q3 of this year, where things just took a lot longer. And so our guidance is anchored on sort of like it being closer to Q2 and Q3, because that's the dynamics that we're seeing in the markets when we actually talk to customers.
Yeah. So we're talking more about timing than, right, than deals or pipeline.
Yeah, we're talking about timing. Look, but the other piece of it, just to be clear, is that there's two dynamics. So one, for Q4, it's primarily a timing thing, because the pipeline we have is the pipeline we expected. The retention rates we have is the retention rate we expected. That's a, we actually have a larger set of deals, and we assumed it would be closer to last year's on the close rate, and we don't think that's the case based on Q2 and Q3.
So that is sort of like more of a timing issue. If you look at growth overall this year, that is actually more weighed down by the fact that we actually paused. I emphasize the word paused, the active selling of our risk category as we were actually refactoring Exposure Command coming into the year. And that had a bigger, like we expected it to have an impact. It had a slightly bigger impact than we expected. We talked about that in Q2, but the Q4 dynamic is much more about timing.
And that kind of leads us right into talking more about the verticals. So when we're thinking about the growth opportunities across the Insight Platform, so there's core VM, next-gen SIEM, threat intelligence, exposure management. I'm not going to read the entire list here, but can you just talk about the pillars and how you think about them when you're building out a growth trajectory and where your biggest opportunities are?
Our entire, not entire, a big part of our strategy was predicated on the assumption that, one, you know, vulnerability management thrived in an on-premise world, and you actually had to move higher up the value stack. And so we've been really focused on the reorientation around that. We've been wildly successful at D&R, which is approaching like half of the business. And so that has actually been a successful reorientation, which we think has growth rates that are healthy. You can look at what Gartner and others say about it, but it's a healthy teenage growth rates that we're actually gaining, we're taking share, and we're going quite well there.
And then in the risk business, we thought we had to do a fundamental reorientation of the value proposition and shift it away from a traditional collect and report model of vulnerability management, where it's a collect and integrate and organize the attack surface point of view that actually moved us higher in the priority stack. And I would just say that was the accelerated focus of what we did with Exposure Command this year. And I think we feel good about the early indicators of that. Of course, it's something that we didn't start selling to late Q3. We're still going through the channel enablement, but I would just say the pipeline build and the early conversion rates off that are better than expected.
But those are the two big anchor tendencies sort of like, how do you actually get a view of your attack surface from an overall risk and tracking and management perspective? So this integrated view of the attack surface is the first one. And then the second piece of it is, how do you actually make sure that you monitor that attack surface for attacks, which is our core detection and response focus? Those are the pillars. Everything else supports around it. So we've been rationalizing and simplifying is how do we track the attack surface and have an integrated view of the attack surface? And then how do we monitor that attack surface?
Yeah. And maybe building off what you just said, so it's a 70% increase in the pipeline since Q2 for Exposure Command. I guess both like, what is resonating so well, but like also what's the pain point?
Right. Oh, yeah. The pain point right now is that, and it's easy to talk about the pain points that explains what's resonating well. Right now, most customers have to be a systems integrator to figure out what's happening in their attack surface. So like, you know, like the thing that we always got, and we were trying to figure out how to deal with it, it's like at Rapid7, you know, work with Splunk, but how do you actually reconcile that like you say, I have this many assets or this many identities in my environment, but Okta says this, or CrowdStrike are sending one or tracking this many things that actually have my directory services says this. And so customers had to be the systems integrator.
So if you think about it, we were a data source for what was happening in the environment, but customers didn't have to rationalize that data source, and they had to actually figure out how to actually reconcile our data with all the other data points that they actually have in the environment. And so one of the things that we actually realized, we said, "Listen, the opportunity to be higher in the value stack is not to just be another data source of which vulnerability management, even cloud security, is just another data source." And so our goal was like, "Okay, how do we become the trusted system of record about what's happening in your environment?"
That's providing both high quality data, but then integrating all the other data sources and doing that systems integration work that actually sort of like tracks what's truly happening in the environment from both our data, but also all the other security telemetry that customers have that paints a picture of both the attack surface and the evolution. In my view, this is always a more strategic problem to actually be a system of record and an integration source than just another input source of data.
So part of the pain that we're addressing is customers actually have to manually reconcile what's happening in their environment from multiple data sources. We're providing a low cost, highly efficient source of data, but most importantly now we're integrating all the other sources of data in the environment to paint a picture of what's happening with their attack surface. That's the thing that resonates with customers.
Yeah, no, absolutely. And you keep using this term value stack. Like when you're talking to customers, and this is always a question we get around prioritization, what do you think is at the top of the value stack for your customers right now?
Yeah. So it is right now the way that I think about the value stack and how customers sort of operationalize it is, you know, at the very top, they have the stuff that they actually don't function without. So this is part of why identity has to be like, so like you can't function without it. Then it's the stuff that like you both should do and you must do, or you actually just aren't sort of like relevant. So think about this as the core detection and response, sort of like part of the story. Then, you know, you have the risk stuff, which is stuff you should do, but like you're actually calculating how much of it you actually have to do. And so this is where we actually sort of like, you know, you can think about cloud security, vulnerability management, sort of all that.
And then you have a bunch of ancillary stuff. And so where we've reoriented, you know, for is sort of like, okay, is if you think about the reorientation, one, we've actually had now approaching half of our business that is in the detection and response area, which is actually in the must do, because I must sort of like, I must manage attacks in my environment. I must have it. Like I'm negligent if I do that. What we wanted to get away from is the part of the risk that was subjective about like, I should do it, but like, can I defer some of it, which is actually painful. And so what we're doing and what we're focused on, and I'll just say, look, we've done the initial release.
We have a pretty aggressive one, but when we finish with Exposure Command, and we've seen great success with the initial release, it actually moves up because it's not just on the risk of like what I should do. It is sort of capturing sort of like, it is the engine by which you answer like, what is my attack surface? Am I compliant? What are the things? And so you move into the critical part of that risk stack, which is not just another data source.
The problem is if you're just another data source, you're in the, all right, do I really need to do this? Versus if you're in the part of that risk source where like, we are the source of truth about what's happening, how do you actually look at compliance? How do you actually track against that? That puts it in the must do part of the risk bucket, and that's where we're actually really focused.
Yeah. And then, I mean, so we talked about the strong pipeline growth and Exposure Command, but you're also talking about really strong pipeline overall compared to last year.
Yes. Well, I would just say, look, I mean, we had, just to be clear, we restructured last year to actually make ourselves more efficient on a demand generation front under the assumption, which turned out to be wrong, that 2024 would have the same customer dynamics as 2023. We talked about what's different about those customer dynamics. But just to be clear, we did cut back on some of our pipeline generation and demand generation. We did actually pause the active selling of some of our risk solutions around VM and cloud.
And so we did actually face pipeline pressures for most of the year. What I've said is that we've actually recovered sort of like that now, and we're in a growth mode on that going into next year. But this year was a pressured environment on pipeline. Now, we expected it to be pressured in some ways. I mean, but we did not expect it to be pressured and have longer deal cycles, which exacerbated some of the pressure. Now we're actually in a place where we're actually building up, entering next year in a better position than we entered this year.
It's a tech conference in 2024, so we switched to GenAI.
Absolutely. We cannot have that at all.
I've always thought of Rapid7 as some of the core capabilities, always centering on automation and ease of use, usability.
Yeah.
Can you just talk about your GenAI strategy? Because it feels like that could lend itself to both of those kind of historic strengths.
It does. I mean, look, we're really excited by it. There's two big areas. So one, if you think about sort of like, do I know what my, you know, we are now, and this is part of why we really were accelerating and pushing to be the integrated source of truth and the system of record for what the attack surface is. And frankly, processing all the security telemetry, not just our data, competitors' data, adjacent data. Because now with GenAI, we can actually start solving some pretty interesting problems around how do people think about like regulatory compliance, how do actually people think about risk in ways that scale in ways that I would just say the GRC market, the governance risk and compliance market never could before. Because we live in a more and more fragmented world.
I mean, like, you know, like if you just look at the quantum of compliance regimes, forget the U.S. Like, I mean, forget the U.S. federal government. Just look at the state level, look at the countries around the world, look at the E.U., look at what's happening country by country. Global organizations and even non- and even regional organizations are having a massive burden that's actually being applied. When we just had our customer advisory board meeting and we were reviewing like the Exposure Command strategy, you know, one of the top things our customers asked us to accept, and we get to some previews of this GenAI approach to compliance, and like the number one thing is customers, you know, we're saying one, we want to actually be alpha and beta customers of it.
But two, they're just like, hey, you need to be done before you start releasing it. That's the type of regulatory pressure that people come up. Regulatory pressure has not been a big tailwind in the security industry historically. I think you're going to see a much bigger pressure over the next several years on the regulatory pressure. So GenAI plays a massive factor in helping people like manage the regulatory pressure that they actually find in the environment. The biggest area though, that probably we think that we can solve more customer problems is in that growing half of the business is detection and response. And so when you look at detection and response, most customers are only monitoring a fraction of the environment today. And the way, because SOC analysts are precious, they're expensive.
And it's even in an automated, like the scale that you actually get from that's not high. The ability to actually do automated investigations leveraging GenAI, I think will allow us to unlock the ability to manage the full environment. And that's definitely the largest GenAI bet we have. Now, you know, our team would say, look, it's still a combination of GenAI, machine learning, and automation. Because there's still lots of stuff that can be automated. GenAI plays a key role in the forensic analysis and the investigation portion of saying, we see this happening in the environment. What are the options for what this could mean? And so GenAI plays a lot of work for doing the research around sort of like those things in an automated fashion. But machine learning still plays a role. So like our team is taking a GenAI, machine learning, and automation approach.
But the goal is to actually say like, okay, if I have, you know, a security operations center of like 30, 40 people, and they're tracking and they're monitoring like, you know, 20% of the environment, which is the reality. No one looks at 100% of that security telemetry. How do we actually take those, you know, over time, and we don't say this talking, but how do you actually take that down to sort of like, instead of 30 people, it's 20 people, and they're monitoring 100% of the environment? That's the goal we want to get to, where it's both more cost efficient, but you're actually monitoring more of the environment at scale. That's what we're unlocking with GenAI, and again, with automation and machine learning.
And then we're obviously, you know, early to be talking about GenAI products, but when we talk about your pipeline reaccelerating, how often in a customer conversation, a new customer, are they focused on what is your GenAI strategy, like future proofing, wanting to know that they're picking someone for a longer duration?
Keep in mind, we tend to sell to customers that are historically budget constrained, and so we've always focused on like to be the productivity solution. Now, I mean, those customers are having a hard time right now, which is why we see some of the pressures that we actually do, but most of those customers are looking at like, how do you help me save cost and get operational scale? And so I would just say GenAI is part of what we address and talk about, but they're more concerned about like how they get operational scale. They're just like, look, I can't hire or I have to cut people.
How are you going to actually help me be? You know, I had a, you know, I had an interesting call yesterday with someone who was actually saying, like, I got to figure out how to do more with less, and they were just like, literally the call was brainstorm with me and help me figure out, like, help my team figure out how to do more with less because we're pretty stressed out about, like, how we actually are going to manage this dynamic. That's more of the cycle, and so I would just say AI is a factor. GenAI is a factor, but they're trying to figure out how to do more with less, which is the most important thing.
And then maybe sticking on go-to-market, 90% of new ARR bookings came through the partner channel. How do you think, I guess, about managing that channel over time and kind of the right percentage?
I think it's less about the percentage. Look, I think one of the big bets we made last year was to actually drive efficiency in our go-to-market and our sales and marketing engine and leverage partners more. We thought that was an opportunity to actually get more efficient overall. So I think it's less of what goes through. It's more about like how does a partner and channel do and help us actually build, find opportunities, manage those opportunities, and drive efficiency and overall sales force. I would just say that's trending in the right direction. We're still midway through the journey there, but that's like this is part of our overall strategy to actually drive more scale and efficiency through the go-to-market engine. I don't measure it by like how many deals go through.
I measure it more about like, all right, how does sales productivity actually trend over time, which we expect to actually start improving next year as we're through the, again, you know, we cut off a bunch of stuff that we were doing at the end of last year. We did some both partner stuff and some product stuff. The product stuff, we've actually recatalyzed coming out of Q3. The partner stuff has been building back up. And so our expectation is we see sales productivity improve going into next year. That's kind of how we measure it, less so about like how much goes, because you're like, does it matter if 100% goes through or 70% goes through? The question is, what's the overall impact of the efficiency of the go-to-market engine?
Yeah. And that's probably a great caveat between talking about product, talking about the go-to-market strategies, talking about partners. I mean, thinking about the building blocks into 2025, you provided an early look at ARR growth expectations of slight acceleration from the Q4 exit rate. We're sorry, flat to slight acceleration. Can you just walk us through the general guidance philosophy about what could drive acceleration throughout the year?
Yeah. And so we said flat to slight. One, we didn't want it, it was early and we did not want to get out over our skis on it. The second thing is that the initial data around, like if you look at the biggest driver, you have a D&R business that is robust and healthy and a risk business that we paused selling and we re-initialized selling of it in Q3 timeframe, which had great early leading indicators. And so if you think about like the leading indicators that we actually had, we said, all right, they're great leading indicators, but like they're just leading indicators right now. And so we're not going to actually estimate either the deal cycles or the ASPs or any of that other stuff till we get through that sort of initial deal cycle, which is roughly the Q2 timeframe.
And so we actually sort of like took a more thoughtful approach around saying that like we're not factoring in material re-acceleration of that risk business going into next year. Now, it's certainly something that we're managing too and that we're actually tracking and that we're actually focused on and the early indicators are good, but it made no sense to actually put that in our baseline expectations for actually guidance as we actually go forward. That's something we'll update people on as we actually go into Q2, but baking that in right now seemed premature.
Yeah. And with that context on ARR, can you just help us think about maybe historically how revenue lags ARR and maybe how we should think about revenue growth in 2025 relative to those ARR expectations?
Yeah. So I mean, I think you framed it well, which is that revenue lags the ARR growth rate. And so typically as you look at revenue, you'll trend that, you know, as ARR, you know, kind of as decelerated revenues lag that. And, you know, as we kind of stabilize and eventually look to drive re-acceleration, you can expect the revenue to track that path as well on the way up.
That's helpful. Yeah, we're right at five minutes. Are there any questions from the audience?
Thank you, guys. Just a quick one. You know, if you look at VM, it seems like all the companies, especially with GenAI and all coming, they're all like merging, and it has been the case for cybersecurity for the longest time, you know, one aspect. There's like swim lanes keep merging. Are you seeing any of the bigger ones or seeing a risk of bigger ones coming in and offering VM as a, you know, like a SaaS being offered by Palo Alto or something? And I mean, what makes it more difficult than someone, you know, for other people to do it? So that would be helpful. Thank you.
Yeah. And so one, I think that the question is one about like how do you think about like whether VM becomes sort of like a baseline offering and commoditization, which is one where we actually wanted ourselves to treat it as a feature because we're worried about that. I would just say we're not seeing things beyond what you see traditionally. And so traditionally, what you've seen is that like it's very easy to do VM at the OS level. And it gets more and more expensive to actually do the long tail. And so the way to think about it is that around three to four years ago, we stopped trying to actively monetize vulnerability management on endpoints because we said, listen, that's not hard, that's not difficult.
And if you get caught into that sort of like getting, you know, like $10 per laptop for vulnerability management, you're going to be a loser in the space. So we started shifting our growth. Yes, there's a little pressure on growth, but you actually want to be growth that's going to be sustainable and durable over time. And so I think that you will see the endpoint OS vulnerability management dollars be $0. We don't charge for it today, just to be clear. Like if you have an enterprise, if you cover your core data centers and other stuff like that, we're not charging you for your devices and stuff like that. If you're covering your cloud, your data centers and stuff like that. And so I think because that's the easy sort of like part of it.
The more complicated part of it, and this is where the compliance regimes and other things actually sort of like do create barriers for others, is that you got to be able to do that across like your entire ecosystem. And most people have really complex environments. And so most organizations are not pure cloud companies. They still have like Oracle, SQL Server, DB2, WebSphere. They still have the gauntlet of Linux stuff and all the different variants. And so like, yes, it's easy to do like the last two variants of Linux, but like going into like all the stuff and looking at sort of like the workloads that are running on it and the configurations that are obsessive. And then you look at the configuration policy assessments that NIST requires, the Australian sort of like cyber standards require.
That policy configuration layer outside of like what are the raw vulnerabilities that are running in your Windows OS machine, that's incredibly like complicated. Now, again, I think you have to actually say like, all right, where's the value line? And so we charge for that and we believe that that's going to be sticky and differential, but it requires a degree of shift of how you think about where you make money in this space, and I'll just say that like our view is that making money on commodity OSes for vulnerability management is going to be challenged, and we've been aggressively trying to shrink that risk profile. It was a headwind to growth over the last couple of years and it still is, but we think it puts us in better position for the future.
Anyone else?
Can you just provide a quick comment on any impact on your company or industry as a result of the new administration, whether that's M&A or regulatory? There's all talk about the DOGE new government department.
Yeah. Wow, you talked about politically loaded questions. So, look, anyone who actually is in the business of estimating what's going to happen in the new administration is probably a fool. And so I don't want to put myself in that category. Here's the things that I think that you can think about are sort of like the opportunities and the risk around it. You know, oddly enough, I've long advocated this publicly that we actually needed to reconcile the multiple cyber standards. And I've advocated that strongly in D.C. and saying that like there is far too many fragmentation and fragmented standards across too many agencies and other things that create friction for U.S. companies. And that's a bad thing. There's an opportunity there that like that could be a priority.
I think that that's net good because it both simplifies, and you can think, yes, we get paid for complexity, but having to sit around and ask about like these are the regulatory standards and here's the ones that actually could have options, I think that's a net good thing. Like I think that there's a potential opportunity there. You know, on the flip side, I would just say that like the U.S. government contributes to sort of like a more cybersecurity regulatory regime, but what they do is not going to fundamentally change the dynamic. What I mean is you're still going to have a bunch of states that actually are regulating cyber. You're going to have a bunch of international standards on cyber. That's not going to change there.
So on the regulatory environment, I think there are some things that could be good, but like it's not going to change the overall thing that that's a big problem and I think that that is going to be an increasing, we look at that as increasing benefit and tailwind to the business going forward about how we help customers address that, so that's one. The second thing that I would say is that there's all types of questions that you can ask about like, is there going to be any improvement or change in the way that the U.S. government deals with commercial companies? I, of course, have an incentive around that because we don't do lots of business with the federal government today because it's onerous and it's difficult and it's challenging. There's definitely some people that actually think that that should be easier.
I'm one of the people that thinks it should be easier, but the devil's in the details, and so like we believe that you have to have high standards. We're going through all the federal standards right now on FedRAMP compliance, which I think is a good standard, and I think it's important to actually have those. But anything that makes it easier for the U.S. federal government to get great off-the-shelf software that's customized to mission, I think is a good thing, and so I think it's how you approach those things that really matter, but these are all public statements that I've actually made in the past.
All right. And with that, we're at time. Thank you guys so much.
Thank you very much.