Okay. I think we're going to go ahead and get started. If you don't mind closing the—can you help me close the door, please? Thank you very much. It's getting noisy out there. Thanks, everybody, for joining today. My name is Adam Tindle, and this is part of my cybersecurity software coverage here at Raymond James. Very happy to have Corey Thomas, CEO of Rapid7. In terms of our format here, we're just going to do a fireside chat, no slides, no presentation. Of course, as always, we'll start at a very high level to try to introduce you to the story and then get into some more specific questions. I know there's a lot of moving parts to this story, so bear with us as we try to make it a little bit more simple. As you have questions, we'd love to keep it interactive.
Please raise your hand. Feel free to add to the discussion. Corey, thanks again for being here today.
Adam, thank you so much.
Yep. And for those not as familiar, if you could just walk us through the Rapid7 background of the company, the market opportunity, and the key value proposition.
Yeah. Rapid7 has been in the security operations space for a little while. You can think about security operations as how people manage their overall security of their environment. It includes areas of vulnerability management, compliance, detecting and responding to attacks across the environment. We started out as a mid-market-oriented focus vulnerability management company. We evolved over time to actually focusing on the end-to-end stack around security operations, which is collecting data about the environment, managing the risk profile and compliance profile across the environment, and detecting and responding to threats across the environment. Today, as we actually look going forward, the detection response is over half our business.
Yep. We're going to dig into that here in a couple of questions. If I kind of think about the evolution of the company in that respect, there's kind of like two different frameworks. One was a product company and into a platform vendor, and the second is the growing importance of managed security services, as you mentioned. What drove those changes, and how is Rapid7's competitive advantage evolving during those two eras?
Yeah. Look, I think one of the things is the term platform and consolidation tends to be overused in today's context. Let's be very precise, is that we saw a massive opportunity to simplify how people manage their security operations. It is a labor-intensive field. If you look out, almost no organization can manage a 24-by-7 SOC that's understanding what's their attack surface, what's their compliance and vulnerability gaps, and what's their detection response. This was especially acute as we looked at our mid-market install base. Now we've grown that up to actually have a broader install base that includes both mid-market and enterprise. When we looked, the fragmented, complicated approach didn't work for most organizations. Our first impetus was, how do we actually think about simplifying the operations for organizations that were resource and staff constrained?
We've been talking about that for a while now. The area that they need the most help with was how do they actually manage their detection and response in their overall environment? We made a pretty aggressive investment a couple of years ago to actually lead an era that we think about as augmented detection and response, which is how do you actually merge automation, core platform technology around monitoring and collecting data across the environment, and expertise to actually build that up. To get to your core question, we're very focused on consolidating security operations. Like that's the thing. It's not all the security. It's a focused consolidation around security operations. It has expanded over the last couple of years to include how do we actually collect data about the attack surface. If you don't know what your attack surface is, you can't manage it.
How do you manage compliance and risk against the attack surface? How do you monitor that attack surface for attacks? What we're seeing from customers at the end of the day is that they are struggling with how they actually scale the management of their environment. That's where we put our heaviest resource and our heaviest investments.
Perfect. I'm going to go through some numbers here just to give a little bit of a flavor for investors as they think about the model. Detection and response, I think, ended 2024 over $400 million of ARR growing double digits versus total ARR $800+ million growing kind of mid-single digits.
Yep.
The average ARR of those customers was about 40% higher than corporate average. Higher ARR per customer in that space. It has been a successful growth engine. The biggest piece of that is the managed detection and response. I think it is about three quarters of ARR and growing in the mid-teens. On the question, what is driving the really strong growth in that managed detection and response and detection and response in total? Why do you think it is happening now?
Yeah. Our fundamental premise that we give customers is that you have to monitor 100% of your environment, but you have to do that economically. The reason that has grown so much is because we actually have an integrated platform and because we have invested heavily in automation first and then AI, and we have actually translated that with SOCs around the world, we could actually help people scale the monitoring of their environments better than others. Now, part of the reason why it is the growth engine is that monitoring the environment is both required, and I would just say in today's high cost of talent, high cost of labor, it is uneconomical. If you take a zoom out and you say, how many organizations are going to be able to actually monitor their complete attack surface over the next five years, 24 by 7 themselves?
You're talking about a very small percentage of organizations that can actually fully monitor their environments actually going forward. Our premise is pretty straightforward. It's provide a strong integrated platform, leverage automation and AI, and leverage SOC expertise to deliver a high gross margin, high quality augmentation of security operation centers. It's been very popular with customers. We're expanding that effort to actually make it more extensible, more customizable. That value proposition of allowing customers to scale the monitoring of their environment has been extraordinarily attractive to customers. Therefore, you see the growth reflected in our results.
Yep. Kind of a two-part question in light of that. On the detection and response, obviously being a sizable portion growing mid-teens, how do you think about the sustainability of that level of growth in the future? The second part is the other stuff that's growing kind of mid-single digits. Is that kind of the expectation as well, kind of the growth algorithm between the two?
Yeah. By the way, we recognize that it is tricky when you have different parts of your business growing at different growth rates. That is why we have tried to actually provide more insights into it. I would just say on the detection and response, we see not just good stability, we actually see more opportunities to actually drive more growth over the midterm. We are addressing, I would just say, a part of the market today, but definitely not the complete part of the market. We have been working with lots of our large manufacturing customers for a more augmented detection and response service around the world. We just did our first big partnership with Comcast Business last year where they are leveraging our service and our technology to extend it to their install base. We see a number of those other things going forward.
We see lots of sustainability on that teenage growth rate going forward, and frankly, a wider range of growth outcomes there where we can actually grow at even faster rates. We feel very good about that. That is part of the investments that we actually made this year. Your second part of the question is the traditional risk and vulnerability-oriented business, which is actually growing flattish and has been more pressured. What I would just say is if you think about the entire VM market, it has actually shown some, I would say definitely within the mid-market install base, which is a much bigger part of it. Our detection and response has a wider range of customers. That core mid-market install base, we have a lot of volume, a lot of units, but they have not added as much.
The expansion opportunities in that install base have not been high over the last couple of years. We launched our Exposure Command offering last year, which really provides the integrated risk and compliance offering that extends to the cloud to that install base. So far, the pickup is early, but it's actually been quite good. We're excited because this is the first time that we've had the opportunity to upgrade that core install base to a larger offering as we actually go forward. That has been a flattish sort of like growth business over the last couple of years because those mid-market customers have not had lots of expansion opportunities for the on-prem world within their install base. They've also been laggards in adopting cloud security, which is the other piece of it.
Okay. Perfect. Helpful clarification. Thank you. I was getting the total at mid-single digit, that piece of flattish. It is pretty clear like in a traditional business, as we think about core VM, who the competitors are, Qualys, Tenable, you guys, kind of a three-horse race in that. That is how a lot of investors know Rapid7. If we go into the other area that is becoming kind of more important to the story and faster growing in that detection and response, what are the competitors that you typically run into? This Comcast partnership, for example, who else could they have used and how are you winning?
Yeah. I mean, I can't speak for Comcast. I didn't know that they did a very wide one-year, I would just say, competitive analysis and search before they landed with us as a partner. It would not be appropriate to talk about who they looked at. If you look at the broader market, you see a mix of technology player, MDR players, and services players. It is a broad market with a lot of different value propositions. You see the Accentures, the IBMs on the more service-oriented side. You see the private companies, the ReliaQuest, the Expels that have some technology, but also need to leverage other people's technologies in there that have good technology. Because they are actually bringing together other people's technology stacks, it is a more expensive value proposition to actually cover it all.
You see traditional, I would just say, mass market lower-end players like the Secureworks of the world, the Arctic Wolf. It's a massively fragmented. Last stats, I saw it was like 600+ players. We love fragmented markets because fragmented markets, we bring a simple value proposition is that we have our own tech stack. We integrate with others. We integrate and process data from across the technology environment. We're heavily leveraging automation and AI to actually bring that together. We like delivering the most integrated scalable experience at the lowest possible cost. It's a cost-quality curve for us. You see other people just managing their technology stack. Like CrowdStrike has a great business where they do managed CrowdStrike. It's not a managing augmentation of the entire environment, but it's actually managing what they actually do.
When you look at the value proposition that we offer, our goal is to how do we actually help you monitor 100% of your environment with the best cost economics and efficacy. I think we've actually shown quite well there. That's a big part of why we continue to grow well.
Okay. As you think about that business for 2025, meaning the detection and response piece, what are the key, I guess, investment areas? What are the key features that you're also looking to bring? After this, we're going to pause for audience questions. Please get ready.
Yeah. No. Part of why we actually think that we actually have continued not just growth stability, but growth upside there is we've been very focused on actually running that augmented detection and response where we augment people's workloads. I would just say very healthy gross margins. We made a bunch of investments last year and we're continuing to accelerate and make them this year that allow us to offer more customizable services. We partner with some of our large manufacturing companies that say, listen, I don't want to outsource completely to you, which the choice that you have to make is you outsource everything or you offload things.
What most customers want is an integrated experience where they can apply their skills, their experience, their expertise, but that they actually partner with a company that's providing both the technology, but can actually provide the expertise that they actually need to run the operations. A perfect example of that is that they may need us to actually do the tier two and tier three looks, or they may need us to do the tier one, or they may need us to do the nights and the weekends. What we're investing in right now is sort of like two things, is the ability to extend and customize the service for larger enterprises. We're doing that in conjunction with some of our larger manufacturing clients.
We are also investing in the collaboration technology that actually does the joint management inside of our platform where customers can actually cover nine to five and we cover nights and weekends. It is all AI assisted, which is allowing us to actually do it at higher scale, higher leverage.
Interesting. Questions for Corey?
Revenues in 2024, are the $400 million for detection and response into ARR?
ARR, yes.
What portion of those did you basically have you obtained from how about CrowdStrike?
Yeah, it's a good question. We have lots. CrowdStrike is actually different because they're doing managed CrowdStrike. It's not really we would never, nor would we recommend the customer just come to us just to manage their CrowdStrike. The question is if you want us to manage your entire attack surface environment, that would be the thing. On the Palo Alto, I would just say we've competed against the primary focus there is that they bought the IBM assets, which has been a traditional competitor, which has been losing share for a few years. I mean, Palo Alto is strong overall. The SIM offering is the one that they recently acquired from IBM. We've been competing against that for a while.
QRadar.
Yeah, the QRadar assets. Yeah.
Microsoft, how big a player are they?
Microsoft on the core technology side is a massive player. This is why we focus on the augmentation side. I would also say Microsoft is also a pretty significant partner for us too overall. We think about Microsoft as it has to be navigated, but we look at it as more an opportunity than a threat because they're not really focused on the management and the security augmentation. That's something they look at partners to do. I would just say they're becoming an increasingly large partner.
Other questions? All right. Kind of a helpful overview. I went through a couple of the numbers on the ARR side. If you could maybe just put your best Tim hat on and walk us through the economic model and key financial metrics. What are the key indicators that you guys look at?
Yeah. Look, the key indicators that we think about are a couple of things. One, we actually get growth matters. The noise here is we have a business that's going really well. We have a business that's been flattish. This is also the first time in the last four years that we've actually had a major upgrade cycle for the flattish business. We're pretty optimistic about that. We actually track sort of like the relative growth rates across, and that's why we provide more visibility. The second thing that we actually look at is the ARR per customer, which continues to expand. It's in the sort of like the lower 70s range. Frankly, we actually think that that has the capacity, and that should actually be double what it is.
The question is what's the velocity that we can actually get there? There's a natural tailwind on that with the mix shift towards the detection and response. Those deals are just larger. We actually also have the opportunities though to expand and upgrade the VM install base with exposure management. We see natural sort of like tailwinds in the ARR per customer, which is a big driver overall. The other thing that we're actually focused on is sort of like what's the cost of growth? We have a big focus on sort of like how do we actually grow economically. You'll notice that we kept our sales force relatively flat. There were some target investments this year. We actually see more leverage in the sales and marketing engine as we go forward.
We see some early dividends from some of the partnerships that we're doing overall. Outside of some of the target investments we've actually made, we've also scaled up this year. We're scaling up our India operations center, which allows us to have a better mix of cost structure for R&D and IT next year. It is sort of like expanding at a higher rate this year. We actually see a clear ability to actually not just accelerate growth based on the DNR and the VM to Exposure Command upgrade cycle. We see a very clear path to actually sort of like get the free cash flow growth back on the trajectory that we've been managing and planning to. That's the high level of the things that we're actually looking at. It's sort of like what's the growth rates? What's the opportunity for a customer?
Do we have a big opportunity for a customer? Yes. By the way, we see that with the 15% of our install base that is actually upgraded. The economics are actually much higher already. You are looking at well over $100,000 per customer. We actually say like, all right, what is the cost leverage of that growth and that expansion? While we are making some investments this year, we actually see that mix coming much more back into line next year.
We're going to talk about margins and free cash flow in a second because that's been obviously a bright spot. Maybe we can recap for investors that are newer to the story and looking at the stock chart. The stock's been under some pressure here in recent times. Obviously, that's why this meeting is very timely because we want to think about the forward. If we were to recap maybe the past year or so, there's been some go-to-market changes, some things happening. Could you maybe just go through a little bit of the history of that and bring us up to today?
Yeah. If you look, let's just talk about the biggest driver. The DNR has been consistent and I would just say strong and upside. The biggest one is that we saw a deceleration where we went to flattish on the risk and the vulnerability management side of the equation. That's primarily driven by sort of like two factors. One, the price in the cloud market has been less than what we in the industry thought altogether. I think that's true across all of it. Two, we've seen less growth in the mid-market on the traditional VM side, which is a big part of our install base. Therefore, we've had less expansion opportunity.
If you look at what we did last year, we actually took the time to say, okay, how do we actually make sure that we orient our product portfolio to really be able to monetize and drive the install base that we had? We had done lots of work exiting 2023 and lots of interviews and lots of time with customers. We reoriented towards this integrated exposure management view with the whole goal of providing an offering that we could actually take to our install base and upgrade the install base. One of the clear feedbacks that we actually got last year, we had a product offer called CRC that was a more cloud integrated product. It was also 2x the cost of the vulnerability management problem.
Trying to upgrade our mid-market install base with an offering that was 2x the cost, we grew, but we grew basically based on sort of like 5% of the customer base. It was going to be a long road to actually upgrade that install base. If you look at what we actually reoriented with Exposure Command, it's really centered. It happens to do cloud, but it's integrated risk and integrated compliance. And compliance is a big driver in integrated remediation. That's a big driver for that sort of like mid to larger enterprise install base for that resource-constrained buyer. It's targeting not a 2x uplift, but it's targeting like a 30% uplift. Since we introduced that, we've actually seen both a good uptake, not just in pipeline, but in early conversion rates around that.
Now, on a nine-month average deal cycle, the full evidence of that will not show up until like the middle to latter part of this year. I would just say the initial uptake about sort of like, did you see the first couple of million dollars as it progresses? The answer is yes. The attractiveness of the install base is much stronger. That is a big deal for us because you cannot actually have healthy growth in this environment unless you have an expansion engine of your install base in this environment. DNR is like a 2x to 3x uplift. Cloud was a 2x uplift. That is a full sales cycle to go to your install base with that type of uplift.
I think our reorientation around exposure management, 30% uplift, has an offering that our sales force feels that we can actually now get the momentum of the expansion in the install base, as well as the continued momentum that we actually see with detection and response.
Got it. One of the other things, if we're kind of recapping the challenge in the stock, has been performance on ARR relative to initial guidance entering the year has been shaky over the past couple of years. You just gave guidance for 2025 on ARR, Tim, I guess communicated that. How did you approach ARR guidance similarly or differently this year than in the past couple of years?
Yeah. There's a couple of things. There's one, we actually said that we won't actually, there's a couple of things. There's one, we widen the guidance range because we want to be appropriately thoughtful about different range of scenarios. There's a wider range. The second thing is that we did not base the guidance on things that we were investing on or improving in years. I'll give you an example with the Exposure Command. Great early momentum, but we're not going to actually count that until the results are actually in. We actually made our guidance based off existing businesses, existing return, existing known pipeline and conversion rates. We anchored our ranges there. We said, listen, we have wide upside ranges to that.
We actually have, if things are slower, because the worst thing you have is something slower than expected, then we actually have room on the mid to low end of the range there. We both widened it. We took a more, I would just say, view that we're not including any positive benefits until after the benefits have actually already occurred as we actually look out to our guidance outlook. We're a little bit more prescriptive in also what's the linearity of that guidance. I think in an appropriately thoughtful there.
I'm going to ask one more and then we'll pause again for questions. If we go back to that time period, I know we're talking about some of the challenges. One of the bright spots, as I mentioned, was free cash flow. Has been a big improvement alongside margins. I think in 2024, almost doubled year- over- year on free cash flow, close to a 20% margin on free cash. I guess, why was it important to show that leverage in the business? If we kind of go forward, how do you think about the balance between growth and margins?
Yeah. Look, so one is that, look, like all businesses, we have some inefficiencies. We also had, I think, which was not recognized and affected timing a little bit this year as you actually come in. So one, we had to get rid of inefficiencies. Two, we had to do some rotations. Like we were underinvested in detection and response. When we did our restructuring, I think people forget this, we actually said like half of it was inefficiencies that will go to the bottom line. Half of it, we were actually reoriented towards the primary growth engines that were around DNR and exposure management. It did take us a little bit longer to actually ramp that because we wanted to do it in a more, I would say, better long-term cost structure way as we allocated cost between high cost and low cost.
Some of the things that were supposed to hit last year are not hitting this year. Last year was a little bit inflated on the overall profitability. If you look at the trend trajectory, we believe that we can actually run a very efficient business. The thing that we have to demonstrate and prove out, and I know that we have to show it, is that we do expect growth to actually show modest acceleration this year. We expect modest acceleration next year. Over that time period, we actually do expect, as you actually move into 2026, that you've actually washed out the 2024, 2025 period where we actually have some timing things that we expect free cash slowly to accelerate. Our expectation is we're focused on what's the net growth of free cash over time.
My expectation is you'll see a mix of both margin expansion and, frankly, growth acceleration. If you look at our overall mix, there's no reason our DNR mix cannot stay at teens grower with the levels of investments and the things that we're doing. That becomes a positive tailwind over time. We will upgrade part of our VM install base. Now, it's a question that we have to prove out. Do we upgrade 20% of it, 30%, 40%, 50%? How fast do we actually do that? That opportunity is there. That's a worthwhile investment to pursue. That's why we haven't talked about what's the degree of acceleration. We've made our assumptions based on very tangible, knowable things. We think we still have room to actually sort of like see scale in the business and the economics.
We're really focused on what's the rate of free cash flow growth over time.
That makes sense. Questions?
Yes, just looking at your presentation from the most recent quarter, you got a large addressable market. You talked about kind of 80% of organizations are not able to receive the majority of their attack surface. It just seems like there's this phenomenal opportunity out there to really bring products to customers that they really need. Then we're seeing kind of 4%-6% growth.
No, no. It's a very.
I understand kind of the.
Yeah. So.
The opportunity versus the reality and where the gap is.
Yeah, no. It is very apparent. Just to be very clear on it, there are two dynamics. One, I would say we are participating in the DNR and could it be, should it be high teens or 20%? Yes, but we have to actually sort of deliver the more enterprise customizable services, and that can play out over time. I think that is where we are showing up today. On the exposure management business, that is not factored into that 4%-5% growth because there are two things that we are triangulating on now. It is that we have an aggressive roadmap, we are pulling some of it in, we are accelerating it, but the question and the velocity there is sort of like, what are the sales cycles, what are the conversion rates and win rates, and then what is the pace that we actually upgrade the install base?
I think that it should actually be a much, much faster growth rate. After missing last year, the last thing I was going to do is come in and say like, you know what, for a product that we just launched, the sales cycle is six months. The win rates are 30%. That's a little bit too much after a year where we actually didn't see what we expected to happen. To be explicit, on the Exposure Command, I'm bullish, but the last thing I want is to actually tell you it's a six-month sales cycle and it's a nine-month sales cycle or a 12-month sales cycle. I lose credibility. You get frustrated. That's not healthy for anyone else there. The second thing is the pricing in the overall market. Like we're going to upgrade. Is the uplift 20%? Is it 30%, 40%?
We're anchoring on the 30%. Like if it's 20%, that's fine too. That can be a very healthy business. When I say we have to get through the initial cycle, that's what we're doing this year. That's why it's upside to the cycle is it will be an accretive thing. What I don't want to do is sort of like overestimate the timing or the cycle or the magnitude of that.
If you think about a longer-term growth rate, you make deals with it for that. What would that be?
Look, I mean, if you look at what I think a reasonable amount of time, I think we have plenty of opportunity to be DNR in a mid-teens growth rate or above. You do not have to get out of your skis there. We have to do the, in fact, it is not even that the business is not available. We have to make sure that the business is available in ways that we like in our margin profile, which is where lots of the investment is. It is not whether we can get the business. It is can we get the business in a way that we actually like. That is not complex. We know we can actually do that, but it has to be in the way that we like it too.
If you think about the part that actually supports that, which is the exposure management business, I fully expect us to be able to upgrade somewhere to at least sort of like 30%-50% of our install base over time at a 20%-ish uplift. That would say that that business goes from a flattish business to at least a modest growth business, which you should then see over time our growth rates going up. Now, whether it's sort of like high single digits, low teens, I can't, it's unreasonable this early to get that precise. I would just say there's lots of levers to actually pull.
By the way, and it could be that we actually say that like, okay, we can't really see that fully until we do the full compliance solution, which is the next thing up that we're accelerating this year. My point is the opportunity is not a mystery about how you upgrade your install base. Like we're not having to go out and compete with Wiz or Cloud people to actually do it. We're talking about like how do we actually upgrade our install base over the next three years, which is the primary driver of stabilizing and driving the growth and expansion of that VM base. That's not a mystery. That's why we're accelerating the roadmap. That's why we're doing some of the stuff that we actually need to do.
That's probably.
I think it was a very fair question.
It's probably a good place to leave it. We're out of time, but we're going to continue the discussion.