Rapid7, Inc. (RPD)

Morgan Stanley Technology, Media & Telecom Conference

Mar 5, 2025

Hamza Fodderwala
Executive Director, Morgan Stanley

Close the door, or?

Speaker 5

Close the door.

Hamza Fodderwala
Executive Director, Morgan Stanley

Okay. Thank you so much. All right. Good morning, everybody. Welcome to day three of the Morgan Stanley TMT Conference. My name is Hamza from Morgan Stanley. I'm delighted to have Corey Thomas, CEO of Rapid7. Before I begin, just a brief programming note for important disclosures. Please see the Morgan Stanley Research Disclosures website at www.morganstanley.com/researchdisclosures. With that, Corey, first of all, thank you so much for being here. It's always an honor and a privilege to host you, and looking forward to the conversation.

Corey Thomas
CEO, Rapid7

Hamza, thank you so much for having me.

Hamza Fodderwala
Executive Director, Morgan Stanley

Great. Look, Corey, maybe just on a high level, Rapid7 has been through some transitions. It started off as a traditional vulnerability management company five, 10 years ago now, but it's a much different company today. I'd love for you to, just high level, just walk us through what that platform transition has been.

Corey Thomas
CEO, Rapid7

Yeah. As you said, Hamza, we started off as a traditional, you can think about the traditional vulnerability management as our own pre-owned vulnerability management. One of our core markets was the mid-market. We were a leader in traditional vulnerability management in the mid-market.

The interesting thing about that experience is that when you initially start serving sort of mid-sized enterprises, you also get a pretty good view into what a resource-constrained organization needs, what are they going to do, how do they actually think about security. We had an early view onto some of the constraints that were placed on enterprises that we believed were going to be replicated by both not just mid, but larger organizations all over the world.

As security became a bigger pressure point, there was going to be a harder time that people were going to have managing their security operations. The things that we actually learned from that and part of the path that we actually went down were how do you actually help security operations professionals understand their environment, identify risk, manage compliance, and monitor their environment at quality and scale.

What we heard from our customers at that time is that they were struggling to actually get quality, efficacy, and scale at a reasonable price point in their operations. Myself, along with our team, we made some pretty aggressive investments to say, "Okay, how do we actually solve this?" It was an early form of consolidation, even though we all talk about today.

In that time period, we started building out our detection and response pillars because if you look at the two core pillars of security operations, it's how do I assess risk in my environment, how do I understand my environment, how do I assess risk in my environment, and how do I monitor my environment. We actually built out our detection and response practice to actually monitor the environment. Our vulnerability management was the core risk part of the environment.

As cloud security came along, we started investing in understanding the risk of the cloud and also monitoring the cloud environment. If you zoom out to where we are today, if you look at our recent investments last year, we made a massive investment in understanding integrated risk across the environment. That's not just the risk that Rapid7 identifies.

It's actually consolidating risk across every security and technology provider in the environment to understand what's the attack surface, what are your compliance gaps, what are your controls gaps, and what are your misconfiguration gaps in the environment. We are leveraging that across the entire environment, endpoint, cloud, on-prem. How do we actually help customers monitor the environment? If you look today, we have an end-to-end platform that assesses the entire attack surface, understands risk and compliance across the attack surface, and monitors the attack surface. We augment that with our managed detection and response offering that actually leverages both AI and automation to drive scale.

If you looked at one of the big assumptions that we made in 2021 that we have even more conviction on today after seeing what we're seeing, we said, "In the next 10 years, there'll be less than 10% of the organization in the world that can run a true 24x7 SOC." We said, "Listen, how do we actually do that at scale and at quality and at a price point that customers can afford?" We started off by adopting massive amounts of automation. We also built our own productized MDR service. We productized it end-to-end ourselves. We focused on integrating with the leading technologies in the world. As AI came along, we focused on adopting AI. If you look at our stack, we're augmenting customers' ability to actually manage security operations.

We're doing that in an environment that's changing our business model. The on-prem mid-market sort of is not a growth engine. If you look and you actually zoom out, customers actually are looking for not to completely outsource, but they're looking for a partner that can actually help them scale the management of their security operations. We think we built both the platform and the technology and the centers of excellence to actually help customers scale that.

Hamza Fodderwala
Executive Director, Morgan Stanley

Got it. That's really helpful. Right now, Rapid7, like you mentioned, is really addressing the core pillars of security, whether it's risk exposure management, now detection and response. The detection and response really has been, it feels like, the crown jewel asset, if you will. It's over half the business or roughly half the business. I think last quarter you said it was $400 million plus in ARR. 75% of that was the managed detection and response. I wanted to hone in a little bit on that. I think the MDR space has seen a lot of growth in recent years. I'm curious, when you think about scaling that, because there is a services component, what are some of the opportunities and challenges you see there? How does AI sort of fit into that dynamic?

Corey Thomas
CEO, Rapid7

Yeah. One is that our requirements are the economics have to scale good for the customer, but they also have to scale well for us. You can't have any door. There are a couple of things that we're obsessed about. We're obsessed about doing it efficiently, but also effectively for customers. There are a couple of precursors. One, more than I'm trying to think about any other provider that actually offers MDR service, we have a more integrated end-to-end stack. Other people have to actually sort of subsume and spend money, or the customer has to spend money on Azure Sentinel or Splunk or other stuff in their environment. Arctic Wolf does have their own stack around it. We really focused on building an integrated world-class stack that is also validated by customers' own usage.

Arctic Wolf has a great stack, but we sell our tech stack to customers. The majority of the use. When you think about what it takes to actually sort of scale it and get the efficacy is, one, you actually do have to have an incredibly strong tech stack that you actually own the core pieces end-to-end, the data stores, the data analysis engine, the core SIEM technology. You have to have the core pieces of the engine sort of in-house if you're actually going to scale efficiently and economically. The second piece of that equation that enables you to scale is you've got to be massive users of automation and AI. It just doesn't work if you actually can't sort of leverage automation and AI effectively across the environment.

You actually have to take your product expertise and the mentality that we have. If you look at our MDR SOC leaders right now, it is a mentality that says everything that they actually do, our technology needs to actually be doing. If you take what our junior analyst does, anything that they do, our technology needs to actually be doing within a year. They have a tight feedback loop and a tight cycle. We are scaling with technology. We are delivering the gross margins that are, I would just say that we have also not, we have grown well, but we have left money on the table because our take has been we are actually going to grow as long as we can actually grow efficiently. We have unlocked massive volumes of the potential for growth right now.

Part of why we're accelerating our investments in AI is that the ability of our teams to actually have our technology do more of the work and our team focuses on the longer horizon is sort of improving year after year as we actually move along. That core to scale is you've got to own your technology set. You've got to leverage automation and AI. You have to have a massive engine to actually process third-party telemetry across the environment. We're processing Palo Alto, CrowdStrike, SentinelOne. You've got to be able to process other people's data and telemetry, reconcile that with your own data that you're collecting natively across the environment with the cloud data, and do that efficiently. The efficiency and efficacy of that engine has been a massive investment for us.

Hamza Fodderwala
Executive Director, Morgan Stanley

That's really helpful. In some ways, if I may, it's almost as a bit like Service as a Software. We've seen other companies do a similar approach, great companies who've done very well in the last couple of years. It's predicated on the customer being on the Rapid7 platform, having that data, having the info.

Corey Thomas
CEO, Rapid7

We require customers to be on Rapid7. That does not mean we do not work. We have a great relationship with Microsoft where we connect and work with sort of their stack. Yes, the core processing is on the Rapid7 platform because that is what gives us and the customer economic scale.

Hamza Fodderwala
Executive Director, Morgan Stanley

Yeah. 100%.

Corey Thomas
CEO, Rapid7

I would just say, look, most of the players in this space are services companies that have different degrees of great integration stories. There is an advantage to being a product company that is building an MDR product. That is that sort of like that services as software sort of mentality, which is almost sort of like a reorientation.

Hamza Fodderwala
Executive Director, Morgan Stanley

Yeah. An important point being that it's very much product-led.

Corey Thomas
CEO, Rapid7

Product-led. Absolutely.

Hamza Fodderwala
Executive Director, Morgan Stanley

Maybe going back to AI, one of the questions I've got just on the MDR space in general is, to what extent is AI going to allow you to scale more efficiently versus AI being used to perhaps automate, maybe commoditize some of the services that are being offered? What are your thoughts on that? How does Rapid7 kind of defend itself from that?

Corey Thomas
CEO, Rapid7

It should do both, just to be clear. Look, the way to think about AI, there's a bunch of stuff. I think services companies are going to do this. We're a net beneficiary, so we know firsthand of it. There's a bunch of stuff that AI not just is doing that humans don't want to do. It's also doing things that humans do poorly, meaning that they do it very inconsistently. That stuff's easy. That stuff comes off the table. In fairness, anyone can actually go do that. You can say that that's a pressure point. We see it as a core advantage point because we want our SOC analysts and our teams doing the most valuable work. In fact, they're happy to go do the most valuable work. Humans are not good at being consistent every moment of every day.

We want them doing the most valuable work. The second thing that I think that while it drives a core advantage for us is that security is a dynamic environment. If you look at where AI is exceptional, AI is exceptional at actually taking massive quantities and volumes of data and doing two things: making sure that you can actually process sort of common patterns or common pains repeatedly or identifying edge cases and edge ranges. A lot of security, though, is the frontier of security research because there's new things that happen. Something that was vulnerable yesterday and something that was unvulnerable yesterday is actually vulnerable today. That's a new thing. There's no history there. Security has lots of things with actually no history. You did not have the state of the environment today that you actually had yesterday.

We think we're at net advantage of AI for sort of three distinct reasons that are actually, I think, incredibly important. The first one is just like you're going to have advantage for organizations that actually have better quality of data and larger sets of data. We have both the customer's data that we actually manage, but because we have 10,000 customers that just use our raw technology across the environment, we have access to sort of all of that data to actually train our models on. In comparison to almost any other MDR player in the market, not any, but people that do sort of the software as a service thing, we're top three in terms of the data advantage that we actually have.

The second piece that we actually sort of have is our belief is the best AI in the world for security is not unidimensional. What most people do, if you look at most of those startups, they're taking a unidimensional view of AI, and they're training it on the activity data in the environment. They're training it on the logs, or they're training it on the activity data you actually get out of APIs. That's a unit thing. It's activity data. Here's what's happening in the environment, and they're training it on what's happening in the environment. We, I think, uniquely to security, have a multidimensional model. We're training it on, yes, the activity data. Unique amongst almost all the players in the detection and response space, we actually know the state of the environment.

This is why we've made a massive investment in the attack surface management and the asset management space because it's not enough to know the vulnerabilities. We actually know what's every piece of technology you have in the environment, how is it configured, what are the controls you actually have in the environment, where are the controls gaps. When other people say, "This has happened in the environment," we can say, "This is happening in the environment, and here's the state of the controls and the configurations and whether you're susceptible or not susceptible to the environment." It's materially different if there's a measles outbreak somewhere is that we know who's been vaccinated. Our competitors just know that there's measles in this space. We actually know who's been vaccinated, who's not been vaccinated.

This is why we had a big investment in understanding the state of the environment because the activity relates to the state of the environment. An attack that's successful in one organization has nothing to do with what's successful in another organization. That is the second sort of vector. The third vector that's actually material is we actually have the process data because we actually have security analysts and operators that are doing this as part of our Rapid7. They actually have security operators that are actually giving the feedback about, "Here's what we see. Here's the research. Here's what should be programmed in." It is the process data from the operators, the state data about what's the state of this environment and how that relates to that activity, which is a unique platform to actually leverage AI going forward.

That's part of the investments we made last year, but that's also why we actually doubled down on some of the investments this year to accelerate that.

Hamza Fodderwala
Executive Director, Morgan Stanley

Makes a ton of sense. I think one of the things that you can also do with that data, I imagine, is because you know who's been vaccinated, to use your analogy, you're reducing the number of alerts that that customer may have or with some of your services.

Corey Thomas
CEO, Rapid7

Yeah. We know this is susceptible. This is not susceptible. Because all of that stuff, if you know it, you actually sort of can actually decide what matters. That actually gets rid of a lot of the inefficiency. That makes the solutions a lot more effective. That creates economic advantage for us and our customers because that allows us to manage their environment much more effectively.

Hamza Fodderwala
Executive Director, Morgan Stanley

Are there any examples maybe you could share where high level or numbers, but where you came into a customer, they adopted the platform, and they did see that significant alert or cost reduction?

Corey Thomas
CEO, Rapid7

Oh, yeah. Look, if you look right now, is that we are able most people that are actually doing their own SOC today or a I would just say it's actually a very common thing that we actually come in. Our value proposition when we go into a customer is that we will actually give them three advantages out of the gates. We'll monitor more of the environment. They will actually see less and the ways and the things that they'll see will be more relevant. They'll actually have 24x7 coverage sort of out of the box. They'll have reconciliation across all of their data and all of their alert streams. We had a customer that I just saw this alert this morning. Because I'm an executive sponsor on a customer. We had a customer that deployed two weeks ago.

The customer advisor sent the feedback from the customer. They decided unbeknownst to us to actually do a red teaming test in their environment just to sort of check into us. The customer said, "They said you caught it within two minutes. This is the fastest time I've seen it." That was the only alert to actually sort of progress in the environment. They are like, "We've been doing these tests for the last two years." If they were caught, it actually was caught within days, not minutes. We were still getting lots of noise in the process. That is just one example of sort of our value proposition that we offer.

Hamza Fodderwala
Executive Director, Morgan Stanley

Yeah. I should mention this is not something that you started doing just one or two years. This is an evolution of a platform.

Corey Thomas
CEO, Rapid7

We started investing in this in 2015. It was slow going, but we started building out the thesis because, again, we saw in the early mid-market install bases, they had zero chances of being able to run a 24x7 SOC. What we learned over time is we have some of the largest Fortune 500 manufacturers as actually customers. That's one of the bigger strengths, as we've been expanding that to actually deliver more customized services for larger customers. If you talk to a large manufacturer, they cannot afford the staff. Their environments are massive. Their security teams, even at 10-20 people, are just not big enough to actually manage the scope of the environment. This, how do you actually scale your security operations, is a really big deal for lots of organizations.

Hamza Fodderwala
Executive Director, Morgan Stanley

Yeah. Maybe without disclosing any numbers, but when a customer does get on the Detection and Response platform or the full platform, do you tend to see higher levels of stickiness or expansion rates as a result of that?

Corey Thomas
CEO, Rapid7

What we've heard from people that have done the marketing comparisons is that our retention rates for that service are amongst the highest in the industry overall when compared to sort of peers and benchmarks. They're definitely higher than what our traditional vulnerability management was. Keep in mind, the headwind that we have in vulnerability, not a headwind. The thing that we have in vulnerability management is that it's a sticky business, but be it market, vulnerability management is not a growing business. That is a big part of our install base. We had to have growth in other areas, which may be different if you have federal or large enterprise in orientation there. Not only is it actually stickier, it also has better sort of customer growth dynamics in our dynamics.

Hamza Fodderwala
Executive Director, Morgan Stanley

One more question from my end, and I'd love to open up to the audience for Q&A. You're certainly not starved of opportunity. There's a big market out there in detection and response and all the areas that you're covering. There had been some organizational changes in the last year from a go-to-market standpoint. It did seem like last quarter on the Q4 earnings call, you sounded a lot more upbeat that those changes were largely behind you. Maybe what are you excited about heading into 2025, and what were some of those changes that were made?

Corey Thomas
CEO, Rapid7

Yeah. The excitement is that this is the first time in a while that we actually have had the full product portfolio being updated. We have the opportunity to actually upgrade our install base. We'll see what's the pace and the velocity of sort of the upgrade in that install base. That is extraordinarily exciting for us and our sales cycles, even in the environment that we're actually in today. The changes that we actually made from an overall sales perspective were we've actually been focused much more on our partnership and distribution ecosystem, which is a major focus. We've also been focusing on aligning and rationalizing our teams to actually be more customer-pod focused, where instead of having three or four different organizations where keep in mind that one of the things with the MDR services, you have customer advisors.

You could have a customer advisor, a customer success manager, an AE, a Salesforce, a TAM. They are disconnected. We have actually focused on actually having teams that support customers. It is not a massive change to the model, but we actually want a team base where our customers have a specific team with a specific point person that is in charge. That gives the customer both better accountability. Frankly, it allows us to scale that engine much better overall. Those were some of the bigger changes that we actually made in the last year.

Hamza Fodderwala
Executive Director, Morgan Stanley

Any questions from the audience? We got one here.

Speaker 4

It sounds like you have different components of the business with different growth profiles. Can you elaborate on what the mix is and what the relative growth rates are of those various businesses? Is there some inflection point that you hit when the MDR business gets to a certain scale or a certain percentage of the business?

Corey Thomas
CEO, Rapid7

Yeah. I mean, part of why we talked about it because I do think we're approaching that inflection point. Our D&R business overall, which MDR is a part of it. The reason I say it's a part of it is because strategically, the unit volume is actually only technology side, which actually gives us lots of data telemetry. That's roughly, it's a little bit under half the business, not quite half the business, but it's a little bit under half the business. We talked about it being a $400 million business that's growing in the teens. We actually think that there is both durability of growth there with the investments that we're making, but also ranges to actually have improvements in there because we're not addressing all of the market today. We have lots of enterprise customers that want us. They're like, "We love your service.

We've heard great things about it," or, "We've worked with you and other companies, but you need to actually manage these custom workloads." Big hustles like, "Hey, can you manage Epic? Epic is a pain. If you've seen one Epic installation, you've seen one Epic installation." How do we deliver that more customized service there? We think we have growth aperture there overall. The other side of the equation is it's not just vulnerability management, but it's the largest piece of the business. You can actually think about that business as sort of being closer to a flattish business. This is the first time that we've actually had an upgrade cycle with our Exposure Command offering in many, many years. We actually think we actually have upside. Now, we don't know the pace and velocity of the upgrades.

I always think about when you have upgrade cycles, do you get to sort of 30% of the business in three years or 70% of the business in three years? Part of why we're making our investments is the customers love the integrated view. They want us to accelerate compliance, and they want us to continue to accelerate cloud. We actually see lots of opportunity to drive upgrades in that cycle there.

Those are the two sort of if you say, "Listen, even if you do not have net improvements in that risk VM side of the business, we think that the growth rates in the D&R give us some comfort about sort of the sustainability, durability." We think we are almost through the cycle where you have the D&R cycles are their bigger ASPs, longer deal cycles, which just calls its own separate ship in the business. We do see the ability to actually have upside on that risk and exposure management business as we upgrade the install base.

Speaker 4

Hi. Thank you. I have a question about the competitive landscape. As you go up market versus mid-market, do you start to see some of the platforms start to offer the same type of services, integrate your type of services into their platforms?

Corey Thomas
CEO, Rapid7

It depends on what. I would just say the exposure management cloud security market is going to be a congested sort of competitive market. We are really measuring ourselves about what percentage of the install base that we actually upgrade over time. Keep in mind, we make a lot of money getting to a third or half of our install base at a 10%-20% uplift. It is not like the economics of that and turning that into a positive momentum story are a mystery. That is why we are very focused about how do we deliver better quality of service to the customers overall there. Seeding that out to more customers is great, but that is almost upside to just the upgrade cycle that we are actually in now. That is a competitive market. Make no mistake, we have some strong competitors there.

We know we'll be able to upgrade a good portion of our install base, and we see early momentum, early size there. The economics of growth, there's lots of opportunities to actually monetize that. Under detection and response, we actually love the business there. I mean, that is a massively fragmented business. Yes, you see a wide range of stuff. You see a bunch of private companies that are services companies with great technology integration. You have CrowdStrike, which has a great product where they actually manage their stack. Our value proposition of actually managing an entire SOC, processing all of their data, and doing that at better cost economics and better scale than anyone else is I believe we're going to be top three there. We are now. I think we're going to be top three there for a long time.

I think the investments that we're making will continue to extend the differentiation there. That's a massively fragmented market with 600 plus providers with different approaches. I think our approach is strong, and it resonates, and it's actually different. Yes, there will be some people that will do outsourced Accenture, and that will be the right thing for them. There'll be some people that will actually have a different orientation, focus on price. I think there's plenty of growth opportunity in that market because the key thing is that, again, customers will have to have 24x7 monitoring. It is a small fraction of customers that can run their own 24x7 SOC around the world. The market trends are actually moving in that direction.

Speaker 4

You mentioned about new ways of monetizing some of the things you're doing and sort of ingesting a lot of third-party data and going after threats. Can you elaborate on any of those, or are those still on the come?

Corey Thomas
CEO, Rapid7

I would just say the one thing that we've actually learned after sort of not being thoughtful enough about what we actually did in the years past is we'll talk about the results that we expect after we sort of demonstrate the progress. I'll tell you the things that we're actually focused on. We're working with some of our larger manufacturing customers about how do we actually sort of monitor. We have good core monitoring of the environment. They want lots more customized monitoring. That's been the purview of what I would just say is relatively higher priced, more expensive services-oriented companies. We're actually commoditizing that sort of services-oriented business by actually applying software and AI to actually monitor a lot more of the environment at scale. We're doing that right now. We launched the initial version of that last year. That's an example of it.

Last year, on top of our platform, we offered launch our first version of our red teaming as a service where we're leveraging, again, world-class penetration testers and red teamers. That's a business that is typically all historically has either been crowdsourced or has actually required deep expertise. We're having our teams provide the intelligence and the engines and the oversight of it, but they're managing AI models that go across that actually do sort of consistent red teaming. We're starting with the external attack surface. That I actually think is going to see good uptick as we actually move along. Those are just two examples of where we're actually sort of extending the service.

Speaker 4

Thank you.

Corey Thomas
CEO, Rapid7

Thank you.

Speaker 3

One more here. It looks like you've expanded margins quite rapidly the last couple of years, but the guidance implies a big step back in margins next year. What's going on there? Is this a one-time step back, and do you have a kind of longer view of the progression of margins?

Corey Thomas
CEO, Rapid7

Yeah. It is a one-time step back. Look, our base case has us both accelerating. We have not talked about the degree of acceleration and expanding margins. I want to be clear about that. The driver of it is really sort of two things. One, and this is why we provide the incremental visibility. We are investing to extend in known ways our Detection and Response service to actually leverage AI, to actually leverage our technology and our automation to actually manage more customized environments, which allows us to expand our market footprint. We consider that a high return scenario, and that is why we showed the scale of the business. It is not like we are investing with something that is a promise on the come, so to speak.

This is sort of a known good growth investment that we're partnering with our customers to extend the service in ways that actually both make us stickier, but also leverage technology that allows us to actually expand the growth rates and the growth horizons there. That is the first area of investments. The second one is we are accelerating on the Exposure Command, both our integration, our compliance, and some of our cloud stuff because as we've worked with our install base, we've seen good uptake. Lots of customers are saying, "Hey, once you get to that, I'll upgrade," and we want to make it as easy as possible to actually drive the upgrade velocity.

Now, part of why it's one time is that we looked at our cost structure and compared to most of our peers, we just have too much of our cost structure in mid-cost and high cost. We have zero historically in low cost. We are setting up our India sort of development center and operations. Part of that is actually sort of setting up that. That gives us some flexibility. I would just say to be market aligned. This is not one where we're going to actually be all in one place versus the other. It's that we should be at market norms, and that provides flexibility in the cost structure. Our expectation as we actually go forward is that we're expanding both margins, and we should be accelerating growth, and that's the base case.

The degree and the velocity of that, we're still working through, and that's why we talked about an analyst day later this year.

Hamza Fodderwala
Executive Director, Morgan Stanley

Thank you so much for traveling here and coming to our conference. It's always an honor to host you, and best of luck with re-accelerating the business this year.

Corey Thomas
CEO, Rapid7

Thank you very much. I appreciate it. Thank you.

Hamza Fodderwala
Executive Director, Morgan Stanley

Thank you.

All right. Thank you.
