With that, I'll hand it over to Corey for a quick overview of the company, after which we'll have a fireside chat. Corey?
Yeah.
Yeah.
I have a short overview of the company. Number one, thank you all for coming today. Rapid7 is a cybersecurity company that's focused on helping organizations scale their security operations programs. Our observation on the market, which we've been in for a long time, is that more and more companies are going to be responsible for actually driving improvements in the overall cybersecurity program, and they do not have the skills and expertise to do it. The program that we've built at its core is an integration and orchestration program that allows them to understand their attack surface, manage vulnerabilities, manage compliance, and detect and respond to attacks. Over the last couple of years, we've really expanded. Over half of our ARR comes from the detection and response business. We've successfully leveraged automation, AI, and managed services to deliver high-quality, I would say outsourced, SOC services at high gross margins.
We've maintained near-70% gross margins as we've done more and more managed services; that's because we're leveraging AI and automation to actually do that at scale and at quality. The remaining part of it is for us to actually expand that coverage of the security operations program staff. The most strategic part, to be clear, was the detection and response area, but now we're steadily expanding that out over time to actually do the active compliance management, active vulnerability management, active attack surface management, and managing both the remediation and the response across that ecosystem. That is sort of like an easier move. It's a much harder move to go from a product-based vulnerability management company to an AI service-driven detection and response business, doing it at gross margins that no one in the industry had actually seen before.
That was a really hard step in the evolution. Now it's about expanding on that success and then, frankly, going back in and picking up some of the stuff that we had to let go in the traditional vulnerability management, some of the stuff that we deferred in cloud security, and bringing that into that security operations cloud that allows us to help organizations scale their total programs. We made some intentional choices to do the hard thing first. We've got sort of like critical mass there. We've got scale. We've got growth there. There are things that we have to actually pick up that we left behind in that acceleration, that run-up, because we didn't have infinite resources.
Absolutely. Absolutely. As part of this transition process, it seems like traditional vulnerability management customers that want to do more with Rapid7 also maybe can set aside some larger budgets and more resources to transition. Can you talk about how this maybe impacts the closure rates and cadence of deals as they become larger and potentially more complex?
You mean for the detection response?
Yes.
Yeah. So look, we're still getting used to it. Actually, no, we made our original business off of doing a bunch of sub-$50,000 deals in vulnerability management across a bunch of companies. And frankly, we still have to be able to do that. If you look at detection and response, they're just much larger deals. You're in the six- and seven-figure deals more regularly. That was, frankly, a growth curve and a learning curve about how we actually do those, and now how we actually manage both the larger deals and the mid-size deals at the same time, especially in this economic environment where larger deals take longer. Our sales team, and frankly myself and our team, are still learning how to actually forecast those large deals in an economically turbulent environment.
The thing is, the growth is still there if you actually zoom out. What we talked about last quarter is that we had some delays, which subsequently closed, but we're still learning how to actually tune and optimize that.
That makes a total... yeah. Oh, it's great to have the mic. That makes a ton of sense. In the risk exposure management area, it doesn't seem like this is well understood by the markets, based on our conversations. There are a lot of larger private companies that are actually doing quite well in this market and growing quickly that overlap with the traditional VM market as well. Can you help us understand how Rapid7 can bridge the product set from traditional VM into areas like attack surface management and risk management, and help us understand where customers are in that journey as well?
Yeah, it's a great question. If you look at where lots of the public companies are focused in the areas of vulnerability management and CNAPP or cloud security management, vulnerability management is a great market. It's a critical market, but it's primarily focused on on-premise environments, which are not growing. In fact, the on-premise environment is shrinking at a slower rate, but it's still shrinking in orientation. The cloud market is still growing. It's just that the spend is less than anyone in the market expected it actually to be. Whether you're public or whether you're private, the private companies are not going any faster in the cloud space, other than Wiz, which is its own dynamic. The other cloud providers are not growing there. If you look at the growth parts of the private space, it's off of a small base.
If you look at the attack surface management or the ASM space, that is a very high-growth market. The largest players are still like $100 million. It is not like a massive market yet. That is where we have a lot of focus, with that being the heart of our risk orchestration engine that provides integrated risk visibility, integrated compliance management, and integrated attack surface management. We entered that market late last year, and it is going quite well for us too. It is just growing off a very small base. We went from zero, but it is probably one of the most rapid product growths that we have actually had, even in this more challenged environment. It is just off a very small base, which is similar to the market in general. It is good growth in the market, but it is still a very small market in aggregate.
The other part that you actually see growing in that market is compliance. Look, compliance sounds mundane. It sounds like a lot of stuff. The U.S. is becoming more disassociated with the rest of the world. The states are doing their own thing. When you have mysteries and when you have complexity, that's an opportunity for technology. It is something certainly that we're invested in when we think about, sort of like, your security operations cloud and driving your security operations program. It starts with, do you actually know what you have, which is the core chasm or the core visibility across the attack surface. The risk management that we've always done with vulnerability management or cloud security management. The compliance management and controls management is a big part of that.
Excellent. Excellent. Maybe just in terms of your go-to-market motion, what has to happen? Risk managers are oftentimes not the same people as traditional VM and ops teams. How do you maybe start a more strategic discussion based on your platform with these folks? Who are they? Maybe to start out.
Yeah. Look, this is the benefit of it. It's much easier today than it was a few years ago. Look, the hard thing that we had to do was move beyond, I would just say, the tactical VM manager and go upstack. When we sell a detection and response service to manage someone's entire enterprise, we're selling to the CISO. That's our customer. The ability then to actually take that relationship and expand that to risk management, compliance management, the attack surface management, the controls gaps management, the automation and remediation, it's just a much easier proposition to actually do that from there. Today, we are predominantly selling to the CISO or the CISO's direct reports, which is a different position than we were in even three years ago, when that was like a quarter of our business.
That's the benefit of actually having over half of our business be detection and response: we actually have the relationships at that level for that set of customers. Now, the ASPs are much larger, so it's still a smaller part of our 11,000-customer base. Our sales teams now have the advantage to actually be able to engage with that customer base, leading with that detection and response offer.
Got it. Got it. Rapid7 has been very successful in the traditional SIEM market and moving to XDR as an early mover into the space. However, it seems like the space is getting more crowded with formidable players like hyperscalers and larger cybersecurity platforms now realizing the criticality. Where do you see the opportunity to differentiate and win in this market, particularly with what's happening with Splunk's installed base?
Yeah. I mean, that's an opportunity I think that the market broadly sees is that lots of people are trying to figure out, look, Splunk is great technology, but it's expensive to operate and expensive to license and use. People are trying to figure out how to actually cover their complete part of the environment. We've certainly been a net beneficiary from that perspective. I think your larger question, though, is the right one. You have lots of quote-unquote SIEMs, which are data search engines where you ingest the data and you do searches on security stuff. Microsoft has a good one. CrowdStrike acquired one. It's still early, but they acquired one. You actually have a play.
I would say even with all that, the market is net probably competitively positive, because you have many more people exiting the market, or legacy or declining in the market, than you actually have entering the market in general, and you have more share owners overall than you have share takers. The most important piece, and this will be somewhat controversial, is that I think SIEM is necessary but not sufficient. We have our SIEMs. We're fine working with Microsoft SIEM as appropriate. The core that we actually really invest deeply in is the integration engine and the orchestration engine that drives security programs. If you look at what we've actually built out, it's the ability to actually track every asset, every cloud instance, every resource, what's the configuration, what's the control applied, what's the activity provided.
The data where the activity is stored is great because we do it more efficiently. Over time, I don't really care where customers store the data. The thing that drives AI in security operations is the ability to actually be able to make decisions on the data. We have the richest context store on the decisions about the data because we know everything that's in the environment. We know every configuration in the environment. We know every control in the environment. That insight allows us to actually continue to get the dividends from AI and automation as we actually go forward because it makes it material. Everyone else is just looking at what activity comes in the environment. What matters is that do you have endpoint protection on the thing where that activity happens? That's a really big deal.
If I see that same activity, can I actually sort of see everywhere that doesn't have the protection? I should probably go look there first. I should probably focus in. If I see an attack in the environment, it's just like, okay, I know this attack exploits this vulnerability or this configuration. Why don't I go search there? We can do that all instantaneously. That is why we spent so much time building our integration layer on the platform, because when you're using AI, the context about what activities and attacks are happening against what environmental controls and configurations matters deeply.
Absolutely. I totally agree with you. The log normalization and collection aspects of the SIEM are not where the value is.
It's not where the value is created. Look, I tell our teams something that is somewhat controversial. I said, we build a great SIEM to save our customers money, because it's often inefficient. We have to lower the cost scale. We can run on any technology environment. We manage lots of data today out of S3 buckets. The data storage is not the special sauce. We just need to have customers be able to store lots of data at the right cost structure. It's really about how do you actually mine that data and how do you actually filter through that data to actually find the signal from the noise?
Absolutely. Just speaking of maybe customers being overwhelmed by their SIEM or overwhelmed by their data stacks, what are they telling you when it comes to the managed detection and response market opportunity? What are customers looking for in terms of these solutions? What kind of ecosystem partners can you build out here?
Yeah. Look, we're early on in the ecosystem roster. We're very bullish about the ecosystem. Let's start with what customers want. Look, customers buy, and keep in mind, we serve both mid-enterprises and what we call mainstream enterprises. Think about the Fortune 1000. Not as heavy a focus on the Fortune 100, but we serve lots of large customers, and they tend to be resource constrained. They want to have great security at an affordable price. What that means is that first and foremost, they want to make sure that they're not missing anything. They want to know what the environment is. Most SIEMs and most MDRs just start collecting data. They don't have a primary focus on what's in the environment to be collected. We start with: what's the view of your attack surface? What should you be monitoring?
How do you actually have the right monitoring strategy in the environment? It's unique because we actually, unlike most other MDR players, know what the environment is better than the customer once they actually tune in and bring in the complete attack surface management. The second part that customers want is they want scale. What do I mean by they want scale? They want someone that can monitor the entire environment and do that economically. The choices that customers have had have actually been unaffordable scale. I have to do Splunk and a big systems integrator, which is prohibitively expensive to actually monitor my complete environment. If I want to save money, I can choose just to manage endpoints. There's a bunch of endpoint providers that have managed services, but that's pretty much managed endpoint providers.
I've got to be willing to ignore most of the data and security telemetry in my environment and not have it. What they want is someone that can give them scale. What's unique about us is we have a full security operations platform and an integration engine that pulls in all the other data and the telemetry across the environment, along with our own security operations stack. That allows us to enable customers to manage 100% of the environment cost-effectively, which has always been one of our primary differentiators.
Absolutely. Absolutely. Maybe talking a little bit about the financial model. I mean, Rapid7 has made some pretty significant investments to accelerate growth, I think around $30 million. How and when do these investments maybe start to kick in? What does that reacceleration look like in terms of growth for the business?
Yeah. Look, most of that growth investment is going in behind the things that are actually working today. It is the detection and response business, which is over $400 million, growing mid-teens. We are addressing, I would just say, the core mainstream enterprise, but we have room up and we have distribution plays down. We are investing behind that. We are investing mostly around the world, but we are setting up a big security operations center in India and some other places that we are building up right now. The investment is to really scale that detection and response practice primarily, and we are already seeing benefits of that today. Again, most of that is actually to do more enterprise MDR services, because we have lots of joint development customers where we already have demand for it.
We expect that to benefit 2026 primarily because they're larger deals when you have seven-figure deals. We don't count on that being short deal cycles, especially in that environment. We already see that we're off to a pretty good start now. We just launched in April, for what it's worth. I don't want to overtalk about something that just launched. We had a backlog of customers who were just like, "Can you build a more customized service for my environment? I want you to monitor more of this, manage more of this." We knew that we had latent demand there. We're actually going out and pursuing that right now.
Yeah. We increasingly hear in our discussions from customers that they do not want to buy more software. They do not want to buy more from a reseller. They want to buy an outcome. They want to buy something that matches.
They want to buy the outcome. That is what we look. We give customers the ability to actually run and scale their security operations program, and we do it lower than the cost that they can do to operate it. That is the thing that they want to buy. We provide the transparency, the accountability, and the visibility around that.
Excellent. Excellent. I've got one more question before we open it up to the audience. In terms of the many conversations we've had, investors have, I guess, a sense that detection and risk, from a competitive-set standpoint, have become a little bit more challenging. How do you push back on that view with investors who maybe are missing that perspective from a surface-level analysis?
Yeah. Look, I think it's a noisy market, so it's easy to be risk-off in noisy markets. We push back with facts and then increasingly with evidence. One is this is why we break out the fact that half of our business is detection and response. It's growing mid-teens. That's with a narrower market scope than we need to have, meaning that we're unlocking more of the addressable market around that. The anchor is already a successful business, and we've done the hardest part of the transformation. The first thing I lead with is just the facts. I think the competitive dynamic, frankly, serves us more as we go forward because, frankly, public markets and private markets can't afford to subsidize businesses as much as they did in a zero-interest-rate environment.
You see some of that playing out in the MDR market where people have been, I would just say, mispricing services for years, and that's getting reconciled very quickly.
Absolutely. Any questions from the audience? Pretty quiet group. Okay. I think we'll go ahead and give you a few minutes back.
Yes, sir.
Thank you very much.
Thank you all.
Thank you, Corey.
Thank you all.