Welcome, everybody. Thanks for being here. I'm Kingsley Crane, and one of the Software Analysts here at Canaccord. With me, we have the Rapid7 team. We have Corey Thomas, CEO, and Sunil Shah, SVP of Finance. Thanks for being here.
Thank you. Good to be here.
Let's kick it off. Let's start with the recent quarter. You reported solid results last week. What were the key takeaways for you in terms of customer activity, product traction, macro signals?
Yeah, so we thought coming out of the second quarter, we saw more stability in the macro. We had a healthy quarter. We saw a concentration of some of the larger deals that have been more hesitant in the first quarter, not just close, but we saw steady momentum both there and in the pipeline overall. We saw really strong health in our detection and response business. We saw budding signs of the exposure management upsell, even though there were larger consolidation deals. We felt good with what we saw. The primary thing that we actually noticed coming out of it is that we were seeing customers take more time, do more scrutiny, and focus more on how are they going to actually do more with less spend and budget overall.
That was for the deals that actually, for our consolidation play and how we help customers get leverage in their sales operations between our AI and MDR solution. That's an incredibly positive thing. It's also now we're in a situation where we used to be a traditionally mid-market player. Now we're actually looking at being customers' top line expense for mid to larger enterprises. We're adjusting to actually having longer deal cycles, with much higher average selling prices.
That's really helpful. I want to take it back to just a basic overview of the product portfolio. From a revenue perspective, it's a bit of a tail that you have. You have a detection and response business that's growing in the mid-teens, and then you have more broadly an Exposure Management business that has been seeding some share, a bit more stagnant. Can you speak to that dichotomy and how you're thinking about the overall portfolio?
Yeah, so when you take a look out, you zoom back a couple of years ago, we had a simple thesis, is that customers were going to have more complex environments. We used to be in the vulnerability management space, which was really anchored in the on-prem world. Our view was that the lead in the market overall was going to be detection and response about how people manage their security operations and how they scale their security operations. That detection and response or MDR would be the primary lead motion around how people thought about that. We invested heavily to actually be great at that. Today, it's over half of our business. It's over a $400 million business. It is a managed and AI-assisted detection and response business. We achieved our goal of actually building that business and scaling it.
Now we're actually going back and actually then attaching and bringing along the rest of the security operations stack. You'll see us do more compliance over time. We'll continue to go back and expand on the risk management with cloud security. When we think about the portfolio, security operations is really about how do you monitor what's happening in your environment? How do you manage your threat and risk profile? How do you manage your compliance posture? Then how do you actually remediate attacks against the environment? The core and the anchor is detection and response. We wanted to be great in that because it was the most strategic, the most important. That's the area of growth.
We knew that if we actually did that well, then we could actually go back and build the technology, the AI, and the managed experience to actually bring the rest of the stack overall. We've gotten half of it done. We have to actually go finish the other part of getting as much traction as we have in detection and response with the rest of the cloud security, the compliance, and the risk stack.
That leads nicely into the next question. When I think about the vision that you have for an integrated SOC, you include all the expertise you've built over the years, and you start layering in agentic workflows. It really is compelling. What do you think your right to win is in an agentic SOC arena? How do you think that could drive revenue acceleration and bring the whole portfolio together?
Yeah, it's a good question, especially in a world where there's so much noise when you think about the agentic SOC. You have to zoom out and say, like, what are the things that make any AI great? At the end of the day, it's do you have better data, better expertise? Like, that's true of any AI domain. We have better data and better expertise. Why do we actually have better data? Most of the SOCs that you actually see in the world, and most of the agentic players in the world, train their data on the activity data that comes from reading logs, looking at alerts across the environment. That's great. That's sort of like a part of the data that's actually needed. Most of them are just using a narrow set of product data, meaning that they don't have scale.
They have a small set of data that they actually use to train off of. That's always going to be suboptimal. What makes us unique is two factors. One, we actually have the complete customer context. We not just have the activity data that every SIEM, every MDR customer has. The reason we invested so heavily in the integration platform is we have all the data about what are the assets, what are the controls, what are the configurations, what are the cloud resources in the environments, and then what's the data on top of that. When you look at the expertise around that, we've actually been doing that for several thousand customers for multiple years and patterns. If you look at what's different about the environment, the first thing is that, like, you can say, well, all data is the same, but that's kind of silly.
If you think about it, like, if I have a drastically different environment, then the data and the attacks against my environment are going to be different. It's the same reason that you don't have the same insurance market in New England that you actually have in Florida, that you actually have in California. It's different. You're protected from different things. You have to know what the environment is. You have to say, all right, how does that environmental context relate to the data? Am I actually seeing a hurricane or am I seeing an earthquake? You can't treat those as the same type of thing. You have to have the expertise to know how to respond. You know, if you're fighting forest fires, you need firefighters. You need a different set of things if you're actually dealing with hurricanes. The expertise, the experience, and the data are different.
We've been building that over years. By the way, that's why we went deep in that area, and we did not try to be the best in cloud security because you can't be all things to all people. We're taking the advantage that we've actually gained in managed detection and response and AI and the data around that. We're actually expanding that out over time. That's the core difference.
It makes a ton of sense. In terms of AI in the security landscape, I would say that it's probably been better used by bad actors in the early days than the companies integrating into their own tools. I mean, how do you see that enabling more proactive security? How does that affect Rapid7?
It is absolutely true, but you can think about AI in some ways as tailor-made for bad actors. The number one thing we looked out for in attacks, when you have phishing attacks, is misspelling and something that looks really fishy and weird when you have some letter that says it's from some foreign prince to your grandmother or something else. Of course, AI is great for actually that. It's also been great for organizing. It's been great for research. It's been great for reconnaissance. Yes, in many ways, if you think about some of the most natural forms of attacks, whether it's organized attacks or reconnaissance before attacks, it's been a boon to bad actors. The challenge that security teams have and adopted is a little bit different in orientation, because it's not just about reconnaissance and organizing. It's about managing an incredibly complex environment.
That requires tools, that requires vendors, that requires the ecosystem to produce products to actually harness the power of the environment. You're seeing that right now. If you look, we're getting better at it. I consider us in the early stages of the AI journey. We manage thousands of customer security operations around the world. Right now, we've actually seen massive productivity gains in the ability to expand the coverage of customers' environments and do that while lowering their overall cost. That's a massive boon. If you look at what we've just released with Incident Command, it is the technology that our SOC's been using for a while. It's the first phase of that release. It allows people to actually automatically organize, automatically annotate, and automatically build investigations that pre-filter and pre-organize attacks. That is a big boon to productivity. I think we're in the very early stages of that.
This is something I don't hear talked about a lot, but in an increasingly automated security landscape, with incident response, how do you think about users becoming too reliant on automation? Is that a relevant concern for you?
The question is, if you're too reliant on automation, you're only too reliant on automation if you actually have more errors and less efficacy at the end of the day. How do you actually assess whether you're actually going to have more errors and less efficacy? Without a doubt, we know about hallucinations. There's definitely error rates. I don't want to dispute that. The question is, are you actually able to scale it and get collectively more efficacy out of the solutions overall? I think the answer is unambiguously yes. I think it's incredibly naive, and I'll just say this, to actually say that I'm just going to actually hand my entire security operations right now over to an automated AI-driven SOC. We're not at that point in time where you can actually do it. You still need the feedback loop where you're actually honing, tuning, optimizing.
The way that we think about unraveling the AI puzzle is applying AI in the areas where humans are the most volatile and the most error-prone. It is incredibly great at actually pre-processing, pre-organizing, collecting the additional information, and doing the same thing every time. If you know that when you see a certain thing, you go get this information and you organize it this way and you compare it against that way, humans just don't like mundane, routine things that you do time and time again. AI and automation is just better, especially if you think about adding some of the intelligence that you actually get from large language models that actually give you the ability to actually do, I would just say, a better class of thinking against certain types of tasks. Not all tasks, but against certain types of tasks. Is AI better for certain things?
Absolutely, hands down. Is it something that you actually go all or nothing? No, we're not at that stage yet. I think we're a long way from that stage where you don't have humans in the loop.
This ties into sort of a managed service question. In a market where managed services are increasingly critical to resource-light organizations, how do you balance the high-touch nature of those offerings with strong gross margins in the mid to high 70%? Maybe where does AI come into that picture to potentially boost margins?
Yeah, look, this has been sort of like the area that probably I have the most excitement in. In some ways, we've had to curtail some of our growth because we only did things that you could actually do at a reasonable gross margin. For the last several years in the managed services space, there's been many private companies that have actually been unsustainable, unprofitable, on the hopes that they could actually grow into scale, which just isn't true. You actually have to build scale and efficacy. We have not just one of the larger MDR businesses, we also have one of the best gross margin profiles overall in the market there. We've just unlocked the capability, leveraging AI, to actually take in more customized workloads and do it at higher gross margins. Our belief is you can actually approach product's gross margins over time, leveraging AI.
Now, it won't completely be there, but our belief is you can actually approach that over time. When you think about where customers are, you've got increasing security compliance requirements all over the world. You have a highly fragmented regulatory ecosystem. You have complex technology environments. You have competition for resources within companies. It lends itself to an environment where customers are going to be more inclined to leverage managed services if they can get the right quality and the right cost. I believe that AI and managed services and the right expertise give customers that right mix of cost and quality. We've clearly been leading into that with our MDR business overall, and we're seeing the fruits of that. Part of what happens is our approach has been to steadily unlock addressable market as we actually can do it at the right gross margin profile.
I think that strategy has been proven right when you look at there's a bunch of stuck businesses. There's a couple of high-quality businesses in the MDR space, and then there's a bunch of stuck businesses in the AR space. You're going to see the high-quality businesses that have reasonable gross margins, a healthy growth profile thrive. You're going to see a lot of other businesses that didn't do that work struggle.
Yeah, and I'll just add, Kingsley, I think you've seen us demonstrate that over the last number of years, right? We've talked about the sustainable sort of growth and the pace that we've seen of growth within our detection and response business. Now over $400 million, you've seen that scale, and we've been on that journey to see the gross margins of that business scale along the way to where as that scaled and taken up more share of our business, you've seen us maintain that 70% plus overall gross margin as a business, very healthy kind of software gross margins at a high level.
Yeah, it's been impressive. In the spirit of Boston, this is where we have our conference every year. You have a significant presence in Boston. You're building a tech business. Just curious your thoughts on the tech and cyber scene here and finding talent both in Boston and globally.
Yeah, look, a couple of years ago, it was incredibly difficult, like exiting 2021 when you had hyper-competitiveness in the market. Today, you can actually find great talent around the world. Boston, of course, produces amazing talent, whether it's the research institutions or even some of the schools. I won't name all of them because I'll get in trouble. I'm local here. There are some great schools that create great marketing people, salespeople, finance people. You actually have a great ecosystem. We're also a global company, and we actually operate all around the world. Talent attractiveness has probably not been as good as it is right now since pre-pandemic levels. We're able to find talent. We're able to attract talent. It's a very, very different model. Now it's really just trying to find the right talent in the right location that wants to work the right way.
I always joke, you know, someone asked me for one of our SOCs, like, why did you open up a SOC in Europe or India? I said, listen, I can find lots of talent. You know when an attacker's favorite time to attack is? It's Friday night. There's not many people in the U.S. who have the skills that we're looking for who actually want to be up at 1:00 A.M. Friday night monitoring environments for attacks. We have to be globally oriented.
Yeah, I mean, it's a huge asset. You spoke to some of your deals getting more strategic, getting larger. You entered this year with some of the strongest pipeline that you felt that you've had in a long time. Just how would you characterize that and how we've progressed through this year and how you're looking at the backup?
Yeah, so when we entered this year, we had two aspects of the pipeline. Our detection and response deals have always been larger deal cycles. That's not different, and that's been as we expected. We had a large amount of Exposure Management upgrades. The way to think about that is people moving from VM to the full management of their attack surface in their environment and the understanding of the risk, the threats, the compliance across the environment. Our hope, and I'll emphasize that, was to actually see a bunch of smaller upgrades, 10% - 20% upgrades that were actually built into the plan. The reality of what we're actually seeing is we're seeing people upgrade, but they're upgrading and consolidating at the same time. Instead of a 20% upgrade, we're seeing 200% uplifts on those, but also the corresponding deal cycles that go along with that.
That's what we've refactored in, we've refactored in a year to have larger average selling prices and longer deal cycles. Look, that's new for us. This is the first time that we've actually managed a deal cycle that's had this size average selling prices and 12-month plus deal cycles in the overall pipeline.
Right, you closed a number of large seven-figure deals in Q2. Just to play devil's advocate, why lower the guide again? Why not kitchen sink the guide if the only new elements are some of the seasonality that you may have known a quarter ago?
Yeah, and so two different parameters on the question. One, why lower the guide is that part of our job is to make sure we communicate what you see. It is different in terms of the smaller volume at-bat deals that are more predictable and the larger deals that we actually have in pipe. We're not precise in actually predicting that. I'll just say that this is the largest mix of concentrated deals, and we want to actually be in a range that we felt very comfortable we could actually hit without expecting to have the same conversion rate on $500,000 and $1 million and $1.5 million deals that we actually had at $50,000, $60,000, $70,000 deals. Once we have some traction, we'll be much better at actually leaning in with confidence.
We wanted to actually lean in with the way that we actually say we're confident in the range and the targets that we actually have and not expecting the same types of cycles and conversions overall. I mean, the same type of conversions that we were seeing on much larger average selling price cycles. That's one about why we tightened the guidance range. Yes, tighten. We stayed within the range when we came down to the lower half of the range. The question about kitchen sinking it, which we actually could have done, that's not the feedback that we're getting from the market. We're actually getting, we are having, if we were not seeing traction or success in detection and response or even the exposure management, then that would be rationale, say kitchen sinking it. What we're seeing is larger deal cycles.
We're definitely seeing all the stuff that we've been talking about for a while. It's not like it's an easy macro environment. It's not incrementally negative on the outlook. We thought that was the wrong thing too. Nuance sometimes gets lost. Trust me, there's no one more frustrated with the stock performance than I am. For no other reason, it massively undervalues the highly successful MDR business, which is probably worth in the whole stock combined just in and of itself. Our goal is to actually tell you what we're actually seeing and to be accurate and open about that as we actually go along.
I want to touch on that. Given the interest of time, I want to check if we have any questions from the audience. We can get them a mic. No, we can circle back. Speaking to this in terms of the stock price, I think we're clearly seeing a public market valuation dislocation right now. Stock's trading artificially depressed. You have more than half the business growing mid-teens. How do you think about operating in public markets versus private markets? Can you talk more about the conviction that you have in having that growth flow through to the other half of the business?
Yeah, the first thing, look, public versus private, we don't get religious on it. I will say there's a dislocation and the public valuation just is not sensible if you actually piece apart the parts of what's happening there. We have to execute on that. We have to deliver on that. That's clearly sort of a dislocation right now. By the way, public markets have that at certain points of time. Certainly, if you look at the growth trends at the macro level, it's understandable what the concern is. That's why we try to provide the color about what's happening up under that. The second thing is how do we actually think about the growth prospects overall? Look, our thesis is very consistent. I do think we actually have some credibility here is that more and more customers around the world now realize that they actually have to do security.
They're actually looking for partners to actually take lots of the security operational load. They want to operate at the program level. They do not want to be managing, installing, operating, and having legions of people managing security. When they got AI pressures, they got SaaS pressures, they have real competitive pressures based on the environment. Our model is to be the number one security partner for security operations. We started with detection and response, which is the lead. We will take that same model and apply it to risk management, to compliance, and to third-party risk and other areas of security operations. It's all going to follow the trend and the theme of how do we actually sort of give customers a better way to actually leverage both managed services and AI to have a great high-quality security outcome. We're starting to focus on MDR.
I know that causes mix in the model overall. We'll apply that same model across the stack. There are zero reasons to believe, I can't say zero, there are no reasons to believe that that's not going to be just as attractive for customers. If customers are willing to trust not just us, but many parties to actually do their core detection and response, which is the most strategic, they're going to be happy if they have a high-value solution that does their compliance, that actually tracks their risk performance and profiles over time. We're building into that. We're building into that like one workload at a time. We started with the detection and response workload because that's the most strategic. We're finishing up that. That'll be sort of like an ongoing area, and then we'll move to the next workload. I think we'll see growth from there.
I acknowledge that that's a tough thing to actually navigate and see in public markets. At the same time, we're seeing the customer adoption and the momentum. I'm confident that markets rationalize with time and data.
Yeah, I mean, I think you could make a really strong argument that today the stock is already undervalued on some of the parts basis.
In and of itself.
Including any of these other initiatives.
I mean, if you've got everything else and you just looked at the MDR business in and of itself, that is itself significantly undervalued.
Yeah. You mentioned your global business. You're building out an office presence in Pune, India. Growth's important. Margins are important. Where do you see that presence going over the next couple of years? Maybe what % of R&D employee headcount could that reach?
Yeah, look, I mean, right now, what I'd say is we're well under peer benchmarks. This is a catch-up area in terms of cost structure and talent. Right now, India is not just a low-cost system. Great talent. They have some of the world's also leading research universities. It's a big country with lots of talent. It's a growing market. We both like the talent, and we're also under the allocations you will see. Your average tech company has between 20% - 30% of their workforce in different talent locations. It's something we definitely see as a potential opportunity. Is it 20%? Is it 30%? It's probably too premature to tell you. What I'll say is that it's a great talent market. The cost structure is better overall, and we think it's the way we actually get scale while producing results in the overall business.
Just to sort of tie a bow on all this, if we think out to 2028 or a couple of years out, where do you want the company to be? What's the vision? How do you think that we're going to get there?
Oh, yeah. I mean, look, when you think about the old model of outsourcing, it is massively manual, and it is overloaded with both cost inefficiencies and typically like crappy experience. Our goal is to be the leading managed security AI partner for customers. When you think about AI outsourcing of your security operations, we help customers scale their security operations, and we do it at better quality, better efficacy. We do it in detection and response, we do it in risk management, we do it in red teaming and penetration testing, we do it in compliance, and we help customers actually get high-quality results at a reasonable cost. That is an attractive value proposition for a lot of customers, and we believe that we're well positioned to do that with the experience that we've already gotten with detection and response.
Look, I'd love to spend more time. We do have to keep the conference running really efficiently. Thanks again, Corey. Thanks again, Sunil. Really appreciate you taking the time.
Thank you, man.