M&A Announcement

Jul 19, 2021

Hello, thank you for standing by, and welcome to Rapid7's Acquisition of Insights Conference Call. At this time, all participants are in a listen only mode. After the speaker presentation, there will be a question and answer session. Please be advised that today's conference may be recorded. I would now like to hand the conference over to your speaker today, Sunil Shah, Vice President of Investor Relations. Please go ahead. Thank you, operator, and good afternoon, everyone. We appreciate you joining us today to discuss Rapid7's announced acquisition of Incyte Cyber Intelligence Limited. With me on the call today are Corey Thomas, our CEO and Jeff Golowski, our CFO. We've distributed our acquisition and second quarter twenty twenty one preliminary results press release over to Wire and it is now posted on our website at investors.rapid7.com. This call is being broadcast live via webcast and following the call, an audio replay will be available at investors.rapid7.com until 07/26/2021. During this call, we may make statements related to our business that are forward looking under federal securities laws. These statements are made pursuant to the Safe Harbor provisions of the Private Securities Litigation Reform Act of 1995 and include statements related to our preliminary results for the 2021, the impact of the Insights acquisition on our products, strategy and future results of operations the anticipated growth of Insights revenue post acquisition the company's positioning, our future goals and the assumptions of underlying such goals. These forward looking statements are based on our current expectations and beliefs and on information currently available to us. Actual outcomes and results may differ materially from the expectations contained in these statements due to a number of risks and uncertainties, including those contained in our most recent quarterly report on Form 10 Q and in the subsequent reports that we file with the SEC. The information provided on this conference call should be considered in light of such risks. Actual results and the timing of certain events may differ materially from the results or timing predicted or implied by such forward looking statements, and reported results should not be considered as an indication of future performance. Rapid7 does not assume any obligation to update the information presented on this conference call, except to the extent required by applicable law. At times in our prepared comments or in response to your questions, we may offer incremental metrics to provide greater insight into the dynamics of our business. Please be advised that this additional detail may be one time in nature, and we may or may not provide an update in the future on these metrics. Following our prepared remarks, we'll host a brief Q and A section. We'd like to focus today's call on Incyte's acquisition, so we ask that you hold all questions related to our preliminary second quarter twenty twenty one results or for our quarterly earnings results call to be held on 08/04/2021. With that, I'd like to turn the call over to our CEO, Corey Thomas. Corey? Thank you, Sunil, and good afternoon, everyone, and thank you for joining us on short notice. I'm excited to speak with you today about our acquisition of Insight, a leading provider of cybersecurity threat intelligence. For today's call, I want to focus on sharing how this combination accelerates Rapid7's ability to secure the digital experience, meeting customers where they are as they evolve to face security challenges of a growing digital footprint. Before I jump to that, I want to briefly highlight the outstanding execution by our Rapid7 team, delivering a very strong second quarter demonstrated by our preliminary results of 29% growth in ARR to approximately $489,000,000 ahead of our expectations. These results reflect the expanding need for organizations to invest in security transformation alongside their digital transformation investment. But increasingly, customers are recognizing that improved visibility to their internal risk profile is just one part of the equation. The external threat environment is evolving faster than ever, highlighting for customers that threat intelligence is now more strategic than ever. It's clear that with digital transformation comes an ever expanding external attack surface that they must monitor and protect against an escalating cyber threat landscape. Insights, based in Tel Aviv and founded six years ago, offers a leading external threat intelligence and remediation platform that helps customers solve their growing challenge. Their flagship Threat Command offering turns complex signals into contextualized attack surface intelligence, democratizing threat intelligence and making it easier for organizations of all sizes to remediate their most critical external risk factors. More specifically, Insights helps customers by monitoring the clear, deep and dark web to identify threats specifically targeting customers' digital footprints, things like data and credential leakage, malicious activity tied to their brand or fraud. Direct Command not only provides continuous monitoring to identify these external risks, such as suspicious phishing domain, it can then proactively respond with automated takeouts of these fraudulent domains or accounts. This is just one example of how insights provide actual intelligence and response that helps secure our customers' digital experiences. Coupling Insights' tailored threat intelligence with rapid governance, community infused threat intelligence and deep understanding of customers' environments will help our Insight platform to provide unmatched monitoring across internal and external surfaces. This will enable us to deliver rich insights that drive proactive and automated threat mitigation for our customers across their digital footprint. Our acquisition of Insights extends the core capabilities and outcomes that Rapid7's Insights platform can deliver to our customers in three primary ways. Let me take a moment to address each of these. First, Insight expands our addressable opportunity by positioning Rapid7 as a leader in the fast growing billion dollar threat intelligence market. We entered the build on Insight's strong momentum to date by making Threat Command accessible to an ever wider security audience by continuing to sell it standalone and over time, integrating it as a component of our Insight platform. I am confident that this can drive immediate value for many of our existing and prospective customers. Second, integrating Insight's Threat Intelligence with Rapid7's leading detection or spot capabilities will provide customers extended end to end fidelity for internal and external attack surface monitoring, solidifying Rapid7 as a leading cloud native XDR platform. At its core, XDR is about collecting and correlating disparate data to improve detection and accuracy and leveraging automation to drive response effectiveness. Since inception, InsightIDR has led with a data first approach to providing visibility and monitoring across customers' environments. Today, Rapid7 offers one of the most comprehensive extended detection response capabilities, combining internal visibility across network traffic, endpoint data, logs, user activity and cloud visibility with intelligent automation across our platform. Few competitors in the XDR market today can match this. But a critical challenge for every SecOps team today is to separate the overwhelming level of noise and alerts within the data from actionable signals of risk or compromise. By integrating Insight's leading technology into our Insight platform, we will bring to fruition our vision of a data driven XDR platform that provides unmatched telemetry via a best in class availability to understand the threat environment across internal and external surfaces, driving faster and more accurate detection and response to threats. We believe this combination will accelerate our position as a leading player in the fast evolving XDR space. Third, infusing Incyte's threat intelligence within our Insight engine will elevate and further differentiate every product on our platform, amplifying our unified platform experience. This is a critical component of Rapid7's acquisition strategy. At our recent Investor Day in March, we spoke at length about the value of our shared data collection ecosystem with analytics that can move from product to product. The integrated intelligence and telemetry from Incyte will enhance risk visibility, not just in our detection and response pillar, but also in our VRM and cloud security pillars as we continue to work towards delivering a unified SecOps experience in the cloud. A great example of this opportunity is an existing Rapid7 enterprise healthcare customer who also leverages Insights to protect their massive digital footprint. In their own words, at their size, they would need an army of 100 people to keep track of everything Insights does to monitor their external threat exposure. The net effect is that they have improved their security outcomes by leveraging Insights to identify and remediate about 500 external threats per year. This is a great representation of the size and scope of the challenge that many customers are facing today as their ongoing investments in digital transformation dramatically expand their digital footprint. In addition to Insight's ability to accelerate our core Insight platform capabilities, we see great mission driven alignment with the Insights leadership team as well as great cultural fit, which, as I have shared previously, has always been critical to the success of our acquisition strategy. Their effort to democratize threat intelligence fits squarely into our mission of making the best in security operations accessible for all. They have built an innovative and impactful business, and we are excited to welcome the Insights team and its customers to the Rapid7 family. Turning now to a brief financial review of the deal. Under the terms of the agreement, Rapid7 has acquired Insights for a total consideration of $335,000,000 subject to adjustments to be paid in cash and stock. Insights ended its 2021 with approximately $27,000,000 in ARR, and we see tremendous opportunity for the business to drive continued high growth looking ahead. We believe this accelerates our path to become a $1,000,000,000 company. Insights has approximately 400 customers across multiple industries, including technology, retail, financial services and manufacturing, among others, validating a huge opportunity for growth via both new customer acquisition and penetration into our existing customer base. We anticipate modest revenue contribution from Insights for the balance of the year as a result of the required purchase accounting deferred revenue write down. We will share more details on this in a few weeks when we update our full year guidance on our upcoming earnings call. I will highlight, however, that we intend to absorb Insight's operating expenses within our current profitability outlook for 2021. So were it not for the required deferred revenue write down, we would not anticipate a reduction to our low end of our full year non GAAP operating income expectations as a result of the acquisition. In summary, we're extremely excited about the opportunity Insights brings to expand our addressable market, extend our leading cloud native XDR capabilities and elevate our platform value proposition, all in the service of helping our customers close their security achievement gap. We look forward to integrating the Insights team and technology as we work collectively to deliver a unified SecOps platform experience that improves security outcomes for organizations of all sizes as they accelerate their digital expansion. With that, I will turn the call back to Sunil to open the call for your questions. Thank you, Corey. As a reminder, we ask that you hold all questions related to Q2 results for our upcoming quarterly earnings results call. We'd appreciate if we focused today's discussion on the Insights acquisition. Operator, can we now open the call for questions? Thank you. Our first question comes from Rob Owens with Piper Sandler. You may proceed with your question. Great. And thank you for taking my question. I guess relative to the acquisition, as we think about the category of XDR moving forward, and you talk about the cloud native capabilities that they have, Just curious if there's more you think you need to do from an on prem perspective. I know XDR has been a bit more of a marketing category and before that there was next gen SIEM. So kind of curious if you have the pieces now, Corey, from your perspective or if there's more to do from the on prem side of things to have a more holistic XDR? And I do have a follow-up as well. Yes. Thanks for the question, Rob. And so when we think about XDR, we think really about how do they help customers solve their fundamental problem about detecting and protecting themselves from threats and attacks in their environment. And if you think about security is by itself a large fragmented ecosystem and detection response, a fragmented ecosystem. Our long term goal with InsightIDR has always been to actually take that complex fragmented ecosystem and make it successful for people to actually have an integrated detection and response program. And so we've been building that steadily throughout the years where it wasn't just logs, it was endpoints. It wasn't just logs and endpoints. It was also about the network data and visibility. And now we also are able to provide the external threat visibility And we're able to look at response also in an integrated fashion with our InsightConnect platform that allows you to actually automate response across the portfolio. We think about whether you call it XDR, whether you call it integrated detection and response. At the end of the day, our primary focus is how do you actually take a complex environment and allow people to actually detect the attacks that are happening, make sure that attacks don't go through some of the gaps that often exist within security environments and allow them to actually respond as effectively as possible. With insights, it allows us to combine that holistic insight visibility with the external visibility. Now to your core question about do we actually have all the pieces, I would say we have the core pieces that we need. And we've been a leader in this space for a while. And so we've had the pieces for a long time. What happens is we keep pressing and pushing the boundaries so that we can deliver more and more value to our customers. And you see that with some of the organic investments that we're continuing to make and announce. And you continue to see us push the boundaries forward, ensure that customers don't have any gaps in their ability to detect and respond to attacks. And you said you have a about it. Yes. And as a follow-up just on the quarter, I know you're going to share more in details in the next couple of weeks, but this was the second largest sequential increase in net new ARR I think you guys have ever seen modestly behind the fourth quarter. And if we stack up acquisitions, there is an acceleration here in organic ARR growth. So maybe you can just comment generally about the environment that you saw during the second quarter. Yes. We're going to have most of our commentary on the Board call. What I would say is as I said on the inter call, I'm extraordinarily proud of our team. They have done really a tremendous job of, one, building solutions that customers need. And so it's easier to sell when customers actually value and want what you actually have. And as you indicated, that's true just as much organically as it is inorganically. And the second thing is that our go to market and our customer service and sales team just did a tremendous job executing and continuing to build. So we'll go into detail on our earnings call, but I'm going shorten the trial of the team and what they've accomplished for our customers. Thanks for taking the questions. Thank you. Thank you. Our next question comes from Jonathan Ho with William Blair. You may proceed with your question. Hi there. Can you hear me okay? We hear you just fine, Jon. Great. So just how much of an upsell opportunity do you see with Insight? And perhaps what's kind of a typical deal size for the company look like? Yes. And so let me just start with the upsell. We actually see a tremendous sort of opportunity to both cross sell and upsell into our installed base. We think with InsightIDR, as I've talked about on previous calls, we increasingly are seeing customers who are absolutely focused on figuring out how they actually make sure that they actually get up and running as quickly as possible with the best in class solution. And so we see more people focusing on how to upgrade their stock. And we see this as a natural synergy with InsightIDR and frankly with our InsightIDR installed base. That said, this is going be another offering that we continue to sell standalone. They have a great momentum, great traction in the market today. And we expect to continue that market both selling to Rapid7 customers, but also adding net new customers. I think that from the data that we actually put out, there's two core numbers is one, if you look at the rough ARR of approximately $27,000,000 and we actually talked about roughly 400 customers. And so that gives you roughly a $67,000 ASP, again, just from the data that we actually put out in the announcements earlier. Got it. Got it. And then in terms of the maturity of organizations, how should we be thinking about sort of their understanding level around protecting the external assets? And maybe in baseball terms, what inning we are in terms of seeing the market adoption and awareness here? Thank you. Yes, it's a great question. I'll answer that in two ways. One, if you look at what the from the TAM standalone, which is attractive, it's like in the low single billions of dollars per year. What was most exciting for us is the customer feedback that we've actually seen. We've seen a pretty big uptick in acceleration of customers looking for threat intelligence solutions and specifically actionable threat intelligence. And we think part of the reason they were so successful independently is because they're focused on the core things that people need to actually manage their risk exposure. So it's not just sort of like theoretical threat intelligence that's generic about what's happening in the environment. This is hyper actionable, hyper specific about what we're seeing related to your specific company, your officers, your people, how people are trying to actually use fraudulent websites, domains, information. We're looking across the clear web, deep web and dark web, all to actually figure out anything that's at risk specifically to a company. And for us, as we actually spend our time looking across this space, the specificity and actionability is something that we really wanted to make sure that was available in any offering that we had such that customers can continue to get a fast return on their results. Great. Thank you. Thank you. Thank you. Our next question comes from Brian Essex with Goldman Sachs. You may proceed with your question. Great. Thank you for taking the question. And I guess maybe if I could expand Corey on that last response you had. Could you maybe provide a little bit more detail into the value of the Incyte platform whether it's having an extra I guess, volume of data for you to ingest in the XDR? Or did they really do something different? Is there technologically something that they're going to add to your platform in terms of analytics where you need to more fully integrate them into your platform? Just trying to understand kind of explicitly what they're bringing to the XDR platform of Rapid7. Yes. You can think about what we well, it's a great question. It's an important one. Think about Rapid7 is excelled and excellent at providing an internal view of the environment. And so you think about a threat environment that's not a threat environment, a technology environment that with all the innovation, with all the focus on digital agility is expanding rapidly. And so our security customers have to actually manage that threat environment. And because we've been so focused on simplifying and integrating that security perspective, Rapid7's and here I'll talk about specifically inside IDR, but I would say for all of our security operations it's excellent at providing visibility about what's happening from a risk and threat perspective, the visibility and monitoring into the attacks that you actually have in the environment and then the automation that allows you to actually respond. All of this is internally focused. Now what Rapid7 has not done other than what we do from our open intelligence sort of like work is provide our customers in-depth views about their external risk and their external threats. And so are there people that are out there leveraging either their infrastructure or spooking their infrastructure that compromises them or their customers? Increasingly, you think about the world of cyber, where your people's brands are at stake and people are looking to actually catalyze and compromise any aspect of an environment, then it's incredibly important to actually not just focus on the internal environment, but also see what's happening in the external environment, what's happening in the dark web, what's happening with the infrastructure that's being built up. And that intelligence is increasingly valuable to customers. So what I would say to complement is we are best in class at an internal perspective. And what this adds is the best in class external perspective so that we can actually know if there's actually people or data that's been compromised on the dark web. We can actually know if people are taking our infrastructure or mimicking our infrastructure, using to compromise our clients and our customers. That's stuff that our customers increasingly care about. Got it. That's helpful. And maybe if I could ask one more follow-up. Maybe a little bit of color on how the transaction evolved. Was this a company that you partnered with and you saw the demand with customer customer overlap and you kind of sought out the technology based on what you heard from your customers? Yes. So like most things that we do, we're pretty demand centric at Rapid7. So we're constantly listening to our customers and see what they're interested in and how we can actually create more efficiencies and more productivity for the stuff that we do when we take care of our customers, especially as it comes to their security operations. In this case, we were actually tracking the demand and we're also tracking the general market. And this was a team that we were incredibly impressed with. And this is a team that we spent some time getting to know because what we found when we look at the broader market is that there was lots of companies that did, what I would say, research oriented threat intelligence. By the way, Rapid7 has great research oriented threat intelligence. But what we were hearing from our customers is they were incredibly hungry for I want specific stuff that's a threat to me and I want to know about when it's a threat and I want it to be able to respond. And so there's two actions we like. One, like the actionability of it being specific to a customer. But the second thing that we found incredibly unique is they had this ability to do these automated remediation takedowns. And so when they found things that automated the ability to actually remediate that for the customer, and that was incredibly unique from our perspective, especially combined with our overall platform. Great. Very helpful. Congrats on the transaction and the results. Thank you. Our next question comes from Saket Kalia with Barclays. You may proceed with your question. Okay, great. Hey guys, thanks taking my questions here. First maybe for you Corey, really interesting to just hear about sort of the internal versus external kind of perspective, right, in terms of what Insight brings. But I was wondering if you could just dig a little bit more into the threat intel offering here from Insight and maybe how you think it differentiates? And I guess I asked that question because it feels like there are several options out there for threat intel. How did you kind of think about sort of differentiation of that data during the due diligence process? Yes. It's a great question. One, there are several options that you can imagine. We do our homework with these things. And we were incredibly impressed with this team. I would say the things for us that actually stood out as we were comparing is I put these things in a couple of different buckets. Is one, you can actually think about the threat intelligence market really came up as a manual human centric, genius centric activity where you got a few really, really smart people and you actually have them dig, impersonate, spoof, gather and collect information. That's the historical threat intelligence market. By way, that's awesome. And as you all know, Rapid7 has people that actually do that or invested in that. The challenge for me is that doesn't scale. So when I want to actually scale this sort of like approaching 10,000 customers around the world and I want to be actionable is especially in the talent environment that we're in now, we can't afford to have armies of people that are actually going out doing this manual stuff. We need some that are deep experts and we'll continue to have that. Really what we wanted to look at is we were looking for threat intelligence that had scalability associated with it, where they really fine tune the technology aspect of the ability to both generate threat intelligence on an automated platform and then synthesize third party threat intelligence on a platform. And this was fairly unique in the ability to both generate threat intelligence in an automated fashion, synthesize threat intelligence and then add your own custom threat intelligence to the mix. That was incredibly important and powerful for us. And then the last thing, the thing I mentioned last time is that they had actually taken that a step further and really focused on the automation on the automated remediation and takedown. Now part of the reason that they've actually done some of these things, and again, we're going continue to invest and build out these capabilities, is that they have the similar mission to Rapid7. Their mission was democratizing threat intelligence. And when you think about what that means, that means how do you actually make the best in security operations, which is what Rapid7 is focused on, accessible to the broadest possible audience, be they a Fortune 10 company or be they a midsized company or be they a government around the world. And so that focus on scalability is really what drew us to them. They have very, very smart and talented people based on their background, but scalability was unique and precious in the market. And so we were excited about the opportunity. Got it. Got it. Maybe just a quick housekeeping follow-up. I think the deal just closed or maybe it's about to close. But can anyone talk just maybe about the financing mix between cash and stock in that $335 purchase price? Yes. Hi, Saket. It's Jeff. It closed Friday, so the total price was $335,000,000 It's about $21,000,000 of stock. The rest is all cash. That $21 went to the founders. Got it. Very helpful. Thanks, guys. Thank you. Thank you. Our next question comes from Alex Henderson with Needham. You may proceed with your question. Great. Thank you very much. I was hoping we could just hit a couple of the block and tackle elements of the acquisition. For instance, can you give us some sense of how many employees you're bringing in? And any idea around the growth rate, which I don't I know you said it was high, but high is a very qualitative term. Could you give us a little bit more sense of what the growth rate looks like? And then the third piece is, as we're looking at that $27,000,000 in ARR, how should we be thinking about the mechanics around how much of that is going to be lost as a result of the purchase accounting and how much of it you think you might be able to. And I realize that obviously that accounting exercise takes some time to play out and you don't have exact numbers, but something in the general ballpark would be helpful. Yes. Alex, they have 180 employees that we're acquiring. And this is another high growth asset that we're bringing on. It's a little over 40% in growth in ARR. With respect to the write down, it's what was I going to say? That's the deferred revenue and not the ARR. The ARR stays by itself. So that would be we'll talk about that on the August call. So that will affect the revenue, obviously. And what we said in the prepared remarks is that in our if you didn't take that write down, we come in on the low end of our operating income range. I see. Okay. And just going back into the competitive landscape. As you think about this acquisition, who do you look at as their nearest competitors? Who does it where does it overlap? I mean, is this a recorded future? Who should we compare this with broadly? And I appreciate the great responses and the opportunity to ask the question. Yes. Mean, the threat intel market is a highly fragmented market. I think you mentioned sort of like Recorded Future is one the most well known companies. Have RiskIQ, that's another comparable company in the space. I think there's a host of companies that you actually go down the list. I think those are probably two of the most notable based on news and name brand. And they all focus on slightly different aspects. Like I said, it's sort of like some focus on the custom threat intel, some focus on the automation, some focused on the brand and reputation. What we actually found here was a company that actually had a good mix of having a scalable platform for both processing other information but also finding information both on the clear and the dark web as it pertains to companies. Thank you. Thank you. Our next question comes from Brad Reback with Stifel. You may proceed with your question. Great. Thanks very much. Corey, as you mentioned before, now you cover sort of the inside and the outside from a threat perspective. So going forward, should we expect you to continue to look to widen the platform, either be it further acquisition or internal development or just go deeper on what you got? Thanks. Yes. I mean, a good question. I characterize it as actually going deep. I think we actually have a large TAM today. I think we have a clear market space. When we think about security operations and providing people the visibility into their environment, the analytics to understand what matters from both a risk and a threat perspective and the automation to actually scale the management of those risks and those threats, we think that's a massive problem, whether you break down the individual TAMs or you look at from an integrated perspective. And if you look at both the organic investments that we made and the inorganic, they've been fairly disciplined in the scope for that problem that I just described right there. We want to be the masters and the best in the world and helping people have visibility into their risks and threats, whatever that may sit and whatever may result from a cybersecurity perspective, and then provide the analytics and the automation to actually manage and remediate it in the most productive and efficient way. That's how we kind of think about our markets. I would say it's deep, but in a massive TAM and a massive area of need for our customers. Great. Thank you very much. Thank you. Thank you. And I'm not showing any further questions at this time. I would now like to turn the call back over to Corey Thomas for any further remarks. Well, just want to thank you again for joining us at the last minute today. I also want to give another shout of gratitude to both the Insights team and the Rapid7 team. And thank you to all the folks in the investor community who's been supporting the work that we've been doing on behalf of our customers. Thank you so much and have a great day.