Excellent. Okay. Well, hey, good afternoon, everyone. Welcome to day two of the Barclays TMT Conference. My name is Saket Kalia. I cover SMID-Cap software here. Very happy to have with us the team from Rapid7. We've got Andrew Burton, Chief Operating Officer. We've got Tim Adams, Chief Financial Officer. We've got Sunil Shah as well, in the up here in the front row as well, in the Investor Relations and kinda other stuff area. We'll go with that for now. We've got about 30 minutes here together. Maybe what we could do is we can take the first 20 or 25 minutes with some fireside chat with the team. I'd love to make this interactive.
Anyone that has any questions, just pop up your hand. We've got a mic runner around, and we'd love to make this interactive. Maybe with all that as a framework, Andrew, Tim, thanks so much for being with us here today.
Thank you for having us.
Yeah, absolutely. Andrew, maybe for those of us that are less familiar with Rapid7, I was wondering if you could just start us off with a little bit of an overview of the company, maybe specifically where you've come from as a VM company to what the company has turned into today and where you see us going.
That's a great question. One of the areas when people looked at us as a VM company, the core capability of a VM company was to be able to go out, scan an environment, collect a bunch of disparate data, very complex data, synthesize it all, and give people a simple visibility into where their top risks were, right? Take an incredibly noisy environment, dumb it down, and help someone improve their security program. As we have evolved as a company, we've become a SecOps company, and we believe we can be the number one leader in helping people get better visibility, insight, and analytics around their attack surface. What does that really mean? Where are my threats, and what are the risks to my environment, right? When we look at this, our customers consistently tell us it's a noisy environment.
It's very hard to get the team staffed to be able to get that insight. Our mission is to make that achievement a little bit easier, a little bit simpler, consolidate down, be a platform consolidator, and help people use our SecOps platform to address the end-to-end enterprise risks and threats facing their organization. That's how we think about the opportunity, especially in this economic environment.
Yeah.
People are looking for platform consolidation. They're looking for better analytics. They're looking for things they can automate, and they're looking effectively for a better security program, which is where we're helping them.
Yeah, absolutely. Tim, maybe just to level... Sorry.
Yeah.
I was just gonna say, maybe just to level set all of us. Are there any, are there any sort of highlights from last quarter that you want to make sure we know about, just so that we're all on the same page?
Maybe a couple things. Look, the headline that we're not certainly proud of is we lowered our guidance for the balance of the year. Q3 did not come in quite where we thought it would. We laid out, you know, a couple of high-level things. We are seeing a lot of economic pressure, macroeconomic, certainly in EMEA, and we're expecting to see more of that in EMEA, but to see it over here in the States in this mid-market category where we do have a lot of customers. We lowered the guide for the balance of the year. We believe we have de-risked it, you know, we're being very thoughtful about how we execute going forward.
I'm sure Andrew's gonna talk a little bit more about sales execution, it wasn't quite where we thought it would be for a variety of different reasons. Between sales execution and the macro environment, we lowered the guide. Corey just wanted to put it out there and reiterate a longer-term view that we shared a couple years ago at our investor day of being a Rule of 40 company in 2025, that we see the opportunity for a 20% ARR growth CAGR between now and 2025, knowing that next year is gonna put some pressure on that. It'll be down modestly. We set a point or two based on these couple of factors, making changes to our sales optimization, some pricing and packaging that we're working on, and who knows when the economy is gonna turn around.
I've not seen any estimates out there that, you know, I think many of us can hang our hat on. There is a lot of pressure out there on that side, we see those as the headwinds, certainly in the first half of the year. At least our thinking right now is on the execution side, that will get better in the seket half of the year, and we'll see how the economy plays out.
Yeah, absolutely.
... couple of things to share.
Yeah. Well, certainly you're not the only security company that's seeing that type of macro weakness, so you're in good company.
Yeah
... for what it's worth. Andrew, maybe for you, maybe as a derivative question here, I know you spend a lot of time with customers. Maybe the question is, what are you hearing from them on their security budgets right now, and how are they prioritizing tools like VM, like SIEM, and some of the other SecOps tools that Rapid7 brings to bear?
Yeah. First, security continues to be a high priority. I don't think anyone would say the threat landscape is any simpler or less threatening than it was, you know, even just a few months ago, right? I think we continue to see the threat. It's not immune, right? It's not immune to the macro forces. What we're hearing from customers, literally, security is still a priority, but I have to be very thoughtful of what I'm prioritizing on a relative basis to work through. That's what I'm hearing from CISOs. When we hear that, it really becomes a question of timing and sequencing. We're not hearing projects getting canceled.
We're not hearing that some of the flush spending that has occurred over the last few years, especially at the end of the year, we're not hearing that's going to occur because there's more deal inspection, right? As CFOs get more involved, as CEOs are keeping a very close eye on their spend. They continue to say security is important, security is a board-level topic, and it's something they need to protect their organizations. The question becomes, Saket, is where are people prioritizing? Where are they focusing their efforts? Digital transformation. Huge amount of dollars have gone into digitizing or transforming workloads, development environments. You saw this with Microsoft, Google, and Amazon in the cloud expansion. The security of those environments is incredibly important, right? We're also seeing this changing attack surface as being something that is very important.
Detecting and responding to potential attacks or threats to your organization, again, continues to be a top priority. That's what we're hearing, for us and for our point of view is it really becomes about being able to meet a customer where they are.
Right.
what they're prioritizing, and then really making sure you're able to work with them to make sure that that prioritization and that they can get to that outcome they need to.
Yeah, absolutely. Corey's definitely talked about this as well, meeting a customer on their journey, right?
Yeah. Exactly.
That definitely resonates. Maybe staying with you, Andrew. I mean, not unlike other companies as, you know, in our coverage, you know, the deal scrutiny, the longer deal sizes. Rapid7 is still growing security, the security transformation bucket ARR by I think about 40%. Can you just talk about is it fair to say that maybe more of that scrutiny is happening in the VM business, or would you point us to maybe another part of the portfolio or is it geo-specific?
Yeah. Yeah.
I mean, it's still great to see the security transformation bucket growing 40%.
Yeah.
We're talking about macro, so help me reconcile that maybe.
Yeah. I think one, you do have security programs that are evolving and transforming, more modern, let's call it, right?
Right.
You got this macro influence, right? Tim and we have talked about Europe and, you know, in the, in the mid-market in the U.S., those pressures are there, right? If you take a little bit of a closer look, and you look at the security programs themselves, on a relative basis, VM is not what we see being prioritized as much as some of the others.
Sure.
Security transformation, an area that we have done a lot of the hard work to build out that product set and that platform element, is an area that's incredibly important 'cause think about the amount of money that's been poured into those. I was just talking about digital transformation, cloud workloads. We see this, the detection and response business for us is security transformation, has been very healthy because what we effectively did is we consolidated five or six different tools into one offering. That's often missed when people look at Rapid7 is we were very much focused on consolidating around product centers. Now we're taking that to a platform consolidator, right?
Mm.
Security transformation has grown at such a nice clip because we have solved a problem of people trying to use multiple tools to get to a singular outcome. Now we give them a single tool, give them a better outcome at a better price. Now we're taking that to our platform.
Right. Right. That makes a lot of sense. Maybe the natural add on to that for you, Tim, just to give us a little bit of financial color. Can you just remind us how you segment the business between VM and security transformation? You know, how big are those respective businesses? What's the difference in growth rates? Maybe just to start us off.
Yeah. We've talked publicly. We came out of last year, we said security transformation solutions was a little more than 50% of our ARR base, VM being the primary lion's share of the other 50%. We've said this has been a very high growth engine of the business for us, growing over 40% more recently. When you look at the new deals, the new ARR, it's as high as 70%. There's a lot of traction and momentum behind that. Andrew talked a little bit about some of the packaging work that we're doing, and you think of cloud from a Risk Complete standpoint. You've got the DNR product, and you've got Threat Intelligence and automation.
All of these products are sitting in what we have traditionally called Security Transformation Solutions. That's where customers are going with their needs that they have in the market as they're trying to have better visibility across the traditional on-prem platform, the cloud platform. They really want to understand what risks are out there. They have to detect them, then what do I do once you detect them? How do I respond? These are just very important pieces of the puzzle that we've been able to put together on this platform that we call the Insight Platform. I think one piece maybe investors don't fully appreciate is the amount of work that has been done to build out the platform in this set of products.
Some were built internally, and some have been acquired, but either way, organic or inorganic, it does take a lot of work to put this together to have a more seamless environment and platform for the customer. We've done a lot of that heavy lifting, and that's in place. That's why we think we're very well-positioned when you think what's next and where are we headed with vendor consolidation, which we believe will happen in the broader security environment. There's still gonna be a handful of vendors that will be the ones standing at the end of the day. We think we're going to be one, and in part, it's because you have the platform, which is an enabler in that breadth of products.
Yeah.
The security transformation is an important piece of that.
Yeah, absolutely. Maybe just staying on that topic with you, Tim. I mean, you mentioned several of the products that were in security transformation. You know, understanding we're not gonna get into relative sizing, but could you maybe rank order for us what are the top three, four kind of products...
Yeah.
Just.
DNR stands out as really the big one that's in that bucket, and that's one that we've had a little bit longer inside of the portfolio. That has grown very nicely, probably 50%, order of magnitude. I would probably take Threat Intel and cloud. You know, we haven't quantified the particular pieces, but they're all strategically important in terms of what customers... in terms of the problems that they're trying to solve.
Yeah, sure. Andrew, maybe we can touch a little bit just on the sales force changes that we talked about in the last call. I think you touched this when you were talking about the platform sale a little bit, but could you just maybe give us an overview of the transition in the sales force? Why is right now the right time to transition the team from more of a product-specific to more of a platform sales approach?
Yeah.
Does that make sense?
No, it does. It's a question we get a fair amount, especially what's going on.
Sure.
Let me provide a little bit of just brief history so people understand how we got to where we are. About three years ago or so, we had two, relatively speaking, two specialized sales forces, right? Each focused in a different aspect of our product portfolio. As Tim was describing, as we looked at cloud security and we were building, and then we acquired DivvyCloud.
Mm-hmm.
as you may recall, Saket.
Mm-hmm.
To help accelerate that effort, we were faced with a decision. Were we going to have 3 specialized sales teams, or would we consolidate? Obviously, three specialized sales teams doesn't make sense from a customer standpoint, and also from an economic and productivity standpoint, it just wouldn't work for us over time. we consolidated down as we got into 2022, and we started to see some really nice productivity signs of the sales team being able to sell this broader portfolio. It was largely seen in the enterprise space and then internationally, right? As we began to really look at that, we were also began to hire a significant number of new account execs. As these two things are going on, what do we know happened, right? The macro changed.
In general, let's just say if the macro wouldn't have changed, if you hire a bunch of account execs and you look to bring them into a very complex land anywhere strategy, that is gonna take some time. Our models had built in a little bit of elongation of ramp time.
Sure.
That ramping time took a little bit longer than we expected. It has taken longer. Now you introduce macro to it, and now you've got these two factors, right? They're not 100% overlapping, but they begin to influence one another. As we look at bringing our sales force really forward to this next stage, we're introducing new packages that dramatically simplify our land motion around a couple of key core platform offerings, right? As Tim said, I was describing this earlier in some of our meetings. When you think about I break it down to three levels, right? The first, the technology in the platform. In many ways, that's the hardest thing to get right? Do you have the tech? Is it really been put together in a way that your customers can consume it?
We say, check, we've done a lot of the heavy lifting there. Second is, have you priced it and packaged it in a way that's easy to consume?
Mm-hmm.
In the previous instantiation, these were all separate pricing, packaging, sales cycles. The third is, do you have the people that can take your offerings into the market? You think as you hire a bunch of new people and you got to ramp them on a complex set of products, we felt like this is an opportunity, really, as a platform consolidator, to simplify the packaging and pricing and help further ramp and accelerate our ability of our sales team to go into a market now that's volatile. People are looking to get more for less out of their security programs, and they want to focus on strategic relevant areas, securing cloud and digital transformation. Hopefully, many of you would agree that's important. Second, being able to look at that changing modern attack surface to detect stuff.
What you'll see from us is a dramatic simplification of being able to go out to our customers and say, "Look, we can meet you where you are." We were talking about that a few minutes ago.
Sure.
Being able to simplify our pricing and packaging so that a sales force that maybe doesn't have two, three, four, five years of experience.
Yeah
... can ramp and get up to speed and still be able to have those complex conversations when needed and later in their tenure, right? For us, it's a really focus on productivity and simplifying it. It's good for our customers, it's good for our team, and helps us capture more share of our customer's environment.
Yeah, absolutely. I mean, it's a lot, it's a lot to digest there, so I understand why it's gonna take a while, but I also see the benefits around it as well.
Yeah. Yeah.
You know, Andrew, maybe just following up on that a little bit. I mean, clearly in this macro environment, close rates are very different.
Yeah.
Not just for you, but for everybody.
Yeah
... out there, right? I'm curious, though, how you feel about the pipeline-
Yeah
... and progress that you're seeing on the sales team transitioning to this more platform approach.
Yeah. We're very focused on pipeline, right? Much of the pipeline that we are closing now has been built well before we introduced these new offers. You know, we have as I think on the call we talked about, and we've talked about since, is some of the key deals. We have some very nice deals that we thought were going to close in September, and they pushed, and they closed in October. Nobody likes to see that, but we are not seeing deals or opportunities being canceled, right? It's timing, it's inspection. There's a few things we've looked at. One, increasing coverage ratios-
Mm-hmm
making sure we feel better about that. Making sure our sales teams, and Tim and I spend a lot of time looking at inspection and deal-based buildups to make sure we feel confident about where we need to get to be. Then obviously, one of the things that all the security teams doing, and I think beyond security, is making sure the budgets are aligned to the where prioritized spendings occur, right? When we hear.
Sure
... like, "Hey, this is opportunity," you got it really inspect that and make sure. Tenured account execs know how to do this, but we've got to really make sure that everyone's really focused on this to make sure that we can get where we need to be.
Yeah, absolutely. Maybe just last question on this topic and some of the, some of the changes with the sales force. I mean, the pricing and packaging here-
Yeah
I think seems like a really important part of it. Can you just Andrew, just talk to us, a little bit about that, and maybe more specifically, give us some examples of some?
Yeah
of those changes with the pricing and packaging and how that might help, because productivity-
Yeah. Yeah.
... is something I think you're looking for. How might that help that productivity here in 23?
Yeah. If folks don't mind, I'll give a really simple example.
Sure.
It really highlights this is. I mentioned vulnerability management. It's still, it's so important. People have gotta have a traditional program where they're looking at assessing their legacy on-prem environment, right? No one's gonna turn that off. If you ask a CISO, let's say you had a $10 million or a $100 million budget. Let's just pick a round number, 10 million. You said, "How much of your 10 million in your security program have you allocated over here to something that's important, but maybe it's not strategically relevant?" What we have done is with our Cloud Risk Complete offering, we said, "Look, we'll give you unlimited VM, unlimited if...
provide you with end-to-end visibility around your potential risk environment for your traditional environment plus your cloud environment, and we're gonna price that based on your cloud workloads." It's a pretty compelling proposition, right?
Mm-hmm.
What does a CISO get? A CISO gets the ability to allocate dollars around where they strategically are investing as an organization, digital transformation cloud. They get to be indexed on where workloads will grow over time, while still protecting and getting visibility into their legacy environment. This is important because many people have asked, "Is Rapid7 still focused on VM?" Absolutely. We view it as a feature, not as a standalone offering.
Mm.
Right? That is a shift, and that's been part of our strategy. This wasn't something we just did in Q3 or Q2.
Sure.
We said, "Look, our customers want end-to-end risk visibility across their infrastructure," right? We're providing that, and we think we're one of the few companies that can meet the customer where they are. Traditional VM, cloud workloads. We can actually bring end-to-end risk assessment, visibility, analytics, and automation to help them get more out of that program. That's a simple example.
Yeah.
obviously, if you can do that, we get share of environment, and we get compelling ARR on a per customer basis with a clear path to growth over time.
I would argue compelling economics for the customer as well, right?
Yeah. Yeah.
That's interesting. You know, maybe, let's put a bow on some of the Salesforce stuff. I'd love to dig into just a couple of the product areas that I've always found fun. Maybe starting with just InsightIDR. I mean, Andrew, maybe for you, how do you sort of think about... It's funny, we were doing the keynote, we asked about the SIEM market, got a funny response. I mean...
I would love to hear.
Yeah. I mean, how do you think about the SIEM market? Is there still room for InsightIDR to continue taking share?
The simple answer is absolutely, right. Now why is that? The SIEM market was predicated on people being able to look at where are they potentially getting attacked. The challenge became is there's so many potential threats or alerts that people were getting, they were overwhelmed. What we saw was this need to, if you're an analyst sitting in the SOC, and you got it click on every alert, that's gonna get very painful very quick, right. What we felt like is a detection-based response would be, what if we could collect not just your log data, your endpoint telemetry, your network data, your user analytics, right. I could go on and on.
What if we could bring that all into one engine that correlates, contextualizes, and provides perspective on where risk might be, and then it tells you, "We think this is a higher risk than all that other stuff."? If you're that analyst, that'd be pretty compelling, right?
Sure.
There's a lot of SIEM workloads out there that people are still trying to figure out how to get to work. We're like, look, the proposition, we just inverted the whole problem. We said, "Don't start with the assumption that, can you get all the data in a SIEM? Start with, can you figure out where the threats are that you really care most about?
Yeah.
Can you bring those things together?" The InsightIDR product consolidated, again, five, six plus offerings. Tim just mentioned threat intelligence. Threat intelligence on its own, very important, but what if I then bring dark web visibility into this?
Mm.
What if I bring Digital Risk Protection into this, right? Again, you're that same analyst. Do you want to be working in different tools or do you want one tool that does the hard work for you so you can spend your time doing the really important stuff?
Sure.
To answer your question, Saket, I think there's a great opportunity out there in the SIEM market because a lot of companies are still struggling with how to get their analysts and their SOC teams to a better place. 'Cause the modern attack surface, it isn't getting any easier, right?
Mm-hmm.
Getting more complex, more fractured, more fragmented. Again, that's an opportunity for Rapid7 to help people get to a better outcome.
That's really interesting. We've got about seven or eight minutes left here. Just before I switch to some financial questions here with Tim, any questions here from the audience? Tim, maybe for you, again, I'd love to shift to some more fun financial questions. I guess in conjunction with some of the scrutiny in sales cycles, you know, you mentioned the word de-risking earlier. The team decided to adjust the ARR guide for the full year, I think to 19%-20% growth, and you correct me there if I'm wrong.
Mm-hmm.
The question is, what was the thinking on this de-risking, and why is that the correct level?
If you're gonna change the number, you only want to do it one time. We wanted to be very thoughtful and de-risk it appropriately, and we believe that's what we've done. 19 to 20 is the range for this year.
Mm-hmm. Mm-hmm.
We really took a hard look at what was currently happening. You know, what I referenced earlier, the challenges that we're seeing macroeconomic in Europe continue to persist, and it's a pretty strong headwind. We also were starting to see signs in the mid-market category over here in the States, and we said, "Look, I think that's a risk area." To Andrew's earlier point, we, you know, we're talking about pipeline and looking at coverage and knowing that some deals are taking longer to close, then we said we need more pipeline coverage in our model for the number for the quarter.
Right.
Those were the factors that went into our point of view for the range that we put out for Q4 and the balance of the year.
Yeah. That makes a lot of sense. Tim, I think one of the other interesting points on the call was the operating margin beat. I think the, just the medium-term guide of free cash flow margin expanding by about 400 bips per year. Again, you correct me if I'm wrong.
That's right.
I guess I was wondering if you just dig into a little bit of detail around how you get that leverage.
Yeah. It's a couple of different things. We've always had a framework. You referenced our colleague, Sunil, earlier. He's done a lot of great things for the company, but one of which was to create this growth and profitability framework, probably what? Two years ago at the Investor Day. That's something that we've had in mind and we've shared with the street for some time, so it's not a new thing for us. You know, if you grow faster, we still think we can drive profitability, maybe just not as much as growing at a slower rate. We've had, I think, an intelligent framework in place.
Corey mentioned on the call that, look, we see 20% compound growth rate CAGR for the ARR, you know, between now and 2025, the other piece of our Rule of 40 is free cash flow. We believe, based on our modeling, that we can generate 400 basis points per year of free cash flow improvement. It comes at a variety of different areas. If you think of the entire P&L, we focus a lot on gross margin. We are a large AWS customer. We put a new contract in place with them with some better pricing. We have a team that is very focused on utilization of that platform in driving optimization, and they do a great work across the board. You look at the labor component, and we have a lot of metrics.
We were just going through this with Andrew the other day of what type of leverage we can get in gross margin from the labor component based on the relationship of our team to the number of customers they support or the dollars of AR that they support. You're trying to look at a lot of different things. Our perspective is we just want to drive leverage improvement year-over-year. It can vary, you know, how much by area.
Sure.
That holds true for sales and marketing, R&D, and G&A, where we know we can do a better job and get a little more efficient than where we are today. The finance team, we will set goals and targets for our colleagues that are running the operations. We have these healthy discussions as to what's the right amount of leverage and how do we get it, and that becomes the plan for next year. We do a lot of work on that side. R&D really comes down to looking at the different opportunities for investment and how we prioritize and the type of returns that we want to see to compare one project to another. It really goes across the entire enterprise that we're very focused on driving leverage because we believe we can do that.
Yeah, absolutely. Maybe I'm gonna take the leverage point and just maybe connect it back to the top line for a second. Tim, I think on the ARR targets for fiscal 25, I've always loved this disclosure just around the number of customers, then you can back into sort of the ARR per customer.
Yeah.
How do you sort of think about that equation in getting to that fiscal 25 target in terms of growth from?
Yeah.
You know, the customer bases as opposed to growth in the ARR per customer?
Yeah. We've always said there are three, at least three levers of growth. You know, we have about 11,000 customers today. We think that opportunity is, you know, 70,000-74,000. We have a lot of room to grow in the market with a huge TAM of acquiring new customers. We said that should grow 5%-10% a year. This past quarter, I think it was about 9% growth.
Sure.
We look at the ARR per customer. How much of our product set are customers buying? This past quarter, we reported 63,000 of ARR per customer. We have a slide in the investor deck that shows an average customer, if they bought all of our products, could be 500,000. We've got a long way to go in terms of wallet share to gain more. We said we think the ARR per customer can grow 10%-15%. Last quarter, I think it was around 14%.
Okay.
Then you have international. Notwithstanding the challenges that we're having in EMEA right now, we've all seen these cycles. They come, and they do go. Just a matter of how long it takes to get through these things. International is about 20% of our business today. We do think that as longer term is still a growth opportunity. I'd say there's at least those three levers where we have the opportunity to grow to get to that longer-term target.
Yeah, absolutely. Maybe in the last minute or so that we've got here. One of the questions that we're trying to ask all of our companies here at the conference, just given all the uncertainty around the macro is how are you define this? I mean, what percentage of your business, whether it's ARR or revenue, has historically come from new logos? How has that done in prior downturns?
Yeah, it's roughly 50/50. It can fluctuate quarter to quarter, whether it's new in the land side or on the expand side. When you look at that new ARR, you know, it fluctuates a little bit, but it's generally in that zip code.
Got it. Got it. Well, I think that's about all the time that we have. Andrew, Tim, thank you so much for being with us here today. Really enjoyed the session.
Thank you. Yeah. Appreciate you having us.
Thank you.