RAPID7, INC

Moat: 2/5

Understandability: 3/5

Balance Sheet Health: 3/5

Rapid7 is a cybersecurity software and service provider with a mission to offer innovative tools for threat detection, vulnerability management, and security operations, helping organizations to proactively address security risks.

Investor Relations Previous Earnings Calls

---

The moat, understandability, and balance sheet health scores reflect a conservative evaluation to ensure a margin of safety in any assessment.

Rapid7’s primary goal is to provide a comprehensive suite of security products and services for threat detection, vulnerability management, and security operations. The core of the business focuses on SaaS delivery model, ensuring accessibility and scalability for their customers.

Business Explanation

Revenue Distribution

Rapid7 generates revenue primarily through two avenues:

• Product Subscriptions: This segment forms the bulk of the company’s revenue, accounting for a significant percentage of total revenue (approximately 91.2%). It includes subscription fees for its core products such as InsightVM (vulnerability management), InsightIDR (threat detection and response), and InsightAppSec (application security).
• Professional Services: This segment includes specialized consulting and advisory services related to implementation, managed services, and training in use of the company’s software, that account for the rest of the revenue (~8.8%).

The company offers multiple products in cloud security that can be categorized as (1) Core: these include InsightVM (vulnerability management), InsightIDR (threat detection and response), and InsightAppSec (application security). (2) Adjacent: this includes vulnerability intelligence and threat intelligence. (3) Emerging: Cloud security (including managed detection and response, managed security services, and web application firewalls) and Automation (including vulnerability management automation and SOAR tools).

The company serves a wide array of customer types, including large enterprises, governmental organizations, small to medium enterprises, and even start-ups. They are also increasingly focusing on channel partners to expand their reach, especially in emerging markets and for the lower end of the market.

Industry Trends

The cybersecurity market is characterized by a few notable trends:

• Increased cyber threats: An escalation in cyber attacks and data breaches is driving a constant need for security solutions. The need for such solutions and services is expected to increase with each passing year and will continue in the next decades.
• Shift to Cloud: A move towards cloud-based solutions is driven by businesses embracing digital transformation. Companies are looking for security solutions that fit their cloud first model rather than traditional methods.
• Consolidation of Cybersecurity Solutions: Companies are increasingly looking to consolidate their security needs with a fewer number of vendors rather than managing various products from various different vendors. This requires vendors to provide a diverse and large portfolio of security services and products.
• Automation and AI: Automation and AI-driven solutions are gaining traction in the security space, to help address the increasing complexity and volume of security alerts.
• Emphasis on “Threat Detection and Response”: Companies want solutions that not only prevent but can also rapidly detect and resolve security incidents.

The company believes that a significant percentage of companies worldwide are just entering the early stages of cloud adoption, and there is still a lot of untapped market potential for them. As it starts penetrating into a higher percentage of market, the growth is anticipated to be faster.

Competitive Landscape

Rapid7 operates in a fragmented and competitive cybersecurity market that’s evolving fast, the main competitors being:

• Large, Established Security Vendors: These include companies like Palo Alto Networks, Crowdstrike, and Fortinet, that provide a full suite of security services and solutions, and are more or less direct competitors to the company’s main business.
• Emerging Cybersecurity Start-Ups: These new companies tend to focus on a specific niche or technology, often threatening innovation and disruption.
• Specialized Service Providers: These include managed security service providers, that offer services similar to Rapid7 but often provide a more bespoke service.

The cybersecurity sector is very competitive, and this will only intensify in the coming years as the market growth is very high. A company can either try to compete on price (cost leadership), or by innovation and different offerings (differentiation). Or, it can try to do a bit of both (integrated differentiation/low-cost strategy). Rapid7, so far, has decided to emphasize differentiation. The company also faces competition from companies that may choose a different delivery style for their product, like appliance or on-premise, or other companies which have different go-to-market strategies. They may even face open-source alternatives.

What Makes Rapid7 Different?

• Integrated Approach: Rapid7 offers a somewhat integrated platform that combines vulnerability management, threat detection, and security operations to help companies have visibility over their entire attack surface. The integration across tools is what makes the platform attractive to customers.
• Data and Analytics: Morningstar’s analysis considers them as one of the best at using data analysis to help their clients in threat detection and response.
• Focus on Security Outcomes: Rather than simply selling products, the company’s messaging emphasizes solving real-world business problems and improving security.
• Growing Cloud Security Platform: Rapid7 is putting emphasis on its cloud platform and expanding its managed detection and response capabilities.

Moat Analysis

Moat Rating: 2 / 5

Rapid7 has some competitive advantages, but the strength of these advantages, is not yet significant to create a powerful moat. While it has the potential to build a strong moat in the future, at present, it can be considered a somewhat defensible business, but not strongly so. The main reasons behind this rating are:

1. Customer Lock-In (Switching Costs): Rapid7 benefits from moderately high switching costs. The company’s products are tightly integrated with the customers’ workflows, which requires considerable effort and investment to switch to competing solutions. The risk of data and integration losses during transitions provides a stickiness to the company’s products. However, this is not unique to them, and many competitors have similar methods of integration into their customers’ businesses.

Switching costs are usually high if the product is embedded into a customer’s business process and switching will mean time or money losses. In Rapid7’s case, integration of the products into customers workflows makes that very costly.

1. Proprietary Technology: Rapid7’s proprietary technology for threat detection and analysis does set them apart. But this advantage is difficult to quantify and may prove to be temporary because cybersecurity solutions change often to counter new threats. Competitors are continually improving their products, and the advantage doesn’t last long in this sector.

Patents and proprietary tech also help a company in getting pricing power. However, in this case, the industry changes so rapidly that even proprietary tech does not provide much security from competitors, and their competitive advantage can disappear in a short span of time.

1. Network Effects: Although present, network effects within Rapid7 are weak. A larger customer base could help them make use of more data for their analysis and threat intelligence, but this is also what their competitors are doing, and there isn’t a clear differentiation from this approach.

Network effects are extremely valuable as a competitive moat, where the value of a product increases with the number of users. For example, the more users a social media platform has, the more value it provides to each user. This makes it very hard for new competitors to gain market share. As such, companies that have network effects are often deemed to be natural monopolies or oligopolies. But, they aren’t really applicable in the current context for the company.

Overall, there is some element of lock-in present because of the integration within customers businesses and the proprietary tech. But, as the market evolves, so do the competitors, and it will take some time to understand the impact of all these trends.

Risks to the Moat and Business Resilience

The company faces multiple risks that could hurt the competitive advantage, which include:

• Rapid Technological Changes: The cybersecurity industry evolves fast, with new threats emerging frequently. Competitors can innovate, bringing a product that offers a better solution to customers, at a faster pace. This can erode any kind of competitive advantage that the company tries to build.
• Increased Competition: The high demand in this market attracts new players, both established and new ones. This could lead to greater price competition and the lowering of returns.
• Ineffective Acquisitions: If the company has many inefficient acquisitions, it can start losing its own focus on what is important (its own business), and may create problems in operations.
• Data breaches: The company is a security business, which makes them susceptible to data breaches. Any major data breaches could severely hurt the company’s reputation.

Despite these risks, some factors might mitigate the impact:

• Established customer base: The company has an established customer base that may be loyal to its offerings even if better solutions are available.
• Focus on innovation: Rapid7 is constantly innovating and improving its products, allowing it to adapt quickly to new threats.
• Recurring revenue: A large chunk of the company’s revenue stream is recurring in nature due to its subscription-based business model, which gives them predictability and stability over the long-run.
• Scalability: Rapid7’s platform is mostly cloud based which allows it to be flexible as the company grows.

Financials

Rapid7’s financials paint the picture of a growing company with good potential, but that is yet to be translated into consistent and high profitability.

• Revenue Growth: The company has demonstrated a strong revenue growth in the recent past with revenues rising from 531 million in 2021 to ~722 million in 2022, a growth of around 36%.

• Gross Profit and Margins: The gross profit margin of the company is high, at above 70% (71.7% in 2022). This high margin reflects the inherent profitability in a software model, where the costs associated with new revenue aren’t high.

• Operating Losses: However, when we look at operating income, the picture is not rosy yet. The company had operating losses of $105.5 million and $144 million in 2021 and 2022 respectively. The high operating expenses can be attributed to the focus on high growth and marketing spend, for now.

• Net Losses: The net losses of the company are high, at $91 million in 2022, but at the very least have reduced since 2021 when the net losses were $193 million. This can be interpreted in two ways, the company may be finding ways to manage its expenditure, and/or growth may be slowing down, or a mix of both.

The management has stated that the focus is to continue investments and grow their revenues, and that they may become profitable on an adjusted-basis sooner than they thought.

• Cash Flow: Since net losses are non cash charges (that is, accounting charges, not real cash outflow), the company can still generate a positive free cash flow (cash flow that is available to investors) if its operations are cash positive.

• Revenue per customer: Annual recurring revenue was approximately $670 million in 2022, with a base of approximately 11.1k customers. This means the average value per customer is ~60.3k per year.

In general, this is the typical picture of a high growth company, where profitability is not the first priority and the company is more concerned about growing market share. However, as the company starts to mature, investors will be looking for more signs of turning profitability around.

The company’s management has frequently talked about reaching profitability in the future on earnings calls, but profitability is still distant for the company.

Understandability

Understandability Rating: 3 / 5

Rapid7’s business model is fairly easy to understand for an investor with some technical and financial knowledge, but it is not very simple. The reasons are:

1. Product Offerings: The product is primarily software, and hence, is less tangible, which makes it more difficult to understand its intricacies and how it works. The company has a vast array of offerings which may make the company’s core offering difficult to understand at times.
2. Technology: The cybersecurity space is complex, with the company needing to be on top of all technological developments in order to be successful. It is, thus, hard for a regular investor to understand their business fully if he/she doesn’t understand the industry well enough.
3. Industry Terms: The company and industry uses a lot of complicated terminology like ‘threat detection’ and ‘vulnerability assessment’ etc., which may confuse investors.
4. Competition: Understanding the different competitors and why they are different requires some deep thinking about the space.
5. Financials: While financial statements aren’t too difficult to look at, a lot of the accounting treatment used to achieve ‘adjusted’ profits may be hard to understand for many. However, the basic business model and revenue generation is very simple to understand, and does not make the company difficult for people new to business as a whole.

Balance Sheet Health

Balance Sheet Health: 3 / 5

The company’s balance sheet is alright, and not particularly concerning, but also not extremely good either. The main highlights are:

1. Liquidity: The company’s liquidity is decent, with 445 million of cash and cash equivalents and 154 million of short term investment in 2022. This will allow the company to spend on its operations.
2. Long term debt: The long term debt of the company is also relatively high at 929 million in 2022, so it must be a significant focus for the management.
3. Shareholders Equity: The shareholders equity for the company is negative ($618 million), because of accumulated losses, and the company’s aggressive acquisition strategy.

Given the nature of the business, which is a software business, the company doesn’t have to worry about inventory or manufacturing issues, and has a mostly recurring source of revenues, and high margins, and therefore the current balance sheet metrics, while not great, are not too concerning. Overall, I’m not too worried about the long-term survival of the company, but it may come under a severe strain in short to medium term, if the market gets more bearish.

Recent Developments

• Rapid7’s stock crashed during the recent tech selloff in the market, as the market punished companies that have not yet become profitable, despite having solid growth.
• The management has said that it believes the company is on a path to profitability, and that the business is robust and has not lost market share during the recent downturn.
• The management has expressed some concern about the macro environment and its impact on customer spending, as it may cause the conversion time of the company’s deals to be longer.
• Rapid7 is working on getting more of its products in the hands of partners, as a part of a broader initiative to use partners to penetrate new markets.
• The company has made a number of acquisitions, mainly those that give them specialized expertise and technologies. They are now working on merging these acquisitions into the main company.

Conclusion

Rapid7 is a growing business in an important sector. Its core strength is the integrated platform that delivers multiple services like threat detection and vulnerability management. However, the profitability of the company is yet to be determined, which makes the company somewhat difficult to value. Though they have an established customer base and decent recurring revenues, the competition and fast-paced innovation of the security industry may pose a threat to them in the long-run. Investors should keep a keen watch over the future performance of the company and should track their financial reports and earnings calls carefully.

The most important thing to look at the business is that it’s a tech company with a good product but which is still struggling to turn the top line revenues into profitability.