Frankly Speaking - Why Rapid7 should be bought
Consolidation in the vulnerability management market is long overdue
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m going to experiment with guest and collaborative posts this year. I have a couple lined up already, but if you are interested or know anyone who is interested in collaborating with me on a Substack post, please send me a note!
LET’S BE FRANK
This week, I’m going to discuss why I believe Rapid7’s exploration of a sale is smart and how I believe this sale is going to unfold.
For context and disclaimer, I do not use Rapid7 products or services and have no plan to purchase any in the near future. I do not have a financial position in Rapid7 and do not plan to start any in the next 72 hours.
What is Rapid7?
Rapid7 is a security company that offers a variety of products and services, but it is best known for its vulnerability management product because in 2007 it acquired the Metasploit project, one of the most popular penetration testing tools on the market. Rapid7 also has various other products as part of its platform, such as SIEM, XDR, and threat intelligence, which are typically used by security operations teams. It also provides security operations services, such as penetration testing and incident response. It’s typically known to target mid-market customers who are looking to buy all their security operations from one vendor.
In my opinion, their application security product and services are the strongest compared to their other products, many of which are from acquisitions. The company went public in 2015 at $16 a share and reached a peak at $133 a share before falling back down to $50 a share as of the market close on Friday 2/3/23, which gives them ~3B in market cap.
Who are Rapid7’s major competitors?
In my mind, Rapid7 has two other major competitors: Qualys and Tenable, which are both public companies. They compete primarily on the vulnerability management platform. Qualys and Tenable also have fewer product offerings compared to Rapid7 but similar revenue, yet they have almost 1.5x Rapid7’s market capitalization. The reason might be that they have more enterprise customers who the market perceives to be “stickier” and willing to pay more.
There is also a major private competitor: Snyk. They are valued at over 7.4B, but they have a different GTM motion and buyer. Although they focus on enterprise buyers, they tend to be popular among developers and engineering-focused companies with engineering-focused security teams, who tend to have agile workflows.
Why is selling itself a smart move for Rapid7?