Frankly Speaking - Why Rapid7 should be bought
Consolidation in the vulnerability management market is long overdue
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m going to experiment with guest and collaborative posts this year. I have a couple lined up already, but if you are interested or know anyone who is interested in collaborating with me on a Substack post, please send me a note!
LET’S BE FRANK
This week, I’m going to discuss why I believe Rapid7’s exploration of a sale is smart and how I believe this sale is going to unfold.
For context and disclaimer, I do not use Rapid7 products or services and have no plan to purchase any in the near future. I do not have a financial position in Rapid7 and do not plan to start any in the next 72 hours.
What is Rapid7?
Rapid7 is a security company that offers a variety of products and services, but it is best known for its vulnerability management product because it acquired the Metasploit project in 2007, which is one of the most popular penetration testing tools on the market. Rapid7 also has various other products as part of its platform, such as SIEM, XDR, and threat intelligence, which are typically used by security operations. It also provides security operations services, such as penetration testing and incident response. It’s typically known to target mid-market customers who are looking to buy all their security operations from one vendor.
In my opinion, their application security product and services are the strongest compared to their other products, many of which are from acquisitions. The company went public in 2015 at $16 a share and reached a peak at $133 a share before falling back down to $50 a share as of the market close on Friday 2/3/23, which gives them ~3B in market cap.
Who are Rapid7’s major competitors?
In my mind, Rapid7 has two other major competitors: Qualys and Tenable, which are both public companies. They compete primarily on the vulnerability management platform. Qualys and Tenable also have fewer product offerings compared to Rapid7 but similar revenue, yet they have almost 1.5x Rapid7’s market capitalization. The reason might be that they have more enterprise customers who the market perceives to be “stickier” and willing to pay more.
There is also a major private competitor: Snyk. They are valued at over 7.4B, but they have a different GTM motion and buyer. Although they focus on enterprise buyers, they tend to be popular among developers and engineering-focused companies with engineering-focused security teams, who tend to have agile workflows.
Why is selling itself a smart move for Rapid7?
It’s tough to innovate and spend in a market that values efficiency over growth. However, growth and innovation are exactly what Rapid7 needs if it wants to continue competing in its market. Does a sale solve this? Yes and no. A sale doesn’t give the company more ability to grow or innovate, but it does solve the need to grow at a rate the public market expects for the company to maintain its market cap. Also, depending on the buyer, it could help reduce operating costs, such as sales and marketing, which might allow them to re-invest in research and development.
Now, here are some reasons why the sale might be a smart move.
Security spending in general is still on the rise. There’s a bunch of numbers floating around with Gartner and the other research firms. The exact numbers are not important, but it is important that companies do plan to spend more money on cybersecurity in the next few years. Especially in the recession, there will likely be more investment into tools. This means that Rapid7’s business will likely continue to grow and be healthy.
Rapid7 is in a tough market. As I said above, Rapid7 has various products, and they are going for a platform play in the middle market. It’s tough for them to go up market, and they have tried. It’s also tough for them to sell in their current market because cost of revenue is high for their customer segment. If you look at their financials, some of this is starting to show.
Here’s a snapshot of their statement of operations from the Nov 2022 earnings call:
A few important observations here.
First, they have good SaaS-like gross margins on their products. However, the cost of revenue for the product is increasing at a slightly faster rate (~36%) compared to their product revenue growth (~31%). Maybe this is nothing, but it does seem like their costs to obtain revenue might be growing, or they might need to cut prices to win deals.
They already have pretty high market penetration in their customer segment. Given their product, it’s also hard to extract more revenue out of a customer for the same product. Hence, they have been expanding their product portfolio as a way to increase revenue per customer, which seems to be working as shown below.
However, to create new product lines, they will have to spend more on sales and marketing as well as research and development, and this will cut into their operating margins. This is a difficult balance to maintain, and it’ll become harder for them because they don’t have a clear platform to build new products rapidly (no pun intended!).
This is a good segue into the next point.
They are facing increased competition in a stagnant market. To be clear, the overall application security market is expanding. However, the more “legacy” application security products that Tenable, Rapid7, and Qualys have are tailored toward a more traditional application security persona, specifically ones that aren’t agile-focused. As companies adopt agile application development, they will look to spend more money on “shift-left” products, like Snyk and Semgrep. That is where the market is growing the fastest, i.e. agile-focused application security products.
Rapid7 is facing pressure from both sides. They will face increased competition in their current market and competition from newcomers who are looking to disrupt and encroach on their market. This will lead to increased operating costs and costs of revenue.
Private equity has a ton of dry powder. It’s likely that private equity will buy Rapid7. They have good cash flow. Security is a high margin business. Many private equity firms have purchased low growth security companies in the past to consolidate and improve operations to drive more cash flow. Finally, private equity has raised a ton of capital in the past 2-3 years without having deployed much. Rapid7 sits at an attractive valuation compared to its peers with more room to grow. It seems like an “obvious” private equity play, especially for a firm that has security companies already in its portfolio.
There could be an opportunity to sell off the services division. Their services division has been slow growing, but it does provide good marketing for the company and its products. However, it does affect gross margins and requires additional overhead. Like Mandiant/FireEye, I can imagine there being value in splitting up the company under private equity, especially when security services are likely in more demand as companies look to trim headcount. Unfortunately, if this split were to happen while they were public, it would cause too much disruption.
The current financials and growth make it attractive. Regardless of what I described above, it’s a good company and business. The issue is that the company is in the shadow of other high-flying security companies like CrowdStrike or Palo Alto Networks. However, they have good cash flow, strong margins, and good growth as seen below.
If they were to continue to compete in the public markets, they would have to take risks and reduce their cash flow at a time when efficiency is key. They have also experimented with acquisitions and other forms of growth, but this all seems risky. All options to grow seem risky given their product and customer segment. It makes sense to go private at a time when the business is healthy and figure out a better path forward.
Conclusion
Rapid7 is a good cybersecurity business and company. However, they are facing some headwinds in the market. An acquisition, especially from private equity, is a smart move. In general, the cybersecurity market, especially the segment that Rapid7 is in, can use some consolidation to increase efficiency. Overall, having broader consolidation to roll up security companies to increase operational efficiency is beneficial for the industry to reduce the amount of security product noise created in the past few years.