How Rubrik fails
Data security is a tough business
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Rubrik recently filed for IPO and released its S-1. Bertrand’s Substack, How They Make Money, and its breakdown of Rubrik’s S-1 inspired me to give my take on Rubrik’s business and some failure modes. He writes a lot of great content on various public companies, so if you want to keep up with his insights, I suggest you subscribe!
I’ve written about various businesses in the past, and why they might fail. Here are some examples:
However, given the talk around Rubrik’s S-1 filing, I thought it was timely to give my thoughts. I used Bertrand’s breakdown of the Rubrik S-1 as a guideline. If you’re interested in more of an investment-focused perspective, I encourage you to read his article.
What is Rubrik?
Rubrik started in 2013 as a next-gen cloud data management company. That’s a fancy way of saying they are a backup company. They make it easy for you to recover from data loss regardless of whether your company uses on-prem, public cloud, or hybrid cloud. However, in recent years, the company has pivoted toward cybersecurity.
They currently have 6100 customers and $784M in subscription ARR of which $525M is cloud ARR.
This rise of Rubrik
Rubrik started as a data resiliency company. Legacy backup companies weren’t adapting well to cloud and hybrid environments. The cloud increased both the amount of data and deployment speeds. Moreover, more businesses are online, and being online is critical to their continued success. As a result, having business continuity is a necessity.
Recently, Rubrik has shifted its messaging to focus more on cybersecurity, specifically business continuity from ransomware attacks, which have become more prevalent. This is logical and smart not just because it creates more urgency for their products but also because they can access the cybersecurity budgets. Rubrik provides an important remedy for ransomware, and it seems that they are doubling down by providing more solutions for data security.
They also recently made a transition from legacy licenses to subscription-based licensing. They are also moving away from hybrid solutions into cloud-focused ones.
As you can see, cloud ARR started as a small part of their overall ARR, but they have managed to transition many of their customers over. It makes sense since that’s what the public markets want to see, and they can demand more of a “cloud premium.” In my mind, that was the biggest barrier and risk for Rubrik, its ability to move toward being perceived as a cloud infrastructure product. In fact, I wrote a short newsletter in 2019 stating how I believed that Rubrik wasn’t a cloud company.
At best, I thought Rubrik was a SaaS company when I wrote that, but classifying them as a cloud was inaccurate because they barely had any cloud ARR, and most of their subscription ARR was from maintenance due to their hybrid operations. On top of that, they also weren’t “core” to a company’s cloud operations, unlike AWS. Companies were just putting data on Rubrik’s cloud. However, they also mitigated this risk by focusing more on data security.
Why Rubrik might fail
I do think that Rubrik has resolved some serious dealbreakers, and I credit them for doing this over the past 4-5 years. However, they have shifted some of the risks, especially now that they have entered the cybersecurity business.
Cybersecurity is a hot but competitive space. As a result, they have to invest substantially in GTM. It already seems like they are doing that.
They are spending 77 percent of their revenue on sales and marketing, and this is a large portion of their operating loss, which was $307M in FY24 and up from $261M in FY23. Unfortunately, they need to keep doing this to stay ahead, especially since data backups are a competitive market with strong competition from major, established players like Cohesity, Dell, and CommVault.
Some of the numbers are a bit deceiving in their S-1 because their cloud ARR is growing quickly, but their revenue has only grown 6% year over year. It’s unclear how much of that slow growth is a result of accounting changes. They invested substantial effort to do this change, which will benefit them in the long run, but has this been done at the cost of growth and product improvements?
The problem is that data backups themselves are commoditized, meaning there’s little differentiation among vendors. As a result, the reason to go with a vendor is the platform, which has value-added solutions. In Rubrik’s case, this will likely be around data security, so we are seeing more products in that space. This is a common approach for a security company and makes sense for Rubrik because it both amortizes GTM costs and creates differentiation. Unfortunately, the data security is tough. I’ve written about this in the past, and I don’t think Rubrik will be any different.
They are entering a market where platformization doesn’t make sense anymore with the cloud. Rubrik might be able to continue selling their backup product, but it’ll be difficult for them to build a sustainable platform. They will only be able to store a company’s core data, but as I stated in the newsletter above, a company will have less data in its own cloud over time. Even with AI, I do see AI platforms, such as OpenAI and Anthropic, providing some security on their own as a value-add. There’s very little room for independent companies in this space.
What does this mean for Rubrik? Their core business of data resiliency is a race to the bottom. They will try to expand into data security as a way of going deeper into the cybersecurity market, which they are considered a new entrant comparatively. However, they will invest a substantial amount of money into sales and marketing, leaving them very little capital to improve their product. As a result, they will have to take a big risk by investing more into their product, but cybersecurity moves too fast for them to develop this in-house. They will likely have to acquire companies as their competitor Cohesity did with Veritas. They will be caught in a tough situation. It’ll be expensive to grow, and it’ll be too risky to become profitable. It’ll likely be a stagnant player in the public markets.
Luckily for them, if they continue to build their brand and maintain their customers, a cybersecurity-focused private equity firm, such as Thoma Bravo, might take them private and make them part of their large cybersecurity portfolio, taking pressure off their GTM. Another possibility is that a large cybersecurity company like Crowdstrike or Wiz will start seeing data protection as an important part of the platform as a way to compete with Palo Alto Networks.
Rubrik is going public with a tough growth story. It’s in a market facing extreme pressures to consolidate. It’s already competitive and crowded in the cybersecurity market, but it’s even more crowded in the data security market. I credit Rubrik for cleaning up their story and pivoting into a more promising space. However, they have their work cut out for them, and they have a lot of important strategic decisions to make once they go public.