Rapid7, Inc. (NASDAQ:RPD) Q1 2025 Earnings Call Transcript

Rapid7, Inc. (NASDAQ:RPD) Q1 2025 Earnings Call Transcript May 13, 2025

Operator: Hello and welcome to the Rapid7 First Quarter 2025 Earnings Call. All lines have been placed on mute to prevent any background noise. After the speakers’ remarks, there will be a question-and-answer session. [Operator Instructions] I would now like to turn the conference over to Elizabeth Chwalk, Head of Investor Relations at Rapid7. You may begin.

Elizabeth Chwalk: Thank you, operator, and good afternoon, everyone. We appreciate you joining us today to discuss Rapid7’s first quarter 2025 financial and operating results. In addition to our financial outlook for the second quarter and full fiscal year 2025. With me on the call today are Corey Thomas, our CEO; and Tim Adams, our CFO. We have distributed our earnings press release over the wire, and it is now posted on our website at investors.rapid7.com, along with the updated company presentation and financial metrics file. This call is being broadcast live via webcast. And following the call, an audio replay will be available at investors.rapid7.com. During this call, we may make statements related to our business that are considered forward-looking under federal securities laws.

These statements are made pursuant to the Safe Harbor provisions of the Private Securities Litigation Reform Act of 1995 and include statements related to the company’s financial guidance for the second quarter and full year 2025 and the assumptions underlying such goals and guidance. These forward-looking statements are based on our current expectations and beliefs and on information currently available to us. Actual outcomes and results may differ materially from the future results expressed or implied in these statements due to a number of risks and uncertainties, including those contained in our most recent quarterly report on Form 10-Q filed today at May 12th, 2025 and in the subsequent reports that we filed with the SEC. The information provided on this conference call should be considered in light of such risks.

Actual results and the timing of certain events may differ materially from the results or timing predicted or implied by such forward-looking statements, and reported results should not be considered as an indication of future performance. Rapid7 does not assume any obligation to update the information presented on this conference call, except to the extent required by applicable law. Our commentary today will primarily be in non-GAAP terms and reconciliations between our historical GAAP and non-GAAP results can be found in today’s earnings press release and on our website at investors.rapid7.com. At times, in our prepared comments or in responses to your questions, we may offer incremental metrics to provide greater insight into the dynamics of our business or our quarterly results.

Please be advised that this additional detail may be onetime in nature, and we may or may not update these metrics in the future. With that, I’d like to turn the call over to our CEO, Corey Thomas. Corey?

Corey Thomas: Hello, and thank you to everyone joining us this afternoon. Rapid7 ended the first quarter with revenue and operating income above our guidance ranges, while our ARR fell short of our expectations, ending at $837 million with 4% year-over-year growth. During the quarter, we saw continued strength in Detection and Response, progress towards stabilizing our Risk and Exposure Management business and resilience and profitability and free cash flow. In a moment, I’ll walk through the details of our performance. But first, I want to remind everyone of the expectations we shared on our last earnings call. We entered 2025 with a clear strategy and commitment to reaccelerate long-term growth and expand free cash flow over time.

This strategy rests on three pillars. First, building on our scale and success and Detection and Response where we have strong customer demand and are well positioned to sustain growth. Second, upgrading our large vulnerability management customer base to our Exposure Management platform, which will both increase retention and provide a valuable on-ramp to our D&R platform. And third, improving our underlying cost structure while continuing to innovate by leveraging our new operations center in India and streamlining our processes. In Q1, Detection and Response continued as the core growth driver of our business from both an ARR and product expansion perspective. This business now represents over half of our total ARR and maintain mid-teens growth in the quarter.

Our D&R performance would have been even better if not for a few seven-figure deals slipping into the second quarter, which have now since closed. However, our Risk and Exposure Management business continue to see challenges missing our expectations with continued growth deceleration. While exposure command continued to gain traction, this was offset by ongoing negative growth in our traditional vulnerability management offering. A positive note our investments to improve our cost structure remain on track, setting us up for profitability reacceleration in 2026. Our performance took place in a more challenging macro environment than we anticipated entering the year. We observed customers becoming increasingly cautious and measured about their investments, both in terms of what they purchase and win.

Extended deal cycles have become more common across multiple sectors and many organizations are actively evaluating vendors, reprioritizing budgets and implementing tighter spending controls. These dynamics are particularly evident in the North American mid-market enterprise segment, which has experienced slower deal cycles. This customer segment is demonstrating greater scrutiny and tighter budget control, trends that are reflected more broadly as customers reassess their priorities and spending commitments. As we’ve seen in previous periods of economic uncertainty, the pressure is more pronounced in our Risk and Exposure Management products. While our Detection and Response offerings continue to show resilience. Now let’s examine our product base performance in detail.

Our Detection and Response business continues to be our growth engine, anchored by strong momentum in our managed offering. We ended Q1 with over half of our ARR coming from Detection and Response, growing in the mid-teens year-over-year. This growth is driven by persistent demand trends, particularly for NBR, which represents more than 75% of our D&R business. As customers seek enhanced visibility, broader coverage and operational efficiency in managing an increasingly complex threat landscape. We believe the Detection and Response market offers attractive and durable tailwinds, and we’re still in the early innings of its development. We spent years investing and laying the foundation to position ourselves to capitalize on this opportunity and we continue to innovate and invest for growth.

This includes our recently announced Intelligence Hub which seamlessly integrates threat intelligence into our command platform experience and expanding our capabilities through our recently opened SOC innovation center in India, which will scale over the coming quarters. These investments are helping us deliver services more efficiently while driving better customer outcomes. As organizations increasingly turn to Rapid7 to monitor and respond to threats across complex environments, our integrated platform and MDR expertise continues to stand out in a private marketplace. A great example is a first quarter competitive win with a midsized enterprise health care customer who consolidated their security stack with our managed threat complete solution.

They were seeking broader visibility, greater automation and reduced operational complexity, challenges we were uniquely positioned to address. Our differentiation was clear across several dimensions. Our managed XDR capabilities enable seamless third-party Detection and Response through native integrations with their existing tools. Our AI-powered SIEM and log management offered unlimited ingestion and long-term retention, providing unmatched visibility, our customizable analytics and automated alert triage streamline their operations and we delivered true defense in-depth by correlating alerts across multiple sources, not just endpoints, creating a more robust security posture. This win was driven by our technology and strengthen our partner collaboration and ability to support the customers’ goals with speed and clarity.

It exemplifies how our consolidated platform continues to drive success in highly competitive environments. With our proven brand, our track record and the right capabilities to win we remain excited about the future of this business and expect to continue to drive growth for Rapid7. Now let’s turn to our Risk and Exposure Management business, which is where we experienced the most pressure during the first quarter. As we’ve shared in recent quarters, we have made a deliberate shift transitioning from a traditional standalone VM business to a consolidated integrated approach to Risk and Exposure Management. We believe customers increasingly need unified visibility across their attack surface with streamline remediation and smarter risk prioritization.

This is what exposure demand delivers, bringing together vulnerability management, cloud native application protection and threat context into a cohesive experience by consolidating risk insights across hybrid environments, automating response workflows and focusing teams on what truly matters, real, exploitable threats were helping security teams efficiently secure their expanding attack surface. Our strategy to improve Risk and Exposure Management is center on driving adoption of exposure command across our VM customer base. And we continue to believe this will stabilize performance and ultimately position the business back to growth. We laid the right foundation in 2024 with our exposure coming at launch. And today, we’re actively working to transition our VM installed base to this more modern integrated solution.

While we’ve not yet made the full progress we hoped, we are resolute in our strategy and the key consideration is around timing. The most significant variable in our near-term performance will be the velocity of the upgrade cycle and Risk and Exposure Management. This is where we’re focusing our efforts, accelerating migrations, enabling partners and removing friction points to shorten time to upgrade in what is clearly a more competitive and measured environment. On the go-to-market side, we have completed initial partner and build enablement and are now refining our packaging and pricing to support clear customer pads and more streamlined upgrades. We also recognize the need to better communicate the strength of our CNAPP capabilities, which remain a core differentiator but are still underappreciated in the market.

On the product side, we continue to invest in innovation, including several recent enhancements that expand coverage, improve automation, and reinforce our leadership in unified Exposure Management across hybrid environments. Now turning to our outlook for the remainder of the year. We remain confident that our strategy can position Rapid7 for sustainable growth and expanding cash flow in the years ahead. Our Detection and Response business continues to perform and remains the primary growth engine for 2025 as we work to modernize our Risk and Exposure Management platform and return that business to growth. That said, it’s clear the environment is more dynamic and fluid than when we initially provided guidance in February. We’re seeing greater variability in customer decision cycles, something we experienced firsthand with certain March deals slipping into April and we recognize that broader policy and budget implementations take additional time to play out.

Additionally, we’ve taken the opportunity to leverage the expertise and input from our new board members to help evaluate and enhance our guidance approach. Given the evolving backdrop and our slower start to the year, we’re adjusting our ARR guidance by lowering the overall range and also widening the range to account for increased budgetary uncertainty. Importantly, we are maintaining our expectations for operating profitability, which is a reflection of the operating discipline, flexibility and resiliency that we’ve built into our model. As we look ahead, our focus remains clear and grounded in three strategic priorities. First, we will continue to drive industry-leading product innovation across both our growing D&R franchise and our established Risk and Exposure Management business.

Second, we remain committed to delivering successful outcomes for our customers helping them navigate increasingly complex threat environments while ensuring clear returns to their security investments. And third, we’re focused on driving comfortable growth and strong cash generation, including through operational efficiency and continued leverage in our expanded partner ecosystem. Before I turn the call over to our CFO, Tim Adams, to discuss financials, I want to take a moment to welcome our newest addition to our Board of Directors. Wael Mohamed, Michael Burns and Kevin Galligan, each brings expertise that will support our efforts as we navigate a rapidly evolving landscape. We look forward to leveraging their experience to drive growth, enhance our industry leadership and create value for all our shareholders.

With that, I’ll turn the call over to Tim to walk through the results in more detail.

Tim Adams: Thank you, Corey, and good afternoon to everyone. We appreciate you taking the time to join us on today’s call. Before I turn to the results, a quick reminder that except for revenue, all financial results we will discuss today are non-GAAP financial measures, unless otherwise stated. Additionally, reconciliations between our GAAP and non-GAAP results can be found in our earnings press release. Rapid7 ended the first quarter of 2025 with $837 million in ARR, representing growth of 4% over the prior year. ARR results came in below our expectations and reflect continued healthy growth in our Detection and Response business, offset by both macroeconomic headwinds and continued pressure in our Risk and Exposure Management business.

Softness in our standalone vulnerability management business and a few delayed new deals were the primary headwinds, combined with an incrementally more cautious customer spending environment, which muted potential upside drivers in the first quarter. Amid this, we delivered revenue and profitability that exceeded our guided ranges, and we continued to demonstrate strong operational discipline and free cash flow generation. Now turning to the rest of our financial results for the quarter. Year-over-year ARR growth in the first quarter was split fairly evenly between new and existing customers. ARR per customer grew 2% year-over-year to approximately $72,000 and our total customer base grew 2% year-over-year to 11,685 customers globally. Revenue of $210 million for the first quarter grew 3% year-over-year and was above our guided range.

Product revenue grew 4% year-over-year to $204 million. Professional services declined year-over-year, consistent with our decision to deemphasize certain lower-margin service engagements. International revenue represented 25% of total revenue and grew 10% over the prior year. On operating and profitability measures, our product gross margin was 76% and total gross margin was 75%. Sales and marketing expenses were 34% of revenue, reflecting disciplined investments in growth initiatives. R&D and G&A expenses were 18% and 8% of revenue, respectively, and consistent with our plan to prioritize targeted investments behind our core security operations platform and scaling our India innovation center. Operating income for the first quarter was $32 million and above our guided range due to the timing of certain hiring and G&A expenses.

We now expect these costs will be reflected in the later quarters. Adjusted EBITDA was $39 million in the quarter and non-GAAP net income per share was $0.49. Turning to our balance sheet and cash flow statement. We ended the first quarter with cash, cash equivalents and investments of $593 million. In early May, we fully repaid the remaining $46 million balance of our 2025 convertible notes, further simplifying our capital structure. Our existing convertible debt is attractively priced and we plan to meet these obligations through a combination of cash on hand and free cash flow generated from the business. We believe this financial flexibility positions us well to continue investing in growth, while maintaining a strong capital structure.

Free cash flow for the quarter was $25 million. This brings us to our outlook for the remainder of the year. For the full year 2025, we are adjusting our ARR guidance to reflect the slower start to our year, along with increased uncertainty we’re seeing in the market. While Detection and Response remains a consistent performer. The softness in our Risk and Exposure Management business and lengthening sales cycles, particularly in March, have created more variability than we anticipated at the start of the year. As a result, we are lowering and widening our full year ARR range to $850 million to $880 million, growth of 1% to 5% over the prior year in order to better account for these dynamics. We continue to monitor the macro environment closely and are staying agile in our planning and execution.

Given the changes in the ARR outlook, we now expect full year revenue of $853 million to $863 million, representing growth of 1% to 2% over 2024. Recurring product revenue growth will outpace total revenue growth, offset partially by a year-over-year decline in professional services. On operating profitability, we are reiterating our full year operating income outlook of $125 million to $135 million. We are adjusting our full year free cash flow guidance to a range of $125 million to $135 million to reflect billings and collection dynamics associated with our lower ARR outlook. Non-GAAP net income per share is expected to be between $1.78 and $1.91 based on approximately 76.7 million diluted weighted average shares. For the second quarter, we expect revenue in the range of $211 million to $213 million, representing year-over-year growth of 1% to 2%.

We expect non-GAAP operating income between $30 million and $32 million and non-GAAP net income per share of $0.43 to $0.46 based on approximately 75.3 million diluted weighted average shares outstanding. In closing, while the broader environment remains cautious, we are confident that the steps we are taking, driving innovation in our product portfolio deepening customer relationships and operating with financial discipline position us well to drive improved execution through the balance of 2025 and beyond. To close, I’d like to thank our teams for their hard work and continued focus as we execute against our long-term strategy. We remain committed to driving sustainable growth, expanding profitability overtime and reinforcing Rapid7’s leadership in security operations.

Thank you again for joining us today. Operator, we will now open the line for questions.

Q&A Session

Operator: Thank you. [Operator Instructions] Your first question comes from Saket Kalia with Barclays. Your line is open.

Saket Kalia: Okay. Great. Hey, guys. Thanks for taking my questions here. How are you?

Corey Thomas: Good. Thanks, Saket.

Saket Kalia: Hey, guys. Maybe I’ll stick to the rule just around one question and maybe make it for you, Corey. Can you just go one level deeper into why you think maybe the upgrade cycle on exposure command is just going a little bit longer than you expected. I mean it’s clearly a tough macro, but can you just maybe dig into some of the product considerations here as customers think about really consolidating multiple tools with that product?

Corey Thomas: Yes. So if you look at the budgetary, if you look at sort of you can step back and say, like, why do customers want to upgrade to a product like exposure command. It’s by and large, customers have a more complex risk environment. So they have more cloud assets, more SaaS assets. They need to actually look at risk across the environment. They need to understand their environment. They need to model their attack surface and they need to manage their remediation and their compliance across that complex environment. So complexity is the primary driver of demand. The reason that we actually have confidence in the cycle is we’re seeing good interest and demand in solving the problem. We are seeing, especially in our core mid-market installed base is not readily available budget.

And so part of how we think about the opportunity is where we’re seeing budget that people can actually allocate and where are we not. As we entered the year, we actually looked at it across the board and thought that there will be a pace of upgrades across, which we still think that there will be a healthy pace of upgrades. But we are seeing a difference between those that can actually afford the budget and those that can’t afford the budget. I’ll remind you that we tend to have a heavier — a more heavy weighted mid-market installed base, especially in traditional VM. And that’s where we’re expecting it to take a little bit longer on the time to actually get through that upgrade cycle because it is incremental expense.

Saket Kalia: Got it. Very helpful. I’ll hop back in queue.

Corey Thomas: Thank you very much.

Operator: The next question comes from Jonathan Ho with William Blair. Your line is open.

Jonathan Ho: Hi. Good afternoon. I guess one thing I wanted to understand a little bit better is when it comes to your expectations around the ARR side of things, I mean, clearly, it’s a bit more challenging here with the macro and with what’s happened around Exposure Management. But what has to happen to sort of reaccelerate the ARR? And what could maybe be some upside scenarios here as we look at sort of the environment? Thank you.

Corey Thomas: Yes. Thanks for the question, Jonathan. Look, we see two drivers, which is why we have a pretty wide range right now. The first driver is the continuation of what we’re seeing right now. We’ve seen strong demand for Detection and Response. We just expanded the offering to be able to actually go after more customized, more enterprise use cases that just launched off. So we’re expecting execution there. Now those deal cycles are longer. And so we’re not forecasting or making that completely into the plan. But we’re definitely bullish on what we’re seeing. And even with the performance in Q1, what I would just say some things that were headwinds where deals got delayed in D&R and they showed up in the early part of Q2.

We had some customers that had M&A. We still saw very, very healthy performance on D&R, and we just significantly expanded the market opportunity at the TAM there. And so that’s an area where we actually have a lot of confidence overall. The second part is that the ability to upgrade our installed base. We don’t have to get to material parts of the installed base to see upside. We are incrementally more cautious about the US mid-market. We still see lots of strength internationally around the world. But when we look at sort of what it takes to see reacceleration, it’s really sort of like can we actually start to get the upgrade engine going. Keep in mind, the upgrade engine is a new engine for us. This is the first time in a long time that we’ve had the ability to upgrade a material part of the installed base.

And so again, that’s why we have a wider range. So again, to simplify it, continued D&R momentum pursuing the expanded D&R opportunity, which we just opened up from a product portfolio, and we’re well positioned to actually get. And then we need to actually see the upgrade cycle perform on the risk side. All of those give us plenty of room to actually achieve the upside, but timing is one of those things that we did not want to actually overcommit on the timing because the upgrade cycle especially could take a little bit of time.

Jonathan Ho: Thank you.

Corey Thomas: Thank you very much.

Operator: The next question comes from Matt Hedberg with RBC. Your line is open.

Matthew Hedberg: Great. Thanks for taking my question, guys. I wanted to follow up on Saket’s first question at the start. And it seems like, Corey, you outlined a couple of steps for improving Risk and Exposure Management that you talked about enabling partners and accelerating migration. I’m just kind of curious what sort of timeline should we think about for stabilization, if not improvement in that business?

Corey Thomas: That’s a great question. And this is one of the things that we focus a lot on. I would say, if you look at the guidance range that we actually have now is we’re expecting moderate stabilization over the course of this year. And then I would just say, reacceleration as we actually move forward. When we look at the core drivers, you really do have to break it down and say what’s happening by a segment basis. And so what we’re finding right now is that customers that actually have flexibility in budget, we’re seeing a movement, and we’re continuing to see upgrade cycles, not at the pace that we would want to see, just to be clear, to offset the larger macro pressure, but we are seeing momentum, and we are seeing upgrades and we are seeing proof points around those.

The deal cycles tend to be a little bit larger, which is one of our indicators that we’re seeing more pressure in our core mid-market installed base. There are some things that we’re doing around packaging and pricing to actually try to ease the upgrade cycle for that core mid-market customer. But to answer your core question is that we expect I would just say stabilization as we — moderate stabilization as we actually go through the year. We are expecting to be more pressured than we actually expected as we started the year overall in the Risk and Detection business, but we’re constantly focused on what it takes to unlock that. The steps that you outlined are sales and channel enablement, hone in and tuning the price and packaging, driving campaigns against the installed base and segment in the installed base, really focused on those who actually have the budget and the ability to actually upgrade overall, and most importantly, continuing to improve the product value proposition.

Those are the keys that we actually see that drive the midterm cycle there. In the interim, we’re not jamming the timing on that. We’re focused on our sales teams and marketing teams on what’s working. We have a strong value proposition in Detection and Response. And so we’re really focusing on that as we actually continue to drive the systematic upgrade on the installed base.

Matthew Hedberg: Thanks, Corey. Super helpful.

Corey Thomas: Thank you.

Operator: The next question comes from Aaron Samuels with Susquehanna. Your line is open.

Aaron Samuels: Hey, good afternoon. Thank you very much for taking the question. I wanted to ask a little bit more about the macro. You mentioned some pressure from US mid-market customers. Do you have any call-outs in terms of customers that have been relatively more resilient, whether by customer size, geography or industry vertical? Thank you.

Corey Thomas: It’s a good question. It’s interesting is that I would just say customers where security is required and mandated are clearly easier to actually sort of like withstand and get the budgets more. So that’s why we find it more in both highly regulated industries as well as slight I would just say, not large, large, but I would just say the larger end of our installed base. When you think about that over $1 billion of revenue customer set. And so there tends to be more we have to solve. We actually do see real benefits and tailwinds from the fact that those customers also have to scale their operations. And so we think that there’s a real opportunity, especially with our expanded enterprise MDR offering to actually be able to drive growth and acceleration there.

So that’s where we actually see opportunities. We also see lots of actually opportunities in Europe, especially outside of the US, where we continue to actually have healthy growth and healthy demand drivers overall. The places that we’re seeing pressure are unfortunately places that are, I would say, critical to Rapid7’s focus on resource-constrained buyers historically is we see pressure in the health care sector. We see pressure in the education sector where, again, they’re still moving forward, but those deals are definitely taking longer, and there’s lots of budget concerns as you go around. Same with state and local sectors. And then we talked about sort of like the general market. So we see areas of strength, we also see areas of pressure.

The one thing I’ll say, as you look across those things, we are seeing even though it may take a little bit longer, the D&R projects are closing. Now people want to make sure they get great value for what they’re getting, but those D&R deals are closing and moving forward.

Tim Adams: We saw those in the month of April that slipped from March.

Corey Thomas: Exactly.

Tim Adams: So it’s very positive.

Corey Thomas: Thank you for the question.

Aaron Samuels: Thank you.

Operator: The next question comes from Fatima Boolani with Citigroup. Your line is open.

Unidentified Analyst: Hey. Good afternoon, team. This is Mark on for Fatima. Thanks for taking our questions. Maybe just on the challenging macroeconomic environment and also the new upgrade cycle motion that you guys are seeing. Can you maybe speak to the level of growth churn and the attrition during the quarter? Any sense of observed disruptions from the upgrade cycle? And related to that, any color you could provide on NRR would be great. Thank you.

Corey Thomas: Yes. No, it’s a good question. So when you look at the churn that we actually saw, it’s pretty consistent with what we actually saw exiting last year. So if you think about the pressure from a net AR perspective, is the churn was consistent, especially in the risk business with what we saw exiting last year. Well, it was a pressure environment. So we didn’t expect any major changes overall. I will say that we were pressured more on the new side of the equation in that core mid-market space. As you think about sort of like the traditional vulnerability management growth. While, it’s not a big factor, it’s still sort of a factor when you think about total net ARR growth. But churn was relatively consistent to what we expected as we actually exited last year. And that has the upgrade cycle hasn’t been a major factor in the churn overall. If that’s the core question is, is this putting more deals up for risk? No, we’re not seeing that at all.

Operator: The next question comes from Patrick Colville with Scotiabank. Your line is open.

Patrick Colville: Thank you so much for taking my question. I guess, Corey, I mean this one is for you. I mean, in the quarter, we had, I mean, RSA conference recently and a large, I guess, platform cybersecurity company best known for its endpoint tool put into GA, it’s network-based VM. I guess, clearly, too early to tell what that might mean. But can you just show us some thoughts on like what this entrant could be for Rapid7 and how you guys are going to compete against them to kind of lock them out? Thank you.

Corey Thomas: Yes. And so, when we look at VM, we consider VM to be a hyper competitive pressure, but also not high-growth space. And so we do have to actually defend an upgrade. Our strategy is pretty straightforward. We uniquely have a very differentiated approach to actually provide integrated risk visibility across the attack surface, which is what people are looking for now. I’ve said it before. If you are looking at monetizing just traditional standalone VM, it’s going to be an untracked business. Part of what we’re doing is part of the upgrade cycle is we’re drawing down the value of historical traditional standalone VM and providing more value from the ability to actually track all the assets, resources technology across the attack surface look at the integrated risk profile across the attack surface, manage remediation across the attack surface and manage compliance across the attack surface.

I look at all the announcements at RSA, none of them are actually taking a truly integrated approach overall there. So we think that our upgrade strategy, this is why we said that it is an imperative to upgrade our installed base because we are upgrading in a way that actually makes us stickier. And so that’s a no. We have to execute on it, but that’s a no, no. But the other part of it is there’s a lot of focus, I would just say it is defense and we are definitely declining on the overall traditional vulnerability management market, and that’s the imperative upgrade. But the other part of that is to actually continue to play offense about what’s working. And the D&R growth engine also provides a stickier avenue and approach for those VM customers as they consolidate on the platform.

And so if you think about our strategy, defense is too far off. If we have a bunch of, I would just say, stranded vulnerability management with customers that don’t have any sort of like other compelling value, then that’s a higher risk for disruption and we acknowledge it. That’s the imperative there. But either upgrade to exposure command or upgrade them to our integrated Detection and Response offering, those customers are much, much more stickier. And we’ve already seen that with our overall D&R customer base. So that’s the strategy and that’s the approach. I would just say regardless of what anyone does, standing still was never an option. We’ve known that. We could have managed to change better, but we’ve known that standing still was never an option.

We are in a good place that we have massive momentum and we are participating in a core growth market and we’re getting more than our share of that core growth market, which is D&R as we actually then address the changes that are happening in the vulnerability management market overall, which we forecast in a solid economy.

Patrick Colville: Very clear. Thank you so much, Corey.

Operator: The next question comes from Eric Heath of KeyBanc Capital Markets. Your line is open.

Eric Heath: Hey, Corey. Hey, Tim. Thanks for taking the question. Corey, just curious to understand, maybe at a high level, how much of the success on D&R is dependent on the installed base of VM. Can D&R continue to grow double-digits if VM continues to decline? And Tim, if I could sneak one in. I think in the past, you’ve given some guardrails on ARR for the upcoming quarters. So just curious if there’s any guardrails on 2Q ARR? Thanks.

Corey Thomas: So to answer your core question is we’ve been pretty lucky with the D&R business is that the growth has actually come from both within our installed base. I’ll just point out that we saw a massive upgrade opportunity within our overall installed base, both on an exposure command upsell basis, but also on the existing D&R and technology customers in the installed base. So we still have plenty of upgrade room. That’s one of our underleveraged opportunities that we’re really focusing our sales engine on building the motion about how do we actually expand and growing the installed base. So to answer your questions, one, are we running our room because of the VM dynamics is no. We have massive room in the VM as always.

I think the second part of your question is, when I think about it do you actually have a land motion independent of the installed base and yes. The unique thing about our D&R business, and this is what makes us very proud is that we’ve always been able to actually add new land customers. And I’m not saying that’s like 10%, 20%, it’s been pretty close to half of the installed base could actually come from new land customers, which is much higher than we expected. So we still have more than enough land engine to actually drive sustained growth as we actually go forward in that business overall. Even as we have opportunities to upgrade existing D&R businesses, our focus on what some of the stuff that we’re actually launching later this year around AI for our D&R customers, we think we’ll actually be a boom for both our technology customers but also for our MDR customers who continue to want us to cover and manage more and more of the environment.

You’re seeing some of the early indicators of that with our recently launched enterprise MDR customizable service and business where we are using more and more AI for that and that’s a clear upgrade opportunity. To your last point is, Tim, you can do a quick one on the thing because we’re supposed to keep everyone on one question.

Tim Adams: Yes. Eric, on Q2, I would say we’re anticipating a modest increase from where we ended Q1. And our full year guide for the year is more second half weighted this year.

Eric Heath: Thank you.

Operator: The next question comes from Gregg Moskowitz with Mizuho. Your line is open.

Gregg Moskowitz: Okay. Thank you for taking the question. Corey, anecdotally speaking, why is it that the US mid-market does seem particularly cautious about spending right now? For example, are customers deliberating for a longer period of time as they decide how specifically they may consolidate in cybersecurity and with which vendors where tariffs mentioned at all as an issue in late March or in April. Any additional color there would be helpful.

Corey Thomas: Yes. Look, I actually think it’s general uncertainty. What we found in almost every cycle, we’ve had — we’re probably one of the few cyber companies and enterprise companies that had a mid-market business for longer. So we’ve seen a lot of these cycles. The mid-market tends to respond faster to economic pressures. It tends to set all faster, come on faster and so that’s not anything new, which is why as we saw things play out in the early part of the year. We actually did shift our position to take more and we talk to them and validate it with taking more cautionary approach. Now to get down to the reasons is that they very, very differently across the industry. So manufacturers are, of course, worried about tariffs or cost structures, pricing, how much they can equip in their businesses.

The midsized health care companies are clearly worried about margins, whether you are a health provider or health insurer that is a concern that you’re actually going to have regardless. Retailers are very worried about their cost structure. So again, I won’t say it’s a formal survey, but we do our pressure chest across a bunch of different segments. And so it does vary about what the pressure is. But what I’ll tell you is that we saw in the COVID cycle, we’ve seen in the previous cycles is retail customers tend to pause and wait to see what’s happening much faster than some of the larger customers, some of the larger enterprises. And then one thing that’s unique is we are seeing more pressure in the education sector this go around for obvious reasons.

Gregg Moskowitz: Exactly. Thank you.

Corey Thomas: Thank you.

Operator: The next question comes from Gray Powell with BTIG. Your line is open.

Gray Powell: Okay. Great. Thank you very much. So yes another question on the macro environment. I mean everything you said makes a lot of sense and I just really appreciate you’re being upfront with everybody. I am curious like can you give us a sense as to the tone of customer conversations in April and May? And just broadly speaking like my understanding was that people were pretty panicked the week after Liberation Day. And I actually heard some people say it felt like March of 2020. But once the tariff pause went into place like on April 9th, I was hearing that things started to fall out. So I’m just curious if you heard anything like that. Did any conversations start to improve the last few weeks?

Corey Thomas: Yes, absolutely. I mean so Tim said earlier, we have closed some of the deals that we were worried about. You can make an argument that things are stabilizing. I think anyone who would actually estimate that things stay stable in this environment is probably a little delusional because I think we’re probably in an up and down cycle on the new cycle. Well, I would just say there’s just as much reason to actually see stabilization and upside as there is to see downside pressure. I just want to be clear. We’re not, I would just say, overly pessimistic about the macro. We just realized that now there’s a wider range of outcomes there. We have seen some customer deals progress and move. We see continued opportunity creation.

So it’s not a negative read. I would just say, on balance, we see increased pressure. But as you said earlier is people do respond to actually what’s in front of them. And it feels like it’s not the worst of the worst right now what would be my read of it. But I don’t think we’re yet what I would consider a stable macro environment. I think there’s a lot of unknowns and we’re trying to reflect that. That’s why you see we actually have a wider range here because we haven’t, we have the upside and we have the base case and we have the downside scenario, but that required a wider range.

Gray Powell: Understood. Thank you very much.

Corey Thomas: Thank you.

Tim Adams: Thank you.

Operator: The next question comes from Roger Boyd with UBS Securities. Your line is open.

Roger Boyd: Awesome. Thanks for taking the questions. Corey, you mentioned confidence in the CNAPP product. And I understand there’s a big opportunity there, but I think we’ve all kind of seen that it’s incredibly expensive to compete there. There’s been others in that space that have been there for a long time that are now looking to partner. Just how are you thinking about the health of the cloud security market? And how do you think about kind of the investment strategy to capitalize on the opportunity there? Thanks.

Corey Thomas: Yes. No, it’s a great question. So I would just say we’ve been very deliberate about how we think about it. Our primary focus is just upgrading the installed base to our integrated offering. And we have lots of, I would just say, levers to actually pull there. This is not when we’re going to go out and spend a ton of money trying to acquire new land in cloud security is we think we can provide compelling economically leverage upgrades for our customers in our installed base. We think that our installed base is underpenetrated of having any cloud security solutions there. That tends to just describe a little bit of the resource constrained buyer that we have heavily in our installed base. And so we see that as the primary opportunity, which is a much more efficient cost of sales and marketing.

That’s it. We are maturing in our ability to actually pursue that opportunity. Because this is probably the first time in a long time that we’ve had a big upgrade cycle in front of us. So we’re getting the engine ramped and targeted. I was talking to one of our sales leaders earlier today, and they said, listen, we’re starting to actually progress and ramping up the sales engineer. But we are targeting a much more efficient growth opportunity there, which is really how do we grow the installed base. I’ll remind you is that to achieve success, we actually just need a moderate uplift across a moderate portion of our installed base and that actually drives stability, which takes away a negative growth engine in our overall Risk and Exposure Management installed base, puts it to net neutral to slightly positive.

And then we can actually really leverage the tailwinds that we see on the traditional D&R side of the equation. That’s the dual focus in some ways a tale of two cities. So stabilizing and then get into neutral positive on the Risk and Exposure, which is really about upgrading the installed base, even acknowledging some of the traditional churn pressure, while we actually continue to actually really focus on the massive growth engine that is a D&R business.

Roger Boyd: Great. Thanks very much.

Corey Thomas: Thank you.

Operator: The next question comes from Joshua Tilton with Wolfe Research. Your line is open.

Joshua Tilton: Hey, guys. Can you hear me?

Corey Thomas: Yes.

Tim Adams: We can. Hey, Josh.

Joshua Tilton: Great. Thanks for sneaking me in. I want to start by echoing Gregg’s comments. I appreciate you guys being upfront on what you’re seeing out there. The one I had is just kind of parsing out some of the comments that have come out during the Q&A. And I guess in the prepared remarks, you talked to D&R still being mid-teens growth but some deals slipped. It would have been better, but those deals have closed. I guess, is that a macro dynamic? And then did you see a similar dynamic on the Risk and Exposure side of the business in the sense that you had a light quarter, but what has happened to those deals since. And what’s expected in the guide for everything that’s slipped going forward? Thanks.

Corey Thomas: Yes. No, it’s a very fair question. So on the D&R deals that actually slipped. What I would describe is it was just very large deals, so it’s easy to count. Like it’s a handful of, not even handful, it’s a couple of deals that just happen to be very material in the organization. And the reason that they slipped were probably, I would just say, macro pressured situation. One was a large educational institution, which really need to see how things were going to actually play out and another was in the retail sector. And so those are sectors. We had a smattering of, I would just say, manufacturing companies, too, that I think most of those have actually since closed, not all. And then when you look at the Risk and Exposure Management side, kind in mind our strategy on the upgrade is just much smaller ASP.

So it’s not that you didn’t have deal slippages on that side. It’s just that it’s not as concentrated. The D&R business tends to actually have larger average ASPs and then wider ranges overall. And so that’s the read through is that. And then on your question about what’s in the guide and the expectation, look, our core guide is really anchored on, I would just say, consistent D&R performance, which is, I would just say, in line with what we saw in Q1. There’s no real deltas that we’re experiencing there overall. I would say the range of outcomes on the high and the low is that do we actually get some acceleration in D&R based on the expanding offerings that we think are pretty competitive. That’s upside there. But without history, it doesn’t make sense to make it into the range.

And then we are more modest on balance on the pace of the upgrades, which can offset some of the VM pressure. We are working very, very hard to actually drive the upgrade cycle and then operationalize that. But I would just say, incrementally versus the start of the year, we are expecting that cycle to actually take a little bit longer and we’re expecting to see continued pressure in the overall vulnerability management business for all the reasons that we actually talked about earlier. Do we have upside there based on the updated cycle? Absolutely there. But we’re at where we are based on what we’ve seen so far.

Joshua Tilton: Super helpful. Thank you.

Corey Thomas: Thank you.

Operator: The next question comes from Shrenik Kothari with Robert Baird. Your line is open.

Shrenik Kothari: Great. Thanks for taking my question. So Corey, you mentioned, of course, structural pressures and traditional VM and slower mid-market. Despite all of that, you’ve been able to drive MDR growth, which is anchored and, of course, lower TCO via AI automation, but also differentiating beyond cost. So on the Risk and Exposure Management, I hear you mentioned about, of course, packaging pricing, partner enablement. But in terms of messaging, right, you did touch upon that, how are you farming this broader Risk and Exposure Management to differentiate your approach Rapid7’s approach from other VM players? I had a quick follow-up after this.

Corey Thomas: So I think the question is how are we differentiating versus traditional VM players. Well, one, I would say, look, we have to recognize that the VM market has a lot of approaches, players, avenues, I would just say, it overlaps with the cloud market in some ways. We’ve taken a very, very specific approach of focusing on integrated risk management. And so the way to think about that is that what’s unique about us is we’re one of the few players and the only player I’m aware that fully out of the box integrates all the assets, all the information, all the context in your environment. We actually consolidate risk across the environment, not just from our tools and technologies, but across the environment. We have open APIs by the way.

People can collect our data too. We believe in open APIs to support that. And we think that’s good for the technology industry in general. We consolidate the remediation across the environment. We have some enhancements later that are going to accelerate our ability to process and help customers drive compliance, navigate AI across the environment. And then we actually build automated workflows. In general, the way to think about what we’re doing is when you think about the CTM structure that Gartner recommends across is our big focus is about being the integration engine behind that and enabling the automation of the response and management of those processes. We see ourselves as highly differentiated. There’s areas that we’re catching up like some of the long tail of the cloud capabilities that some of the cloud pure plays have actually done is we’re playing catch up with some of those areas.

But when we look at our core installed base, while they may be more budget constrained, they made more resource constrained, lots of them are trying to figure out how to actually get efficacy at scale, and we think we have a great story and a great solution for that installed base.

Operator: The next question comes from Aidan Perry with Piper Sandler. Your line is open.

Aidan Perry: Good afternoon. This is Aidan on for Rob Owens and thank you for taking my question. You mentioned earlier the complexity of the driver demand. And with the launch of MDR for enterprise, do you think these new capabilities will allow you to go after specific verticals with complex environments more effectively or is this offering intended to address large customers more broadly? Thank you.

Corey Thomas: It’s intended to address large customers more broadly. But, look, there’s also some large verticals that we see like we’ve gotten lots of demand from the manufacturing vertical, for example, which really has a massive amount to manage, and they’re looking for scale help. Healthcare, we actually see on the large and real dynamics there. So think about our sweet spot here is very, very large customers that have to scale. Security is mandatory. They are looking for a partner. They have some security resources, but they’re looking to scale. The unique thing that we do is we help them understand what their attack surface is. We actually help them monitor 100% of the attack surface at efficacy. They know that they have to monitor the not just the endpoints.

They know they have to monitor the identities, all the cloud resources, which are incredibly noisy across that environment. They know that they actually have to actually process all the security telemetry together. They have to reconcile the data. We are leveraging both AI and our talent to actually do that. And so we’re adding real scale to those organizations, and we’re assisting them in a way that works for them. This took a lot of effort and investment to actually be able to do that in a way that had healthy gross margins, but can operate in a way that customers want. So we’re incredibly excited about the launch, that is one of the upside drivers for the year. We had a nice warm reception from our initial pilot customers and some of the customers at RSA.

But that is a growth driver. But I would just say it’s — think about very, very large resource contained buyers. We offer the best economic solution to actually get efficacy at scale.

Operator: The next question comes from Joe Gallo with Jefferies. Your line is open.

Joseph Gallo: Hey, guys. Thanks for the question. Last quarter, you announced heavy investments for D&R which seems justified. But maybe can you just talk a little bit about your overall profit versus growth framework? Are some of these investments fluid if growth doesn’t accelerate? And then maybe how should we think about sales capacity as well?

Corey Thomas: No. There’s a lot of questions built in there. So let me just sort of like hit a couple of ones. One, look, like any company, you need to invest behind growth opportunities. In Detection and Response, we have a massive market. We have a healthy position and we can actually create an even stronger position and frankly expand our addressable market there. So that’s a clear, I would just say, profitable growth opportunity. In almost any definition you actually invest for profitable growth in the growth opportunity. When you think about the allocation of resources across is that, again, we’re not trying to be all things to all people. We are focused when we think about outside of that, things that reinforce our overall stack.

So we’re going to be the best at actually integrating telemetry across the environment. That’s both the entity data, the risk data and the monitoring data. So our integration engine is a core investment prioritization that we’re focused on across the environment. And then we’re going to make sure that we actually have the right capabilities to serve our core mainstream customer when it comes to the Risk and the Exposure at the best economics. So we have a rational allocation view. It takes focus. It takes discipline around it. But we are invested in the areas that actually have the best growth profile. And you’ll continue to see us sort of like both innovate, partner to actually drive success in the overall market.

Tim Adams: Yes. Hey, Joe, it’s Tim. I would just underscore something Corey brought up earlier, selling into the installed base. As you know, we’re just under 12,000 customers. And that really creates a large market opportunity for us with customers that we have a good relationship with on the expansion motion, and that does come at a lower cost of sale for us. So that’s one area where we can see leverage in the future.

Corey Thomas: Yes. And our go-to-market motions are pretty straightforward. And our go-to-market motions are pretty straightforward. It’s the — if you look at what we’re doing, we are driving the integrated land motion about like looking at how customers look at integrated security operations. We’re upgrading our installed base, VM to exposure command, and we’re driving adoption as our big trust in Detection and Response.

Joseph Gallo: Thank you.

Operator: The next question comes from Adam Borg with Stifel. Your line is open.

Adam Borg: Awesome and thanks for fitting me in. Maybe just building off to Joe’s question. So when we think about the new socket in India, maybe Corey or Tim, you could talk a little bit more about how that’s supposed to help not just from an innovation perspective, but also from an efficiency perspective as well. Thanks.

Corey Thomas: Yes, there’s a couple of elements. So one, if you think about our operations in India, India is another global development center just like we have a couple of them in the US. We have one in the UK. We just opened up a development center specifically in Prague and now we’ll have a global operation center in India that will have some development, some security operations. I would just say, just to be clear, the number one driver of the center that we’re doing for the SOC, we need to go out to SOC in India is that we’ve had significant growth in EMEA and APAC in our core Detection and Response business. And so having people that are in regions that have overlaps that can actually do multiple times on coverage is a response to customer demand.

That’s the number one drop. It happens and then also has some economic benefits, but I just want to recognize that the customer benefits are massive and significant because that’s where the growth is. Again, our thesis is very clear, just invest behind the growth. So we see great growth internationally in those regions and we’re invested behind. That said, when you think about how do we actually scale D&R and we have big MDR demand, we’re customizing more it. You have to engineer that in, you have to have a product-based approach. And also it’s a combination of technology and sort of like the cost of the talent there. I want to be clear. Is there’s definitely cost talent arbitrage something there. But if you say what’s the majority of the cost efficacy that’s going to allow us to continue to scale this business.

As it actually serves more and more customer use cases, it’s definitely the investments that we’re making in our adoption of AI technology, which is a big part of the investment thesis that Tim laid out earlier. And again, I met with our teams over the last couple of weeks and that is on track and frankly, accelerating the investments that we’re actually having. Our belief is that our technology and the AI investments that we’ve actually already made and they’re in the SOC. And frankly, we’re going to make available to our broader customer base. A little bit later this year are already yielding massive dividends that are allowing us to actually run at better operating margins from a traditional MDR player. And if you say where most of the gains is going to come from, it’s going to come from the technology innovation side of the equation.

Yes, there will be lower-cost talent that’s going to actually play a factor there. But we’re seeing real gains from sort of our ability to leverage both AI and automation to drive the efficacy of the SOC and that will be the dominant driver of how we continue to actually have better margins than most traditional MDR players.

Tim Adams: Corey, we’re already seeing that in the numbers on international. It’s 25% of revenue and it’s growing faster than what we saw in the US that 10%.

Corey Thomas: As part of how we’re actually able to actually even with some of the wider ranges continue to manage profitability this year because we’re already seeing some of those benefits.

Operator: That is all the time we have for questions. This concludes today’s call. Thank you for joining. You may now disconnect.