June 20, 2017 - 3:25pm EST by
                                  2017  2018
Price: 17.00              EPS        0     0
Shares Out. (in M): 42    P/E        0     0
Market Cap (in $M): 714   P/FCF      0     0
Net Debt (in $M): -96     EBIT       0     0
TEV ($): 618              TEV/EBIT   0     0



Summary: a red-headed stepchild in terms of profitability will become the little orphan Annie of the vulnerability management space as the long-term model inflects in 2018-19. Using peer multiples, RPD should be worth $25-30 over time versus today’s $17. As an (in)sanity check, a margin progression towards $50-60m in CY20 FCF + $5/share in pro forma net cash underpins the investment case as S&M delevers ~2000bps from 2016’s 57% of revenue as RPD’s enterprise subscription business scales. A solid management team led by CEO Corey Thomas has all the right tools at its disposal with the backing of Bain and TCV, making the investment case one of execution in a growing TAM.


While not required for the investment case to work, the software and analytics portfolio is the right size to be consolidated into a strategic buyer. Sensible buyers include VM peers like QLYS or Tenable, SIEM/analytics peers like SPLK or application security peers like IBM.



Why does the opportunity exist?

Direct VM peers including QLYS and privately-held Tenable earn robust 20%+ EBIT margins at similar scale, but RPD had been unable to leverage its sales force as it invests for growth. Navigating the transition from small deal sizes that typically close intra-quarter to more enterprise business with longer sales cycles of 1-2 quarters creates the opportunity after a large air pocket in 3Q16 bookings. While RPD’s stock has recovered in recent quarters, we think growth is set to accelerate as an updated platform, better sales leadership and better execution get things humming.


Business Description

Rapid7 provides security data and analytics solutions. Effectively, RPD answers ‘am I vulnerable, am I compromised and am I optimized?’ Its platform allows customers to detect weaknesses and potential threats both on-premise and in cloud-based environments. Recurring revenue is ~70% of the total business with legacy solutions including Nexpose Now (VM), Insight IDR (analytics), Metasploit (threat database) and Logentries (log management) becoming one integrated “Insight” platform in 2017.




VM and analytics growing rapidly. The core VM space counts Qualys, Tenable and IBM among peers. With HSD share in VM, RPD is a share gainer in a market that IDC estimates will grow at a 15% CAGR. The more exciting opportunity is analytics, where Rapid7 successfully competes with Splunk through its Insight IDR product. RPD’s 2017 revenue of $195m at the midpoint of guidance compares to a TAM that it defines as $14.4bn. This is relevant to the thesis since RPD is not ‘just’ a VM company:

  • $2.0bn Vulnerability Assessment

  • $3.4bn SIEM (Security, Information and Event Management)

  • $3.0bn Intrusion Detection & Response

  • $2.5bn Endpoint security suites

  • $3.5bn Security services


Execution, execution, execution. With the backing of Bain and TCV as VC investors in Rapid7, we think CEO Corey Thomas is the right person for the job. Not every product of HBS turns into an amazing manager, but Corey checks out as more than capable of bridging the divide between the technology and business cases for Rapid7. As the company matures and gets past a sizable 3Q16 miss (discussed below), we see improved execution as key to the story:

  • New sales leadership getting the right people and processes in place. The Jan 2017 hire of Eric Erston bolstered RPD’s enterprise sales effort as he came with 14 years of experience at RSA.

  • International execution is improving and represents only ~15% of LTM revenue. Compared to other software players with international revenue of ~30-40% of total (e.g. QLYS 30%), there should be ample room to grow.

  • Lumpy deals and weakness in federal spending should get better in 2H17 as the budget cycle kicks off. Deals that slipped in 2016 should come through as RPD is better positioned.

  • New CFO Jeff Kalowski has improved forecasting processes, marrying the finance team with the folks out there in the field. Better communication with the street is a bet we’re making on the come.

The ‘what happened’ in 3Q16 that makes execution so important is a billings slowdown. Weakness in its ability to close enterprise deals and slow federal spending pointed to gaps in the sales organization as opposed to slowing end market demand. As RPD made the necessary changes to people and process, the stock fell from $19 to $10.63 and bottomed ~2.2x EV/Sales.





[Chart: Def Rev]

Integrated portfolio should lead to better margin profile. Given growth at a breakneck pace, RPD had arguably not integrated the 2015 acquisition of Logentries or the 2009 acquisition of Metasploit as well as it could have. Sales pitches could often be made to different departments or to different teams (e.g. CTO suite vs IT operations). This changed in early 2017 as RPD introduced the Insight platform for VM, ID&R and Application Security. This unified offering helps customers better understand the suite of services that RPD has available and should over time increase the dollar revenue renewal rate from ~120% and the customer renewal rate of ~89%.


Said another way, there is nothing structurally different that makes RPD a bottom of the barrel software player. They are not selling a one-and-done on-prem box. While the business was meant to achieve upwards of mid-20s EBITDA margins communicated at the time of its 2015 IPO, we think management will lay out a thoughtful, achievable plan at its first analyst day in 2H17:

  • Gross margins should be steady to slightly better at a blended 75%+

  • S&M was 57% of revenue in 2016 vs QLYS ~27%. We don’t forecast 3000bps of improvement here, but there’s lots of room for leverage as deal size increases and international growth scales.

  • R&D at 30% of revenue can come meaningfully lower.

  • G&A at 18% of revenue should see natural leverage to the low teens.


Favorable backdrop post-WannaCry. Bookings should be robust given the relative ease with which VM solutions can be trialed once a CISO pulls the trigger on a purchase. That is, an event like WannaCry may encourage usage and show up in bookings and customer numbers sooner rather than later. Interestingly, customer conversations reveal relatively high switching costs (it’s a pain) though relatively low barriers to trialing VM for those that don’t have a solution. Add in GDPR regulations in Europe in 2018 and there should be some tailwind for RPD.


Takeout potential given recurring revenue. Nearing 70% of recurring revenue in a visible model, we reason that at 4-8x maintenance revenue RPD is worth $800-1,500m as an enterprise on CY18 figures, or $20-35/share, compared to today’s $17. With a clean balance sheet and > $2/share in net cash, we could see SPLK, IBM, HP, EMC or even QLYS/Tenable as suitors. Recognizing the 2000bps+ of S&M margin that needs to be leveraged, we think a strategic makes more sense than a financial buyer.


[Chart: EV / Sales]

Freeform Q&A

Rather than rehash the business description or a sell-side initiation, here is a Q&A format that might promote discussion in the comments section.

Won't this idea stink if growth slows? This business doesn’t make money?

You bet, as it did in 3Q16. Bookings growth is not a layup even with revenue visibility. It is not trivial to move up the stack from a bread and butter SMB sale to enterprise. While there was some lumpiness in a monster 2Q16, the company was jamming round pegs in square holes with the sales organization. The person who sells a $10k deal over a 2-week period does not have the same skill set to close a $200k deal over a 6-month period. This sales team has improved materially. But, if growth slows over an extended period it would be hard for the model to mature.

M&A upside sounds good, but there’s still an overhang?

There’s no law that says the VCs have to clear out of the way before a strategic transaction might happen, but I suggest that the Bain/TCV ownership presents both an overhang and an opportunity. These two investors own ~15.6m shares of stock or 37% of the company. After a 2.8m share secondary in early June, it is clear that at the right price the VCs are ready to realize some return on their investment. This is negative on one hand as it is a lot of supply to jam through in a somewhat less liquid name (RPD declined > 6% in the two sessions following the recent secondary versus a flat Nasdaq tape). If any strategic sale is pushed out until the VCs have liquidated, so be it. To the good, this is a name that may not register for some would-be investors as the limited float → ADV of ~$3-4m ytd. As some readers may start idea sharing conversations with “it has to trade at least $10m a day…” I think this is a clear reason RPD has been overlooked. This will change over time. It’s also fair to point out that with a new CEO hire at Tenable this year they could go first when it comes to consolidation.

EV/Sales multiples are garbage.

Mainly true. From industry conversations, we see no impediments to RPD approaching levels of profitability well below peers that would still make a cash-flow based valuation sensible. As the model matures, it stopped burning cash in late 2015. But, moving all the way up the P&L for comparative purposes is a dangerous place to be if growth disappoints. That said, we can observe what strategic and financial players feel is a bargain on EV/recurring maintenance which might suggest RPD is a bargain bin price around $12-13.

$50m in R&D is pretty thin, no?

A lot of the heavy lifting to integrate core VM, Logentries and analytics onto one platform has been done on the R&D and G&A lines. To be clear, the biggest delta for the model to work is on the S&M line (57.5% of revenue in 2016). But, we like RPD’s suite of solutions as they stand today.

Walk me from GAAP to non-GAAP EPS?

About $16m in annual SBC and $2m in intangibles amortization. The share count has increased 4.6% since the end of 2015.

Recent management changes mean disruption?

Not really. Former CFO Steven Gatoff (from the Stratton Sclavos / VRSN days of yore in 2002) left the company after a tenure from 2013-4Q16. Gatoff helped usher RPD through the IPO process and announced his move back to the Bay Area for family reasons in Aug 2016 (you spend four winters in Boston vs Berkeley and you’ll see). New CFO Jeff Kalowski is an upgrade as new processes allow management to have a better real-time handle on sales and bookings trends. Further, Kalowski has experience selling a security business as his former firm Imprivata was bought by Thoma Bravo in 3Q16. We also like the new sales hires discussed in the memo.

Make a case for permanent destruction of capital.

Did somebody say EV/Sales? What about EV/security breaches? This business needs to leverage various expense lines including S&M to generate meaningful FCF. If they can’t do that, growth slows and somebody in the VM space gets aggressive on price, then it might be easy to pick a lower sales figure and lower multiple that gets you closer to $10. The $2+ in net cash wouldn’t mean much at that point.


You’re just being lazy...you wrote up QLYS late last year.


We own both RPD and QLYS and view them as attractive long-term investments. Yeah, this is a double dip of VM but the stories are distinct and leverage more bps over the same number of hours worked.

I do not hold a position with the issuer such as employment, directorship, or consultancy.
I and/or others I advise hold a material investment in the issuer's securities.


Continued execution under restructured sales force.

International growth.

Analyst day 2H17 articulates path to profitability.

Potential M&A.

