Why bother looking at yet another security software vendor?
Is anyone out there interested in looking at a small, somewhat unique security vendor today? It is probably more fun, although perhaps not all that profitable, to speculate endlessly as to the potential impact of Brexit on the economies of the U.K., the EU or perhaps even the world.
But for readers who might be tired of yet another Brexit discussion, I would like to focus on a small-cap cyber-security name called Rapid7 (NASDAQ:RPD). At least Rapid7 has 87% of its revenues coming from North America. It is just too small and too new to have established much of an international presence although offshore has been growing lately. It does have development facilities in Belfast and in Dublin and those, of course, have been so located both to take advantage of lower labor costs on both sides of the Irish border which are not insignificant compared to Greater Boston and to take advantage of subsidies that are available these days both in the Irish Republic and in Northern Ireland.
And I really do not think that Brexit is going to have much impact on potential data security breaches one way or the other. Users buy security software for one reason and one reason only, and that is that the costs and the impacts of a breach can be catastrophic. Price is not a huge consideration except competitively and the status of international trade is not a significant consideration in terms of security breaches either.
OK then, why look at this company which on the surface seems like many, many other smaller loss-making tech vendors? Simply put, Rapid7 is really competing in a rather different part of the software security space and hence has a relatively significant competitive moat when compared to the giants of that market. I will try to explain below, as best as I can, the concept of SIEM and the solutions that use it to deliver some level of cyber-security protection for users. Rapid7, along with a couple of other competitors, has a second generation solution in the universe of SIEM applications that really obsoletes much of the older technology. What Rapid7 sells is really a bit unique and quite differentiated from the solutions sold by many competitors who offer older versions of the SIEM technology.
Further, the shares are relatively cheap with an EV/S of 3, far less than many other companies in IT with subscription models and it seems to have a realistic path to profitability. By no means a rapid path, I believe, and I think at some point management is going to have to think through the trade between growth and profitability again, but there is a path there and it can be seen. Given its size the company doesn't have the coverage of some other IT vendors. Only seven analysts follow the name.
And while insiders own almost half of the shares, institutional ownership of 10% is low and the short interest of 9% of the float is relatively high. There's the tendency to think that low institutional ownership and particularly lower ownership by hedge funds must mean that something is wrong with the company. It surely can, but it can also mean that this company is a bit small to fit into many institutional portfolios. And that's a rare opportunity for individual investors.
The company is forecasting positive operating cash flow this year of $10 million and its capex of about $1 million/quarter is not very high. Stock-based comp was 16% of revenues last quarter. In the prior year's quarter RPD was not yet a public company and hence there's no meaningful comparison. Rapid7 is a small-cap name that is loss making, but it has some other far more interesting characteristics that might intrigue investors given the level of appreciation potential and the potential the company has to be consolidated.
So what is Rapid7 and how are they positioned in the cyber security market?
Yes, this is a relatively small security software vendor with a name that reminds me of Motel 6, perhaps not the most pleasant of analogies. The name actually derives from the fact that two of the founders used the No. 7 line of the New York subway that goes from Times Square (nowadays from 34th St. and 11th) to Flushing in the borough of Queens. The line passes by Citi Field and the Tennis Center and the rest of the ride is notable mainly for the dreary views of Queens that can be seen from the elevated tracks. It isn't one of the more pleasant experiences to endure day to day and apparently to pass the time two of the founders focused on conversations that led to the development of what is now Rapid7.
Now I grew up using what is now the No. 4 line that goes from the southern tip of Manhattan to Woodlawn, a bucolic setting for a famous cemetery. Nothing that special has ever happened to me while riding the trains. I was once bullied by a bunch of kids from Dewitt Clinton HS which was somewhat frightening but I never thought up some great trading strategy or a brilliant idea with which to launch a company. Perhaps the breezes on the elevated line in the West Bronx lacked some kind of magic elixir present in Flushing or Jackson Heights or even Sunnyside.
It is just irresistible for me to add that trying to discuss anything, let alone corporate strategy within a New York City subway car at rush hour is likely one of the more fraught experiences in the world. Personally, I would rather hear a choir singing flat than take the No. 7 to and from work end to end, day after day. But despite the venue of its genesis, Rapid7 has managed to build a company that is rapidly growing and which appears to offer differentiated solutions. Who knew that rides on the No. 7 made up for their unpleasantness with such corporate mojo.
Rapid7 went public just last summer and it has never again sold as high as the IPO price. Indeed, it is just less than half the price it closed at back in July 2015. And therein, I believe, lies the opportunity. For a fast growing company in the security space it is quite modestly valued - perhaps because of its loss making history. It is definitely a minnow in a sea of sharks with revenues estimated this year at $152 million compared to say $1.6 billion for calendar year 2016 for Palo Alto (NYSE:PANW).
Almost inevitably the company is loss-making although company CFO Stephen Gatoff has forecast that the company will achieve "meaningfully positive operating cash flow in 2016." Mr. Gatoff has forecast that overall operating cash flow will come to $10 million for the year with positive free cash flow. And if it is going to be a survivor (by which I mean that it is going to remain unconsolidated) it has a relatively low EV/S at just greater than 3X. Growth this year is forecast to be 38% and that is likely more than anyone else in the security software space with the exception of PANW - but is that fast enough? And what is it that RPD does that makes it unique and able to withstand competition from much larger and better known competitors?
Basically Rapid7 is not another advanced firewall security product. It is essentially a different category called security data analytics as I will try to explain below. The overall size of the market is said to be about $5 billion this year and is expected to grow at a CAGR of 11% through the end of the decade. There are various categories and sub-categories within this space that are of interest to potential users. As it happens, Rapid7 has dogs in all of the races in the overall space and during Q1-2016 it indicated that percentage growth was relatively consistent across all of the categories. I'm not going to go too deep into which category has which product. It doesn't matter in terms of evaluating the stock. My interest is really to see if Rapid7 might be a decent investment.
One thing to note: this particular niche is not dominated by the usual suspects who compete in firewall security - no Palo Alto, no Check Point (NASDAQ:CHKP) and no Fortinet (NASDAQ:FTNT). And for potential investors, that is a very, very good thing. There are, to be sure, more than enough competitors such as Symantec (NASDAQ:SYMC), EMC (NYSE:EMC), HP (NYSE:HPE) and IBM (NYSE:IBM). Most of these competitors have products that are built around what is called the SIEM (security information and event management) paradigm. It is an approach to security that seeks to provide a holistic view of an organization's overall IT security. The best known of the independent vendors in the SIEM space is Splunk (NASDAQ:SPLK).
Rapid7 has products that use next-generation behavioral analytics coupled with fast search to overcome the challenges/limitations of the current generation of SIEM offerings, which rely on an almost endless series of rules that sometimes simply overwhelm security analysts who try to keep up with the alerts issued by their software. To a degree, the Rapid7 approach uses a somewhat different paradigm than the approaches used by advanced firewall vendors. Firewalls, by their nature, are essentially designed to prevent breaches. In the approach used by Rapid7, statistical analysis determines the parts of a network that are most under threat. The paradigm continues with a service that identifies what are thought to be inevitable breaches. The company's InsightIDR (IDR) attempts to secure data quickly and automatically in the wake of breaches. The company's AppSpider product, obtained through a recent acquisition, is the tool the company sells to assess threat vulnerabilities. The two competitors that offer solutions more comparable to those offered by Rapid7 are Splunk and LogRhythm. There are occasions on which Rapid7 partners with LogRhythm and the two companies have integrated some of their technology. The unified solution includes the LogRhythm SIEM 2.0 with the RPD risk assessment solutions.
In October 2015, RPD acquired Logentries for $68 million of which $36 million was cash and $32 million was in RPD shares. Logentries is a company that has a portfolio centered on log management and search. Logentries is a direct competitor of Splunk and gets quite high marks in the user surveys, significantly besting Splunk in the ones that I have seen. It is almost certainly early days to evaluate how the competition between Logentries and Splunk might go now that RPD has acquired that company.
Typical users of this next generation technology currently are said to include larger enterprises, including telecom, energy and power, and financial services. So far, RPD has been moderate in terms of acquisitions. More than three years ago it acquired a mobile security company, Mobilisafe, which specialized in risk management for mobile devices. Adding Mobilisafe allowed Rapid7 to address threats coming from what is called the BYOD (bring your own device) space. And of course it acquired Logentries and has made a deal to acquire some Intel (NASDAQ:INTC) customers. But by the standards of this era, RPD has not been a serial acquirer.
Compared to many smaller start-up companies that primarily generate revenue through subscriptions, Rapid7 has a significant consulting practice that actually enjoyed the greatest percentage growth last quarter. In Q1, 31% of total revenues came from consulting. The consulting gross margin was 30%. There's plenty of room to grow gross margins at scale. Given the specialized nature of its consulting expertise, consulting services could readily enjoy gross margins of 40% or more as is the case for Indian outsourcers with a far less specialized practice.
Self-evidently, professional services revenue is not recurring. That said, this company has a strong balance of deferred revenue and even with the outsize proportion of consulting it has decent short-term visibility. I believe that the company's practice is a significant competitive benefit that RPD can offer prospective users.
What are the issues keeping these shares down?
Fair question. The shares are down almost 16% YTD and that's in spite of two quarters that were beats and raises. Since the start of the year, the IGV software index has fallen 4%.
The company announced its Q4-2015 results on 2/10/16. The shares did rally 50% between the time of the earnings release and 3/7/2016, but that was during a period during which tech shares were all rallying from the February 9, 2016, bottom. RPD announced its Q1 results on May 10. The shares did rally by 7% after hours because of the beat and raise. Perhaps the beat wasn't large enough. Even though full-year guidance was increased noticeably, the forecast for Q2 was more or less consistent with prior expectations. In any event the shares declined about 5% over the next week. As the IGV was rallying a bit at that time, it seems that investors were disappointed at some elements of the earnings release and judging by conference call questions I believe that was the case. Management said on the call that the year would be second-half weighted (60-40% in terms of bookings) and their guidance reflects those observations. I have no reason to believe that Q2 results will not be another "beat and raise." Well, no reason other than any Brexit-induced panic amongst IT security customers. Estimates are aligned with guidance and estimates indicate a revenue growth slowdown from 48% to 40% for this quarter and to 36% in the September quarter. The math suggests those numbers might easily be exceeded and management has reaffirmed that it intends to show operating leverage at scale going forward.
The earnings forecasts show little or no evidence that analysts really believe that will happen. The September quarter has a forecast of $2.3 million of sequential revenue growth but the growth in sequential profits is only $.8 million. 2017 estimates show revenue growth of almost $40 million, but show only $6.5 million of profit improvement. Those numbers are really not what is meant by terms like "operating leverage" or "path to profitability."
It is probably instructive to look at the Q1 earnings release in some detail. I will use a GAAP presentation. Non-GAAP might have lower expense ratios but it tells the same story directionally. Gross margins were at 75%. Given the drag from professional services, gross margins are not a significant issue for this company. The significant issues are S&M and R&D spend. R&D spend increased 81% year on year and is at 35% of revenues. The CFO on the call commented that the first place to expect spend ratio improvement would be on the R&D line and said specifically that "this is due in large part to our talented offshore engineering teams in Belfast and Dublin and as a result we expect continued marginal decrease in our R&D expense to revenue ratios in 2016." I have no idea what the term "marginal decrease" means in terms of actual numbers. There's at least a 1000 bps opportunity to bring R&D spend in line with that which other companies in the security space spend.
The GAAP spend on marketing is 65.5%. That's a quite remarkable number and in itself might suggest the reasons for the current valuation of the shares. Marketing spend was up 73% in Q1 compared to the prior year. Speaking with a bit of experience on the subject I simply have to question the efficiency of that kind of spending increase. Rapid increases in sales spending inevitably lead to sub-optimal hiring patterns and to efforts to fit square pegs in round holes. It amazes me that real analysts do not ask company managements about those kinds of ratios and force them to defend what the CFO called the company's "dual mandate." But I suppose a 73% increase in spend is better than increasing R&D spending by 81%. Management chose to look at the metric differently. The CFO said that the non-GAAP marketing expense ratio fell from 64% to 57% on a sequential basis. Again, the CFO is forecasting ratio improvement on the sales and marketing line during the balance of 2016.
It probably ought to be noted that last October Intel discontinued its McAfee Vulnerability product and has made Rapid7 its exclusive partner for vulnerability management based on RPD's Nexpose technology. There are royalty payments associated with the transaction which closed in early January and those royalty payments are going to be recorded as a part of the sales and marketing expense category. The company never quantified its expectations regarding incremental revenue from this deal but did say it was ahead of plan thus far but was proving to be quite labor intensive in terms of the time spent by the sales force contacting all of Intel's customers.
While the G&A expense ratio is not as egregious, there's certainly room for improvement. GAAP G&A expense grew 63% last quarter year on year and G&A is 19% of revenue - 16% on a non-GAAP basis. RPD is a relatively small company and G&A expense is normally higher as a percentage for companies this size than for larger companies but at least the growth in G&A spend can just track revenue growth.
Overall, the company is forecasting a 500 bps improvement in operating loss percentages in the current year. For the stock to work that is a minimum expectation. The greatest catalyst for the shares would be a more substantial improvement in operating loss margins. I believe that the greatest factor in the mediocre share price performance recently is the rather elongated path to profitability. The non-GAAP operating loss margin last quarter was 27%. I do not think investors are disposed to wait five more years until this company reaches break-even non-GAAP operating margins. I'm sure that management is far more aware than I am of the trade-offs in terms of growth and profitability. If the company doesn't address the issues of profitability with greater celerity by itself, there are plenty of PE firms and strategic acquirers that will do the surgery for them.
In Q1 some of the sub-headline numbers were displeasing to some observers. In particular, while deferred revenue increased by 49% year on year, its sequential growth was quite small. In addition, Q1 bookings showed only a 34% increase compared to the reported revenue growth of 48%. Much of the lower level of growth in bookings than in revenues had to do with the duration of new contracts which went from 24 months to 22 months. Absent that change, bookings would have been nearly 10% higher and the growth in bookings would have been in the mid 40% range. Much of the contraction is seasonal because Q1 sees a smaller percentage of larger deals that tend to have longer terms. In any event, the company's visibility has been enhanced by the Intel/MVM deal and also by the recent launch of the company's IDR product. IDR is a product that has the potential to directly replace SIEM technology and hence has a very significant revenue potential for this company.
I think that the explanations for these sub-headline anomalies are quite reasonable and the success of MVM transitions and IDR will be important in sustaining growth going forward. To the extent that the 34% bookings number may have concerned investors, I have reasonable confidence that large deals will expand sequentially - that is just seasonal - and drive up term lengths and hence bookings to more pleasing levels. I do not think it matters all that much to the company's business one way or the other but it is likely to matter to the shares.
It would, I think, be inappropriate not to mention the acquisition potential for RPD. This is a small company with a modest enterprise value (about $460 million). It is growing rapidly and it stands in an important technology trend in the cyber security space. Most consolidators in this space are far larger than RPD and would conclude that the short-term dilution would be essentially negligible relative to the significant benefits to be attained through a merger. Under the circumstances it would be more surprising if there had not been potential proposals for a consolidation at significant percentage appreciation. Most consolidators are going to look at financials and conclude that they can readily enhance profitability by controlling expenses in terms of the percentage spend on both R&D and sales and marketing. And most potential acquirers are going to think that they will be able to dramatically increase sales of the RPD solutions. On that basis it becomes a very compelling potential transaction.
The level of premium that has lately been seen in some acquisition deals in the IT space is such that applying those kinds of valuations to RPD shares could result in a high enough bid to interest the insiders who still essentially control the company with an interest of near 50%. Almost all of the current vendors of traditional SIEM solutions are likely to have an interest in acquiring this company simply to give them a significant competitive advantage.
I obviously have no way of knowing if there are any deals or how management might receive overtures. But lightning does strike and this company is the equivalent of a tall building on high ground in the midst of a thunderstorm.
- Rapid7 is a smaller cyber security vendor that is growing rapidly in a land of giants.
- It is loss-making and some of its spend ratios are basically unreasonable in the opinion of this writer.
- The company offers technology that is said to be a second generation alternative to traditional SIEM offerings. It utilizes advanced behavioral analytics to help determine both threat areas and the probability that breaches have occurred or are occurring.
- The company recently acquired Intel's solution in this space.
- The company has made several other strategic acquisitions over the years to provide a broad portfolio of integrated solutions in its space.
- Both user and analyst surveys (often one and the same) rate the company's solutions very highly and significantly better than its older and larger competitors.
- The company has forecast $10 million in operating cash flow for this year.
- The company, based on its technology, its valuation, and its relatively low enterprise valuation of $460 million, is likely to be a subject for speculation regarding its potential to be consolidated.
Rapid7 has indeed been rapid in terms of moving to exploit an element of new technology in the cyber security space. It has done so, for better or worse, by being rapid as well in its ramping of expenditures. Perhaps in the longer run that may not matter if those expenditures better set up the company to continue its hyped growth or to get acquired.
Disclosure: I am/we are long RPD.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.