Rapid7: The Trump Cyber Security Trade

| About: Rapid7 (RPD)

Summary

RPD is ideally positioned to lead the $14.4B security data and analytics market.

The recent hiring of experienced sales executives should allow RPD billings growth to rebound after a disappointing 3Q2016.

RPD trades at 2.3x EV/FY2017E Sales, below its peer average of 4.5x.

February 9th conference call is a potential near-term catalyst.

12-Month Price Target of $19 (47% upside).

Overview

Rapid7, Inc. (NASDAQ:RPD) is a leading provider of security data and analytics solutions to organizations seeking to take a data-driven approach to cyber security. Through its portfolio of solutions, RPD equips technology professionals with the analytical tools necessary not only to identify weak spots within their networks but also to prioritize remediation efforts to optimize their IT budgets and workflow. Additionally, RPD provides the incident detection tools required to identify and effectively respond to threats across enterprises and to complete investigations internally.

Given its growing portfolio of solutions, anchored by its core vulnerability management offerings and focus on equipping technology professionals with the information necessary to analyze and manage security across their enterprises, I believe RPD is well positioned as Chief Information Security Officers ("CISOs") within companies and government agencies increasingly look to use security data and analytics to secure their enterprises while optimizing their IT budgets.

Source: Company Presentation

Over the next twelve months, I expect shares of RPD to appreciate to $19 for the following reasons:

  1. Portfolio of solutions geared for new era of IT spend optimization within organizations and government agencies
  2. Recent addition of experienced enterprise software sales executives
  3. Undervalued relative to peers

Security Data and Analytics Market Growth

RPD's portfolio of solutions allows customers to detect vulnerabilities, close security gaps and respond to threats in real-time across their organizations. Over the next few years, RPD is positioned to increase market share in the 14.4B security data & analytics market.

Source: Company Presentation

RPD's solutions can be broadly divided into two categories: Vulnerability and Threat Exposure Management and Incident Detection and Response.

RPD's Vulnerability and Threat Exposure Management portfolio includes its Nexpose (vulnerability management), Metasploit (attack simulation) and AppSpider (web application assessment) solutions.

Nexpose is RPD's flagship vulnerability management offering. It works by scanning across an organizations ecosystem (applications, IP addresses etc.) and provides the CISO with a holistic understanding of risk-adjusted exposure, allowing them to prioritize and close security gaps.

Metaploit is RPD's attack simulation product which allows CISOs to analyze how a potential attack would unfold based on their network's vulnerabilities. This type of product is mandated for Payment Card Industry (NYSE:PCI) and Health Insurance Portability and Accountability Act (HIPAA) compliance and should continue to contribute consistent growth.

AppSpider is RPD's web application vulnerability product which allows CISO's to analyze vulnerability across all network applications.

Source: Company Presentation

RPD is known for its Vulnerability Management portfolio, however, the company has recently made a push into the Incident Detection and Response area with innovative products that allow CISOs to respond to network compromises in real-time, improve network uptime and complete investigations. The two main products in this portfolio, InsightIDR and InsightOps, were both released in 2016 and represent opportunities for future margin growth as RPD looks to execute its Land-and-Expand sales model. If RPD can successfully upsell these products, which have larger profit margins, to existing and new customers it will be a tailwind to the share price.

Source: Company Presentation

Solutions Geared for the Trump Era of Security and Optimized Spending

In light of recent cyber-attacks on major enterprises, federal agencies and other organizations that were seemingly secure thanks to their massive budgets, it is clear the era of "spending more means your more secure" is over. Security professionals are increasingly looking for the data and analytical tools to "spend smart."

Source: Company Presentation

In addition to the opportunity that exists within the private sector, President Donald Trump has indicated he intends to make cyber security a priority during the first few months of his administration, with a focus on identifying vulnerabilities. I believe this initiative will trickle down throughout state and local governments as well.

Source

In addition to being focused on cyber security, it is widely known that the President is always focused on cost. Thankfully, RPD's differentiated portfolio of solutions allows organizations of all sizes (including government agencies) to assess their vulnerability while providing the analysis necessary to prioritize remediation based on risk-adjusted exposure - i.e. spend money on most critical issues - as well as respond to breaches and complete investigations on their own. Based on analysis performed by RBC Capital Markets, it is expected the cyber security will be one of the top priorities at the Department of Defense (see chart below) over the next few years. I expect other federal agencies, states and municipalities to follow the DoD's lead, representing a large opportunity for RPD.

(Click to Enlarge)

Source: RBC Capital Markets

I believe RPD is well-positioned to provide solutions to state and federal agencies that may not show up on everyone's radar. Most of the time people think of the "sexy", defense-related agencies (like the DoD) when thinking of government cyber security, but in my opinion the larger opportunity for RPD is with the thousands of other government agencies at the municipal, state and federal level. As we learned in 2015 with the hack of the Office of Personnel Management, network security is important across the board. Imagine if your state's DMV was hacked? What about your child's school district?

In summary, RPD is unique in that their portfolio of solutions allows customers to optimize their security and IT budgets by providing the data and analytical tools that help them prioritize their investments and measure the effectiveness of their programs.

To quote the age-old parable, RPD does not just give the customer a fish, it gives them the tools to fish for themselves. Not only do I believe these types of solutions will be increasingly in demand by corporations as well as municipal, state and federal agencies, but I believe this type of recurring revenue model is more sustainable than those that rely on one-time incident-response advisory services.

Addition of Senior Sales Leadership

On November 9, 2016 RPD reported Q3 2016 results which disappointed the market, primarily due to slower than expected growth of customer billings. On the conference call, CEO Corey Thomas identified sales execution as the primary issue: "…total billings in the third quarter were below our expectations, primarily due to internal sales execution issues in two specific areas, larger deals in the enterprise sector and in the federal sector."

Based on consistent customer renewal rates of over 120%, it appears that RPD does not struggle in the "expand" part of their sales model, but instead was in need of sales leadership that could drive new customer acquisition. Similar to the situation going on over at Splunk (NASDAQ:SPLK) I referenced in my article last week, this is a story of sales execution, not product, and I find that attractive.

Source: Company Presentation

On January 11, 2017, RPD announced in a press release that Eric Erston, who previously served as Vice President of Global Enterprise Sales for the energy software company, EnerNOC (NASDAQ:ENOC), would join the company as SVP of Americas Sales. Additionally, it was announced that Stephanie Furfaro would become SVP of Customer Success and Sales Strategy.

Eric Erston

According to a press release when Mr. Erston joined ENOC in January 2015 as the VP of Global Enterprise Sales, Mr. Erston "previously served in a variety of sales leadership roles at RSA, the Security Division of EMC, a multi-billion dollar global provider of cloud-based IT solutions that promote data backup and recovery." According to his Linkedin (NASDAQ:MSFT), Mr. Erston served as Vice President of Sales & Go to Market , Risk and Identity Management at RSA after rising through RSA's sales organization over the course of 14 years. During his tenure at RSA, Mr. Erston led the global integration of a strategic acquisition for RSA, and built out RSA's Sales, Professional Services, and Customer Support organizations in the EMEA and Asia-Pacific regions. When Mr. Erston joined ENOC in 2015, the SVP of Global Sales Gregg Dixon said the following, "Eric's proven track record of triple digit software sales growth is just one of many strong qualifications Eric brings to this role."

Stephanie Furfaro

According to RPD, Ms. Furfaro joined the company in 2011 to lead Business Strategy and Sales Operations before taking on the role of Chief of Staff in 2015.

In addition to Mr. Erston and Ms. Furfari, it appears from Linkedin that Jeremy Razar, who was part of Eric's team at EnerNOC and RSA, also joined RPD as Director of National Accounts, Americas.

Overall, this looks exactly like the type of team necessary to execute RPD's land-and-expand sales strategy (customer case study below) and get RPD's billings growth back on track. Mr. Erston has vast sales leadership experience in the cyber security arena and should be able to jumpstart new customer growth. It is also a great sign that Mr. Erston brought at least one member of his team, as it will allow him to hit the ground running. Based on her title, SVP of Customer Success and Sales Strategy, I assume Ms. Furfaro will be responsible for up-selling and cross-selling products to customers ("expand" part of the strategy") once Mr. Erston and his team has brought them onto the platform. As a long-time employee of RPD, she presumably has the deep product knowledge that would make her an ideal candidate for this type of role.

Land and Expand

Source: Company Presentation

Overall, this is the catalyst I have been waiting for since the last conference call. RPD has the right products based on customer renewal rates and is in the right part of the market at the right time. However, they needed to make changes within sales leadership for billings growth, and in turn the stock, to recover. With Mr. Erston and Ms. Furfaro, RPD appears to have delivered.

Undervalued Relative to Peers

After its initial public offering in July 2015, RPD ran up to a high of $24.99 on its first day of trading before falling to a price of $9.46 on February 9, 2016. Following the most recent earnings call in November the stock dropped ~15% (see chart below), and has drifted slowly upwards since.

Source: StockCharts.com

Although the billings growth was disappointing, I believe the market overreacted to the news given that the majority of the shortfall was due to major enterprise and federal accounts. The market may not remember, due to the run up since Trump's election, but during Q3 2016 (pre-election), executive-level uncertainty was widespread. My thinking is that the uncertainty in the market may have led to some hesitancy on the behalf of RPD customers to close new deals or switchover to RPD. Either way, the new sales team and improved macro-environment should be tailwinds for RPD.

RPD currently trades at an EV/S multiple of 2.3x my FY2017 Sales Estimate of $200M, below its peer group average of 4.5x. Peer companies, referenced in the table below include Palo Alto Networks (NYSE:PANW), Fireeye (NASDAQ:FEYE), Check Point Software (NASDAQ:CHKP), Proofpoint (NASDAQ:PFPT), Fortinet (NASDAQ:FTNT), Symantec (NASDAQ:SYMC), Imperva (NASDAQ:IMPV), Secureworks (NASDAQ:SCWX), and Cyberark (NASDAQ:CYBR). After a tough 2016 for cyber security, RPD is the best positioned of this group going into 2017.

Given that the stock sold off following its Q3 2016 conference call primarily due to sales execution issues, I expect the market to react favorably on February 9th, when RPD hosts its 4Q2016 conference call and introduces Mr. Erston and others to the broader market. Although it will take a few quarters for the impact of the new sales leadership to be reflected in the numbers, I believe that with confidence restored in RPD's ability to achieve strong billings growth, the stock will rebound over the next year to a EV/FY2017E Sales multiple of 4.0x, closer to its peer group average of 4.5x. This implies a target stock price of ~$19, which is ~47% higher than the closing price on January 20, 2017.

(Click to Enlarge)

Source: Internal

Based on the current open options interest in the February expiration, it appears that the options market expects upward pressure on share price following the Q4 2016 conference call as well.

Source: MarketChameleon.com

Downside Risk Factors

Although I believe RPD's portfolio of solutions is optimally positioned to take advantage of the growing security data and analytics market, there are a number of downside risks that could impact share price in the near term.

If on the Q4 2016 earnings call it is revealed there has been additional deal slippage that results in an accelerated decline of billings growth or if the adoption rates of InsightIDR and InsightOps are well below expectations then the share price could be pressured. Also, given that my thesis hinges on the fact that RPD has the right products (they just need to execute sales strategy), if we see a significant decline in renewal rates then I would have to revisit my target price.

If a large macroeconomic event that undermines business confidence occurs or a customer-specific event occurs that impacts one of its major customers, RPD's growth trajectory and share price could be impacted.

Finally, if the newly hired sales leadership is unable to gain traction throughout the year, the market could again lose confidence in the company's growth prospects.

Summary

With its portfolio of solutions aimed at providing customers with the data and analytics necessary to manage vulnerability and respond to threats across their network, RPD should be able to reach annual revenue in 2017 of $200M as demand for security data and analytics increases.

In the near term, I expect the market will gain confidence in RPD's new sales leadership team and the company will be rewarded with a EV/FY2017E Sales multiple of 4x, closer to the average of its peer group, and a share price of $19 per share.

Disclosure: I am/we are long RPD.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Additional disclosure: I own the stock and have multiple February bull call spreads in place.

About this article:

Expand
Author payment: $35 + $0.01/page view. Authors of PRO articles receive a minimum guaranteed payment of $150-500.
Tagged: , , , Application Software,
Want to share your opinion on this article? Add a comment.
Disagree with this article? .
To report a factual error in this article, click here