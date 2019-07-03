Falling FCF margin has resulted in failing the Rule of 40 used by some analysts to judge the health of a company.

Rapid7 has prioritized a new global headquarters over ramping up sales and marketing. This may ultimately impact market share of the new market segment.

Rapid7, Inc. (RPD) provides cybersecurity analytics and automation to more than 7,900 organizations. Rapid7 is also a pioneer in Security Operations (SecOps), a relatively new field that the company hopes to become a dominant player in. While Rapid7 appears to be a strong company with good growth, I have some reservations about the stock as an investment. These concerns include falling free cash flow margin, large expenditures that will extend into 2020 and intense competition for the SecOps market. And there is the possibility that the SecOps market develops as the company hopes it will. For these reasons, I give Rapid7 a neutral rating with an eye to revisit the company later in the year.

Company Background

Rapid7 has been transforming its business for the last few years, going from selling perpetual licenses into a Software-As-A-Service (SaaS) business, and from essentially one product (Vulnerability Management) to a suite of products that provides upgrade and cross-sell opportunities. 85% of sales are now recurring and the transformation to SaaS is almost complete, while the product suite is still evolving. The company calls the current offerings the “four main pillars of SecOps” as described below:

Vulnerability Management: Our industry-leading Vulnerability Management solutions provide enterprises with comprehensive, yet prioritized, visibility into potential cyber risks across their traditional and modern IT environment. With built-in remediation workflows, automation, and validation, our solutions are designed to help ensure that risks can be easily mitigated, and attack surfaces diminished. Incident Detection and Response: Our Incident Detection and Response solutions are designed to enable organizations to rapidly detect and respond to cyber security incidents and breaches across physical, virtual and cloud assets. Equipped with user behavior analytics, attacker behavior analytics and deception technology, our Security Information and Event Management is designed to provide comprehensive network visibility and accelerate threat investigation and response. Application Security: Our Application Security offering provides dynamic application security testing and run-time application security monitoring and protection solutions that are designed to continuously analyze web applications for security vulnerabilities and block many types of attack automatically. Security Orchestration and Automation Response: Our Security Orchestration and Automation Response solutions allow operations teams to connect disparate solutions within their cyber security, IT and development operations and build automated workflows, without requiring code, to eliminate repetitive, manual and labor-intensive tasks, resulting in measurable time and cost savings.”

(Source: Rapid7 2018 Q4 - Results - Earnings Call Slides)

To date, the majority of enterprise spend on cybersecurity has been on threat protection products, including network, endpoint and web security that are designed to stop threats from penetrating corporate networks. Rapid7 is staking its future in large part on the growth in the market for SecOps, a fledgling and highly competitive industry that is constantly evolving. Given that there is no significant history for SecOps to base guidance on, this is a risky bet for Rapid7.

According to company management:

"Although we continue to introduce and acquire new products and professional services, we derive and expect to continue to derive a majority of our revenue from customers using certain of our vulnerability management offerings, InsightVM, Nexpose and Metasploit. Greater than half of our revenue was attributable to InsightVM, Nexpose and Metasploit in each of our last three fiscal years.”

Enterprises may continue to allocate their budgets to vulnerability management and not embrace the more comprehensive cybersecurity products that Rapid7 has to offer.

As I mentioned earlier, the cybersecurity market is highly competitive.

"Our primary competitors in Vulnerability Management include Qualys and Tenable; in Incident Detection and Response (SIEM) include Splunk, Micro Focus and LogRhythm; in Application Security include Micro Focus and IBM; in Security Orchestration and Automation Response include Phantom (Splunk) and Demisto."

Omitted from the above is Microsoft’s (MSFT) Azure Sentinel. There are other interesting approaches to cybersecurity such as Okta’s (OKTA) Zero Trust that may eat away the Total Addressable Market (TAM). Also, some enterprises are reluctant to use cloud solutions for cybersecurity because they have concerns regarding the risks associated with the reliability or security of the technology delivery model.

Company Fundamentals

As I explained in my last article on Wix (WIX), high-growth companies generally don't measure up based on traditional value metrics. In fact, they often confound analysts, with the result being a lost investment opportunity. In place of traditional value factors, I generally focus on other measures, such as revenue growth, the software company "Rule of 40," and my favorite: company performance relative to analysts' estimates.

Revenue Growth

Rapid7 had a good year with trailing twelve-month (TTM) revenue growth of 25%, according to portfolio123. Note that the revenue growth may be somewhat skewed due to the change in accounting method from ASC 605 to ASC 606, making historical figures non-comparable. I am going to stick with the figure of 25% as the guidance provided in the Rapid7 2018 Q4 - Results - Earnings Call Slides was for 26% revenue growth for 2019.

Free Cash Flow Margin

Rapid7's free cash flow margin TTM has dropped recently and now sits at -12% of revenues.

(Source: Portfolio123.com)

While some of the drop in the chart may be explainable by the change in accounting, the final figure of -12% is real. According to company management:

"…we’re moving our global headquarters and consolidating facilities this year and hence our free cash flow will be negative as a result of significant capital improvements in 2019. But these expenditures will decline substantially in 2020."

Not only that, but some sales & marketing expenses have been pushed out due to the significant spend.

"During the first quarter, sales and marketing expense decreased to 45% of revenue when compared to Q1 2018 expense of 50%. This improvement reflects the operating leverage inherent in our business model but is also driven by the timing of some hiring that was pushed out to future periods."

Ramping sales & marketing is a critical tactic that most companies do towards the end of the transformation process to SaaS. The goal is to capture as much market share as possible as soon as possible, giving a foothold in the industry and hopefully creating an economic moat. Yet, Rapid7 has bumped the ramp of S&M to some future period of time. This expense has been sacrificed to build a global headquarters. The global headquarters may be a good long-term move, but it is pushing out sales resources needed to grow the business.

Analysts' Estimates

Examining how a company performs versus analysts' estimates gives me a feel for how conservative the management is and how well they communicate with the investment community. This is a good predictor of what to expect in future quarterly results. With that said, Rapid7 has an excellent record of beating analysts' estimates. The company has exceeded estimates for the last five quarters for both sales and EPS.

(Source: Portfolio123.com)

The Rule of 40

Analysts are challenged when it comes to valuing software companies. While these companies tend to generate high revenue growth rates, they also tend to be unprofitable due to large investments in research & development and sales and marketing. Discounting future cash flows requires many assumptions that are typically unreliable and difficult to support.

One industry metric that is often used for early- to mid-stage software companies is the "Rule of 40." It is an industry rule of thumb that attempts to help software companies ascertain how to balance growth and profitability. There are different ways of calculating the Rule of 40; some analysts use EBITDA, and others use the free cash flow margin. I use the free cash flow margin, as the figure is useful in a later part of my analysis.

Some analysts interpret the Rule of 40 as follows: If a company's growth rate is at least 40 percentage points higher than its free cash flow margin, then a high-growth SaaS company can burn cash in order to drive growth.

Cash Burn

Rapid7 is burning cash. SG&A expenses are 87% of revenues, higher than what would be expected from a more mature software company that would typically have a figure around 50-60%.

(Source: Portfolio123.com)

Note that SG&A includes Sales & Marketing, General & Administrative, and R&D.

On the other hand, Rapid7’s SG&A expense is more reasonable than some other stocks that I have analyzed recently, such as Okta, which has more than 100% SG&A as a percentage of revenues.

According to the Rule of 40, the cash burn is OK so long as revenue growth plus free cash flow margin adds up to 40% or more.

Revenue Growth + FCF margin = 25% - 12% = 13%

In the case of Rapid7, the cash burn appears to be "not acceptable". Revenue growth would need to be higher than 50% to support the negative FCF.

Summary

Rapid7 is also a pioneer in SecOps, a relatively new field that the company hopes to become a dominant player in. Rapid7 has transformed its business to SaaS and now has 85% recurring revenues. The company's original product, Vulnerability Management, and related software, still accounts for more than 50% of revenues. New product suite additions, although they appear to be promising, are still in their infancy, and there is the risk that the SecOps market may not grow as the company anticipates, or the competition may prove to be formidable. The company is spending a significant amount of money on a new global headquarters that has put free cash flow into negative territory and caused the "Rule of 40" to be violated. The Rule of 40 is often applied to small and mid-sized companies. For these reasons, I have given Rapid7 a neutral rating with the intent of revisiting the fundamentals in late 2019.

