Date: 2019-08-26

The company provides one of the best vulnerability assessment solutions, and it is well-positioned to gain more market share.

Rapid7 (RPD) is a leading provider of on-prem vulnerability assessment solutions. However, in recent quarters, it is proving to be more than just a compliance and audit security vendor. The company has introduced three more products, while making key acquisitions to strengthen its capabilities. The Street is still valuing Rapid7 like a traditional vulnerability assessment company. Fast product growth, customer growth, high retention rate, and annual recurring revenue paint a different picture of a company which has expanded its TAM and capabilities. As such, Rapid7 deserves a better valuation, and there is more room for multiple expansion from here.

Rapid7 came under my radar after I learned that it acquired Metasploit. For penetration testers, Metasploit is one of the leading industry tools for performing vulnerability assessment and network scanning. I used it in my days of learning penetration testing to write exploits and payloads. The sheer sight of what the tool is capable of is astounding.

Metasploit reminds me of the film Snowden. You know how the NSA can scan multiple networks and find exploits while making it look like it's nothing? You can make your security lab out of its open source Metasploit framework. It's a powerful tool for detecting security vulnerabilities in networks, apps, and defense systems.

Today, Rapid7 is more than that. It has added more capabilities in IDR (incident detection and response), app security, security orchestration, and automation. That's why it's used by 40% of Fortune 500 companies. Due to the level of congestion in the space, many investors are wary of the ability of new cyber plays to maintain fast growth while improving profitability. A lot of investors are risk-averse, and it's justified, because a bird in the hand is worth two in the bush.

Rapid7 has a similar DNA to most cybersecurity companies. It has recently transitioned to a subscription-as-a-service model. This move increases operating costs during the transition, due to the development of the required cloud infrastructure. We are in the tail end of the transition, and the evidence is clear that the SaaS model is going to improve growth and profitability. ARR is currently 87% of revenue, while the renewal rate is well above 100%. The customer count is also growing. Near term, bottom line profitability ratios will continue to blink red. This might deter impatient investors and keep the stock range down and depressed.

At a market cap of $2.6 billion, Rapid7's valuation is not scratching the surface of what its acquisitions are capable of. The multiple cross-sell and up-sell opportunities offered by its network packet inspection solution (acquired NetFort), application threat defense and monitoring (acquired tCell.io, Inc.) and the triple-digit growth from its IDR solution are understated in the company's valuation.

The stock isn't overvalued by most valuation ratios. It has a forward P/S of 8.3X versus Qualys (QLYS) (10.4X) and Tenable (TENB) (6.1X). This is driven by its quarterly revenue growth of 35% versus Qualys (15%) and Tenable (34%). Selling the business for $2.6 billion will be a steal for any acquirer given the level of growth it's been able to sustain.

Going forward, I expect profitability ratios to continue to improve as management drives sales and product efficiency through its cross-sell and up-sell strategy. Its flagship Nexpose product (responsible for ⅔ of revenue) is a top-three product in RFPs for vulnerability and network security scanning solutions.

Its IDR and app security offerings rank favourably in Gartner's quadrant for top SIEM and application testing solutions. In terms of market share, IDC published a report which was shared by Qualys in 2018, in which Rapid7 was ranked behind Qualys and Tenable, its top two competitors.

(Source: Qualys)

As a security researcher, I tend to favour companies with strong support for open source tools, as it helps spread the word amongst tinkerers and developers. In this regard, Rapid7 leapfrogs its competitors. The Metasploit framework relies on contributions from the best security researchers and bug hunters in the world. As a researcher who has written exploits, I can vouch for the depth and capability of its exploit database.

Moving on to its financials, Rapid7 is currently enjoying double-digit growth ahead of its analyst day guidance on both revenue and ARR. The only worry for me is the operating and profit margins, which have worsened due to investments in sales strategies to accelerate growth. Free cash flow has also taken a hit due to acquisitions. Management is guiding for breakeven in 2020. I won't be deterred if it takes longer than that due to the investment required to sustain growth. However, I will be on the watch for improvements in gross and operating margin as an indicator of the product and sales efficiency that management is touting. Rapid7 has a gross margin of 71% compared to Qualys (77%) and Tenable (84%). Its operating margin is -15% versus Qualys (20%) and Tenable (-26%).

The Street hasn't fully baked in the shocking earnings beat, which means the stock isn't susceptible to a knee-jerk reaction in the event of an earnings miss. The average analyst revenue estimate in 2019 is $319 million (+30% y/y) and $394 (+23%) in 2020. The average price target is $71/share, which implies the stock is trading at a 31% discount to analysts' consensus estimates.

Conclusion

When valuing cybersecurity companies, I like to put myself in the shoes of the stereotypical forward-thinking chief information security officer of a Fortune 500 company. Using my industry and product experience, I try to answer a simple question: Would I buy this product if I were a CISO, and how much would I be willing to pay for it? From my experience, it's a big "yes" for Rapid7. I'll install Rapid7 and task my security researcher with the responsibility of bug hunting and getting ahead of the latest zero-day exploit. It isn't too much of a price to pay to stay ahead of the latest threat vectors. I assume every other Fortune 500 CISO will be thinking along these lines. Other mid-market businesses will definitely need some awareness, and I believe the security industry is getting to that point.

In this regard, I'll rate Rapid7 a "Buy," as I'm confident in the capabilities of its product and I believe the company will continue to gain market share as it intensifies its effort to raise awareness about cybersecurity best practices.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.