Jeff Bray - Vice President, Investor Relations Corey Thomas - President and Chief Executive Officer Jeff Kalowski - Chief Financial Officer.
Saket Kalia - Barclays Matt Swanson - RBC Capital Markets Liz Verity - KeyBanc Gur Talpaz - Stifel Jonathan Ho - William Blair Anne Meisner - Susquehanna Financial Group Melissa Franchi - Morgan Stanley Fred Havemeyer - Macquarie.
Ladies and gentlemen, thank you for standing by and welcome to the Rapid7 First Quarter 2018 Financial Results Conference Call. [Operator Instructions] As a reminder, this conference is being recorded, Tuesday, May 8, 2018. I would now like to turn the call over to Mr. Jeff Bray, VP of Investor Relations. Please go ahead..
Thank you, operator and good afternoon everyone. We appreciate you joining us to discuss Rapid7’s Q1 2018 financial and operating results in addition to our financial outlook for the second quarter and full fiscal year 2018. I am Jeff Bray, Vice President of Investor Relations.
I am here today with Corey Thomas, President and CEO and Jeff Kalowski, our CFO. We distributed our Q1 2018 earnings press release over the wire and it’s now posted on our website at investors.rapid7.com.
We have also posted our updated company presentation and financial metrics file on our Investor Relations website, which includes additional information to help explain the impact of shifting to 606 on our Q1 financials. This call is being webcast and can be accessed at investors.rapid7.com.
The webcast of this call will be archived and a telephone replay will be available on our website until May 15, 2018. We would like to bring the following to your attention, the date this call is May 8, 2018.
Our discussion today contains forward-looking statements about events and circumstances that have not yet occurred, including without limitations, statements regarding our objectives for future operations and future financial and business performance.
These forward-looking statements are based on our current expectations and beliefs and on information currently available to us. Statements containing words such as anticipate, believe, continue, estimate, impact, intend, may, will and other similar statements are intended to identify such forward-looking statements.
Actual outcomes and results may differ materially from the expectations contained in these statements due to a number of risks and uncertainties, including those contained in the risk factors section of our most recent Annual Report on Form 10-K filed with the Securities and Exchange Commission and subsequent reports that we file with the Securities and Exchange Commission.
The information provided on this conference call should be considered in light of such risks. Actual results and the timing of certain events may differ materially from the results or timing predicted or implied by such forward-looking statements and reported results should not be considered as an indication of future performance.
Rapid7 does not assume any obligation to update the information presented on this conference call except to the extent required by applicable law.
On this call, we will provide and talk about our results using non-GAAP financial measures and provide non-GAAP guidance and unless otherwise stated for purposes of comparability, we will be presenting results in accordance with ASC 605.
We believe that the use of these non-GAAP financial measures provides an additional tool for investors to use in understanding company performance and trends, but note that the presentation of non-GAAP financial information is not meant to be considered in isolation or as a substitute for the directly comparable financial measures prepared in accordance with GAAP.
We have provided a reconciliation of the historical non-GAAP financial measures to the most comparable GAAP measures in the financial statement tables included in the press release issued today announcing our results. The press release announcing our financial results is available on our website at investors.rapid7.com.
At times in our prepared comments or in responses to your questions, we may offer incremental metrics to provide greater insight into the dynamics of our business or our quarterly results. Please be advised that this additional detail maybe one-time in nature and we may or may not or may provide an update in the future on these metrics.
With that, I’d like to turn the call over to Corey..
first, where InsightIDR was named a visionary by Gartner in the SIEM Magic Quadrant and second, when our application security solutions earned the highest scores in Gartner’s evaluation of dynamic application security testing, or DAST.
We have always said that we have great technology, but now we’re getting third-party validation across our portfolio. You can understand why we are so proud of our R&D teams and why we continue to lead a customer growth and retention rates. Now, let’s review the quarter and the context of our 2018 goals.
First off, the highlight of the first quarter performance was our ARR, which accelerated to 38% growth well ahead of our goal of at least 30% growth.
ARR growth is being supported by the overall health of the market that we address, our shift from perpetual to subscription across all of our products and strong performance of our go-to-market teams who are quickly transitioning to selling based on ARR.
During the quarter, we officially shifted all of our products to subscription pricing and we saw a dramatic shift to subscription contracts during the quarter.
Our customers have quickly embraced the simplicity and ease of subscription pricing and continue to migrate to our cloud platform-based solutions for enhanced visibility analytics and automation. One metric we are now tracking is ARR per customer, which also saw strong growth, increasing 23% year-over-year to almost $25,000 per customer.
The entire Rapid7 organization is aligned to drive ARR growth and we are enjoying those results today. Our management team is compensated on ARR, our sales, quotas are based on ARR and we now have a full complement of SaaS and subscription products across our product portfolio.
Our sales team has done a great job of positioning to an ARR model and we have also experienced higher than expected retention of our sales team during this critical transition, which is helping drive confidence in our plan for ARR growth.
As for our second goal, which is to leverage the expansion of our SecOps portfolio to keep driving new customer growth and cross-selling into our customer base, we had a strong quarter in sales to both new and existing customers. This quarter, we grew customers by 12% year-over-year.
The quality of our customer growth continues to be high, with our platform customers going 82% year-over-year and very strong growth in ARR per transaction as we shift to subscription.
One effect of our shifting incentive compensation towards ARR is that we are seeing slower growth in overall services customers and revenues, although we are generating higher ASP per services customer. We are now focusing on more strategic services relationships, which also contributes to a stronger higher quality customer and revenue base.
The net impact is that we believe we are increasingly focused on adding customers that have the greatest lifetime value. InsightVM continues to be our primary tool for customer acquisition, driving new customers across the Fortune 1000, mid-market and internationally. Once again, we increased our Fortune 100 penetration to 55%.
One example of a new InsightVM customer is a Fortune 1000 video game publisher with a small team responsible for a huge vulnerability management environment with over 200,000 assets. Their existing solution had too many manual processes and lacked quality integrations with ServiceNow and other solutions and their SecOps environment.
With InsightVM, the customer is able to quickly improve visibility across a very complex modern infrastructure and can now leverage remediation workflows to integrate directly with their ServiceNow deployment.
Our platform approach means that we now have an opportunity to sell them more products and applications such as our application security and Komand. This is a good example of why we have confidence in being able to continue to lead the market in customer acquisition.
Once again, this quarter, we achieved a strong renewal rate of 120%, as our existing customers continue to return to Rapid7 for more coverage and more solutions to solve their security and SecOps challenges. Our cross-selling continues to accelerate, with new ARR cross-selling growth up 83% year-over-year and cross-selling transactions up plus 50%.
We continue to see strong growth for InsightIDR as customers increasingly see value in powerful visibility and analytics solutions that can improve their risk profile by dramatically reducing the time to discover a breach as well as reducing the time to investigate breaches.
The market understands that a strong user behavior analytics tool is required for detection and that only a cloud-based solution can quickly and cost effectively enables detection and response. Our existing customers also recognize the value in consolidating their visibility and analytics solutions with one provider.
For example, a $400 billion asset manager with a three person security team was looking to upgrade their legacy SIEM, which is only capable of providing them with compliance reporting to-date. The customer is already a VM and applications security customer of Rapid7.
The team required a strong UBA solution, especially one that can identify a lateral movement by attackers.
Not only do InsightIDR performed the best in their evaluation, other deception features and integrations into our cloud platform for vulnerability management prove to be a major differentiator and the customer was able to experience the excellent asset value that InsightIDR can provide.
We also continue to see growing interest in application security as customers increasingly realize that web-facing applications are a major risk for tax and also an area where they often lack visibility. We entered this market in 2015 with our AppSpider product, which is an on-premise solution and is offered on a term license basis today.
As part of our shift towards cloud-based solutions and ARR last year, we launched InsightAppSec on our cloud platform. While our AppSpider solution had a great Q1 with overall interest increase in application security and the maturation of our cloud solution, we are beginning to see demand shift towards InsightAppSec.
Jeff will go into the accounted impact of this shift a little later. As an example of the building momentum for InsightAppSec, our largest ARR deal this quarter was a Fortune 500 financial technology customer already relying on Rapid7 for Nexpose, Metasploit and AppSpider.
They will look into consolidate multiple application security solutions with a provider that could quickly and effectively scan their 4,000 apps every month across both legacy and modern applications.
The customer is able to consolidate a legacy product with Rapid7 and InsightAppSec proved to be the most flexible and effective solution and also clearly provide the best asset value. With only 1.5 solutions per customer on average today, we still have plenty of runway to cross-sell into our existing base.
And to our third goal, we remain committed to improve profitability as we generate operating cash flow in 2018 as well as to generate profit for 2019. In the first quarter, our operating loss was within our guidance range, and we generated $7.3 billion in cash from operations.
We were all – we were able to do this even while we increased some investments in our go-to-market efforts to accelerate the hiring of account executives and an accelerated deployment of a new CRM system for improved operational efficiency.
We chose to make these investments to help maintain our momentum in ARR growth, providing a strong foundation for 2019 when we can begin to realize the full leverage of our land and expand model and our shift to subscription pricing and the goal of generating non-GAAP operating profit.
Overall, the first quarter was a great start to 2018 and we made good progress on our 2018 operational and financial goals. Our focus on ARR has been embraced by our sales teams and customers, and our SecOps portfolio is indeed a critical need for both new and prospective customers. I am very excited about what is ahead for Rapid7.
With that, I would like to turn the call over to Jeff to discuss our financial results and our guidance.
Jeff?.
lower perpetual license revenue in 2018 as we spread those revenues over 5 years under 606 and lower maintenance revenue as we use a different allocation method under 606; finally, as for the term licenses are recognized upfront under 606, we have provided a benefit in Q1.
As Corey mentioned, the shift of our application security business towards a SaaS solution appears to be accelerating, which means that more of our application security revenue maybe deferred and recognized over the contract term as opposed to recognize upfront under 606. This is purely income statement accounting and has no impact from cash flow.
This is the reason the midpoint of our 2018 revenue guidance under 606 is not increasing as much as it is under 605. We continue to have very high visibility into our revenue forecast. Recurring revenue was 77% of total revenue under ASC 606.
Under ASC 605, recurring revenue was 75% of total revenue in the first quarter of 2018, up from 69% in 2017, which is growth of 40%. 85% of total revenue under ASC 606 and 89% of total revenue under ASC 605 came from deferred revenue on the balance sheet at the beginning of the quarter.
Majority of this difference is due to less perpetual revenue being recognized under ASC 606. The value of our annualized recurring revenue increased to $177.8 million at the end of the first quarter, a 38% increase year-over-year, which we believe is indicative of the success we are having with our shift to subscription.
Calculated billings for the first quarter were $48 million, or up 9% year-over-year. Average contract months were 18 months for total billings down significantly from 23 months in the prior year period.
As we said since we launched InsightVM, given the mixed shift from perpetual to subscription, we have expected our customers to shift towards 1 year contracts and we saw that materialize in Q1. Also, our 2018 quotas for our sales reps are now based upon new ARR.
Consequently, we believe billings and contract mix are no longer a meaningful comparison to prior periods during this transition as they don’t capture the benefit of a higher security mix and growth of our recurring revenue and that result is that our billings are resulting more current revenue and greater lifetime customer value.
Looking at the business geographically, in Q1, North America comprised 85% of revenues. Rest of the world revenue increased 22% year-over-year and contributed 15% of total revenue in the first quarter.
While our rest of the world revenue growth was a little slower this quarter due to large services deal recognized in Q1 2017, we did see our international bookings grow faster than overall bookings. Our customer count increased by 12% year-over-year and we ended Q1 with more than 7,100 customers globally.
Overall, we continue to see strong bookings from new customers driven by larger deal sizes, multi-product sales, increased recurring revenue, which we believe are important parts of our growth strategy. And as Corey said, fewer but higher quality services to customers.
Our renewal rate was 120%, and our expiring revenue renewal rate was 89% in the first quarter. As Corey mentioned, we had a strong cross-sell. Turning back to the P&L, on an ASC 606 basis, non-GAAP total gross margin for Q1 2018 was 72%. Product non-GAAP gross margin was 79%. Maintenance and support non-GAAP gross margins were 83%.
The professional services non-GAAP gross margins were 28%. On an ASC 605 basis, non-GAAP total gross margin for Q1 2018 was 74% compared with 74% also in the prior year period. Cost of goods sold, are essentially the same for both ASC 606 and 605 and therefore the gross margin difference is all due to growing revenues in 606.
On a 605, non-GAAP product gross margins were 80% in Q1. And as expected, we are down from 84% prior year period due to increased usage of our SaaS platform and its service offerings, although we did improve in Q4 as we realize some of the benefits of increasing scale in our cloud offering.
Our non-GAAP maintenance and support gross margin increased to 84% in Q1 from 83% in the prior period.
In aggregate, our product plus maintenance gross margins were 81% in Q1 as compared to 84% in the prior period and we believe it is important to look at product and maintenance gross margins on a combined basis as we migrate more customers to the platform and our maintenance revenues and costs continue to migrate to product revenues and costs.
We still expect our combined product and maintenance gross margins to decrease slightly for the full year. Our non-GAAP professional services gross margin was 31% in Q1 compared to 34% in the prior year period as we have slightly lower services bookings and utilizations this quarter.
We would expect professional services gross margins in the mid-30s for the full year 2018. We continue to expect our total gross margin to stay in the low to mid-70s on both the ASC 605 and ASC 606 basis.
For operating expenses, please note that the only difference between 605 and 606 was in sales and marketing expense, which was $1.7 million lower than 606 due to the impact of deferring sales commissions, which is in line with our guidance.
As for operating expenses, we saw modest leverage in sales and marketing year-over-year, where sales and marketing decreasing to 50% of revenues. As Corey mentioned, given the opportunity that we are seeing in 2018, we decided to make two incremental investments in Q1 to help drive ARR growth this year.
First, we accelerated sales force hires that were planned for later in the year. Second, we accelerated some upgrades to our CRM systems to drive more efficiency in our quoting and forecasting. Without these investments, we believe we would have reported a non-GAAP operating loss better than our guidance range.
We intend to make some additional investments again in Q2, but we still expect to see leverage from sales and marketing expense for the full year of 2018. Our R&D expenses were up slightly as a percentage of revenue this quarter, partly due to the Komand acquisition and some one-time expenses.
We continue to expect flat R&D as a percent of revenue for the full year. Moving to first quarter operating loss, on an ASC 606 basis, non-GAAP operating loss was $8.9 million, which was at the favorable end of our guidance of a loss of $10.1 million to $8.8 million.
On an ASC 605 basis, non-GAAP operating loss was $6.9 million, slightly better than the midpoint of our guidance of a loss of $7.4 to $6.5. On a 606 basis, adjusted EBITDA loss for the first quarter was $7.4 million. On a 605 basis, adjusted EBITDA loss was $5.4 million for the first quarter compared to a loss of $4.6 million in the prior year period.
On a 606 basis, non-GAAP net loss per share was $0.19 in Q1 2018. At 605 basis non-GAAP net loss per share was $0.15. We ended Q1 with cash, cash equivalents and investments of $130 million, inclusive of the $31 million raised from our public offering in January of this year. This compared with $92 million as of December 31, 2017.
Our operating cash flow for Q1 was positive $7.3 million. Moving to our second quarter and full year guidance, as for ARR, given our strong momentum coming into 2018 and our strong performance on new bookings in Q1, we’re raising our guidance for full year in Q2 ARR growth to exceed 33%.
For Q2 2018, on an ASC 606 basis, we anticipate total revenue to be in the range of $54.3 million to $55.7 million. We anticipate non-GAAP operating loss to be in the range of $9.8 million to $8.4 million. We anticipate non-GAAP net loss per share for Q2 2018 to be in the range of $0.21 to $0.18.
This is based on an anticipated 46.5 million weighted average shares outstanding. On an ASC 605 basis, we anticipate total revenue to be in the range of $57.6 million to $59 million. This equates to year-over-year growth of 21% to 24%. We anticipate non-GAAP operating loss to be in the range of $8.7 million to $7.8 million.
As we mentioned, we are increasing some investments in our sales organization in Q2 to take advantage of the momentum that we have built in the business around ARR and our shift to the cloud. For the full year of 2018, we are raising our total revenue guidance.
On an ASC 606 basis, we are raising our guidance for total revenue to be in the range of $231 billion to $236.5 billion. This equates to an impact of approximately $12.5 million to $13.5 million from ASC 605.
The midpoint of our 606 guidance is increasing by $1 million less than in 605 due to the impact of a mix shift over our application security bookings to Insight app set from our on-premise solutions result in a more radical versus upfront recognition as we continue before.
This is purely timing of when we recognize the revenue and has no impact on our cash flow. We are maintaining our guidance for non-GAAP operating loss to be in the range of $26 million to $20 million.
We anticipate non-GAAP net loss per share for 2018 to be in the range of $0.55 to $0.22 just based on an anticipated 46.7 million weighted average shares outstanding. On an ASC 605 basis, we are raising total revenue to be in the range of $244.5 million to $249 million. This equates to year-over-year growth of 22% to 24%.
We are maintaining our guidance for our non-GAAP operating loss to be in the range of $25 million to $21 million. Our full year guidance reflects our plan to increase investment into our sales organization during the first half of the year, but also more leveraged from sales expense in the second half of the year.
In conclusion, we have built strong momentum with our shift to the cloud and subscription, leading to raised ARR and revenue guidance and we are maintaining our operating loss guidance for 2018 as well as our plan to generate operating profit for 2019. With that, we appreciate your time and support and we will open the call for any questions.
Operator?.
Certainly. [Operator Instructions] And our first question comes from the line of Saket Kalia with Barclays. Your line is open. Please go ahead..
Hi, guys. Thanks for taking my questions here.
How are you?.
Good, Saket..
Hey, maybe just to start with you, Jeff. Nice acceleration on the ARR. I think this was really the first quarter where we have the sales force all aligned on ARR and also the first quarter or first full quarter where we introduced a subscription version of the product as well.
Maybe qualitatively, how do you think about those different drivers to the acceleration of ARR this quarter? And just to make sure we asked the question, were there any one-timers to call out, because it was a nice acceleration in ARR?.
Yes Saket. I think that we were very careful and we spent a lot of time structuring the comp plans to influence the right behavior. We have talked about it a lot is that we want them focused on ARR. And historically, we have been on TCV plan, so we make sure that, that transition could go as smoothly as possible.
And I think that what we saw in Q1 is that they really embrace the opportunity to do well and to be compensated appropriately on that shift to ARR and not have to be dependent on multiyear deals and TCV in the past. And I think that was a pretty big driver.
Also we saw a nice shift from subscription from our perpetual deals when there are non-cloud products as well that also drives more ARR per transaction. I think its overall enthusiasm for the SecOps platform I will let Corey add some commentary there that he talked about in his prepared comments..
Yes. I think more than the benefits we had back, it was that – our IDR products have been on an ARR-owned and ARR basis for a while. So when you think about the big shift that was really in our [indiscernible] management operates, which had very, very healthy growth for the quarter.
I think part of that though was that our sales team is selling to a customer base that was already in a market that was subscription-based and so that lessens the risk for us as a company and that translated through higher productivity and higher growth rates in ARR..
Saket, I am sorry, I forgot to answer your question on the one-timers, no, we didn’t see any one large – excessively large deal that will skewed the results at all..
Got it. That’s all really helpful.
Maybe for a follow-up for you, Corey, it’s been a couple of quarters since we brought Komand into the fold, I guess the question is how are you thinking about that product enhancing what we have in VM and SIEM versus that is really a standalone tool to make a bigger place sort into the orchestration market any thoughts on command and future would be helpful?.
Absolutely. We have always said the Komand orchestration and automation market is huge and we are seeing more and more customers looking for solutions there and we will be a major player in that market.
Our priorities right now are integrating into our platform, we believe that data and analytics driven automation will provide customers a much, much more robust platform and our goal is to be a dominant player in the market and to add lots of innovations to the market, it actually helped make orchestration and automation mainstay.
That said you will see both a major product offering in Komand over time and you also see us rollout orchestration and automation capabilities in our products this year that really are focused on solving the customers solve problem as well as differentiated our solutions versus other end markets.
So, the answer is both, it’s a massive market, it’s also a core capability of the platform we think is going to drive – help drive continued growth..
Got it. Very helpful guys. Thanks very much..
Thank you..
Our next question comes from the line of Matt Hedberg with RBC Capital Markets. Your line is open..
Thanks. This is actually Matt Swanson on for Matt. Corey, you started off talking about InsightVM, the success you have seen and some of the accolades you have received recently.
Could you just talk a little bit more about some of the specific differentiation and the offering and kind of the competitive landscape you are seeing around it?.
Yes, no, absolutely. So if you think about vulnerability management, historically, it’s been mentioned much more of a tactical solution. And our observation that really started 4 plus years ago that the problem of how people manage and maintain their IT environments was one of the single biggest calls to take risk.
And if we could actually translate what we were doing in vulnerability management, they are hoping customers better manage, maintain, update, configure and control the environment and to solve the IT complexity problem from a security operations perspective, then we would be doing a great service for our customers and make ourselves successful.
That is the core of the translation of how vulnerability management, have been setup vision, it is about not just reporting, it’s about taking data about the environment, analyzing the viability state of the environment and then making it easy for people to remediate and shift that state of the environment.
And so the big differentiators that we get credit for our analytics, about risk exposure and the environment, our analytics about their remediations in the environment, helping people understand not just what the vulnerabilities are, but how does that relate to their IT operational practices.
And then what we are doing as we go forward is translating that remediation analytics and remediation workflows into remediation orchestration and automation that allows people to much more effectively pass control and maintain the environment.
What we are seeing is a natural outcome of that is that vulnerability management will just be managed by a very small subset of the security team focused on compliance.
For our customers, it’s now becoming a core capability that spends on security and IT and it’s hard that they operate – have made sort of vulnerability management much more operational..
That’s great. And then if I could just ask one more, another really strong quarter for cross-sell.
I was just wondering how efficient you feel the go-to-market motion is right now around cross-selling, like, are you firing on all cylinders or is there additional gains to be made in that?.
But we are making – so, one we make great gains, we are seeing great momentum at cross-selling. And we believe that there are still greater gains to be made.
We still are in the early stages of the ARR per customer that we can achieve the number of products for customers we can achieve and we are getting positive feedback and momentum from our customer base on our overall SecOps portfolio strategy.
So we are optimistic that we actually have sustainable growth in cross-selling which leads to much higher rates of ARR..
Alright, great. Thanks for the time..
Thank you very much..
Our next question comes from the line of Michael Turits with Raymond James. Your line is open. Please go ahead..
This is Eric Keith [ph] on for Michael. Congrats on the quarter.
Maybe a couple of questions to follow-up on Matt’s questions, could you maybe talk about how your resources between going after new customers versus expanding the existing customer base just kind of how you allocate those resources? And then further to how the sales force is organized to land new customers versus cross-selling and up-selling existing customers, just kind of the dynamic between those two?.
Yes, absolutely. So one, we actually have the luxury to be firing on all cylinders. And so because of that, we actually believe that the best thing keeping it simple and so we are focused on one thing, ARR growth and we achieved ARR growth both by adding new customers but also expanding.
So, it is an effort and the way that we structure our sales team is we have a team that actually focuses on customer relationship management and account management and the renewable ecosystem and then we have a team that’s responsible for new ARR growth and that can come from adding new customers or from expanding existing customers.
And we, for the stage that we are at right now we are fine with either one. We have massive growth in the number of customers that we are going to add to our platform and we have substantial opportunities to grow the ARR by per customer, by huge multiples.
And so because we actually have positive outcomes that we can achieve on either, we have actually left it to our sales team to actually figure out what’s the most efficient way to grow.
Now, we are managing it and we are looking at it until we could do split and send them in place to actually keep it balanced, so you should continuously both add new customers and expand the ARR for customers, but right now, we are just focusing on the overall growth of ARR biggest because both of those are going to grow substantially..
Great. That’s helpful.
And then maybe similarly on the VM kind of competitive landscape, could you maybe just talk about where you are seeing with competition in terms of endpoint vendors that maybe moving towards VM? It just seems like kind of a little bit of shift there over the trend that we may see going on and just how that impacts you strategically going forward?.
Yes, well, it’s not really a shift. There is always I think – since the history of vulnerability – there has always been players and attempt to add VM as a feature.
It has always been – even in the days of compliance with all in a while adequate like everyone from IBM to as a whole list of people to the current count of people who look at it as a feature of just saying, hey, I have a small view on the assets and I have a small view of a significant subset of vulnerabilities.
If you think about what a modern vulnerability management program which evolves over time, it’s about providing basic visibility into the environment not just the assets where you actually have agents, so it’s about providing visibility to your cloud infrastructure to all of those hidden assets that have no agency solve and have never agency solved in the environment and then understanding every application and service installed known assets and not just what the level or the pass level or the vulnerability level is, but also understanding the configuration level of those assets.
At the end of the day, I think what I will analyze what’s the overall risk and exploitability of the environment and then translate that into a remediation and workflow and action plan. Then in the future, we will be able to automate.
That is an incredibly difficult piece of engineering and most people wants to actually get into the details of what it takes to actually run a modern VM program and realize that it’s a market differentiator against other influent vendors or whatever other markets that they are in, but none of those things have proven credible and ensure vulnerability against those..
Great. Thanks, Corey..
Our next question comes from the line of Rob Owens with KeyBanc. Your line is open. Please go ahead..
Hi, this is Liz on for Rob.
I was curious if you could comment on the underlying market you are seeing in vulnerability management, whether you are seeing kind of a breadth of – if you have seen any change in growth in that market and then whether or not – whether that change is coming from increasing breadth of scans or sort of scanning more of your environment or more frequency of scans? Thanks..
Yes.
So we are different than other vulnerability management companies because we are selling to the value proposition of how people operationalize their security and so we are just as much selling into vulnerability management budget as we are – what do you do about it and how do you operationalize security, how do you actually analyze your remediation in your IT processes and then how do you automate those over time and hide those into your workflows.
Because we actually have that unique proposition, we are seeing much higher demand because most of the customer that we are talking to on a big part of the growth that we are seeing, they are trying to move past the phase of just having visibility into a place where they can actually really start to operationalize security and operationalize demand for the environment.
So, we see incredibly strong demand, but it’s not causing vulnerability management is tied to our approach around SecOps and our focus on the remediation analytics, the remediation on workflows and the upcoming orchestration and automation around that, that it resonates with customers saying, okay, I can actually do something about it, yes..
Okay, that’s really helpful. And then quickly just curious if you had any change in sales attrition or turnover based on change in the comp plans. If there were some changes that need to be made? And clearly, it looks like you didn’t see that in the quarter, but just wondering if there is any change there? Thanks..
We talked earlier we expect that we are able to say it’s confidentiality we expect to have slight higher shareholder, we didn’t see it.
We actually have higher retention and higher productivity of our sales teams that was expected and that gives us increasing visibility and confidence as we go through the year, which is one of the outcomes of us raising our guidance both in revenue and ARR..
Our next question comes from the line of Gur Talpaz with Stifel. Your line is open. Please go ahead..
Great. Thanks for taking my question and Corey, Jeff and Jeff congrats on the quarter. So, ARR per customer, interesting metric to offer here, it looks like it accelerated here for the sixth great quarter, I think as far back to the data I have. If we breakdown the components here, you talked about 1.5 solutions per customer, still lot of room there.
How much of that growth here is InsightIDR, InsightOps, new solutions versus the growth in VM and then if we could expound upon that.
If you think about the VM opportunity, how much – how far do you think you are penetrated right now in your installed base just for VM?.
Yes, so multiple questions there. So, the core obviously breaks down about how we think about the expanding ARR growth, so a simple one is that expanding the number of customers and so that clearly has the ARR. When you think about on a per customer basis, they are sort of like three main numbers that I want to.
The first number is sort of the amount of coverage of the asset that’s driving the environment and a big part of our growth is that we have more assets per customer in the environment.
The second thing is we actually are pointing to is the number of products per customer and what we have there is that we have expanded our product portfolio and our products that we have introduced in the last 2 years have actually done quite well in the market have been well regarded and well received.
We are in the very early stages, but we are seeing great adoption on the expansion of the possible customer and that’s actually translated into actual both recurring revenue and they all started translate in revenue as time cross-sell.
And so it’s not just something that download and something to actually paying significant amount of money for, so that’s positive. The second part of that sort of aspect of the number of products per customer also has due to the fact that our products have different ASPs, so things like IDR has higher ASPs that vulnerability management has.
But you have a number – so what’s happening is our ASP growth is solely introducing products. And then the last aspect is sort of – is a temporary one, but that’s the makeshift as you go from life into perpetual to a subscription basis.
That started last year and that’s a positive effect that you actually have, but the date we really focus on sustainably is continue to further increase the customers and then really the big lever is increasing the products per customer there..
Gur, the other point is that the IDR continued to grow triple-digit over 100% again. So to directly answer a question on the mix, but it’s a data point and VM had very strong growth as well this quarter..
That’s helpful. Thanks for that color. And maybe another question here on the shift to recurring, it’s obviously a big emphasis for you guys. Can you talk about the response in the installed base as you made these changes this quarter, particularly the legacy base here perpetual customers now being sold into recurring models.
How was the response been thus far from those customers?.
It’s been positive and I think part of that positivity is one we didn’t actually – we learn from others. Again, we have the benefit of actually doing this transition later and actually taking the time to study what’s worked and what hasn’t worked.
We didn’t force it with the [indiscernible], we actually brought it last year and our cloud-based platform provides really robust capabilities around both analytics and workflow management and we will continue to actually have capabilities that are just possible with the compute power that you have typically have in most environments.
And so by taking a benefits approach, we are actually seeing much higher levels of conversion to our platform than we expected..
That’s great. Thanks guys and congrats again..
Thank you..
Our next question comes from the line of Jonathan Ho with William Blair. Your line is open. Please go ahead..
Good afternoon and congrats on the strong quarter.
I just wanted to start out with some of the commentary that you had around the Forrester placement and sort of what’s been the reaction from customers and partners? How has this helped you from a win rate perspective? Does this help you address different potions of the market just want to get a little bit of sense of what that’s been so far?.
And we talked earlier, we have achieved and we are achieving strong growth and strong pipeline there. I would say that we got the rank in Forrester because of the capabilities that we are positioning.
And so it came out somewhat later in the quarter, so it’s too early to tell how much impact that – could we have, but we have been selling that value proposition and it’s been resonating to customers and part of that you saw the outcome of that in the results.
And we definitely see that in our competitive win rates which were already high and continue to be high. And so I was thinking we are seeing more opportunities. We are kind of one of those companies that as – when people looking to do something, that people look that they have to do by default.
And I think that, that recognition helped us continue on that track ensure that we have more and more deals over time and we have more and more ability in that sort of vulnerability management aspect of our SecOps business..
Got it. And then just in terms of the additional investments in sales, can you give us a sense of maybe where those investments are going to go? Is this is going to be more on the international side? Are there certain segments of the market that you are targeting with those investments? Any color would be appreciated. Thank you..
So, our point of sales investment is really we invest where we actually see productivity and visibility. And if you look at our performance, we see broad-based productivity, we see broad-based visibility and so our investments are across the board, because we are investing behind demand.
And because we see the demand and we see that opportunity, we were able to make that investments and it really is happening across all aspects of our business..
Our next question comes from the line of Anne Meisner with Susquehanna Financial Group. Your line is open. Please go ahead..
Hi, thanks for taking the questions. Corey, I just wanted to dig into the new strategy around services a bit more.
You have a number of different type of services that you guys offer, are there any that you are deemphasizing more than others if you focus on more strategic customers? I would assume that pen testing and Internet response would remain somewhat strategic for you, so maybe you can just shed some light on how should we be thinking about that?.
No, absolutely. It’s a great question especially as we are seeing more demand for ARR and we are seeing – and we are focused ourselves on what we consider more strategic services. The way that we think about more strategic services is services that have a net higher lifetime value for Rapid7, not just in terms of services, but also in terms of ARR.
So what we are really looking at is focusing on companies and organizations that are looking to transition and transform their security program and actually really embody that SecOps vision and we are aligning our services around that.
Over time, what that means for us is that we are focused on less, I would say, transactionals, whether it’s pen testing our IRR, less of the transaction of finance work and more on the transformative work that will result in larger engagements.
We have already seen larger ASPs in our services contracts, but also more strategic relationship with our customers. That’s the focus of what we are doing..
Okay. That’s helpful. Thank you..
Thank you, Anne..
Our next question comes from the line of Melissa Franchi with Morgan Stanley. Your line is open. Please go ahead..
Great, thank you. Corey, you talked a lot about investing in the direct sales force.
So I am wondering if you could maybe comment on investments in the channel and how they are being levered to help enable their journey to subscription that they are fully ramped on that?.
That’s a great question, Melissa. And so one, we are actually seeing increasing channel demand, the demand for channel partners. I think a big part of that is both the recognition that we are receiving in the market from our technology, but also this traction that we are getting with customers.
And so engaging with the channel from a position where the channel wants to engage in deals that has much easier position to engage from.
Our strategy – the other we have actually aligned everything on an ARR and a subscription basis, our strategy was the channel is actually the focus on value-added partners that can really help our customers achieve our SecOps vision and the vision that we think customers be more productive.
And so we are not indiscriminate towards the channel partners, we are actually taking a very thoughtful approach that combines near-term revenue and ARR, but really with long-term customer transformation that we believe will generate the creative economics both for the channel and for ourselves over time..
Okay, that’s helpful. And then one quick one for Jeff, Jeff, I think last quarter you commented on cash flow for ‘18.
I don’t know if I missed it this quarter, but wondering if you could maybe give an updated view on what to expect for cash flow?.
Yes, sure. So we did say that the cash flow this year would approximate 2017 levels. We are not seeing any change there, but having said that, if contract lengths go down further, could be, yes – could it be a little bit less sure, still be positive operating cash flow, but it’s all dependent on really the contract mix.
For a few quarters, we have been talking – we have been saying that we expected the contract lengths to go down and it really materialized this quarter in Q1 with the focus on ARR, so we have less multiyear billings. But at this point, we are still seeing in the same range of 2017.
As I said, it might be a little less if that changes, but we will have to see how it goes over the course of the year..
Thanks..
Our next question comes from the line of Sarah Hindlian with Macquarie. Your line is open. Please go ahead..
Hi, this is Fred Havemeyer on for Sarah Hindlian. I wanted to reiterate firstly, what many others have said already here about very nice acceleration in ARR this quarter. And I wanted to better understand some of the dynamics within ARR.
Firstly, so on this, would you be able to describe how much of your ARR is related to purely SaaS subscriptions and how much is relative to say perpetual license we have sold on a subscription or term basis? And then secondly around the ASC 605 and 606 guidance in the presentation, is there anyway that you would be able to help us bridge the difference between ARR reported under 605 and what we should be looking at under 606 as we build our models? Thank you..
Yes. We don’t breakout the components of that ARR, but the SaaS portion is increasing, obviously, as we converted our vulnerability management products to InsightVM in the second quarter of last year.
So, it’s becoming a bigger portion, but still, we still have the legacy of over $100 million in that 35% portion from all the perpetual sales still carrying forward. So, it’s still the majority, but what we can’t say is that the SaaS portion is growing with the migrations and of course our IDR product line is all SaaS.
And the way we define ARR is the same across the product line. There is no difference under 605 or 606 it’s still the recurring revenue SKUs, not the perpetual SKUs..
Okay, thank you..
There are no further questions over the phone lines at this time..
Thank you all very much for joining us today..
Ladies and gentlemen, that does conclude the call for today. We thank you for your participation and ask that you please disconnect your lines..